Two updates were made in Verify Access 10.0.7.0 to give administrators more tools to secure the generation and retrieval of configuration snapshot files. These updates are: the ability to define an X.509 certificate bundle to validate the connection to the configuration snapshot service; and the ability to encrypt (and decrypt) configuration snapshot files.
Validate connections to Configuration Snapshot Service:
Previously, when retrieving the configuration snapshot from the management service, the connection was not verified against a trust store. From 10.0.7.0 onwards, administrators must define how the connection to the snapshot management service should be verified. This is done by setting the environment property CONFIG_SERVICE_TLS_CACERT, which defines how Verify Access selects a CA certificate store to validate connections to the snapshot service. If this property is not set, Verify Access will not be able to retrieve a configuration snapshot and will fail to start.
Administrators are given three options to verify the connection:
CONFIG_SERVICE_TLS_CACERT=operator
This uses the tls.cert property from the verify-access-operator Kubernetes Secret (in the same namespace as the Verify Access container) to verify the connection to the snapshot management service. You should use this option if the IBM Security Verify Access Operator is being used to manage snapshots.
CONFIG_SERVICE_TLS_CACERT=file:/path/to/ca_bundle.pem
This option allows an administrator to provide their own CA certificate bundle to verify the connection to the snapshot management service. You should use this option if the configuration container or another snapshot management container is being used to publish the snapshot.
CONFIG_SERVICE_TLS_CACERT=disabled
This option allows administrators to preserve the legacy behavior where connections to the snapshot management service are not verified. This option should only be used in testing and non-production environments.
If you fail to set this property when deploying Verify Access, the containers will not start and the following error message, prompting you to set the required environment variable, is logged:
WGAWA1000E Failed to verify the SSL connection to the configuration snapshot service.
Validating connections to the Verify Access Operator Snapshot Management Service:
The previous section documents the environment variable required to configure Verify Access to use the PKI provided by the Verify Access Operator to validate the connection to the snapshot management service. With this setting, Verify Access reads the verify-access-operator Secret from the same namespace that the runtime Pods are deployed to. This Secret is created and managed by the Verify Access Operator when it deploys runtime containers to a namespace. Administrators must ensure that the service account used to deploy the Pods has permission to read this Secret.
In OpenShift environments, service accounts do not by default have sufficient permissions to read Secrets from their own namespace. Therefore you will need to add a Role-Based Access Control (RBAC) configuration for the service account which is running the deployed Pods. For this example I will use the default service account in the default namespace. The following YAML defines the minimum permission required by the service account to fetch the required properties from the Operator's Secret:
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  namespace: default
  name: default-isva-operator
rules:
- apiGroups: [""]
  resources: ["secrets"]
  verbs: ["get"]
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: default-isva-operator-binding
  namespace: default
subjects:
- kind: ServiceAccount
  name: default
  namespace: default
roleRef:
  kind: ClusterRole
  name: default-isva-operator
  apiGroup: rbac.authorization.k8s.io
The above YAML configuration creates a ClusterRole called default-isva-operator, which grants permission to read the verify-access-operator Secret. This new ClusterRole is then bound to the default service account (in the default namespace) using a ClusterRoleBinding. If you are deploying Verify Access runtime containers to a different namespace, or using a different service account, then some of the properties in this example will change.
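Because a ClusterRole bound through a ClusterRoleBinding grants read access to every Secret in the cluster, a tighter alternative is worth showing. The following is an added example, not configuration from the original article: a namespaced Role and RoleBinding limited to the one Secret the runtime container reads. The default namespace and default service account are the same assumptions as above; the Role name is mine.

```yaml
# Added example: least-privilege alternative to the ClusterRole above.
# The Role lives in the namespace the runtime Pods run in and only allows
# "get" on the single Secret the container needs (resourceNames applies to
# get, not to list or watch, so no broader verbs are granted).
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  namespace: default                    # assumed: namespace of the runtime Pods
  name: isva-operator-secret-reader     # assumed name
rules:
- apiGroups: [""]
  resources: ["secrets"]
  resourceNames: ["verify-access-operator"]   # the Operator-managed Secret
  verbs: ["get"]
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: isva-operator-secret-reader-binding
  namespace: default
subjects:
- kind: ServiceAccount
  name: default                         # assumed: service account running the Pods
  namespace: default
roleRef:
  kind: Role
  name: isva-operator-secret-reader
  apiGroup: rbac.authorization.k8s.io
```

Before rolling out the Pods, kubectl auth can-i get secret/verify-access-operator -n default --as=system:serviceaccount:default:default confirms that the binding gives the service account exactly this access.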
Encrypting Configuration Snapshot Files:
Administrators now have the option to define the CONFIG_SNAPSHOT_SECRETS environment property. This property contains a list of one or more secrets, delimited by || (two pipe characters), which are used to encrypt and decrypt the configuration snapshot file.
When this property is set in the Configuration container, the first secret in the list is used to encrypt any configuration snapshot files generated by the container. If the Configuration container is being bootstrapped with a configuration snapshot, all of the secrets in the list are tried in turn to decrypt the file. Similarly, when a Verify Access runtime container is deployed, all secrets in the list are tried in turn to decrypt the configuration snapshot file.
Administrators should be aware that a configuration snapshot file which has been encrypted cannot be recovered without the secret that was used to encrypt it.
An example deployment using this environment variable is:
apiVersion: apps/v1
kind: Deployment
metadata:
  name: isvawebseal
  labels:
    app: isvawebseal
spec:
  selector:
    matchLabels:
      app: isvawebseal
  replicas: 1
  revisionHistoryLimit: 1
  template:
    metadata:
      labels:
        app: isvawebseal
      annotations:
        productName: "IBM Security Verify Access Virtual Edition"
        productId: "e2ba21cf5df245bb8524be1957857d9f"
        productMetric: "PROCESSOR_VALUE_UNIT"
        productChargedContainers: "All"
    spec:
      containers:
      - name: isvawebseal
        image: icr.io/isva/verify-access-wrp:10.0.7.0
        imagePullPolicy: IfNotPresent
        ports:
        - containerPort: 9443
        env:
        - name: CONTAINER_TIMEZONE
          value: Australia/Brisbane
        - name: CONFIG_SERVICE_URL
          value: https://isamconfig:9443/shared_volume
        - name: CONFIG_SNAPSHOT_SECRETS
          value: AsecretToDecryptWith||AnotherSecretToDecryptWith
        - name: CONFIG_SERVICE_USER_NAME
          valueFrom:
            secretKeyRef:
              name: configreader
              key: username
        - name: CONFIG_SERVICE_USER_PWD
          valueFrom:
            secretKeyRef:
              name: configreader
              key: password
        - name: CONFIG_SERVICE_TLS_CACERT
          value: file:/path/to/bundle_ca.pem
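The Deployment above puts the snapshot secrets as a literal in the manifest and names a CA bundle path without mounting anything there. As an added example, not configuration from the original article, the fragment below sources CONFIG_SNAPSHOT_SECRETS from a Kubernetes Secret, ordered for rotation, and mounts the CA bundle for the file: option from a ConfigMap. The Secret name snapshot-secrets, the ConfigMap name config-service-ca, the mount path and the secret values are all assumptions.

```yaml
# Added example: keep the snapshot secrets out of the Deployment manifest.
# Ordering matters: the first entry encrypts newly generated snapshots and
# every entry is tried when decrypting. To rotate, prepend the new secret,
# regenerate the snapshot from the Configuration container, then remove the
# previous entry once no snapshot still depends on it.
apiVersion: v1
kind: Secret
metadata:
  name: snapshot-secrets                     # assumed name
type: Opaque
stringData:
  secrets: NewSnapshotSecret||PreviousSnapshotSecret   # constructed values
---
# Container section of the isvawebseal Deployment above with the two env
# entries replaced. The ConfigMap config-service-ca (assumed name) holds the
# CA bundle under the key ca_bundle.pem and is mounted read-only at the path
# that CONFIG_SERVICE_TLS_CACERT names.
spec:
  template:
    spec:
      containers:
      - name: isvawebseal
        env:
        - name: CONFIG_SNAPSHOT_SECRETS
          valueFrom:
            secretKeyRef:
              name: snapshot-secrets
              key: secrets
        - name: CONFIG_SERVICE_TLS_CACERT
          value: file:/etc/isva/ca/ca_bundle.pem   # assumed mount path
        volumeMounts:
        - name: config-service-ca
          mountPath: /etc/isva/ca
          readOnly: true
      volumes:
      - name: config-service-ca
        configMap:
          name: config-service-ca
```

The ConfigMap can be created from the bundle file with kubectl create configmap config-service-ca --from-file=ca_bundle.pem, so the PEM never has to be pasted into a manifest.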