What's new in this release

IBM Security Verify Access provides new features and extended functions for Version 10.0.7.

Verify Access Platform

  • Logging the status of the cluster restart services from the command line

    When the command line interface is used to restart the cluster services, the status of each individual service stop and start is logged in the cluster log file. To view the log file, go to the Application Log Files page in the LMI and find the msg__cluster_mgr.log file in the cluster section.

  • Extra details in SSL Certificates View dialog

    When you view a certificate or certificate request in the configuration UI, you can now see more details along with the certificate content. The details can include the serial number and the signature algorithm, which were not previously visible in any UI dialogs.

  • Rate Limit Lockout

    You can now specify the length of time that matching requests are locked out when the configured WebSEAL capacity is exceeded. See Rate Limiting Policy Files.

  • Environment property for verifying connections to the configuration snapshot service

    A new environment property CONFIG_SERVICE_TLS_CACERT is required when the configuration snapshot service is used for Verify Access container deployments. If the certificate environment property is not set when the configuration snapshot service is used, the container does not bootstrap. For more information, see:

  • Environment property for encrypting and decrypting configuration snapshots

    A new environment property CONFIG_SNAPSHOT_SECRETS can be set in configuration and runtime containers to encrypt and decrypt configuration snapshot files. For more information, see:

  • Group membership search optimizations

    You can now optimize how group membership of a user is determined in WebSEAL when using federated registries. See Managing federated directories.

  • Lua transformation rule extensions

    Extra capabilities are available for the Lua transformation rule support:
    • Create custom authorization rules.
    • Create custom authentication mechanisms.
    • Add custom attributes to an authenticated credential.

    See Lua Transformation.

  • Reverse Proxy JWT field types

    When the Reverse Proxy constructs a JWT, credential attributes can be configured to always be added as an array, regardless of how many values the attribute has. See claim

  • VMware ESXi 8.0

    The Virtual Appliance can now be run on VMware ESXi 8.0 servers and supports VMware Paravirtual disks. See Installing the virtual appliance by using VMware.

  • Container Infrastructure

    The convenience OpenLDAP container that is shipped with prior releases is no longer updated or maintained. The container deployment of IBM Security Verify Directory can be used as a comparable alternative.

  • Container Platform

    The Appliance and Virtual Appliance can now host selected IBM containerized applications. See Container Platform.

Advanced Access Control (AAC)

  • Authentication policy kickoff method

    The default value for the advanced configuration entry sps.authService.policyKickoffMethod was changed from query to path. This entry controls the format of the URL that is used to invoke an authentication policy. Changing this entry to path allows administrators to set or use ACLs, POPs or CBA policy to prevent access to certain Authentication policies where necessary.

    This change has the following impacts:

    • The default value is only set for new installations and does not affect an upgrade from a previous version.
    • A new macro is available for Infomap authenticators @KICKOFF_METHOD@ that can be used to determine dynamic URLs.
    • Template files and example mapping rules available in the access_control section of the File Downloads LMI page are updated to use the new default value. Consider this update when you upgrade from a previous version and apply any new mapping rules or template files.

    For more information, see Common advanced configuration properties.
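    To see why the path form matters for access control, here is an added Python illustration (not IBM code; the URL shapes, the ACL names and the prefix-matching logic are assumptions) of how a per-policy ACL can attach to a path-based kickoff URL but not to a query-based one, because the query string is not part of the protected object:

```python
from urllib.parse import urlsplit

# Assumed URL shapes for the two kickoff methods (illustrative, not taken from the page).
AUTHSVC = "/mga/sps/authsvc"
POLICY_PREFIX = "urn:ibm:security:authentication:asf:"


def kickoff_url(policy_name: str, method: str) -> str:
    """Build the kickoff URL for a policy under the 'query' or 'path' method."""
    if method == "query":
        return f"{AUTHSVC}?PolicyId={POLICY_PREFIX}{policy_name}"
    if method == "path":
        return f"{AUTHSVC}/policy/{policy_name}"
    raise ValueError(f"unknown kickoff method: {method}")


def protected_object(url: str) -> str:
    """An ACL attaches to the URL path; the query string is not part of it."""
    return urlsplit(url).path


def most_specific_acl(path: str, acls: dict) -> str:
    """Return the ACL on the longest matching path prefix, mimicking ACL
    inheritance down a protected object tree (assumed simplification)."""
    matches = [p for p in acls if path == p or path.startswith(p.rstrip("/") + "/")]
    best = max(matches, key=len, default=None)
    if best is None:
        raise LookupError(f"no ACL covers {path}")
    return acls[best]


# Constructed ACL table: everyone may reach the auth service, but one policy
# is meant to be reserved for administrators.
ACLS = {
    "/mga/sps/authsvc": "allow-everyone",
    "/mga/sps/authsvc/policy/admin_otp": "admins-only",
}


def acl_for(policy_name: str, method: str) -> str:
    """Which ACL governs invoking this policy under the given kickoff method."""
    return most_specific_acl(protected_object(kickoff_url(policy_name, method)), ACLS)


if __name__ == "__main__":
    for method in ("query", "path"):
        print(method, "->", acl_for("admin_otp", method))
```

Under the query method every policy resolves to the same protected object, so the admins-only ACL is never consulted; under the path method the policy-specific ACL applies.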

  • Oracle server connection

    The full JDBC URL can now be specified for an Oracle server connection rather than by using the server name and port to generate the connection string. For more information, see Managing server connections.

  • HttpClientV2

    The RequestParameters object that contains the various parameters that the HttpClientV2 requires can now contain a cookie store. The cookie store is sent with that HTTP request, and the returned HttpResponse object contains the updated cookie store. When several requests are chained, the cookie store must be extracted from each response and set on the next request, because the HttpClientV2 does not retain cookie state after a request completes.

  • Relying Party FIDO Metadata Service

    A relying party now checks for expired metadata and, if required, makes updates in a stand-alone asynchronous thread. A separate thread is created for each configured relying party that includes at least one metadata service. Each thread sleeps for a configurable time and wakes to check the expiration status of the metadata received from a metadata service. If expired, it attempts to update the metadata and returns to the sleep state. This change means that the retry interval that is set for each configured metadata service no longer exists. For more information, see Manage Metadata Services and FIDO2 Configuration.

  • MMFA Advanced Configuration

    A new tab was added to the MMFA Configuration page that allows Advanced Configuration properties under the MMFA category to be updated. The page contains useful descriptions and a map of inputs to configuration properties. See MMFA Advanced Configuration.

  • Audit tagging

    Audit configuration was changed to allow administrators to configure a tag that is inserted into audit entries. See Configuring auditing on the appliance.

  • MAC OTP customizable template page paths

    The template pages presented to the user during a MAC OTP policy can now be configured to reference different template file paths on both policy and mechanism levels. See Configuring a MAC one-time password mechanism and Authentication policy parameters and credentials.

  • USC Passkey Account Create policy

    A new out-of-the-box user self-care policy was added that prompts a user to enroll a passkey instead of setting a password. See Passkey Account Create policy.

  • Audit Configuration

    Auditing for individual components can now be enabled or disabled rather than a single global enablement for all components. When global auditing is enabled, enable or disable the individual components from the Audit Configuration page. See Configuring auditing on the appliance.

Federation

  • Support for SearchControl for AttributeUtil search function

    SearchControl parameters can now be provided when a search is done through the AttributeUtil mapping rule utility. Read the Javadoc for more details.

  • Support for signing.kid claim as a WST claim

    signing.kid can now be consumed when sent as a WST claim during an STS chain invocation.

Supporting Program Updates

Some licenses of IBM Security Verify Access bundle supporting software. The following updates to this software were made in this release.

  • IBM Db2 Standard Edition

    The IBM Db2 Standard Edition was updated to v11.5.8.

For more information, see the license documents here.