What's new in this release
IBM® Security Verify Access provides new features and extended functions for Version 10.0.1.
Verify Access Platform
- Reverse Proxy Headers
Static HTTP headers can now be added to requests which are sent to junctioned servers. See header-data.
- Management Authentication
The management users, which can be used to authenticate against the Web UI, can now also be used to authenticate against the Command Line Interface (CLI). See Configuring management authentication.
- PostgreSQL failover support
When PostgreSQL is configured as the external config or runtime database, one or more failover servers can now be added. See Runtime database and Configuration database.
- Reverse Proxy Statistics
Statistics from the Reverse Proxy can now be published to a remote statsd server. See Sending statistics to Statsd.
- Reverse Proxy Snippet Filter
Pattern matching is now supported when matching snippet filter URIs. See pattern-match-uri.
- Command Line Interface
The following commands have been added to the ‘diagnostics’ component of the command line interface:
- ls: Generate a list of the files contained on the local system.
- ps: Generate a list of the processes running on the system.
- kill: Terminate the specified running process.
- Reverse Proxy Redirects
The Web Reverse Proxy can now be configured to automatically redirect HTTP requests to the corresponding HTTPS resource. See redirect-http-to-https.
- Reverse Proxy Persistent Sessions
The Web Reverse Proxy can now be configured to remember the username, which is used in a login form, and can also be configured to persist authenticated sessions across browser restarts. See Persistent Sessions.
- Credential Viewer Application
The attributes which are returned from the credential viewer application can now be filtered. See attribute-rule.
- Redis Support
The Web Reverse Proxy can now be configured to use a Redis server as an alternative to the Distributed Session Cache (DSC) for the remote storage of sessions. See Redis Session Cache.
- Filtering requests from the request.log
The HTTP transformation rules capability of the Web Reverse Proxy can now be used to control whether a particular request appears in the request log. See XSL Transformation Rules.
- OpenLDAP User Registry support
An OpenLDAP server can now be used as the Security Verify Access user registry. See Installing and configuring the OpenLDAP Server.
- Reverse Proxy Policy and Auditing
The reverse proxy can now be configured to use the contents of an HTTP header as the client IP address in authorization decisions and auditing records. See client-ip-http-header.
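A header-based client IP is only as trustworthy as the path the header travelled, so the check that belongs beside this setting is that the connecting peer is a proxy the deployment controls; otherwise the peer address itself is what authorization and audit should record. The following Python is an added example of that derivation and of an audit record that keeps both addresses. It is not Verify Access code or configuration: the trusted-proxy list, the header name and the sample requests are constructed for the illustration.

```python
"""Deriving the client IP used for authorization and audit records.

Added example (not IBM Security Verify Access code): the general technique a
header-based client-IP setting relies on, with the trusted-peer check around it.
"""
import ipaddress
from dataclasses import dataclass, field

# Constructed: the only peers allowed to assert a client IP on a request's behalf.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/24")]
# Assumed header name; a real deployment makes this configurable.
CLIENT_IP_HEADER = "x-forwarded-for"


@dataclass
class Request:
    peer_ip: str                      # TCP peer that connected to the reverse proxy
    headers: dict = field(default_factory=dict)

    def __post_init__(self):
        # HTTP header names are case-insensitive; normalise once on construction.
        self.headers = {k.lower(): v for k, v in self.headers.items()}


def peer_is_trusted(peer_ip: str) -> bool:
    addr = ipaddress.ip_address(peer_ip)
    return any(addr in net for net in TRUSTED_PROXIES)


def client_ip(req: Request) -> str:
    """Return the address to use in authorization decisions and audit records.

    The header is honoured only when the direct peer is a trusted proxy. A
    forwarding header may carry a comma-separated chain; the trusted proxy
    appends the address it actually saw, so the rightmost element is the one
    it vouches for. A missing or malformed value falls back to the peer address.
    """
    if not peer_is_trusted(req.peer_ip):
        return req.peer_ip
    raw = req.headers.get(CLIENT_IP_HEADER, "")
    candidates = [p.strip() for p in raw.split(",") if p.strip()]
    if not candidates:
        return req.peer_ip
    try:
        return str(ipaddress.ip_address(candidates[-1]))
    except ValueError:
        return req.peer_ip


def audit_record(req: Request, user: str, decision: str) -> dict:
    """Constructed audit record shape: keeps the derived client IP and the raw
    peer address side by side so the two can be correlated during an investigation."""
    return {
        "user": user,
        "client_ip": client_ip(req),
        "peer_ip": req.peer_ip,
        "header_present": CLIENT_IP_HEADER in req.headers,
        "decision": decision,
    }


if __name__ == "__main__":
    # Constructed sample: a request relayed by a trusted load balancer.
    via_lb = Request("10.0.0.5", {"X-Forwarded-For": "198.51.100.23, 203.0.113.7"})
    # Constructed sample: a direct connection that presents the same header.
    direct = Request("192.0.2.44", {"X-Forwarded-For": "203.0.113.7"})
    print(audit_record(via_lb, "alice", "permit"))   # client_ip 203.0.113.7
    print(audit_record(direct, "alice", "permit"))   # client_ip 192.0.2.44
```

Recording the peer address alongside the derived client IP costs one field per record and is what lets a later review tell a correctly relayed request from a header that was set on a direct connection.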
- Reverse proxy configuration
The following junction configuration entries can now be customised on a per-junction basis: ping-time, ping-attempt-threshold, recovery-ping-time, recovery-ping-attempt-threshold and match-vhj-first. See [junction] stanza.
- OpenShift 4.x Support
IBM Security Verify Access is supported on OpenShift 4.x. See Kubernetes support for information on setting up the Verify Access containers and see Docker image for OpenLDAP support for information on setting up the user registry.
- Kerberos Keys added to Node Replication
Kerberos keyfiles are now shared with all added nodes in a clustered environment.
- Kubernetes Health Checks
The health check script which is used in a Kubernetes environment has been improved to more reliably detect the health of the pods. See Kubernetes support.
- Certificate Expiry Notifications
The certificate expiry notifications which are generated by the appliance have been updated to include the name of the key database in which the expiring certificate resides.
- Web Reverse Proxy: Expect 100-continue support
The Web Reverse Proxy can now handle HTTP requests which contain the 'expect: 100-continue' HTTP header, as per section 8.2.3 of RFC 2616 (Hypertext Transfer Protocol – HTTP/1.1). See proxy-expect-header and expect-hdr-timeout.
Advanced Access Control
- MMFA Auditing
Auditing is now enhanced for MMFA authenticator, authentication method, and transaction flows. You can turn on auditing in Audit Configuration. See Configuring auditing on the appliance. The audit events for authenticator and authentication method flows will have the type AUDIT_WORKFLOW.
- Database clean-up thread enhancements
The database clean-up threads have been modified to remove the lazy loading characteristics. This results in each thread starting when the runtime server is started (instead of when the first database transaction is requested). In addition, administrators now have the ability to start and stop threads without impacting service availability (a runtime restart is no longer required). See Runtime database tuning parameters.
- IBM Security Verify integration: Factors
The IBM Security Verify Strong Authentication/API Integration is now updated to include support for the Factors endpoint (v2.0 of the initial Authentication Methods endpoint).
New methods for enrolling, managing, and verifying authentication factors are added to CiClient. See Embedded Cloud Identity API Calls in an Info Map Mechanism.
The out-of-the-box mapping rules are updated to use the new CiClient methods. See Cloud Identity API Integration.
- Advanced Access Control (AAC) User Registry – Group management
AAC user registry groups can now be managed. See Managing User Registries.
- Support for Apple Platform (FIDO2) Attestation
FIDO2/WebAuthn registration and authentication have been extended to include support for Apple platform authenticators (Touch ID and Face ID) using Safari. This also includes support for validating the Apple Platform Attestation Statement Format.
- FIDO compatibility with WebAuthn L2
Enhancements have been made to FIDO capabilities to be compatible with the Level 2 specification of WebAuthn. All changes are backwards compatible with clients which only support the Level 1 specification. The example JavaScript FIDO2 mediator has also been updated with demonstration scenarios using Level 2 features.
- HTTP response headers in an InfoMap Authentication Mechanism
A new JavaScript context variable "responseHeaders" has been added to InfoMap Authentication. By using this variable, an InfoMap author can set custom HTTP response headers. The complete list of available context parameters can be found here: Available Parameters in Info Map.
- AAC runtime server HTTP port update for Docker
When you are running IBM Security Verify Access on Docker, the AAC runtime server is now available via HTTP using port 80. See Scenario - AAC/Federation Runtime Configuration.
- RSA SecurID Authentication
A new RSA SecurID authentication mechanism has been provided which utilizes the new 'RSA SecurID Authentication API' when communicating with the RSA Authentication Manager. See Configuring an RSA SecurID one-time password mechanism.
Federation
- Federation User Registry – Group management
Federation user registry groups can now be managed. See Managing User Registries.
- Runtime monitoring support using Prometheus
Support for runtime monitoring can now be enabled with Prometheus. See Runtime monitoring using Prometheus.