Containers

IBM will no longer host IBM Security Verify containers on Docker Hub after December 31st, 2022

All containers should be sourced from the IBM Container registry links as detailed below.
This may be a breaking change to any automated deployment processes.

IBM Security Verify Access containers are available from the IBM Cloud Container Registry:

Production Containers:

Configuration Containers:

Supporting Containers:

IBM Application Gateway:

Additional IBM Application Gateway information is documented here.

For more information about IBM Security Verify Access Container Support, see the Documentation Hub.

Web Reverse Proxy

The Security Verify Access Web Reverse Proxy (WRP) Docker image provides the Web Reverse Proxy capabilities of Security Verify Access.

Usage Information.

Modular Version     Container URL and tags
10.0.7              icr.io/isva/verify-access-wrp:10.0.7.0_IF1
                    icr.io/isva/verify-access-wrp:10.0.7.0
10.0.6              icr.io/isva/verify-access-wrp:10.0.6.0_IF1
                    icr.io/isva/verify-access-wrp:10.0.6.0
10.0.5              icr.io/isva/verify-access-wrp:10.0.5.0_IF1
                    icr.io/isva/verify-access-wrp:10.0.5.0
10.0.4              icr.io/isva/verify-access-wrp:10.0.4.0_IF2
                    icr.io/isva/verify-access-wrp:10.0.4.0_IF1
                    icr.io/isva/verify-access-wrp:10.0.4.0_20220912
                    icr.io/isva/verify-access-wrp:10.0.4.0
10.0.3              icr.io/isva/verify-access-wrp:10.0.3.1_20220715
                    icr.io/isva/verify-access-wrp:10.0.3.1_20220517
                    icr.io/isva/verify-access-wrp:10.0.3.1
                    icr.io/isva/verify-access-wrp:10.0.3.0
10.0.2              icr.io/isva/verify-access-wrp:10.0.2.0_IF1
                    icr.io/isva/verify-access-wrp:10.0.2.0
10.0.1 and earlier  N/A

AAC and Federation Runtime

The Security Verify Access Runtime Docker image provides the Advanced Access Control and Federation capabilities of Security Verify Access.

Usage Information.

Modular Version     Container URL and tags
10.0.7              icr.io/isva/verify-access-runtime:10.0.7.0_IF1
                    icr.io/isva/verify-access-runtime:10.0.7.0
10.0.6              icr.io/isva/verify-access-runtime:10.0.6.0_IF1
                    icr.io/isva/verify-access-runtime:10.0.6.0
10.0.5              icr.io/isva/verify-access-runtime:10.0.5.0_IF1
                    icr.io/isva/verify-access-runtime:10.0.5.0
10.0.4              icr.io/isva/verify-access-runtime:10.0.4.0_IF2
                    icr.io/isva/verify-access-runtime:10.0.4.0_IF1
                    icr.io/isva/verify-access-runtime:10.0.4.0_20220912
                    icr.io/isva/verify-access-runtime:10.0.4.0
10.0.3              icr.io/isva/verify-access-runtime:10.0.3.1_20220715
                    icr.io/isva/verify-access-runtime:10.0.3.1_20220517
                    icr.io/isva/verify-access-runtime:10.0.3.1
                    icr.io/isva/verify-access-runtime:10.0.3.0
10.0.2              icr.io/isva/verify-access-runtime:10.0.2.0_IF1
                    icr.io/isva/verify-access-runtime:10.0.2.0
10.0.1 and earlier  N/A

OpenID Connect Provider

The Security Verify Access OpenID Connect Provider.

Version  Container URL and tags
23.12    icr.io/isva/verify-access-oidc-provider:23.12
23.03    icr.io/isva/verify-access-oidc-provider:23.03
22.12    icr.io/isva/verify-access-oidc-provider:22.12
22.09    icr.io/isva/verify-access-oidc-provider:22.09

Distributed Session Cache

The Security Verify Access Distributed Session Cache (DSC) Docker image provides the distributed session cache capabilities of Security Verify Access.

ISVA also natively supports Redis as an equivalent to the DSC.

Usage Information.

Modular Version     Container URL and tags
10.0.7              icr.io/isva/verify-access-dsc:10.0.7.0_IF1
                    icr.io/isva/verify-access-dsc:10.0.7.0
10.0.6              icr.io/isva/verify-access-dsc:10.0.6.0_IF1
                    icr.io/isva/verify-access-dsc:10.0.6.0
10.0.5              icr.io/isva/verify-access-dsc:10.0.5.0_IF1
                    icr.io/isva/verify-access-dsc:10.0.5.0
10.0.4              icr.io/isva/verify-access-dsc:10.0.4.0_IF2
                    icr.io/isva/verify-access-dsc:10.0.4.0_IF1
                    icr.io/isva/verify-access-dsc:10.0.4.0_20220912
                    icr.io/isva/verify-access-dsc:10.0.4.0
10.0.3              icr.io/isva/verify-access-dsc:10.0.3.1_20220715
                    icr.io/isva/verify-access-dsc:10.0.3.1_20220517
                    icr.io/isva/verify-access-dsc:10.0.3.1
                    icr.io/isva/verify-access-dsc:10.0.3.0
10.0.2              icr.io/isva/verify-access-dsc:10.0.2.0_IF1
                    icr.io/isva/verify-access-dsc:10.0.2.0
10.0.1 and earlier  N/A

Configuration Container

The Security Verify Access Docker image contains the services which can be used to configure the Security Verify Access environment for Docker.

Lightweight Containers

In versions earlier than 10.0.4, this container could also operate as the web reverse proxy and the AAC and federation runtime. See the Documentation Center for details on migrating to the improved lightweight containers.

Usage Information.

Modular Version     Container URL and tags
10.0.7              icr.io/isva/verify-access:10.0.7.0_IF1
                    icr.io/isva/verify-access:10.0.7.0
10.0.6              icr.io/isva/verify-access:10.0.6.0_IF1
                    icr.io/isva/verify-access:10.0.6.0
10.0.5              icr.io/isva/verify-access:10.0.5.0_IF1
                    icr.io/isva/verify-access:10.0.5.0
10.0.4              icr.io/isva/verify-access:10.0.4.0_IF2
                    icr.io/isva/verify-access:10.0.4.0_IF1
                    icr.io/isva/verify-access:10.0.4.0_20220912
                    icr.io/isva/verify-access:10.0.4.0
10.0.3              icr.io/isva/verify-access:10.0.3.1_20220715
                    icr.io/isva/verify-access:10.0.3.1_20220517
                    icr.io/isva/verify-access:10.0.3.1
                    icr.io/isva/verify-access:10.0.3.0
10.0.2              icr.io/isva/verify-access:10.0.2.0_IF1
                    icr.io/isva/verify-access:10.0.2.0
10.0.1              icr.io/isva/verify-access:10.0.1.0_IF1
                    icr.io/isva/verify-access:10.0.1.0_20210226
                    icr.io/isva/verify-access:10.0.1.0
10.0.0              icr.io/isva/verify-access:10.0.0.1
                    icr.io/isva/verify-access:10.0.0.0_20200810
                    icr.io/isva/verify-access:10.0.0.0_20200723
                    icr.io/isva/verify-access:10.0.0.0

Operator

The Security Verify Access Operator for Kubernetes Deployment.

Usage Information.

Modular Version     Container URL and tags
22.10               icr.io/isva/verify-access-operator-bundle:22.10.0
                    icr.io/isva/verify-access-operator:22.10.0
21.10               icr.io/isva/verify-access-operator-bundle:21.10.0
                    icr.io/isva/verify-access-operator:21.10.0

Snapshot Manager

The Security Verify Access container for snapshot manager.

Modular Version     Container URL and tags
10.0.7              icr.io/isva/verify-access-snapshotmgr:10.0.7.0_IF1
                    icr.io/isva/verify-access-snapshotmgr:10.0.7.0
10.0.6              icr.io/isva/verify-access-snapshotmgr:10.0.6.0_IF1
                    icr.io/isva/verify-access-snapshotmgr:10.0.6.0
10.0.5              icr.io/isva/verify-access-snapshotmgr:10.0.5.0
10.0.4              icr.io/isva/verify-access-snapshotmgr:10.0.4.0
10.0.3              icr.io/isva/verify-access-snapshotmgr:10.0.3.1_IF1
                    icr.io/isva/verify-access-snapshotmgr:10.0.3.1
                    icr.io/isva/verify-access-snapshotmgr:10.0.3.0
10.0.2              icr.io/isva/verify-access-snapshotmgr:10.0.2.0
10.0.1 and earlier  N/A

OpenLDAP

The verify-access-openldap image extends the osixia/openldap Docker image by adding the Security Verify Access "secAuthority=Default" schema and suffix to the registry. This image can be used to quickly build a user registry for use with Security Verify Access in non-production environments.

Usage Information.

Modular Version     Container URL and tags
10.0.6              icr.io/isva/verify-access-openldap:10.0.6.0_IF1
                    icr.io/isva/verify-access-openldap:10.0.6.0
10.0.5              icr.io/isva/verify-access-openldap:10.0.5.0_IF1
                    icr.io/isva/verify-access-openldap:10.0.5.0
10.0.4              icr.io/isva/verify-access-openldap:10.0.4.0_IF2
                    icr.io/isva/verify-access-openldap:10.0.4.0_IF1
                    icr.io/isva/verify-access-openldap:10.0.4.0
10.0.3              icr.io/isva/verify-access-openldap:10.0.3.1_20220715
                    icr.io/isva/verify-access-openldap:10.0.3.1
                    icr.io/isva/verify-access-openldap:10.0.3.0
10.0.2              icr.io/isva/verify-access-openldap:10.0.2.0_IF1
                    icr.io/isva/verify-access-openldap:10.0.2.0
10.0.1              icr.io/isva/verify-access-openldap:10.0.1.0_IF1
                    icr.io/isva/verify-access-openldap:10.0.1.0
10.0.0              icr.io/isva/verify-access-openldap:10.0.0.1
                    icr.io/isva/verify-access-openldap:10.0.0.0

PostgreSQL

The verify-access-postgresql image extends the official postgres Docker image by adding SSL support and the Security Verify Access schema to the image. This image can be used to quickly deploy a database for use with the Federation and Advanced Access Control offerings of Security Verify Access in non-production environments.

Usage Information.

Modular Version     Container URL and tags
10.0.7              icr.io/isva/verify-access-postgresql:10.0.7.0_IF1
                    icr.io/isva/verify-access-postgresql:10.0.7.0
10.0.6              icr.io/isva/verify-access-postgresql:10.0.6.0_IF1
                    icr.io/isva/verify-access-postgresql:10.0.6.0
10.0.5              icr.io/isva/verify-access-postgresql:10.0.5.0_IF1
                    icr.io/isva/verify-access-postgresql:10.0.5.0
10.0.4              icr.io/isva/verify-access-postgresql:10.0.4.0_IF2
                    icr.io/isva/verify-access-postgresql:10.0.4.0_IF1
                    icr.io/isva/verify-access-postgresql:10.0.4.0
10.0.3              icr.io/isva/verify-access-postgresql:10.0.3.1_20220715
                    icr.io/isva/verify-access-postgresql:10.0.3.1
                    icr.io/isva/verify-access-postgresql:10.0.3.0
10.0.2              icr.io/isva/verify-access-postgresql:10.0.2.0_IF1
                    icr.io/isva/verify-access-postgresql:10.0.2.0
10.0.1              icr.io/isva/verify-access-postgresql:10.0.1.0_IF1
                    icr.io/isva/verify-access-postgresql:10.0.1.0
10.0.0              icr.io/isva/verify-access-postgresql:10.0.0.1
                    icr.io/isva/verify-access-postgresql:10.0.0.0

Verifying Image Signatures

From December 2022, all IBM Security Verify Access container images are signed so that their origin and content can be verified.

The following PGP key can be used for verifying IBM Security Verify Access container images.

In the steps that follow, this key is referred to as public.gpg.

From March 2023, use the following PGP key to verify IBM Security Verify Access container images.

Automatic Signature Verification Enforcement

Some container environments can be configured with a policy that enforces signature verification on all images pulled into the environment.

For example, to enable automatic verification of image signatures in a Docker environment, update the /etc/containers/policy.json file to contain the following entries:

{
	"default": [
		{
			"type": "reject"
		}
	],
	"transports": {
		"docker": {
			"icr.io": [
				{
					"type": "signedBy",
					"keyType": "GPGKeys",
					"keyPath": "<path to public.gpg>"
				}
			]
		}
	}
}

Manual Signature Verification

Pre-requisites

Manual signature validation requires gpg2 and skopeo.

  1. Install gpg2, if it is not already installed, by using the following commands:

    • For Debian based systems:
    [demouser@demovm ~]$ sudo apt-get install gnupg2 -y
    
    • For rpm based systems:
    [demouser@demovm ~]$ sudo dnf install gnupg2 -y
    
    • For MacOS systems:
    [demouser@demovm ~]$ brew install gpg2
    
    • Check the version of gpg2 and make sure that it is GPG 2.1 or later.
    [demouser@demovm ~]$ sudo gpg2 --version
    
  2. Install skopeo. Refer to the following link for instructions: Installing Skopeo

    • Check the version of skopeo and make sure that it is version 0.1.40.
    [demouser@demovm ~]$ sudo skopeo --version
    
  3. Import the provided public key public.gpg using the gpg2 command.

    [demouser@demovm ~]$ sudo gpg2 --import <public.gpg>
    gpg: key 0E017555557235834: public key "IBMCodeSignCertSample" imported
    gpg: Total number processed: 1
    gpg:               imported: 1
    
    • Retrieve the fingerprint by using the following command. The fingerprint is E0A1E35393BA0EBE5E5E04220E017EA557235834 in the following example.
    [demouser@demovm ~]$ sudo gpg2 --list-keys
    /home/.gnupg/pubring.kbx
    -------------------------------
    pub   rsa4096 2022-06-21 [SCEA]
        E0A1E35393BA0EBE5E5E04220E017EA557235834
    uid           [ unknown] IBMCodeSignCertSample
    

    From March 2023, import the new public key public.gpg using the gpg2 command.

    [demouser@demovm ~]$ sudo gpg2 --import <public.gpg>
    gpg: key 2895D9827D4F1C1C: public key "IBM Security Verify Sample" imported
    gpg: Total number processed: 1
    gpg:               imported: 1
    
    
    • Retrieve the fingerprint by using the following command. The fingerprint is 2CFC91AD5ADA21966710BE4C2895D9827D4F1C1C in the following example.
    [demouser@demovm ~]$ sudo gpg2 --list-keys
    /home/.gnupg/pubring.kbx
    ------------------------
    pub   rsa4096 2023-03-28 [SCE]
          2CFC91AD5ADA21966710BE4C2895D9827D4F1C1C
    uid           [ unknown] IBM Security Verify Sample
    
    

Procedure

To verify the image signature, download the image using the skopeo command and then validate it using the fingerprint of public.gpg, which was retrieved in the previous steps.

Use skopeo to download the image. The format of the skopeo command is:

skopeo copy docker://<image-tag> dir:<image-dir>

Where:

  • <image-dir> is a local file system path where the image content will be stored.
  • <image-tag> is the complete tag for the image to verify.

For example:

[demouser@demovm ~]$ sudo skopeo copy \
    docker://icr.io/isva/verify-access-oidc-provider:23.03 \
    dir:/home/demouser/tmp/container

Use skopeo to verify the image signature. The format of the skopeo command is:

skopeo standalone-verify <image-dir>/manifest.json <image-tag> <fingerprint> <image-dir>/signature-1

Where:

  • <image-dir> is a local file system path where the image content was stored during the skopeo copy command.
  • <image-tag> is the complete tag of the image pulled during the skopeo copy command.
  • <fingerprint> is the fingerprint of public.gpg.

If the signature is verified successfully, the Signature verified message will be displayed.

For example:

[demouser@demovm ~]$ sudo skopeo standalone-verify /home/demouser/tmp/container/manifest.json \
    icr.io/isva/verify-access-oidc-provider:23.03 \
    2CFC91AD5ADA21966710BE4C2895D9827D4F1C1C \
    /home/demouser/tmp/container/signature-1

Signature verified, digest sha256:5c701fbbf9b63a2db17026cbd5104c234a883cbb81df648185696378a9259bd2
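
The manual procedure above as a single script; this is an added example, not IBM's tooling, and its function names are hypothetical. It accepts only the two fingerprints shown on this page rather than whatever key happens to be in the key file, and prints a digest-pinned reference so that the content deployed is exactly the content that was verified. It assumes the key has already been imported into the invoking user's keyring.

```shell
#!/bin/sh
# Added example: pinned-fingerprint verification for ISVA images.
set -eu

# Fingerprints shown on this page (original key, then the key used from March 2023).
TRUSTED_FPRS="E0A1E35393BA0EBE5E5E04220E017EA557235834 2CFC91AD5ADA21966710BE4C2895D9827D4F1C1C"

# Read `gpg --with-colons` output on stdin and print each primary key's
# fingerprint (the fpr record right after a pub record; subkeys are skipped).
key_fingerprints() {
  awk -F: '$1 == "pub" { want = 1; next }
           $1 == "fpr" && want { print $10; want = 0 }'
}

# Succeed only if $1 is exactly one pinned fingerprint (empty or multi-key input fails).
is_trusted_fpr() {
  for t in $TRUSTED_FPRS; do [ "$1" = "$t" ] && return 0; done
  return 1
}

# Extract the digest from skopeo's "Signature verified ... digest sha256:..." line.
verified_digest() {
  sed -n 's/^Signature verified.*digest \(sha256:[0-9a-f]\{64\}\)$/\1/p'
}

# Turn repo:tag plus a digest into the immutable repo@sha256:... reference.
pinned_ref() {
  printf '%s@%s\n' "${1%:*}" "$2"
}

# Usage: verify_image <image-tag> <public.gpg>
verify_image() (
  tag=$1 keyfile=$2
  # show-only lists the key file's contents without importing anything.
  fpr=$(gpg2 --with-colons --import-options show-only --import "$keyfile" | key_fingerprints)
  is_trusted_fpr "$fpr" || { echo "refusing unpinned key: ${fpr:-none}" >&2; exit 1; }
  dir=$(mktemp -d)
  trap 'rm -rf "$dir"' EXIT
  skopeo copy "docker://$tag" "dir:$dir" >/dev/null
  out=$(skopeo standalone-verify "$dir/manifest.json" "$tag" "$fpr" "$dir/signature-1")
  digest=$(printf '%s\n' "$out" | verified_digest)
  [ -n "$digest" ] || { echo "no verified digest for $tag" >&2; exit 1; }
  pinned_ref "$tag" "$digest"
)

if [ "$#" -ge 2 ]; then verify_image "$@"; fi
```

Deploy the printed repo@sha256 reference instead of the tag; a tag can be repointed after verification, a digest cannot.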