IBM Verify


 Can't configure runtime on IVIA 11 config container

Ryan Riffle posted Sun August 10, 2025 11:43 AM

Hi All,

I've been attempting to set up IVIA in minikube using https://github.com/IBM-Security/verify-access-container-deployment for a lab. I've been able to get the config pod to start and access the LMI with no issue. However, no matter what I try, I cannot get the runtime to configure. I'm doing a fresh installation with no previous data to migrate. I've tried using the local LDAP, the OpenLDAP that's deployed with the templates in the repo, and an SVD container, and the configuration always fails exactly the same way.


* Configuring the server.

Generating the server certificates. This may take a few minutes.

Creating the SSL certificate. This might take several minutes.
The SSL configuration of the Verify Identity Access policy server
has completed successfully.

The policy server's signed SSL certificate is base-64 encoded and
saved in text file "/var/PolicyDirector/keytab/pdcacert.b64"

This file is required by the configuration program on each machine
in your secure domain.
The SSL configuration of Access Control Runtime has completed successfully.
Verify Identity Access policy server domain name: Default
Verify Identity Access policy server host name: iviaconfig-59fb658d69-pfr8c
Verify Identity Access policy server listening port: 7135


* Starting the server.


The server has been started.

The package has been configured successfully.
2025-08-10-16:27:06.918+01:00I----- 0x16B480C9 IRAapi ERROR rgy ira ira_entry.c 4324 0x7fffff057300
HPDRG0201E Error code 0x20 was received from the LDAP server. Error text: "No such object".
2025-08-10-16:27:07.442+01:00I----- 0x16B480C9 IRAapi ERROR rgy ira ira_entry.c 4324 0x7fffff057300
HPDRG0201E Error code 0x20 was received from the LDAP server. Error text: "No such object".

On the LDAP side the errors are:
The attribute member with value SECAUTHORITY=DEFAULT already exists.
The attribute member with value SECAUTHORITY=DEFAULT already exists.
Parent entry does not exist for entry cn=Policy,cn=Policies,principalName=sec_master,cn=Users,secAuthority=Default.
The attribute member with value SECAUTHORITY=DEFAULT already exists.
The attribute member with value SECAUTHORITY=DEFAULT already exists.
Parent entry does not exist for entry cn=Policy,cn=Policies,principalName=ivmgrd/master,cn=Users,secAuthority=Default.
Entry CN=RESCREDS,PRINCIPAL=IVMGRD/MASTER,CN=USERS,SECAUTHORITY=DEFAULT to be deleted does not exist.

The process is essentially this:
- Run a few scripts to set up the SSL certs/config maps/etc.
- Create the deployment
- Log in to the LMI of the config container and attempt to configure the runtime.

Does anyone know what I'm missing?

Ryan Riffle

I'm not really sure why, but I was able to get it to configure. I just had to use pdconfig manually on the container a few times. It would fail with the same errors and leave a partial config I had to roll back. One time it just worked with no different configuration.