What's new in this release
IBM Security Verify Access provides new features and extended functions for Version 10.0.8.
Verify Access Platform
- Auditing records are generated for commands that are called from the command line.
An audit record for all commands that are called from the command line is generated and sent to the system event log.
- Global tracing web service.
A list of the current tracing status for all components that support tracing can be retrieved by using the tracing web service. The list can include only components with trace enabled or a comprehensive list that shows the tracing status regardless of enablement. For more information, see the Web Services documentation in the LMI and find the tracing web service that is part of the All list.
- Global tracing CLI command.
A list of the all components that currently have tracing enabled can be retrieved by using the isam tracing_status CLI command. For more information, see Command-line interface.
- User create command.
A user account can be made valid when the account is first created by using the -account-valid option of the padmin user create command. For more information, see user create.
- Kerberos keytab management
Kerberos keytab files that were previously imported by using the management interface can now be exported from the appliance. For more information, see Managing keytab files or Managing keytab files in the Web Services documentation.
- WebSEAL request log directives.
The value of an environment variable can be added to the WebSEAL request log. For more information, see Customizing the HTTP request log.
- SFTP access to support files.
The support files that a Verify Access appliance generates can now be retrieved with an SFTP client. Administrators who have SSH access can also connect with an SFTP client to download support files. For more information, see SFTP support file management.
- WebSEAL EAI session logout.
An EAI response HTTP header can be set to logout the current user session. For more information, see EAI Server Task.
- Snapshot manager.
The container image that provides the snapshot manager functionality sends messages to the console in JSON format, and also supports the ability to delete a stored snapshot. For more information, see Docker image for Verify Access Snapshot Manager.
- Configuration container
The lightweight and secure verify-access-config container can be used to configure a containerized environment. For more information, see Docker image for Configuration.
- JWT configuration
Default configuration for creating a JSON Web Token can be specified in the
[jwt]configuration stanza. For more information, see Configuration. - JWT data types
Data types can now be specified for claims that are obtained from credential attributes in a JSON Web Token. For more information, see claim.
- WebSEAL OIDC Relying Party Proof Key for Code Exchange
The reverse proxy OIDC Relying Party can now use Proof Key for Code Exchange (PKCE) during the authorization code flow. For more information, see enable-pkce.
- External configuration database.
An external database can be configured in a containerized environment to store configuration data. For more information, see Configuration database.
- Container administrator password
The ADMIN_PWD_MODE environment variable in a containerized environment controls whether the provided administrator password can be changed by using the web console. For more information, see Docker image for Security Verify Access and Docker image for Configuration.
- Auditing filter
Auditing events can be excluded from the auditing log. For more information, see Parameters for the logcfg entry.
- Container Platform
The embedded runtime database is accessible from containerized applications. For more information, see Runtime database access.
- OIDC SSO authentication to the Local Management Interface.
The Local Management Interface can now be configured to accept authentication from external identity providers that use the OIDC 2.0 specification. For more information, see Configuring management authentication.
Advanced Access Control (AAC)
- STSUniversalUser API.
The STSUniversalUser API can be used to parse an iv-creds string to create an STSUniversalUser. For more information, see Security Token Service Universal User document.
- SCIM Security Entity Attributes
Security entity attributes, such as secPwdFailures, can now be returned in SCIM payloads under the Verify Access user schema. Each attribute must be configured with a mapping to a SCIM attribute. For more information, see Verify Access user.
- Authentication Policy Import
Authentication policies can be imported in a bundle file. For more information, see Importing a bundled authentication policy.
- Managing the runtime server
The menu can be used to stop and start the runtime server. For more information, see Tuning runtime application parameters and tracing specifications
- New context properties in InfoMap JavaScript authentication rules.
Two new properties are available in the InfoMap JavaScript mapping rules context. These properties give administrators access to the current and next state of the current authentication policy. For more information, see Table 2.
- Passkey metadata
A new page is available for an administrator to view the state of any Passkey metadata that is being used by the runtime server. For more information, see Viewing your runtime data state.
- OTP Enrollment mechanism
A new mechanism, OTP Enrollment, was added to allow users to enroll a TOTP or HOTP during a policy execution. For more information, see Configuring an OTP enrollment mechanism.
- SMS gateway server connection
A new server connection type was added to allow administrators to share SMS gateway configuration between authentication policies. For more information, see Managing server connections.
- OTP policy configuration
The TOTP, HOTP and MAC OTP mechanisms were extended to have new properties at the mechanism level for template pages, and existing mechanism configuration was added at the policy level. See Configuring a TOTP one-time password mechanism, Configuring an HOTP one-time password mechanism, Configuring a MAC one-time password mechanism, and Authentication policy parameters and credentials.
Digital Credentials
- Support for Verifiable Credentials
A digital credentials service is available to support Verifiable Credentials. For more information, see Digital Credentials overview.
Supporting Program Updates
Some licenses of IBM Security Verify Access bundled supporting software. The following updates to this software were made in this release.
- None