Critical changes in this release

This topic highlights changes in IBM Security Verify Access version 10.0.7 that might affect compatibility with an earlier version.

Platform

  • TLS Certificate for Configuration Snapshot Service

    The configuration snapshot service was changed to require a new environment property, CONFIG_SERVICE_TLS_CACERT. This property defines an X.509 certificate bundle that is used to verify connections to the configuration snapshot service. If this property is missing, the configuration snapshot is not retrieved from the configured HTTPS URL and the container does not bootstrap. For more information, see the help documentation for the applicable container.
  • Container Infrastructure

    The convenience OpenLDAP container that is shipped with prior releases is no longer updated or maintained. The container deployment of IBM Security Verify Directory can be used as a comparable alternative.

Advanced Access Control (AAC)

  • Authentication policy kickoff method

    The default value for the advanced configuration entry sps.authService.policyKickoffMethod was changed from query to path. This entry controls the format of the URL that is used to invoke an authentication policy. Setting this entry to path allows administrators to use ACLs, POPs, or CBA policies to restrict access to specific authentication policies where necessary.

    This change has the following impacts:

    • The default value is only set for new installations and does not affect an upgrade from a previous version.
    • A new macro, @KICKOFF_METHOD@, is available to Infomap authenticators and can be used to build URLs dynamically.
    • Template files and example mapping rules in the access_control section of the File Downloads LMI page are updated to use the new default value. Consider this update when you upgrade from a previous version and apply any new mapping rules or template files.

    For more information, see Common advanced configuration properties.

  • Relying Party FIDO Metadata Service

    A relying party now checks for expired metadata and, if required, updates it in a stand-alone asynchronous thread. A separate thread is created for each configured relying party that includes at least one metadata service. Each thread sleeps for a configurable time, wakes to check the expiration status of the metadata received from a metadata service, attempts to update the metadata if it has expired, and then returns to the sleep state. As a result, the retry interval that was set for each configured metadata service no longer exists. For more information, see ../../config/concept/con_mng_metadata_svc.dita and FIDO2 Configuration.

  • Audit Configuration

    Auditing can now be enabled or disabled for individual components rather than through a single global setting for all components. This change adds a new extended data element to each logged audit event: the eventGroup element references the audit component group that created the event. Auditing for the referenced audit component group can be enabled or disabled in the audit configuration. For more information, see Configuring auditing on the appliance.

  • Passkey Rebrand

    Several template pages were changed to use the term "passkey" instead of "FIDO" or "FIDO2". The updated pages are included in the following scenarios:
    • FIDO2 WebAuthn Authenticator mechanism
    • FIDO2 WebAuthn Registration mechanism
    • QR Code Authenticator mechanism
    • Identifier First Authentication Scenario policy
    • FIDO2 Platform Authenticator Inline Registration Scenario policy
    • Second Factor Decision policy
    • Device selection page

Federation

  • RSA1_5 is no longer a supported Key Agreement Algorithm for JWT encryption.

    RSA1_5 is no longer supported as a Key Agreement Algorithm for id_token encryption or for JWT encryption through an STS chain.
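    As an added example that is not part of the IBM documentation, the following Python check scans existing JWE compact serializations (for example, id_tokens or STS-issued tokens captured from a test environment) for the removed RSA1_5 key management algorithm, so that affected clients can be found before an upgrade. The sample tokens are constructed and the function names are my own.

```python
"""Pre-upgrade check: flag JWE compact serializations whose protected
header uses alg RSA1_5, which Verify Access 10.0.7 no longer accepts for
id_token / STS JWT encryption. Added example, not IBM code; the sample
tokens built below are constructed, not captured from a real deployment."""
import base64
import json

# The release notes name only the removed algorithm, so this check looks
# for that one rather than enumerating what 10.0.7 still accepts.
REMOVED_JWE_ALGS = {"RSA1_5"}

def b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the padding that JOSE strips."""
    segment = segment.strip()
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def protected_header(jwe: str) -> dict:
    """Return the parsed protected header of a compact JWE (5 segments).
    Raises ValueError for anything that is not a compact JWE."""
    parts = jwe.split(".")
    if len(parts) != 5:
        raise ValueError(f"expected 5 JWE segments, got {len(parts)}")
    try:
        header = json.loads(b64url_decode(parts[0]))
    except (ValueError, UnicodeDecodeError) as exc:
        raise ValueError("protected header is not base64url JSON") from exc
    if not isinstance(header, dict) or "alg" not in header:
        raise ValueError("protected header has no alg member")
    return header

def uses_removed_alg(jwe: str) -> bool:
    """True if the JWE's key management algorithm is one 10.0.7 removed."""
    return protected_header(jwe)["alg"] in REMOVED_JWE_ALGS

def make_sample_jwe(alg: str, enc: str = "A128CBC-HS256") -> str:
    """Build a constructed compact JWE with placeholder (non-decryptable)
    key, IV, ciphertext and tag segments; only the header is meaningful."""
    hdr = base64.urlsafe_b64encode(
        json.dumps({"alg": alg, "enc": enc}).encode()).rstrip(b"=").decode()
    filler = base64.urlsafe_b64encode(b"\x00" * 16).rstrip(b"=").decode()
    return ".".join([hdr, filler, filler, filler, filler])

if __name__ == "__main__":
    for alg in ("RSA1_5", "RSA-OAEP-256"):
        token = make_sample_jwe(alg)
        verdict = "breaks on 10.0.7" if uses_removed_alg(token) else "ok"
        print(f"{alg}: {verdict}")
```

    In a real assessment, feed the captured compact serializations to uses_removed_alg instead of make_sample_jwe; tokens whose header is unparseable raise ValueError and should be reviewed by hand.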

  • The Username token STS module does not support the Include the digest of the password value option.

    The Username token module in Issue mode does not support the Include the digest of the password value option.