IBM Security Verify

  • 1.  IAG and howto preload trusted certificates?

    Posted Fri May 31, 2024 04:45 AM

    Hi,

    We run the IAG in Kubernetes as reverse proxies in front of many applications and it generally works well.

    One of the pain points is trusted certificate management. In IAG you seem to need to specify any additional trusted certificate in the config file by base64-encoding PEM certificates. When a new trusted cert is to be added, this setting would need to be modified for every IAG deployment.

    I wonder if anyone has been able to preload extra CA certificates for IAG during the build phase in the Dockerfile.
    I even experimented with something like this:

    ===
    # gsk8capicmd_64 -cert -add requires a -label; the file path is reused as the label here
    RUN find /tmp/preload-certs/*crt | xargs -n1 -I % /usr/local/ibm/gsk8_64/bin/gsk8capicmd_64 -cert -add -label % -file % -db /opt/pdweb/config.template/shared/keytab/default.kdb -stashed
    ===

    But it seems the kdb files cannot be found during the build phase before the webseald process starts, and I really cannot figure out where webseald gets the initial kdb keystore from.

    Has anyone else here managed to preload more CA certificates onto IAG? It seems it would be the proper way to do it.

    Regards,
    Peter

    ------------------------------
    Peter Lindqvist
    ------------------------------


  • 2.  RE: IAG and howto preload trusted certificates?

    Posted Sun June 02, 2024 05:16 PM

    Peter,

    You can definitely pre-bake your own certificates into a new container image which is based on IAG.  The easiest way to do this is to ensure that the certificates are in the same directory as your Dockerfile, and then use the 'COPY' command within your Dockerfile to add this certificate to the container file system. 

    However, just placing the certificates on the file system still won't make them automatically available to IAG itself.  You still need to ensure that the IAG configuration is told about this file.  For example:

        - resource_servers:
            - path: "/example"
              # ...
              servers:
                - host: www.test.com
                  port: 443
                  virtual_host: testportal.test.com
                  ssl:
                    certificate:
                      - "@my-certs/ww-test-com.crt"
                    server_dn: cn=test
                  url_style:
                    case_insensitive: true
                    windows: false

    I hope that this helps.

    Scott A. Exton
    Senior Software Engineer
    Chief Programmer - IBM Security Verify Access

    IBM Master Inventor

    Phone: 61-7-5552-4008
    E-mail: scotte@au1.ibm.com

    1 Corporate Court
    Bundall, QLD 4217
    Australia


  • 3.  RE: IAG and howto preload trusted certificates?

    Posted 22 days ago

    Thanks Scott!

    Works nicely after implementing it like above; you still need to reference the certs in the config file, but it seems you can have a generic reference with the config below.

    I added the following to the Dockerfile:

    # Certs to preload - Add more certs in this folder to have them trusted by IAG
    COPY preload-certs /tmp/preload-certs
    # Add all preloaded certs to one PEM file
    RUN cat /tmp/preload-certs/* > /var/iag/config/preloaded_trusted_certs.pem

    That allowed me to keep the config file the same regardless of whether we change the trusted certificates:
    ssl:
      trust_certificates:
        # Preloaded certs
        - "@preloaded_trusted_certs.pem"

    ------------------------------
    Peter Lindqvist
    ------------------------------
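Added example (not from this thread, not IAG's own code): a build-time helper in Python that does the `cat /tmp/preload-certs/* > ...pem` step above more defensively. A plain `cat` fuses the END line of one certificate with the BEGIN line of the next whenever an input file lacks a final newline, so the second certificate is silently not trusted; this helper re-emits every block newline-terminated, skips anything that is not a base64 DER certificate block, and drops duplicates. The sample blocks, file names and function names are constructed for the example.

```python
import base64
import re
from pathlib import Path
from typing import Iterable, List

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.DOTALL
)

def extract_certs(text: str) -> List[str]:
    """Return the PEM certificate blocks in text, re-wrapped and newline-terminated.

    Text between blocks is ignored, bodies that are not base64 or do not start
    with a DER SEQUENCE (0x30) are dropped, and every block ends with a newline,
    so blocks can be concatenated without the fused END/BEGIN line that `cat`
    produces when an input file lacks a final newline.
    """
    certs = []
    for body in PEM_RE.findall(text):
        b64 = "".join(body.split())
        try:
            der = base64.b64decode(b64, validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            continue
        if not der or der[0] != 0x30:
            continue
        wrapped = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
        certs.append(f"-----BEGIN CERTIFICATE-----\n{wrapped}\n-----END CERTIFICATE-----\n")
    return certs

def build_bundle(texts: Iterable[str]) -> str:
    """Merge blocks from several file contents, dropping exact duplicates."""
    seen, out = set(), []
    for text in texts:
        for cert in extract_certs(text):
            if cert not in seen:
                seen.add(cert)
                out.append(cert)
    return "".join(out)

def build_bundle_from_dir(src: Path, dest: Path) -> int:
    """Drop-in for the `cat` build step (hypothetical paths); returns the cert count."""
    files = sorted(p for p in src.iterdir() if p.is_file())
    bundle = build_bundle(p.read_text() for p in files)
    dest.write_text(bundle)
    return bundle.count("-----BEGIN CERTIFICATE-----")

# Constructed samples (not real certificates): base64 of a minimal DER SEQUENCE.
CERT_A = "-----BEGIN CERTIFICATE-----\nMAMCAQE=\n-----END CERTIFICATE-----"  # no final newline
CERT_B = "-----BEGIN CERTIFICATE-----\nMAMCAQI=\n-----END CERTIFICATE-----\n"
JUNK = "-----BEGIN CERTIFICATE-----\nnot*base64\n-----END CERTIFICATE-----\n"

if __name__ == "__main__":
    # CERT_A + CERT_B is what `cat` produces from the two files: a fused END/BEGIN line.
    print(build_bundle([CERT_A + CERT_B, CERT_A, JUNK]))
```

In the Dockerfile this would replace the `cat` line with a `RUN python3 build_bundle.py` step that calls `build_bundle_from_dir(Path("/tmp/preload-certs"), Path("/var/iag/config/preloaded_trusted_certs.pem"))`.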



  • 4.  RE: IAG and howto preload trusted certificates?

    Posted 22 days ago

    Peter,

    You might also like to explore the IAG Kubernetes operator.  It has been designed for exactly this type of situation and has the ability to 'merge' configuration together from different sources and automatically restart affected pods.  Further information can be found at: https://github.com/IBM-Security/ibm-application-gateway-operator?tab=readme-ov-file#custom-resource-model.

    I hope that this helps.

    Scott A. Exton
    Senior Software Engineer
    Chief Programmer - IBM Security Verify Access

    IBM Master Inventor
