Verify IBM Security Access Manager v10 - What's new
IBM Security Verify Access Platform
Authorization REST API
The web reverse proxy embeds an application that provides a REST API for evaluating authorization decisions.

Credential Viewer Application
The web reverse proxy embeds an application that returns the credential information for an authenticated session.

Cross Origin Resource Sharing (CORS)
The web reverse proxy handles CORS processing, including cross-origin requests and pre-flight requests, on behalf of backend applications. See the [cors-policy:<policy-name>] stanza. CORS policies can also be managed as part of API Access Control: global policies can be created and attached individually to any existing or new API Access Control resource.

Default TCP Tuning Parameters
Certain TCP tuning parameters are set by default in the appliance.

Web reverse proxy TLS 1.1 support
By default, TLS 1.1 browser support is disabled within the web reverse proxy. To re-enable it, set disable-tls-v11 to "no".

Command Line Interface
The command line interface can use curl to test remote web server connectivity. This is available from the "tools" menu.

Configuration UI Updates
The Local Management Interface (LMI) is modernized and makes use of the Carbon Design System.

WebSEAL OAuth EAS
The WebSEAL OAuth EAS can be configured to add credential attributes to the request sent to the WS-Trust service of the Federation runtime.

JWT Support
The web reverse proxy natively generates signed JSON Web Tokens in HTTP request headers, which are forwarded to junctioned servers. The API Access Control resource server web services and UI can be used to configure JWT generation for the selected resource server.

Web reverse proxy content insertion
The web reverse proxy can be configured to insert content into responses based on partial line matches using [snippet-filter:<uri>:partial-line-match].

Docker Image
A new environment variable, USE_CONTAINER_LOG_DIR, can be set in the Docker container to specify that a container-specific log directory will be used. The ADMIN_PWD environment variable is only used to seed the administrator password in the environment; the password can still be changed using the management UI.

Remote Syslog Forwarding
In addition to the messages and trace logs, the Advanced Access Control and Federation runtime log files can be forwarded to a remote syslog server.

Web reverse proxy TLS Ciphers
The default accepted TLS ciphers within the web reverse proxy have been strengthened using the [ssl-qop-mgmt-default] stanza.

WebSEAL Cookie Attributes
WebSEAL can be configured to add static cookie attributes to HTTP response cookies just before they are returned to clients.

Solid DB Support dropped
Support for the Solid DB database as a store for runtime and configuration data is dropped.

Password Quality
Password quality requirements are enforced for the administrator password and LMI system accounts.

Helm Charts
The Helm charts for ISAM have been relocated to a new GitHub repository.

PAM Support
The Web Application Firewall capability will reach end of service on 31st December, 2022. After this date, no further updates will be made available. Customers can continue to use the capability on an as-is basis, and support will be available for general information and existing functionality only. There will be no defect support available.
Advanced Access Control
FIDO2 Auditing Manager
The auditing of FIDO2 registration and authentication ceremonies is supported.

Registration Helper for JavaScript Mapping Rules
Administrators can retrieve the enrollment status and enrollment data of a user's registered 2FA mechanisms from within a JavaScript mapping rule.

Advanced HTTP Client
There is a new version of the HTTP client that can be used in mapping rules. The JavaDoc for the new client is available on the appliance from: System > Secure Settings > File Downloads > access_control folder > doc folder > ISAM-Javadoc.zip
The full name of the new client class is com.ibm.security.access.httpclient.HttpClientV2.

Local FIDO2 Client
A new Java class, com.tivoli.am.fim.fido.LocalFIDOClient, is exposed in InfoMap and exposes the FIDO2 API. Admins no longer have to rely on HTTP callouts to implement customized FIDO2 flows.

FIDO2 Relying Party WebAuthn Specification Enforcement
Allows an administrator to enable or disable enforcement of the WebAuthn specification, which requires user presence during attestation and assertion, using a configuration option added to the Relying Party creation and modification interfaces.

FIDO2 Extension support
ISAM v10 adds support for FIDO2 extensions during registration and authentication ceremonies. For examples of consuming FIDO extensions during attestations and assertions, see the FIDO mediator demo available on the appliance: Manage System Settings > Secure Settings > File Downloads > access_control folder > examples > mapping_rules

FIDO2 Registrations Admin API Filtering
Supports searching registrations by a selected attribute and limiting search results to a specified number.

Branching Authentication Policies
Authentication policies support decisions and branches, which enable more complex scenarios than simple workflows with serial steps.
Federation
Support for x5t and x5c in JWKS endpoint and JWT headers
Displays the x5t#S256 and x5c values of JSON Web Keys. A helper class allows generation of the certificate thumbprint (x5t, x5t#S256) and chain. This is useful for users who want to add the x5t value to the JWT header.

Support for X.509 STS Module
The ISAM Federation component supports X.509 for the STS module.

Improvements to reduce SAML 2.0 Session Footprint
Improvements are made to reduce the data stored after the completion of a SAML 2.0 single sign-on flow.

Advanced HTTP Client
There is a new version of the HTTP client that can be used in mapping rules. The JavaDoc for the new client is available on the appliance from: System > Secure Settings > File Downloads > access_control folder > doc folder > ISAM-Javadoc.zip
The full name of the new client is...
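The x5t/x5c item above names two thumbprint encodings and the chain. As an added example that is not IBM's helper class, the Python below builds those JWS header parameters as RFC 7515 defines them (x5c is standard base64 with padding, x5t and x5t#S256 are base64url without padding) and, on the consuming side, checks that a received header's thumbprints actually match the leaf certificate it carries in x5c. The DER bytes are a constructed stand-in for a real certificate.

```python
import base64
import hashlib

# Constructed stand-in for a DER-encoded X.509 certificate. Any byte string
# serves here because a thumbprint is simply a hash over the DER bytes.
SAMPLE_DER = b"\x30\x82\x01\x0a" + bytes(range(256))


def b64url(raw: bytes) -> str:
    """base64url without padding, as JWS/JWK parameters require (RFC 7515 s.2)."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def x5t(der: bytes) -> str:
    """x5t: base64url(SHA-1(DER)). Legacy value; keep only for interoperability."""
    return b64url(hashlib.sha1(der).digest())


def x5t_s256(der: bytes) -> str:
    """x5t#S256: base64url(SHA-256(DER)), the value to prefer."""
    return b64url(hashlib.sha256(der).digest())


def x5c(chain) -> list:
    """x5c: standard base64 with padding (not base64url), leaf certificate first."""
    return [base64.b64encode(der).decode("ascii") for der in chain]


def build_jws_header(chain, alg: str = "RS256") -> dict:
    """Protected header carrying the chain and both thumbprints of its leaf."""
    return {"alg": alg, "x5c": x5c(chain),
            "x5t": x5t(chain[0]), "x5t#S256": x5t_s256(chain[0])}


def header_thumbprints_consistent(header: dict) -> bool:
    """Consumer-side check: the thumbprints must name the leaf certificate that
    is actually carried in x5c. A mismatch means the header was tampered with
    or assembled from different certificates and must not be trusted."""
    if not header.get("x5c"):
        return False
    leaf = base64.b64decode(header["x5c"][0])
    ok = True
    if "x5t#S256" in header:
        ok = ok and header["x5t#S256"] == x5t_s256(leaf)
    if "x5t" in header:
        ok = ok and header["x5t"] == x5t(leaf)
    return ok
```

A verifier should still validate the chain itself; the thumbprint check only proves the header is internally consistent.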
Native LDAP lookup helper
The ISAM Federation component introduces a native LDAP utility that can be used in the STS JavaScript mapping rule to access the LDAP server.

Legacy OIDC is deprecated
Attention: In ISAM v10, legacy OIDC is deprecated. For new installations of ISAM v10, the option to configure a legacy OIDC Federation no longer exists. For upgrade installations to ISAM v10, legacy OIDC runtime flows fail with the error message "Legacy OIDC has been deprecated". Existing legacy OIDC configurations are not accessible after the upgrade. Optionally, the existing legacy OIDC configurations can be cleaned up before upgrading to ISAM v10.

FAPI/OIDC Compliance Wizards
ISAM v10 supports the OpenID OP and Financial API compliant OIDC protocol.

Use Distributed Session Cache (DSC) to store SAML 2.0 sessions
SAML 2.0 sessions can be stored in the Distributed Session Cache (DSC) using the advanced configuration parameter saml20.sessionStore.