Deployment Considerations

When you deploy The IBM Security Verify Access OIDC Provider, consider the following points.

IBM Security Verify Access OIDC Provider must be hosted in a secure network zone and not visible to the public zone. It is only routed through Verify Access Web Reverse Proxy.
All non-TLS communication must be disabled. Enable TLS-only communication between IBM Security Verify Access OIDC Provider and data layer components such as Security Verify Access runtime database, LDAP and Redis.
Security Verify Access runtime database must be hosted in a secure network zone and not be routable from the internet.
Use a highly available solution for the external Runtime Database. This service is critical to Security Verify Access OIDC Provider operation.
If external session storage is used, in the form of the Runtime Database or Redis, it must be hosted in a secure network zone and not be accessible directly from the public zone.
Use an external logging server or service to store logs. ISVAOP streams logs into the container standard output (stdout).
Keep the host systems and Docker up to date.
Run the Security Verify Access OIDC Provider as a non-root user.

High Availability Considerations

When you deploy The IBM Security Verify Access OIDC Provider for high availability, consider the following points.

Use Redis or Runtime Database as session storage. Redis is preferred given it is highly performant and provides automated cleanup of expired data.
In-memory session storage is not recommended. If it is used, modify the ISVAOP junction to be Stateful. See https://www.ibm.com/docs/en/sva/10.0.5?topic=junctions-configuration-stateful.

For ingress controls, ensure that only required pods and services are exposed.
For egress controls, ensure that outbound accesses are given for required pods only and that ports, protocol, and destinations are limited whenever possible.
For Inter-pod controls, allow only flows between specific pods or groups of pods that are required to communicate as part of normal operations.