IBM Security Verify

This blog will go through the steps of a simple CI/CD pipeline to manage a IBM Security Verify Access container (Kubernetes/OpenShift) deployment.

First, we will use the `verify_access_autoconf` python project to configure Verify Access and create a snapshot file; then we will use the Verify Access Operator to deploy the generated snapshot to the required runtime containers to an OpenShift cluster.

Prerequisite:

• Install Verify Access Operator
  The Verify Access Operator can be installed from [operatorhub.io](https://operatorhub.io/operator/ibm-security-verify-access-operator) or via the RedHat Operator Community marketplace.

• Generate PKI + required configuration files.
  There is a configuration file provided to configure a deployment and set-up a demonstration WebSEAL instance. The provided configuration file relies on two certificates (.pem files) in the pki directory, one for the LDAP connection, and one for the HVDB connection. Deploying these databases is beyond the scope of this blog.

• Install required python packages

Time estimate: 30 mins

Configuring Verify Access

Create containers using template + any required infrastructure (LDAP server + HVDB). A sample OpenShift template is provided here to deploy the core Verify Access containers. it is expected that the LDAP and HVDB services have already been created.

oc process -f oshift-isva-standalone-template.yaml \
    -p APP_NAME='verify-access-demo' \
    -p ISVA_VERSION='10.0.5.0' \
    -p CONFIG_SERVICE='isvaconfig' \
    -p RUNTIME_SERVICE='isvaruntime' \
    -p WEBSEAL_SERVICE='isvawebeal' \
    -p DSC_SERVICE='isvadsc' \
    -p CONFIG_ID='cfgsvc' \
    -p CONFIG_PW='betterThanPassw0rd' \
    -p ISVA_IMAGE_NAME='icr.io/isva/verify-access' \
    -p TIMEZONE='Etc/UTC' \
    -p SERVICE_ACCOUNT='verifyaccess' \
    | oc create -f -

Update properties file for your deployment. A demo properties file is provided to run the provided config.yaml file. You will likely need to update the ISVA_MGMT_BASE_URL property to the DNS/IP address of the configuration container. In a demo this can easily be achieved by port-forwarding the configuration pod from kubernetes/openshift to a local (127.x.x.x) address.

Run the python automated configuration tool from this directory:

source autoconf.properties && python -m verify_access_autoconf

Upload snapshot to Operator

Once you have verified that your deployment has been successfully configured, you will need to upload the generated snapshot to the Operator’s snapshot manager service. This service is authenticated, so first you will have to retrieve the username, password and URL that the snapshot manager is configured to use.

Next you will need to upload the snapshot. the simplest way to do this is to use the configuration (LMI) Verify Access container to upload the snapshot to the Operator.

An example bash script is provided to read the Operator’s secret and upload the snapshot. Tu run the script you will need to provide the name of the configuration container, as well as the name of the snapshot to upload, eg:

bash upload_snapshot_to_operator.sh isvaconfig-8694c5fb66 isva_10.0.6.0_published.snapshot

Deploy Verify Access Operator

Use template to deploy snapshot generated in previous steps to required runtime containers. The following code snippet uses this template Do deploy an ibmsecurityverifyaccess CRD for each type of runtime service.

oc process -f oshift-isva-operator-template.yaml \
    -p APP_NAME='verify-access-operator-demo' \
    -p ISVA_BASE_IMAGE_NAME='icr.io/isva/verify-access' \
    -p SERVICE_ACCOUNT='verifyaccess' \
    -p ISVA_VERSION='10.0.5.0' \
    -p INSTANCE='default' \
    -p SNAPSHOT='published' \
    -p LANGUAGE='en_US.utf8' \
    -p WRP_REPLICAS='1' \
    -p RUNTIME_REPLICAS='1' \
    -p DSC_REPLICAS='1' \
    | oc create -f -