IBM Security Verify


Deploying the IBM Security Access Manager Virtual Appliance on Amazon EC2

By Keiran Robinson posted Tue October 15, 2019 11:10 AM


The IBM Security Access Manager virtual appliance can be deployed in many environments, both on premises and in the cloud. Running ISAM in the cloud on Amazon’s Elastic Compute Cloud (EC2) is a popular choice, so the ISAM team has recently worked to make this easier than ever before.

It has been possible to run ISAM on EC2 for many years now; however, the process required either manually uploading the ISAM firmware VHD provided by IBM or creating your own ISAM firmware VHD using a local XenServer environment.

With the release of ISAM 9.0.6.0 in December 2018, ISAM has been made available in the Amazon Web Services Marketplace as an Amazon Machine Image and can be deployed directly from the AWS Marketplace catalog.


AWS Marketplace - IBM Security Access Manager

https://aws.amazon.com/marketplace/pp/B07L53BKF8


Provided you already have an active AWS account, you can now get ISAM up and running in AWS much faster and easier than ever before.


Key Differences in the AWS Marketplace ISAM image


The image found in the AWS Marketplace differs slightly from regular ISAM Virtual Appliances. These differences concern how the administrative capabilities of the ISAM Virtual Appliance are accessed, and were made to ensure the image is suitable for deployment in the cloud:

  1. The default admin user account does not use the default password “admin”. When the instance is created, the admin account password is set to the EC2 Instance ID. The Instance ID is visible in the EC2 Dashboard or can be retrieved using the EC2 APIs.
  2. Password-based login via SSH is disabled. To log in via SSH, certificate authentication must be used. The certificate (or “key pair” in EC2 nomenclature) required can be selected when deploying the AMI.
  3. The AMI volume has a fixed size of 100GB, which provides approximately 50GB for the active and inactive firmware partitions.

Note that these differences are specific to the AWS Marketplace AMI. AMIs uploaded manually using the legacy procedure for creating an EC2-compatible VHD will still have the default password and password-based SSH login, and can be produced in any size.

The AMI is provided as a Bring Your Own License (BYOL) solution in the AWS Marketplace; the support licensing and activation process is the same as for a regular ISAM Virtual Appliance.

Deploying an ISAM Virtual Appliance with the EC2 Dashboard


Let’s walk through just how easy it is to deploy an ISAM Virtual Appliance in AWS. ISAM can be deployed from either the IBM Security Access Manager Marketplace page or from the EC2 Dashboard. For this guide, we are going to walk through the process of deploying via the EC2 Dashboard.

Click the blue “Launch Instance” button to start the Launch instance wizard.


Select the “AWS Marketplace” tab and search for the term “IBM Security Access Manager” to locate the ISAM AMI. Click the blue “Select” button and the AMI details will appear. By default, the latest version of ISAM will be selected.

Of interest on this page are the “Usage Instructions”, which explain how to access the appliance command line interface (CLI) via SSH and the local management interface (LMI) using your browser once the Virtual Appliance is created.

The next step is to choose the instance type. The recommended instance type is m4.2xlarge or better; however, for the purpose of this article I have chosen a lighter instance type.


The instance details page does not contain any ISAM specific options which need to be tuned.

The Add Storage page allows you to attach additional volumes to the AMI instance being created. The ISAM appliance AMI does not make use of any additional volumes so it is best to leave this as-is.


This page also allows you to (attempt to) resize the Root volume. The ISAM AMI Root volume should not be resized. The AMI is a pre-installed 100GB Virtual Appliance image (with ~50GB for the active and inactive firmware partitions) and any additional space will not be utilized.


The Add Tags page does not contain any ISAM specific options.

The Configure Security Groups page allows you to control firewall rules for accessing the appliance. The default rules allow HTTPS and SSH access (ports 443 and 22 respectively) from all addresses. It is good practice to always narrow the source address range to the range from which you expect to access the management functions of the appliance. It is even better to restrict this to a single address if practical.

The Review Instance Launch screen will show a summary of the configuration options selected. Click the blue “Launch” button to launch the instance.

You will be prompted to select a key pair for this instance. This key pair will be installed on the Virtual Appliance during deployment and will be the only way to access the appliance via SSH.


Now that the instance is launched, you will be returned to the EC2 Dashboard.

Take note of:

  1. The Instance ID; when the Virtual Appliance starts up, this will be the initial password for the admin LMI user.
  2. The Public DNS address or Public IP (IPv4).

Within moments the ISAM appliance instance will be started and accessible.


The LMI is accessible via the Public DNS address or Public IP (IPv4) address in your browser. Use the default admin account to log in, providing the EC2-generated instance ID (i-xxxxxxxxxxxxxxxxx) as the password.


The CLI is accessible via SSH using the default admin account and the key pair selected during deployment. Remember that password-based authentication is disabled and that the key pair must be used when connecting via SSH.

Now that the Virtual Appliance is up and running, you can begin configuring and working with ISAM just as you would in any other environment.


Troubleshooting Deployment and Management Access Issues


If after a few moments you are still unable to access the appliance, double check that the security group’s inbound rules correctly allow access from your IP address to port 443 (HTTPS for the LMI) or 22 (SSH for the CLI).
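As an added example (not code from the original post), the following Python check takes a security group’s inbound rules in the shape returned by the EC2 DescribeSecurityGroups API (`IpPermissions`, as printed by `aws ec2 describe-security-groups`) together with your management address, and reports whether ports 443 and 22 are reachable from that address and whether either port is still open to 0.0.0.0/0. It covers both the hardening advice from the security-group step and this troubleshooting check; the rule sets and the 203.0.113.10 address are constructed placeholders.

```python
import ipaddress

# Management ports exposed by the ISAM appliance: LMI over HTTPS and CLI over SSH.
MANAGEMENT_PORTS = {443: "LMI (HTTPS)", 22: "CLI (SSH)"}


def _rule_covers_port(rule, port):
    """True if a rule's protocol and port range include the given TCP port."""
    proto = rule.get("IpProtocol")
    if proto == "-1":  # an "All traffic" rule covers every port
        return True
    if proto != "tcp":
        return False
    return rule.get("FromPort", 0) <= port <= rule.get("ToPort", 65535)


def audit_management_access(ip_permissions, client_ip):
    """For each management port, report whether client_ip is allowed in and
    whether any rule granting that port is open to the internet (0.0.0.0/0).
    ip_permissions uses the EC2 DescribeSecurityGroups 'IpPermissions' shape."""
    client = ipaddress.ip_address(client_ip)
    report = {}
    for port, label in MANAGEMENT_PORTS.items():
        allowed = world_open = False
        for rule in ip_permissions:
            if not _rule_covers_port(rule, port):
                continue
            for cidr in (r["CidrIp"] for r in rule.get("IpRanges", [])):
                net = ipaddress.ip_network(cidr, strict=False)
                world_open = world_open or net.prefixlen == 0
                allowed = allowed or client in net  # False across IPv4/IPv6
        report[port] = {"label": label, "client_allowed": allowed, "world_open": world_open}
    return report


# Constructed sample: the wizard's default rules (443 and 22 from anywhere).
DEFAULT_RULES = [
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
]
# Constructed sample: the same ports restricted to a single administrator address.
HARDENED_RULES = [
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": "203.0.113.10/32"}]},
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "203.0.113.10/32"}]},
]

if __name__ == "__main__":
    for name, rules in (("default", DEFAULT_RULES), ("hardened", HARDENED_RULES)):
        for port, r in audit_management_access(rules, "203.0.113.10").items():
            print(f"{name:8} {r['label']:11} {port:>3}: client_allowed={r['client_allowed']} "
                  f"world_open={r['world_open']}")
```

A port that reports `client_allowed=False` explains a hung LMI or SSH connection; `world_open=True` on either port means the default wizard rule has not yet been narrowed.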


Remember that the default admin LMI account does not use the default credentials (admin:admin) like other ISAM Virtual Appliances and that the password is set to the instance ID generated by EC2 when the Virtual Appliance is launched.


If you are using SSH to access the CLI, password-based authentication is completely disabled; you must use the key pair specified during deployment to connect as the admin user.

Handling Upgrades


The Virtual Appliance can be updated using the same mechanisms as a standard ISAM deployment. Refer to the documentation for Licensing and Upgrades or the summary below.


  • If a support license is installed, the Virtual Appliance can download update packages from the update server.
  • The update package (.PKG file) provided by IBM can be manually uploaded and installed.


There is no Amazon-specific version of the update package; the same update packages used for all ISAM Appliances can also be used with Amazon-deployed instances.

Similarly, interim fixes or any fix pack packages for ISAM provided by IBM can also be used on Amazon-deployed instances.


As you can see, with the new ISAM AWS Marketplace offering it is now simpler and faster than ever before to get an ISAM Virtual Appliance up and running in EC2. If you have not previously considered running ISAM in EC2 due to the process required to manually create and upload an AMI, we hope you will find this new AWS Marketplace offering helpful.


If you have found this entry via a search engine and do not already use ISAM, you can use the following link to sign up for an instant 90-day trial license which will enable the complete set of ISAM functionality so you can evaluate what ISAM can do for your organisation:


IBM Security Access Manager Free Trial

https://www.ibm.com/account/reg/us-en/signup?formid=urx-30269


Comments

Fri October 16, 2020 11:40 AM

How do you configure a new network interface or a non-management IP to attach to a WebSEAL instance in AWS?