IBM® Security Access Manager for Mobile and IBM Security Access Manager for Web provide new features and extended functions for Version 8.0.0.4.
The following sections detail the new features for Version 8.0.0.4 and earlier fix pack releases. Each fix pack includes all features that are introduced in prior fix packs.
Each product contains the same code. The difference between the two fix packs is the activation level license. The Mobile product provides a license to activate the Mobile features in the appliance. The Web product provides a license to activate the Web features in the appliance.
After your initial deployment, if you decide that you want an additional activation level, you need only obtain the necessary license. You do not need to redeploy the product. For example, if you purchase and deploy IBM Security Access Manager for Web V8.0.0.4, and afterward decide to deploy the Mobile features, you need only obtain and install the Mobile license. You do not need to reload the fix pack code.
This version contains the following updates for IBM Security Access Manager for Mobile:
Get entitlements from an external database to make access decisions. DB2®, Oracle, and solidDB® databases are supported. See Managing server connections.
Share access control policies between IBM Security Access Manager for Mobile appliances and back up policies. See Managing access control policies.
Configure an access control policy that provides an extra step-up authentication measure that uses knowledge questions and answers to authenticate the user. See Configuring a Knowledge Questions authentication mechanism.
Configure an authentication policy that prompts the user to accept an End-User License Agreement (EULA) during an authentication flow. See Configuring an End-User License Agreement authentication mechanism.
Use the value of a single-valued session attribute to determine whether it matches, or does not match, a specified value. See Attribute matchers.
Publish all policies that require publishing with one action, rather than publishing each one separately. See Managing access control policies.
Configure the REST services in the attribute collection service to GET session and behavior attributes. See Configuring the REST service to GET session and behavior attributes.
View the JSON for the session and behavior attributes for diagnostic purposes. See Viewing the JSON for behavior and session attributes.
Predefined attributes for the Worklight version and the device are added. See Predefined attributes.
Create customized components, such as your own obligation handler or authentication mechanism. See Software Development Kit.
Security Access Manager provides more extension points for customization. Implement your own obligation handler and authentication mechanism by using these extension points. See Extensions.
Authentication mechanisms indicate the conditions that authenticate a user. See Authentication and Managing authentication mechanisms.
Obligations specify additional actions that must be completed before access to a protected resource is granted or denied. See Managing obligations.
Import, export, create, rename, and delete files or directories in Security Access Manager. See Modifying template files.
This version contains the following updates for IBM Security Access Manager for Web:
Basic users are users in the registry that are not imported into Security Access Manager. Basic users can now authenticate in Security Access Manager. See Configuring the runtime to authenticate basic users.
Federated directories enable Security Access Manager to authenticate against multiple user registries, which means that corporate registries can be kept separate from the Security Access Manager user registry. See Managing federated directories.
The HTTP transformation rules feature is enhanced so that an administrator can modify an HTTP request or response based on the evaluation of an XSLT rule. The XML representation of the request or response now supports inclusion of attributes from the credential. See Configuration file updates.
WebSEAL can now create Kerberos tokens. In prior releases, WebSEAL used an IBM Tivoli® Federated Identity Manager server to create the tokens. See Single sign-on using Kerberos constrained delegation.
WebSEAL can now create an authenticated session by using an OAuth token. See Support for OAuth authorization decisions.
You can now use the local management interface to edit the ivmgrd.conf file. See Managing runtime configuration files.
New features are available for appliance functions that are active for both IBM Security Access Manager for Web V8.0.0.4 and IBM Security Access Manager for Mobile V8.0.0.4.
A new menu is available in the command-line interface that enables the administrator to monitor specific logs. See Monitoring log files in the command-line interface.
You can use the command-line interface to list the ports on which the appliance is listening, and test whether the appliance can connect to a specific port on a host over TCP. See Command line interface.
You can import an SSL server certificate as a signer certificate. See Managing SSL certificates.
You can manage on-board users and groups that are used for authenticating to the local management interface, and you can manage roles to control access to the local management interface. See Managing roles of users and groups.
You can now manage the default gateway for the appliance from the Static Routes menu on the local management interface. See Configuring static routes.
Restricting nodes that are in the DMZ helps limit the exposure of an organization's internal network. Enable this feature by using the local management interface. See Restricted nodes.
The activation level for individual nodes within a cluster can now vary on a per node basis. See Cluster architecture rules.
You can now complete these management tasks for the embedded LDAP server:
See also Managing the embedded LDAP server.
Version 8.0.0.3 is distributed as a fix pack on IBM Fix Central. This version contains the following updates for IBM Security Access Manager for Mobile:
Multi-factor authentication is implemented through support for authentication policies. Authentication policies are workflows that dictate the authentication mechanisms that are required before the user can access a resource. You can specify multiple mechanisms to be used in sequence to build a credential for use in making an authentication decision. For more information, see Authentication policies.
Security Access Manager for Mobile provides QR code support to enhance registration and authentication scenarios with mobile devices.
An additional OAuth 2.0 mapping rule method is added to support deletion of a token from the token cache. For more information, see OAuth 2.0 mapping rule methods.
Specify the set of characters that are used to generate tokens. For more information, see Creating an API protection definition.
Security Access Manager for Mobile provides a set of APIs that are implemented as REST services by using JAX-RS. The REST APIs let you perform management tasks outside of the IBM Security Access Manager for Mobile user interface. See REST APIs.
Version 8.0.0.1 is distributed as a fix pack on IBM Fix Central. This version contains the following updates for IBM Security Access Manager for Mobile:
Security Access Manager for Mobile extends the OAuth 2.0 capability with a PIN policy. The PIN policy provides the capability of protecting a refresh token with a PIN that is provided by the API protection client. This optional PIN protection can be used when authenticating hybrid and native mobile applications. For more information, see PIN policy.
Security Access Manager for Mobile supports user-interactive consent and auto-consent for the authorize endpoint. This consent can be configured on an API protection definition basis. For more information, see Trusted clients management.
Customizable pages are available for users to manage their tokens and consent decisions. For more information, see Managing OAuth 2.0 authorization grants.
JavaScript mapping rules for the entire token lifecycle are supported. For more information, see Managing OAuth 2.0 mapping rules.
HTTP or HTTPS POST and GET calls to external systems within JavaScript mapping rules are supported. This feature is useful in scenarios where external data sources can be consulted during OAuth token generation and validation. For more information, see OAuth 2.0 mapping rule methods.