IBM Security Verify

  • 1.  IBM Security Verify Access on Containers utilizing HSMs

    IBM Champion
    Posted Fri May 31, 2024 12:45 PM

    I know that HSMs are not supported on containers.  Is it impossible to use an HSM for containers in general?  Meaning, is this something that perhaps IBM would think of entertaining in an RFE/idea?  Or is it not possible to use an HSM within a container architecture because of the way the ISVA configuration is handled/shared between all the containers?

    I see some integrations with RedHat OpenShift and Luna HSM when I do a bit of digging.  However, I'm not familiar with any of these solutions, but I do wonder if there is a potential to use one of these integrations for the ISVA containers to be able to utilize an HSM.

    Thanks for the discussion!



    ------------------------------
    Matt Jenkins
    ------------------------------


  • 2.  RE: IBM Security Verify Access on Containers utilizing HSMs

    Posted Sun June 02, 2024 05:03 PM

    Matt,


    The SafeNet Luna HSM device is actually supported in an ISVA containerised environment already. 


    The main factor which inhibits adoption of an HSM device in a containerised environment is that a lot of HSM devices require manual registration of the client IP address and bind an authentication token to that IP address. This works in an environment where the IP addresses of clients are static, but does not work well in a containerised environment. The SafeNet Luna HSM device doesn't bind a client to a specific IP address, which is why we can claim support for this HSM device.


    I hope that this helps.


    Scott A. Exton
    Senior Software Engineer
    Chief Programmer - IBM Security Verify Access

    IBM Master Inventor



  • 3.  RE: IBM Security Verify Access on Containers utilizing HSMs

    IBM Champion
    Posted Sun June 02, 2024 05:21 PM

    This is good to know.  However, when I try to create a new cert database the only option I see is local.

    I was following the instructions here:  

    https://www.ibm.com/docs/en/sva/10.0.7?topic=storage-configuring-network-hardware-security-module-hsm-support

    Are there different instructions for the container version?  Granted, I also don't have the IBM Security Verify Access SafeNet Luna Network HSM Extension installed, but how does that get installed in the container world if that is the issue?

    PS:  The binding of the IP address is what I had wondered was keeping back these solutions.

    Thanks Scott!

    Matt



    ------------------------------
    Matt Jenkins
    ------------------------------



  • 4.  RE: IBM Security Verify Access on Containers utilizing HSMs

    Posted Sun June 02, 2024 05:39 PM

    Matt,


    You will only have the option of a 'local' key file until an HSM extension is installed. So, you would first need to install the Luna SafeNet HSM extension into your configuration container. This can be done using the LMI in the same way that you do for a virtual appliance.


    Thanks.


    Scott A. Exton
    Senior Software Engineer
    Chief Programmer - IBM Security Verify Access

    IBM Master Inventor


    Phone: 61-7-5552-4008
    E-mail: scotte@au1.ibm.com

    1 Corporate Court
    Bundall, QLD 4217
    Australia