This is good to know. However, when I try to create a new cert database the only option I see is local.
I was following the instructions here:
https://www.ibm.com/docs/en/sva/10.0.7?topic=storage-configuring-network-hardware-security-module-hsm-support
Are there different instructions for the container version? Granted, I also don't have the IBM Security Verify Access SafeNet Luna Network HSM Extension installed, but how does that get installed in the container world if that is the issue?
PS: The binding of the IP address is what I had wondered was keeping back these solutions.
Thanks Scott!
Matt
------------------------------
Matt Jenkins
------------------------------
Original Message:
Sent: Sun June 02, 2024 05:03 PM
From: Scott Exton
Subject: IBM Security Verify Access on Containers utilizing HSMs
Matt,
The SafeNet Luna HSM device is actually supported in an ISVA containerised environment already.
The main factor which inhibits adoption of a HSM device in a containerised environment is that a lot of HSM devices require manual registration of the client IP address and bind an authentication token to that IP address. This works in an environment where the IP addresses of clients are static, but does not work well in a containerised environment. The SafeNet Luna HSM device doesn't bind a client to a specific IP address, which is why we can claim support for this HSM device.
I hope that this helps.
Scott A. Exton
Senior Software Engineer
Chief Programmer - IBM Security Verify Access
IBM Master Inventor
Original Message:
Sent: 5/31/2024 12:45:00 PM
From: Matt Jenkins
Subject: IBM Security Verify Access on Containers utilizing HSMs
I know that HSMs are not supported on containers. Is it impossible to use an HSM for containers in general? Meaning, is this something that perhaps IBM would think of entertaining in an RFE/idea? Or is it not possible to use an HSM within a container architecture because of the way the ISVA configuration is handled/shared between all the containers?
I see some integrations with Red Hat OpenShift and Luna HSM when I do a bit of digging. However, I'm not familiar with any of these solutions, but I do wonder if there is a potential to use one of these integrations for the ISVA containers to be able to utilize an HSM.
Thanks for the discussion!
------------------------------
Matt Jenkins
------------------------------