What's new in this release

IBM Security Verify Access provides new features and extended functions for Version 10.0.6.

Verify Access Platform

  • Rate Limit support

    The rate limit support of WebSEAL can be configured to include HTTP headers in the response that carry rate limit information. It can also be configured to record reaction information in the WebSEAL message log file. For more information, see Rate limiting.

  • SSH public key authentication

    The appliance can now be configured to allow administrators to access the command line interface using SSH public key authentication. For more information, see SSH key authentication.

  • Cloud-Init network configuration support

    The cloud-provided Cloud-Init metadata services can be used to supply static network configuration to a virtual appliance when you first start it. For more information, see Setting network configuration with Cloud-Init user-data.

  • REST API to query WebSEAL ACLs

    A new management REST API queries details about the Access Control Lists (ACLs) that are configured in the WebSEAL resource server. Administrators can search for ACLs by name or by extended attribute properties, and can now also search for protected objects by ACL name or extended attribute properties. More information can be found in the Web Services REST API documentation that is hosted on the Verify Access management interfaces.

  • Command-line tool to monitor internal database status

    The Verify Access command-line interface has a new tool to query the status of the internal configuration and high-volume databases. Administrators are now able to gather information about database resource usage and performance. The output from this tool can also return JSON formatted data.

  • Memory usage warning and alerts

    The system event logging capabilities of Verify Access are now able to monitor RAM usage on the appliance. Verify Access generates a warning event at 80% RAM usage and an alert at 90% RAM usage. The frequency with which events are generated and the thresholds for warning and alert events can be configured with Advanced Tuning Parameters.

  • Logging option in the database update tool

    The database update tool has a new flag to log the trace from SQL updates to files instead of the console (stdout). When logging is enabled, a summary of the database operations and their results is logged to the console, with more detailed information available in the corresponding log file. Logging to a file can help administrators quickly identify whether a database upgrade is successful, and determine the cause of a failure when an upgrade is unsuccessful. For more information, see the usage documentation of the database update tool.

  • Ignore NTLM authentication requests

    When SPNEGO authentication is configured, WebSEAL can now be configured to ignore NTLM authentication requests from clients. For more information, see spnego-ignore-ntlm-requests.

Advanced Access Control (AAC)

  • FIDO2 metadata services

    A separate truststore, in addition to the SSL truststore, can now be specified for verifying the signature of the downloaded metadata blob. For more information about configuring metadata services, see Manage Metadata Services.

  • FIDO2 Mediation request parameters

    In FIDO2 mediation, several FIDO2 request parameters are available to the mediator context, allowing the mediator mapping rule to access these parameters as they were presented in the calling request. These parameters are:

    • context.rawRequestData.clientDataJSON
    • context.rawRequestData.attestationObject
    • context.rawRequestData.authenticatorData

    More information can be found at the FIDO2 Mediation page.

  • FIDO2/WebAuthn Nickname Generation

    The fido_common.js template file was added to provide functions for generating a nickname for new FIDO registrations. Previously, navigator.platform (deprecated) was combined with a date string to generate the nickname. The new nickname generation functions instead prefer navigator.userAgentData to create a meaningful nickname based on the OS, browser, and authenticator type. The FIDO2 PAIR scenario and the Identifier First Authentication (IFA) scenarios were updated to use generatePasskeyNickname, one of the new functions.
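    The following added example is not the product's fido_common.js or its generatePasskeyNickname function; it illustrates the approach described above, preferring navigator.userAgentData and falling back to a coarse parse of navigator.userAgent when the newer API is absent. The navigator object and the date are passed in as parameters so it can be run outside a browser.

```javascript
// Added example (not the product's fido_common.js): build a passkey nickname
// from navigator.userAgentData when available, otherwise from the legacy
// user-agent string. The navigator object is injected so the function can be
// tested outside a browser; the label wording is this example's own choice.
function describeBrowser(nav) {
  const uad = nav.userAgentData;
  if (uad && Array.isArray(uad.brands)) {
    // Skip the GREASE placeholder brands Chromium inserts, e.g. "Not A;Brand".
    const real = uad.brands.filter((b) => !/not.?a.?brand/i.test(b.brand));
    // Prefer a specific brand over the generic "Chromium" umbrella entry.
    const pick = real.find((b) => b.brand !== "Chromium") || real[0];
    return { os: uad.platform || "Unknown OS", browser: pick ? pick.brand : "Browser" };
  }
  // Fallback: deliberately coarse parsing of navigator.userAgent.
  const ua = nav.userAgent || "";
  const os = /Windows/.test(ua) ? "Windows" : /Mac OS X/.test(ua) ? "macOS"
    : /Android/.test(ua) ? "Android" : /iPhone|iPad/.test(ua) ? "iOS"
    : /Linux/.test(ua) ? "Linux" : "Unknown OS";
  const browser = /Firefox\//.test(ua) ? "Firefox" : /Edg\//.test(ua) ? "Edge"
    : /Chrome\//.test(ua) ? "Chrome" : /Safari\//.test(ua) ? "Safari" : "Browser";
  return { os, browser };
}

// authenticatorAttachment is the value a browser reports on the created
// PublicKeyCredential ("platform", "cross-platform" or null).
function buildPasskeyNickname(nav, authenticatorAttachment, date = new Date()) {
  const { os, browser } = describeBrowser(nav);
  const kind = authenticatorAttachment === "platform" ? "Platform"
    : authenticatorAttachment === "cross-platform" ? "Security key" : "Passkey";
  const ymd = date.toISOString().slice(0, 10);
  return `${kind} - ${browser} on ${os} (${ymd})`;
}
```
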

  • FIDO2/WebAuthn Attestation and Assertion Timeout

    It is now possible to specify a custom timeout value for attestation and assertion requests. The timeout can be set in:

    • Relying party configuration. The timeout set for the relying party is applied to all requests unless a specific timeout is set by using one of the other methods in this list. The default timeout is 300 seconds. For more information, see FIDO2 Configuration.
    • Local FIDO client. A timeout can be passed as a parameter in the attestationOptions and assertionOptions method calls. For more information, see Local FIDO Client.
    • FIDO2/WebAuthn registration and authentication policies. For more information, see Authentication policy parameters and credentials.

  • MMFA configuration wizard

    The QR Code login endpoint set by the MMFA configuration wizard is now based on the setting of the advanced configuration entry sps.authService.policyKickoffMethod. If the entry is set as query, the query string format is used. Otherwise, the path format is used.

  • IBM Security Verify Gateway configuration wizard

    The QR Code login endpoint set by the IBM Security Verify Gateway configuration wizard is now based on the setting of the advanced configuration entry sps.authService.policyKickoffMethod. If the entry is set as query, the query string format is used. Otherwise, the path format is used.

Federation

  • Point of contact wizard for ISVA OIDC Container

    The point of contact wizard to configure OpenID Connect or OAuth 2.0 Provider Configuration can now configure the ISVA OIDC Container based provider. For more information, see Configuring a reverse proxy for OAuth and an OIDC Connect provider.

  • Update an existing API protection definition to add new grant types

    An existing API Protection Definition can be modified to add new grant types. For more information, see Managing API protection definitions.

  • Support for transfer-encoding chunked

    The /token and /introspect endpoints can now accept chunked requests. For more information, see the advanced configuration setting OAuth20.

  • Support for setting Key selection criteria for every SAML 2.0 Federation

    Key selection criteria can be set for every SAML 2.0 Federation, so each Federation can have a different certificate rollover strategy. For more information, see SAML 2.0 identity provider worksheet.

    A Runtime reload is required when this setting is updated.

  • OAuth 2.0 Security Best Practice

    Recommendations for making a Verify Access deployment compliant with the OAuth 2.0 Security Best Current Practice. See Achieving OAuth 2.0 Security Best Current Practice with Verify Access.

Supporting Program Updates

Some licenses of IBM Security Verify Access bundle supporting software. The following updates to this software were made in this release.

  • IBM Db2 Standard Edition

    The IBM Db2 Standard Edition was updated to v11.5.8.

For more information, see the license documents here.