Documentation updates for known limitations
We can view the known software limitations, problems, and workarounds on the IBM Security Verify Access Support site. The Support site describes not only the limitations and problems that exist when the product is released, but also any additional items found after product release. As limitations and problems are discovered and resolved, the IBM Software Support team updates the online knowledge base. By searching the knowledge base, we can find workarounds or solutions to problems that we experience.
Also, check the Troubleshoot topics.
Known limitations for ISAM
- A system error is displayed briefly when the Mozilla Firefox browser is refreshed.
When we use the Mozilla Firefox browser to access the local management interface, sometimes a system error is displayed briefly during a browser refresh. This error is displayed because the browser refresh causes an XMLHttpRequest (XHR) request to be canceled before the request finishes. The error does not indicate impact to normal operations and can be ignored.
- Unable to remove local users or groups from authorization roles with Mozilla Firefox on Mac OS X.
When we use the local management interface through a Mozilla Firefox browser on a Mac OS X system, we might not be able to remove a user or group from an authorization role. On the Management Authorization page of the local management interface, when we click Edit, the Edit Local Members window is displayed. To remove a user or group, we normally clear the check box for that user or group and then click OK to save the changes. However, if we use Firefox on Mac OS X to complete such an operation, the browser does not properly recognize the change and does not display any error message. The user or group list remains unchanged after we click OK.
To avoid this issue on Mac OS X, we have two options:
- Use a different browser to access the local management interface.
- Use the REST API. See the REST API documentation and browse to Manage: System Settings > System Settings > Management Authorization > Updating an authorization role.
- Lower throughput observed with certificate revocation list checking enabled
- Enabling certificate revocation list (CRL) validation might result in a lower throughput from the system. If your certificates do not have a CRL, we might want to disable CRL checking by using the advanced configuration parameter kess.crlEnabled. Alternatively, we might want to reduce the frequency of CRL checking by using the advanced configuration parameter kess.crlInterval. Note that with CRL checking disabled, a certificate that has been revoked by its issuer is still accepted, so reducing the checking frequency is the safer option where revocation matters.
- Client certificate authentication for federated directories is not supported for UsernameTokenSTSModule
- When configuring a federated directory, do not select a client certificate.
- In rare circumstances, an OAuth access token validation might fail.
- These failures have been observed very shortly after a restart of the Advanced Access Control runtime server. The sequence that reproduces the symptom is:
  1. Restart the Advanced Access Control runtime server.
  2. Execute an OAuth flow, such as the Resource Owner Password Credentials flow, to obtain a valid access and refresh token pair.
  3. Attempt to use the access token to access a resource that is protected by the API Definition associated with the OAuth client that was granted the access token.
Step 3 has been observed to fail on rare occasions. The cause is delayed initialization of some internal Advanced Access Control runtime components after the restart. Normal successful processing has been observed when the request for the protected resource in step 3 is resubmitted.
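The resubmission in step 3 is easy to get wrong in a client: retrying forever hides a genuinely invalid token, and never retrying turns a transient post-restart failure into a user-visible error. The following is an added example, not IBM's code, of a bounded single retry. It assumes the failed validation surfaces to the client as HTTP 401 (the transport is injected so the example runs offline; in production it would be a function that performs the HTTPS GET with the bearer token), and the FlakyAfterRestart transport is a constructed model of the symptom, not a capture from an appliance.

```python
"""Added example (not IBM's code): bounded retry for the transient OAuth
token validation failure seen right after an Advanced Access Control
runtime restart."""
import time
from typing import Callable, Tuple

# A transport is any callable (url, access_token) -> (status, body).
# It is injected so the example runs offline; in production, pass a
# function that performs an HTTPS GET with "Authorization: Bearer <token>".
Transport = Callable[[str, str], Tuple[int, str]]


def fetch_protected(transport: Transport, url: str, access_token: str,
                    retries: int = 1, delay_s: float = 0.5,
                    sleep: Callable[[float], None] = time.sleep) -> Tuple[int, str]:
    """Request the protected resource; resubmit at most `retries` times if
    validation fails (assumed to surface as HTTP 401). Any other status is
    returned unchanged, and a 401 that persists after the retries is a real
    authorization failure rather than the transient one."""
    status, body = transport(url, access_token)
    for _ in range(retries):
        if status != 401:
            break
        sleep(delay_s)
        status, body = transport(url, access_token)
    return status, body


class FlakyAfterRestart:
    """Constructed transport modelling the page's symptom: the first
    `fail_first` validations after a restart reject a valid token."""

    def __init__(self, fail_first: int = 1):
        self.remaining_failures = fail_first
        self.calls = 0

    def __call__(self, url: str, token: str) -> Tuple[int, str]:
        self.calls += 1
        if token != "valid-token":          # a genuinely bad token never succeeds
            return 401, '{"error":"invalid_token"}'
        if self.remaining_failures > 0:     # transient post-restart rejection
            self.remaining_failures -= 1
            return 401, '{"error":"invalid_token"}'
        return 200, '{"orders":[]}'


if __name__ == "__main__":
    transport = FlakyAfterRestart(fail_first=1)
    result = fetch_protected(transport, "https://webseal.example.com/api/orders",
                             "valid-token", sleep=lambda _: None)
    print(result, "after", transport.calls, "requests")
```

A single retry with a short delay is enough for the condition described above; a larger retry count only delays the error a client gets for a token that really is invalid.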
- Junction type for ISAM Oracle PeopleSoft PeopleTools integration
When accessing the PeopleSoft WorkCenter Dashboard through WebSEAL by using a standard junction type, the dashboard is not displayed correctly. The browser issues the message "Only secure content is displayed" with a "Show all content" button. When this button is clicked, an Oracle authentication login panel is displayed. Note that the full URI of the server is used instead of just the junction name, because the content contains an absolute address that WebSEAL cannot filter when a standard junction type is used. For example:
<DIV id="ptasjs1"> http://hostaddress/cs/pathhe /PT_PORTAL_UTIL_JS_MIN_1.js</DIV>
In this case, a virtual host junction type must be used to avoid the limitations of standard junction script filtering.
- Tooltips display issue
- Tooltips might not display if we use the keyboard (for example, the Tab key) to navigate to a field. Tooltips are displayed properly when we use a mouse to navigate to the field.
- Creating a PIP resource when the server connection for the database or LDAP is not available returns the wrong response
- For example, consider the following command (the -k option disables TLS certificate verification and DES-CBC3-SHA is a deprecated cipher; both are acceptable only against a lab appliance):
curl -k -b whatigot -s -S --ciphers "DES-CBC3-SHA" -X "POST" \
  -H "Accept:application/json" -H "Content-Type: application/json" \
  --data-binary '{"name":"tldap1234","description":"","attributes":[{"name":"trusteer.pinpoint.csid","selector":"wrongtestLdap"}],"type":"LDAP","predefined":false,"properties":[{"datatype":"String","readOnly":false,"sensitive":false,"value":"objectclass=abc","key":"searchBaseDN"},{"datatype":"String","readOnly":false,"sensitive":false,"value":"cn=*","key":"searchFilter"},{"datatype":"String","readOnly":false,"sensitive":false,"value":"0cdebb0c-49d9-4179-a47a-52f759a4ff57","key":"dataSource"}]}' \
  --user admin:admin -D whatigot "https://{appliance_host}/iam/access/v8/pips/"
The expected response is as follows:
HTTP/1.1 400 Bad Request
But the actual response is as follows:
HTTP/1.1 201 Created
Because the 201 response does not prove that the data source is reachable, verify the server connection separately after creating the PIP.
- The error message "illegal character" when we modify an SSO rule is always displayed in English
- The error message "illegal character" is always displayed in English, no matter which locale your browser uses.
- Audit events cannot be sent to the remote syslog server if certain information is not provided
- If we choose to send the audit events to a remote machine, specify the correct details on the Audit Configuration page for host, port, protocol, and certificates. Otherwise, the audit events cannot be sent to the remote machine.
- Attribute sources that are being used by a federation or partner can be deleted
- Users can accidentally delete attribute sources that are in use by a federation or partner. Such an operation causes errors in the federation. We must ensure that an attribute source is not in use before we delete it.
- Federation module: The email address name ID format requires a mapping rule
- If we use an email address name ID format in a SAML 2.0 federation, we must set the type of the STS Universal User attribute whose name is "name" to:
"urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
We can accomplish this by using a mapping rule. The following is an example:
// Get the current principal name.
var principalName = stsuu.getPrincipalName();
// Set the type of the principal name attribute "name" to
// "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress".
stsuu.addPrincipalAttribute(new Attribute("name", "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress", principalName));
- Personal certificates are not included in the list of selections when we choose certificates to use for encryption or signature validation with the SAML 2.0 partner management GUI
- If we use the local management interface to choose certificates to be used for encryption or signature validation, only signer certificates are available for selection. Personal certificates are not included in the list of selections. A workaround is to use the REST API for such operations.
- Federation module: The RSA-OAEP key encryption algorithm is not supported with HSM keys
- IBM Security Verify Access does not support decryption of SAML 2.0 messages that use the RSA Optimal Asymmetric Encryption Padding (RSA-OAEP) key transport algorithm with Hardware Security Module (HSM) keys. The RSA-OAEP algorithm is supported with software (non-HSM) keys. For information on RSA-OAEP, see http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p.
- The upgrade from Security Access Manager 8.0, 8.0.0.1, and 8.0.0.2 does not correctly migrate the authentication module policies for ISAM for Mobile
- The workaround is to create the default set of authentication policies with the local management interface or the REST API.
The following link creates a customized query of the live Support knowledge base for items specific to IBM Security Verify Access, Version 9.0, and its fix packs.
IBM Security Access Manager technical documents
We can also create our own search query on the IBM Support Portal. For example:
- Go to the IBM Support Portal: http://www.ibm.com/support/entry/portal/support
- In the "Search support and downloads" field, enter: Verify Access.
- Configuring an Identity Provider and a Service Provider as partners on the same appliance or on the same external HVDB is not recommended
- An Identity Provider and a Service Provider that are partners of each other should not be configured on the same appliance or share the same external HVDB, because several features might not function correctly. The problems that might be encountered include, but are not limited to, the following:
- HTTP Artifact binding SAML single sign-on flows do not work, due to key conflicts when the messages are stored in the runtime database.
- The STS chain mappings that are created internally for the Identity Provider and the Service Provider have identical 'issuer' and 'applies to' values, which can lead to unexpected behavior during the runtime flow.
- Database contention, because the DMAP entries could be inserted or modified simultaneously by the Identity Provider and the Service Provider.
It is recommended that an Identity Provider and a Service Provider that are partners reside on separate appliances, each configured with its own external HVDB.
- Synchronization of WebSEAL data is unable to handle deleted junctions
- The current WebSEAL sync functionality is designed to pick up new entries or junctions and modifications to existing entries or junctions. However, it is currently unable to detect a deleted junction or entry. This limitation applies to both configuration entries and junctions.
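Because sync never propagates a deletion, a junction or configuration entry removed from the primary lives on in every replica until someone notices. The following is an added example, not IBM's code, of a script that finds such leftovers by diffing the two sides. It assumes the junction listing is the output of `pdadmin server task <instance> list` with one junction point per line, and that the configuration is WebSEAL's stanza-style .conf format; the sample listings and stanzas are constructed, not captured from a real appliance.

```python
"""Added example (not IBM's code): find junctions and configuration entries
that were deleted on the primary WebSEAL but still exist on a replica,
since WebSEAL sync does not propagate deletions."""
from typing import Dict, List, Set


def parse_junction_listing(listing: str) -> Set[str]:
    """Parse `pdadmin server task <instance> list` output (assumed to be one
    junction point per line, e.g. '/app'); anything else is ignored."""
    return {line.strip() for line in listing.splitlines()
            if line.strip().startswith("/")}


def parse_stanza_entries(config: str) -> Dict[str, Set[str]]:
    """Parse a WebSEAL-style .conf into {stanza: {'key = value', ...}}.
    Duplicate keys are legal in webseald.conf, so each stanza is kept as a
    set of normalised entry lines rather than a key -> value map."""
    entries: Dict[str, Set[str]] = {}
    stanza = None
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            stanza = line[1:-1]
            entries.setdefault(stanza, set())
        elif stanza is not None and "=" in line:
            key, _, value = line.partition("=")
            entries[stanza].add(f"{key.strip()} = {value.strip()}")
    return entries


def deleted_junctions(primary_listing: str, replica_listing: str) -> List[str]:
    """Junctions present on the replica that no longer exist on the primary."""
    return sorted(parse_junction_listing(replica_listing)
                  - parse_junction_listing(primary_listing))


def deleted_entries(primary_conf: str, replica_conf: str) -> Dict[str, List[str]]:
    """Configuration entries, per stanza, present on the replica but not on
    the primary (a stanza missing entirely from the primary is reported whole)."""
    primary = parse_stanza_entries(primary_conf)
    replica = parse_stanza_entries(replica_conf)
    stale: Dict[str, List[str]] = {}
    for stanza, lines in replica.items():
        missing = sorted(lines - primary.get(stanza, set()))
        if missing:
            stale[stanza] = missing
    return stale


# Constructed sample data (not captured from a real appliance).
PRIMARY_JUNCTIONS = "/\n/app\n"
REPLICA_JUNCTIONS = "/\n/app\n/old-app\n"
PRIMARY_CONF = """
[junction]
http-timeout = 120
[server]
worker-threads = 50
"""
REPLICA_CONF = """
[junction]
http-timeout = 120
ping-time = 300
[server]
worker-threads = 50
[legacy]
foo = bar
"""

if __name__ == "__main__":
    print("junctions to remove on replica:", deleted_junctions(PRIMARY_JUNCTIONS, REPLICA_JUNCTIONS))
    print("entries to remove on replica:", deleted_entries(PRIMARY_CONF, REPLICA_CONF))
```

The script only reports; removing the stale junctions and entries on the replica remains a deliberate administrative step, which is the right default for anything that changes what a reverse proxy exposes.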
- Local management interface (LMI) session timeouts
- LMI sessions expire after the duration of time specified by the Session Timeout field on the Administrator Settings page. When a session timeout occurs, we are automatically logged out and any unsaved data on the current page is lost. Save your configuration updates in the LMI regularly to avoid data loss in the event of a session timeout.
- PAM Support
- The Web Application Firewall capability, which is based on the Protocol Analysis Module (PAM), will reach end of service on 31 December 2022. After this date, no further updates will be made available. Customers can continue to use the capability on an as-is basis, and support will be available for general information and existing functionality only. No defect support will be available.
Parent topic: Product overview