IBM Support

Advanced Access Control performance degradation

Troubleshooting


Problem

IBM Security Access Manager 9.0.3.0 firmware introduced the potential to degrade performance of Advanced Access Control features during high load peak periods.

Symptom

Runtime database statements require significantly more resources to execute.

Cause

SQL statements were updated to address issues with mixed-case characters in usernames.

Environment

  • IBM Security Access Manager 9.0.3.0 Advanced Access Control
  • OAuth Tokens and Trusted Clients
  • MMFA/IBM Verify/U2F authentication
  • FIDO2/WebAuthn (9.0.7.0+)

Resolving The Problem

IBM Security Access Manager 9.0.4.0 firmware reverts the SQL statement changes and introduces case-insensitive usernames.

A fresh installation of the 9.0.4.0 firmware (or later) will enable this functionality automatically. No further action is required.

Upgrading to the 9.0.4.0 firmware (or later) will require some manual migration in order to enable this functionality.

For internal database deployments, please open a support case to request the "migrate_runtimedb_userinfo.fixpack" which can be installed on 9.0.4.0 and later firmware versions.
Note: This fixpack is not applicable to containerized deployments of ISAM (e.g. ISAM on Docker).
 
For external database deployments, execute the following SQL statements against the Runtime database:
{{{
UPDATE AUTHENTICATORS SET USERNAME=LOWER(USERNAME);
UPDATE MMFA_AUTH_TXN_DATA SET USERNAME=LOWER(USERNAME);
UPDATE OAUTH20_TOKEN_CACHE SET USERNAME=LOWER(USERNAME);
UPDATE OAUTH_TRUSTED_CLIENT SET USERNAME=LOWER(USERNAME);
UPDATE RBA_USER_DEVICE SET USER_ID=LOWER(USER_ID);
UPDATE RBA_USER_USAGE_DATA SET USER_ID=LOWER(USER_ID);
UPDATE U2F_TOKENS SET USERNAME=LOWER(USERNAME);
UPDATE USER_ATTRIBUTES SET USER_ID=LOWER(USER_ID);
INSERT INTO [HV]DB_SCHEMA_UPDATES VALUES (CURRENT_TIMESTAMP, 198711069, 'username.legacyBehavior');
}}}
  
Note: The schema updates table name may contain an "HV" prefix that should be identified prior to running the commands.
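
The following read-only preflight query is an added example, not part of the IBM technote or fixpack. It uses only the table and column names from the statements above and assumes the Runtime database may hold usernames that differ only by letter case; it lists every lowercased value that two or more distinct stored spellings would collapse into when the UPDATE statements run.

```sql
-- Added example (not IBM-supplied). Read-only; run before the UPDATE statements.
-- Assumption: some stored usernames may differ only by letter case.
-- Each result row is a lowercased name that several distinct spellings
-- would be folded into by LOWER().
SELECT 'AUTHENTICATORS' AS SRC_TABLE, LOWER(USERNAME) AS FOLDED_NAME,
       COUNT(DISTINCT USERNAME) AS SPELLINGS
  FROM AUTHENTICATORS
 GROUP BY LOWER(USERNAME) HAVING COUNT(DISTINCT USERNAME) > 1
UNION ALL
SELECT 'MMFA_AUTH_TXN_DATA', LOWER(USERNAME), COUNT(DISTINCT USERNAME)
  FROM MMFA_AUTH_TXN_DATA
 GROUP BY LOWER(USERNAME) HAVING COUNT(DISTINCT USERNAME) > 1
UNION ALL
SELECT 'OAUTH20_TOKEN_CACHE', LOWER(USERNAME), COUNT(DISTINCT USERNAME)
  FROM OAUTH20_TOKEN_CACHE
 GROUP BY LOWER(USERNAME) HAVING COUNT(DISTINCT USERNAME) > 1
UNION ALL
SELECT 'OAUTH_TRUSTED_CLIENT', LOWER(USERNAME), COUNT(DISTINCT USERNAME)
  FROM OAUTH_TRUSTED_CLIENT
 GROUP BY LOWER(USERNAME) HAVING COUNT(DISTINCT USERNAME) > 1
UNION ALL
SELECT 'RBA_USER_DEVICE', LOWER(USER_ID), COUNT(DISTINCT USER_ID)
  FROM RBA_USER_DEVICE
 GROUP BY LOWER(USER_ID) HAVING COUNT(DISTINCT USER_ID) > 1
UNION ALL
SELECT 'RBA_USER_USAGE_DATA', LOWER(USER_ID), COUNT(DISTINCT USER_ID)
  FROM RBA_USER_USAGE_DATA
 GROUP BY LOWER(USER_ID) HAVING COUNT(DISTINCT USER_ID) > 1
UNION ALL
SELECT 'U2F_TOKENS', LOWER(USERNAME), COUNT(DISTINCT USERNAME)
  FROM U2F_TOKENS
 GROUP BY LOWER(USERNAME) HAVING COUNT(DISTINCT USERNAME) > 1
UNION ALL
SELECT 'USER_ATTRIBUTES', LOWER(USER_ID), COUNT(DISTINCT USER_ID)
  FROM USER_ATTRIBUTES
 GROUP BY LOWER(USER_ID) HAVING COUNT(DISTINCT USER_ID) > 1;
```

An empty result means no two stored spellings fold to the same value. Any rows returned identify accounts whose authenticators, tokens, or device records should be reviewed before the migration is applied.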

Document Information

Modified date:
03 December 2019

UID

swg22007256