License usage with IBM Security Verify Access OIDC Provider deployed on Kubernetes

The IBM® License Metric Tool (ILMT) is an application that is provided by IBM to audit licensed products to ensure that licensed software is being used appropriately.

Any IBM Security Verify Access OIDC Provider deployment that is used in a production environment must be licensed. To assist customers, the following information demonstrates how licensing information can be collected for containerized Verify Access OIDC Provider deployments by using the Kubernetes infrastructure.
To ensure IBM Security Verify Access OIDC Provider license compliance by using Kubernetes, customers must take the following steps.

  • Deploy the IBM License Metric Tool operator.
  • Deploy IBM Security Verify Access with appropriate annotations.
  • Verify that license metrics are being collected.

Note: The IBM License Metric Tool is only applicable when a processor-based licensing model (PVU) is in use. It cannot be used to monitor user-based licensing (UVU).

Deploy the IBM License Metric Tool operator

The IBM License Metric Tool container can be deployed by using a Kubernetes Operator that is maintained by IBM. This operator is available here. The IBM License Metric Tool team provides a guide to deploying the operator with the Kubernetes CLI tool.

After the license service container is running, you can deploy the IBM Security Verify Access OIDC Provider container and verify that license audit information is being recorded.

Deploy IBM Security Verify Access OIDC Provider

The license service relies on fixed annotations that are added to deployed pods to report on license usage. For IBM Security Verify Access OIDC Provider (Production), add the following annotations to each deployment descriptor.

| Annotation | Value | Description |
|---|---|---|
| Product name | IBM Security Verify Access Virtual Edition Federation Module AOS | Name of application that is being licensed. |
| Product ID | 13ce5584032a42eab5704711369a11a4 | Internal identifier of the application that is being licensed. |
| Product metric | PROCESSOR_VALUE_UNIT | Metric that is used for license usage calculation. |
| Product charged containers | All | Names of containers that are charged. |

For IBM Security Verify Access OIDC Provider (Non-Production), add the following annotations to each deployment descriptor.

| Annotation | Value | Description |
|---|---|---|
| Product name | IBM Security Verify Access Virtual Edition Federation Module Non-Production AOS | Name of application that is being licensed. |
| Product ID | 01a9d83608044a4687b3d29a0d4d0a35 | Internal identifier of the application that is being licensed. |
| Product metric | PROCESSOR_VALUE_UNIT | Metric that is used for license usage calculation. |
| Product charged containers | All | Names of containers that are charged. |

These annotations must be added to the pod template metadata (spec.template.metadata.annotations) of the deployment for each IBM Security Verify Access OIDC Provider container, so that every pod the deployment creates carries them. The following code snippet demonstrates how the required Kubernetes annotations can be added to a deployment.

```yaml
### ISVAOP Config ###
apiVersion: apps/v1
kind: Deployment
metadata:
  name: isvaop
  labels:
    app: isvaop
spec:
  selector:
    matchLabels:
      app: isvaop
  replicas: 1
  template:
    metadata:
      labels:  # must match spec.selector.matchLabels
        app: isvaop
      annotations:  # license annotations are read from the pods, so they go on the pod template
        productName: "IBM Security Verify Access Virtual Edition Federation Module AOS"
        productId: "13ce5584032a42eab5704711369a11a4"
        productMetric: "PROCESSOR_VALUE_UNIT"
        productChargedContainers: "All"
    # . . .
```
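A check for the annotations listed above, as an added example that is not part of IBM's documentation: it reads the output of `kubectl get deployment -o json` and reports annotations that are missing, carry the other edition's values, or sit on the Deployment metadata instead of the pod template. The function names and the sample deployments are constructed for illustration.

```python
import json

# Required pod annotations, copied from the two tables on this page.
COMMON = {"productMetric": "PROCESSOR_VALUE_UNIT", "productChargedContainers": "All"}
REQUIRED = {
    "production": dict(COMMON,
        productName="IBM Security Verify Access Virtual Edition Federation Module AOS",
        productId="13ce5584032a42eab5704711369a11a4"),
    "non-production": dict(COMMON,
        productName="IBM Security Verify Access Virtual Edition Federation Module Non-Production AOS",
        productId="01a9d83608044a4687b3d29a0d4d0a35"),
}

def check_deployment(deploy, edition):
    """Return a list of license-annotation problems for one Deployment object."""
    template_meta = deploy.get("spec", {}).get("template", {}).get("metadata", {})
    pod_ann = template_meta.get("annotations") or {}
    top_ann = deploy.get("metadata", {}).get("annotations") or {}
    problems = []
    for key, want in REQUIRED[edition].items():
        if key in pod_ann:
            if pod_ann[key] != want:
                problems.append(f"{key}: expected {want!r}, found {pod_ann[key]!r}")
        elif key in top_ann:
            # Deployment-level annotations are not copied to the pods it creates.
            problems.append(f"{key}: on Deployment metadata, not on spec.template.metadata")
        else:
            problems.append(f"{key}: missing")
    return problems

def check_all(kubectl_json, edition):
    """Check `kubectl get deployment ... -o json` output (one object or a List)."""
    doc = json.loads(kubectl_json)
    items = doc["items"] if doc.get("kind") == "List" else [doc]
    return {d["metadata"]["name"]: check_deployment(d, edition) for d in items}

def _deployment(name, pod_ann, top_ann=None):
    # Builds a constructed (hypothetical) Deployment object for the sample below.
    return {"kind": "Deployment", "metadata": {"name": name, "annotations": top_ann or {}},
            "spec": {"template": {"metadata": {"annotations": pod_ann}}}}

# Constructed sample: correct, wrong-edition values, and misplaced annotations.
SAMPLE = json.dumps({"kind": "List", "items": [
    _deployment("isvaop", REQUIRED["production"]),
    _deployment("isvaop-test", REQUIRED["non-production"]),
    _deployment("isvaop-misplaced", {}, REQUIRED["production"]),
]})

if __name__ == "__main__":
    for name, problems in check_all(SAMPLE, "production").items():
        print(name, "OK" if not problems else problems)
```

Against a live cluster, pass the JSON produced by `kubectl get deployment -o json` to `check_all` in place of `SAMPLE`.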

Verify the license server metrics

The REST API of the license service container must be queried to verify that the container is able to collect the correct license audit data. Detailed information on the API can be found here.