The IBM Security Verify Access OIDC Provider (ISVAOP) image is available from IBM Cloud Container Registry: icr.io/isva/verify-access-oidc-provider:24.06

Download the image using the docker pull command, as below.

docker pull icr.io/isva/verify-access-oidc-provider:24.06

See Software Downloads > Containers for more information.

Pre-requisites

Configuration

The configuration for the container is supplied as YAML files, template files, JavaScript files along with other potential supporting files (e.g. PEM certificate files).

๐Ÿ“˜

Note

Boilerplate YAML configuration is available for download from the Resources Github Repository.

When the container starts, it processes configuration found at '/var/isvaop/config' directory. As such, the configuration for the container will need to be present in this directory before the container is started or mounted as part of startup. This can be achieved by:

  1. Pre-baking the configuration into a new image which is based on the ISVAOP image. A Dockerfile which can be used to create a pre-baked image is shown below:
##
## You can build this image by issuing the following command:
##          docker build -t acme-isvaop:1.0 $PWD
##

## The container is based on the ISVAOP container.
FROM icr.io/isva/verify-access-oidc-provider:24.06

## Copy the configuration files from the data directory
## to the docker image.
COPY data/. /var/isvaop/config/


## Some labels which will be associated with the image.
LABEL maintainer="[email protected]" \
    vendor="ACME"
  1. Placing the configuration information into a Docker volume and then mounting this volume into the Docker container. Information on Docker volumes can be found at: https://docs.docker.com/storage/volumes/;

  2. Placing the configuration information into a local directory on the Docker host and then creating a Bind mount to the Docker container. Information on Docker Bind mounts can be found at: https://docs.docker.com/storage/bind-mounts/.

Ports

The ISVAOP container exposes a single port for each protocol which is enabled for the server. For the HTTPS protocol the 8436 port is exposed, and for the HTTP protocol the 8432 port is exposed. By default, the Docker environment will publish the port to a random port on the Docker host. If a specific port or Docker host IP address is required the '--publish' option should be used with the 'docker run' command.

Quick Start

To start a container using a bind-mounted configuration volume, ports and standard environment variables, use the following command:

[demouser@demovm ~]$ docker run --hostname isvaop-test --name isvaop-test \
    --detach \
    --publish 8436:8436 \
    --volume /home/demouser/isvaop-test:/var/isvaop/config/ \
    icr.io/isva/verify-access-oidc-provider:24.06
    
## Logs are streamed to container stdout
[demouser@demovm ~]$ docker logs -f isvaop-test

Supported Docker Versions

  • This image is officially supported on Docker version v17 and later;
  • Support for older versions is provided on a best-effort basis.

License

The image is covered by the IBM Software License. The license can be viewed directly from the image by executing the following command:

[demouser@demovm ~]$ docker run --rm --entrypoint license icr.io/isva/verify-access-oidc-provider:24.06