License
License usage with IBM Security Verify Access OIDC Provider deployed on Kubernetes
The IBM® License Metric Tool (ILMT) is an application that is provided by IBM to audit licensed products to ensure that licensed software is being used appropriately.
Any IBM Security Verify Access OIDC Provider deployment that is used in a production environment must be licensed. To assist customers, the following information demonstrates how licensing information can be collected for containerized Verify Access OIDC Provider deployments by using the Kubernetes infrastructure.
To ensure IBM Security Verify Access OIDC Provider license compliance by using Kubernetes, customers must take the following steps.
- Deploy the IBM License Metric Tool operator.
- Deploy IBM Security Verify Access with appropriate annotations.
- Verify that license metrics are being collected.
Note
The IBM License Metric Tool is only applicable when a processor-based licensing model (PVU) is in use. It cannot be used to monitor user-based licensing (UVU).
Deploy the IBM License Metric Tool operator
The IBM License Metric Tool container can be deployed by using a Kubernetes Operator that is maintained by IBM. This operator is available here. The IBM License Metric Tool team provides a guide to deploy the operator that uses the Kubernetes cli tool.
After the license service container is running, you can deploy IBM Security Verify Access OIDC Provider container and verify that license audit information is being recorded.
Deploy IBM Security Verify Access OIDC Provider
The license service relies on fixed annotations that are added to deployed pods to report on license usage. For IBM Security Verify Access OIDC Provider (Production), add the following annotations to each deployment descriptor.
| Annotation | Value | Description |
|---|---|---|
| Product name | IBM Security Verify Access Virtual Edition Federation Module AOS | Name of application that is being licensed. |
| Product ID | 13ce5584032a42eab5704711369a11a4 | Internal identifier of the application that is being licensed. |
| Product metric | PROCESSOR_VALUE_UNIT | Metric that is used for license usage calculation. |
| Product charged containers | All | Names of containers that are charged. |
For IBM Security Verify Access OIDC Provider (Non-Production), add the following annotations to each deployment descriptor.
| Annotation | Value | Description |
|---|---|---|
| Product name | IBM Security Verify Access Virtual Edition Federation Module Non-Production AOS | Name of application that is being licensed. |
| Product ID | 01a9d83608044a4687b3d29a0d4d0a35 | Internal identifier of the application that is being licensed. |
| Product metric | PROCESSOR_VALUE_UNIT | Metric that is used for license usage calculation. |
| Product charged containers | All | Names of containers that are charged. |
These annotations must be added to the deployment metadata for each IBM Security Verify Access OIDC Provider container. The following code snippet demonstrates how the required Kubernetes annotations can be added to a deployment.
### ISVAOP Config ###
apiVersion: apps/v1
kind: Deployment
metadata:
name: isvaop
labels:
app: isvaop
spec:
selector:
matchLabels:
app: isvaop
replicas: 1
template:
metadata:
label:
app: isvaop
annotations:
productName: "IBM Security Verify Access Virtual Edition Federation Module AOS"
productId: "13ce5584032a42eab5704711369a11a4"
productMetric: "PROCESSOR_VALUE_UNIT"
productChargedContainers: "All"
. . .
Verify the license server metrics
The Rest API of the license service container must be queried to verify that the container is able to collect the correct license audit data. Detailed information on the API can be found here.
Updated about 1 month ago