Containers

📘

New configuration container

As of version 10.0.8 a new configuration container, verify-access-config replaces the existing verify-access one.
Note that the legacy verify-access container, will not be delivered as part of future IBM Security Verify Access releases.

IBM Security Verify Access containers are available from the IBM Cloud Container Registry:

Production Containers:

• Web Reverse Proxy
  icr.io/isva/verify-access-wrp
• AAC and Federation Runtime
  icr.io/isva/verify-access-runtime
• OpenID Connect Provider
  icr.io/isva/verify-access-oidc-provider
• Distributed Session Cache
  icr.io/isva/verify-access-dsc

Configuration Containers:

• Configuration Container
  icr.io/isva/verify-access-config
• Snapshot Manager
  icr.io/isva/verify-access-snapshotmgr
• Verify Access Operator
  icr.io/isva/verify-access-operator-bundle
  icr.io/isva/verify-access-operator
• Configuration Container (Legacy)
  icr.io/isva/verify-access

Supporting Containers:

• Open LDAP
  icr.io/isva/verify-access-openldap
• Postgres SQL
  icr.io/isva/verify-access-postgresql

IBM Application Gateway:

• IBM Application Gateway
  icr.io/ibmappgateway/ibm-application-gateway
• IBM Application Gateway Operator
  icr.io/ibmappgateway/ibm-application-gateway-operator
  icr.io/ibmappgateway/ibm-application-gateway-operator-bundle
• IBM Application Gateway Demo Resource Server
  icr.io/ibmappgateway/ibm-application-gateway-demo-resource-server

Additional IBM Application Gateway information is documented here.

For more information about IBM Security Verify Access Container Support, see the Documentation Hub.

Web Reverse Proxy

The Security Verify Access Web Reverse Proxy (WRP) Docker image provides the Web Reverse Proxy capabilities of Security Verify Access.

Usage Information.

AAC and Federation Runtime

The Security Verify Access Runtime Docker image provides the Advanced Access Control and Federation capabilities of Security Verify Access.

Usage Information.

OpenID Connect Provider

The Security Verify Access OpenID Connect Provider.

Distributed Session Cache

The Security Verify Access Distributed Session Cache (DSC) Docker image provides the distributed session cache capabilities of Security Verify Access.

ISVA also natively supports Redis as a native DSC equivalent.

Usage Information.

Configuration Container

📝

Configuration Container

This new container replaces the existing verify-access container.

The Security Verify Access Configuration image contains the services that can be used to configure a Security Verify Access container environment.

Usage Information.

Configuration Container (Legacy)

The Security Verify Access image contains the services that can be used to configure a Security Verify Access container environment.

📝

Configuration Container (Legacy)

This container is superseded by the new lightweight verify-access-config container in version 10.0.8. Future versions of Verify Access will not include the verify-access container and verify-access-config must be used instead.
In versions earlier than 10.0.4, this container can also operate as the web reverse proxy and the AAC and federation runtime. For more information, see the Documentation Center for details on migrating to the improved lightweight containers)

Usage Information.

Operator

The Security Verify Access Operator for Kubernetes Deployment.

Usage Information.

Snapshot Manager

The Security Verify Access container for snapshot manager.

OpenLDAP

The verify-access-openldap image extends the osixia/openldap Docker image by adding the Security Verify Access "secAuthority=Default" schema and suffix to the registry. This image can be used to quickly build a user registry for use with Security Verify Access in non-production environments.

Usage Information.

PostgreSQL

The verify-access-postgresql image extends the official postgres Docker image by adding SSL support and the Security Verify Access schema to the image. This image can be used to quickly deploy a database for use with the Federation and Advanced Access Control offerings of Security Verify Access in non-production environments.

Usage Information.

Verifying Image Signatures

From December 2022, all IBM Security Verify Access container images are signed so that their origin and content can be verified.

The following PGP key can be used for verifying IBM Security Verify Access container images.

In the steps that follow, this key is referred to as public.gpg.

-----BEGIN PGP PUBLIC KEY BLOCK-----

mQINBGKxCgABEADH8H3skpjrOFvaOIm39tc2DcP4UhfeZxc36eQRKuWYCFtcC8RC
8Rdt2N9vxItRR35UHWFswuyJVFie/YgYFRW93JqApSE3qvEmzB7dUofeSyeYsiXU
VxziYZbPHCOI9GD8TQs1dG+SvTg23FGFbEweGcDvRbmEWM6o+eT9SotPlr+GApmN
g5LmR6V0K8WFG03BopZeqyky4hCgyoMGh1dqaU0kKwFOs6Zn0Dny6byPJJFpiQz2
yuINsInazGMywh6SwB1MAIoLAyiIPVKEAOCr/KRmLFU1tBFk5zafkaLOLk3jzql3
O33ldIH7ZYt6qdFxEuuiClklHXnWLI3hn3EZZ4HALuBrSU3njuTuERLs1YWq5BmS
xP8yASmKmYD0eeXXwOJtG7xmPNaABfhuXjzCI8KodQiBHrU1KXfvFu1m0308cXUl
IjRCMKwBjX/+JMKokFIc1iWYw6pvFsFlHXzCryCNMMkXGAhKuwcubKxFoNdjv1Fw
cq7iw6KSQPOxTGf8L3jPze81WhLIGDaRwgENK4iVxmY1AuzuWKfGsGeCRqMP8i3c
GeEMyTqmbAFtbB81EgWPTcOB0nBF9xqKSUphIog0UBkEVhVH2Le3/xT2nGIuVcCP
ch8W6+ZNVY/SnHLZFGKznPoWfAg7NaloZHQPYaSGYtYJw47R2hErASc18QARAQAB
tBRJQk1Db2RlU2lnbkNlcnRCMDYyMokCOQQTAQgAIwUCYrEKAAIbLwcLCQgHAwIB
BhUIAgkKCwQWAgMBAh4BAheAAAoJEA4BfqVXI1g0IOcQAI8Uz7BJh0XsC44U2a+F
0xWvN9Iy8agyiWB13MGPNEK10Aap6TMAYx89Fkl96VXf2f9+zRUauIbR6MiJnsAw
7Pvv9u6vw8tspEKgceosW5RprtKN0yyHCWUsmsYA8dWudLSauZgIZo2LR7gsz5Xe
U3C8g3Q5vFuHHESANIKLgoTUPKj3+arWR0ZZqMM/F6Ls457FZBplsf/3KFETmeMb
OUzxUxC8k5Ez8ygNFLqtM5wHATcgGZMCDghAiZdZ7RcO46+MSnunrKQZBOHBdFSc
YPmb2u2wk7wo4aLvtjLcsitRcjhDgeWxnzLChbA2Gec9d8SU6E97BwkFeb/J08Tz
zFgKEdw9yGoZUE4qPa3E6tk8u9eP/ffPmtjXZ+A08dpi1wbnd2/EkA06hC/nD28L
hyTeKnL8HxbDgbU3yY22vVRJoG4mF6cEWsvin+X3d2X2+CJRuw8c+jyP4Qk30rQT
B1v5/0UZG191ENyUqUAREcBNEKm99dlqaxKcTrD08C8p2rB961v/MJDw27FExQrz
rf2w9wr5Hv4jMWY7lkityS0hfGp1wi63cRhhAJ1QY6V/5LDesgFpXmfl4tKIpkV1
xEDlteYX8VZj5ht7w14zohAl516GHJuKVL2To9Swe98U+/x+1eDxb28hT2PqbCr9
jBnteIsLzl4hCi86VcI1vpmZ
=49Ad
-----END PGP PUBLIC KEY BLOCK-----

From March 2023, use the following PGP key to verify IBM Security Verify Access container images.

-----BEGIN PGP PUBLIC KEY BLOCK-----

mQINBGQi5+YBEAC5xD1R8ui5UKrsoIZv3CPWanF+iM2v4MIsQ5aHDfjU4ILOX3KI
WSSaam+p3wCHC58WXD/M6RAIDgMQs2unbMpdymxp0jlZ5mtuJ84V+jwn1s7cDal1
frjyI0tFrCUh6ZnnwL5/X28BFnvkERwUUp5r3QXdNQLXn/WaZeXanuV9Go8GjiBc
ic82Sbeb/n0/j0Cw6qRsMlsJwc5xVgqoRYhMKFodcvI6+/mZbtHy5907p2rZpjAu
9aOQt2qbxPruQj6g4WYI+gv07pNuiH7lIZMhYoudOh31L3K4xwepdm+9n45o48py
hxXtr8WASMzk3YdJUJ6s+9jSjWtLxLHXxt/TB30Q0rDRYIRcC5gIlp2NnOWLYkCd
Z5DvJHKxvhdb5DM8WAtnpo/oErMMbhpS0qs0o8tY9tjA3iGYxBQfuwvBVrOoz6l7
sGlgBayYwFGoKQO/jNcHy/ZjgwXTc9htJ39O/7G2wftZ+EEdV7W7FXWKC4Jnlle1
AnyPvrSq4b+pEAAHIwcn3WOEjKX5JQCN/RhOmWypckZXRCaOPFYkrQ6sTNAvrkJl
oxI88dnOG1Djq0M9ugFuPuAV7WCfP92hnUnln8b6+qNRJIzJmW7U+SoHI5nezE5p
HkHn2f9ZJRqxSXnGtmjCkNVrX0ky2OI/a9FutQMJivt+HhMU9yacMlfbPwARAQAB
tCZJQk0gU2VjdXJpdHkgVmVyaWZ5IDxwc2lydEB1cy5pYm0uY29tPokCOgQTAQgA
JAUCZCLn5gIbDwULCQgHAgYVCgkICwIEFgIDAQIeAQUJAAAAAAAKCRAoldmCfU8c
HH8UD/kBzVtaea0Yy2Hl0V/I6thYN8hLbBWoZkCTLyZfP19r/ZvHKoqxzyQ/8dC9
xeQjNfobFtXVRSmeUEfikgM3QbV1nbIk+pl30Ck9GkNIoEdvEKKTlvgyi1ZJ0d60
CDw6hE6BY4rjQIRoHpRbWDq674A8gekAUl3pS0tPgMKHPkZkTzdFzZm9vOcAhLP+
h+NhVIGCG5VPegNhrTel77ubhhk5eIIJsX/PM1YgRC9hAljrir5DUQFRsc1OBj57
6i3ObkwmN8DY8smakqLj78gmeU5wWq4WH72527JwevBNzfFArg9tA2aEOeUaoFPy
KhDXARQmIAcpvs3iO753GVcDLOPClGjCWs3b50yy2adY34aYE7ElRcop4jt9GBn7
PbPSDJ9+CGWd2leZen+RmyGrW1v2uCjQzV5ZJz4Ky8iU4EVse+ttQZSOrH1MxRk8
16Cx0axb34mRKuFEVFxHNkNLecszfe2xYExRdTvp8Yc0In3m38tHt3mF2Kh5bzjf
DxXD8YLDYsMWNxBVk1jrhSYR7j8taKdeFzAhtm7Ezp1E0iEm9r0mNYwBVLOkD4PG
PaBFwhP1n80lGa3TpOvE23P6b6UkcL5qHVwVIaiUp1jz+ye1tO/B0hIPdF1kYDt0
dGmqCEMXGzFzxfNUzZsKV9fcxl9kHM0EZ03wB5XiOrrhyYC/5Q==
=X68Z
-----END PGP PUBLIC KEY BLOCK-----

Automatic Signature Verification Enforcement

Some container environments can be configured with policy that enforces signature verification on all images that are pulled into the environment.

For example, in a Docker environment to enable automatic verification of image signatures, update the /etc/containers/policy.json file to contain the following entries:

{
	"default": [
		{
			"type": "reject"
		}
	],
	"transports": {
		"docker": {
			"icr.io": [
				{
					"type": "signedBy",
					"keyType": "GPGKeys",
					"keyPath": "<path to public.gpg>"
				}
			]
		}
	}
}

Manual Signature Verification

Pre-requisites

Manual signature validation requires gpg2 and skopeo

1. Install gpg2 if it is not already installed, by using the following commands

   • For Debian-based systems:
   Shell

   [demouser@demovm ~]$ sudo apt-get install gnupg2 -y
   

   • For rpm based systems:
   Shell

   [demouser@demovm ~]$ sudo dnf install gnupg2 -y
   

   • For MacOS systems:
   Shell

   [demouser@demovm ~]$ brew install gpg2
   

   • Check the version of gpg2, make sure its GPG 2.1 or later.
   Shell

   [demouser@demovm ~]$ sudo gpg2 --version
   

2. Install skopeo, refer to the following link for instructions: Installing Skopeo

   • Check the version of skopeo, make sure that it is version 0.1.40.
   Shell

   [demouser@demovm ~]$ sudo skopeo --version
   

3. Import the provided public key public.gpg using the gpg2 command.

   Shell

   [demouser@demovm ~]$ sudo gpg2 --import <public.gpg>
   gpg: key 0E017555557235834: public key "IBMCodeSignCertSample" imported
   gpg: Total number processed: 1
   gpg:               imported: 1
   

   • Retrieve the fingerprint by using the following command. The fingerprint is E0A1E35393BA0EBE5E5E04220E017EA557235834 in the following example.
   Shell

   [demouser@demovm ~]$ sudo gpg2 --list-keys
   /home/.gnupg/pubring.kbx
   -------------------------------
   pub   rsa4096 2022-06-21 [SCEA]
       E0A1E35393BA0EBE5E5E04220E017EA557235834
   uid           [ unknown] IBMCodeSignCertSample
   

   From March 2023, Import the new public key public.gpg using the gpg2 command.

   Shell

   [demouser@demovm ~]$ sudo gpg2 --import <public.gpg>
   gpg: key 2895D9827D4F1C1C: public key "IBM Security Verify Sample" imported
   gpg: Total number processed: 1
   gpg:               imported: 1
   
   

   • Retrieve the fingerprint by using the following command. The fingerprint is 2CFC91AD5ADA21966710BE4C2895D9827D4F1C1C in the following example.
   Shell

   [demouser@demovm ~]$ sudo gpg2 --list-keys
   /home/.gnupg/pubring.kbx
   ------------------------
   pub   rsa4096 2023-03-28 [SCE]
         2CFC91AD5ADA21966710BE4C2895D9827D4F1C1C
   uid           [ unknown] IBM Security Verify Sample
   
   

Procedure

To verify the image signature, download the image by using the skopeo command and then validate it using the fingerprint of public.pgp which was retrieved in the previous steps.

Use skopeo to download the image. The format of the skopeo command is:

skopeo copy docker://<image-tag> dir:<image-dir>

Where:

• <image-dir> is a local file system path where the image content is stored.
• <image-tag> is the complete tag for the image to verify.

For example:

[demouser@demovm ~]$ sudo skopeo copy \
    docker://icr.io/isva/verify-access-oidc-provider:23.03 \
    dir:/home/demouser/tmp/container

Use skopeo to verify the image signature. The format of the skopeo command is:

skopeo standalone-verify <image-dir>/manifest.json <image-tag> <fingerprint> <image-dir>/signature

Where:

• <image-dir> is a local file system path where the image content was stored during the skopeo copy command.
• <image-tag> is the complete tag of the image pulled during the skopeo copy command.
• <fingerprint> is the fingerprint of public.pgp.

If the signature is verified successfully, the Signature verified message is displayed.

For example:

[demouser@demovm ~]$ sudo skopeo standalone-verify /home/demouser/tmp/container/manifest.json \
    icr.io/isva/verify-access-oidc-provider:23.03 \
    2CFC91AD5ADA21966710BE4C2895D9827D4F1C1C \
    /home/demouser/tmp/container/signature-1

Signature verified, digest sha256:5c701fbbf9b63a2db17026cbd5104c234a883cbb81df648185696378a9259bd2