Downloading Certified Container images from IBM Entitled Registry
You can pull the Sterling B2B Integrator or Sterling File Gateway Certified Container images from IBM Entitled Registry into the cluster or download and load the images using Passport Advantage archives.
- IBM® Sterling B2B Integrator v6.1.0.0 Certified Container
  - cp.icr.io/cp/ibm-b2bi/b2bi:6.1.0.0
  - cp.icr.io/cp/ibm-b2bi/b2bi-purge:6.1.0.0
  - cp.icr.io/cp/ibm-b2bi/b2bi-ps:6.1.0.0
- IBM Sterling File Gateway v6.1.0.0 Certified Container
  - cp.icr.io/cp/ibm-sfg/sfg:6.1.0.0
  - cp.icr.io/cp/ibm-sfg/sfg-purge:6.1.0.0
  - cp.icr.io/cp/ibm-sfg/sfg-ps:6.1.0.0
- IBM Sterling B2B Integrator v6.1.0.1 Certified Container
  - cp.icr.io/cp/ibm-b2bi/b2bi:6.1.0.1
  - cp.icr.io/cp/ibm-b2bi/b2bi-purge:6.1.0.1
  - cp.icr.io/cp/ibm-b2bi/b2bi-ps:6.1.0.1
- IBM Sterling File Gateway v6.1.0.1 Certified Container
  - cp.icr.io/cp/ibm-sfg/sfg:6.1.0.1
  - cp.icr.io/cp/ibm-sfg/sfg-purge:6.1.0.1
  - cp.icr.io/cp/ibm-sfg/sfg-ps:6.1.0.1
- IBM Sterling B2B Integrator v6.1.0.2 Certified Container
  - cp.icr.io/cp/ibm-b2bi/b2bi:6.1.0.2
  - cp.icr.io/cp/ibm-b2bi/b2bi-purge:6.1.0.2
  - cp.icr.io/cp/ibm-b2bi/b2bi-ps:6.1.0.2
- IBM Sterling File Gateway v6.1.0.2 Certified Container
  - cp.icr.io/cp/ibm-sfg/sfg:6.1.0.2
  - cp.icr.io/cp/ibm-sfg/sfg-purge:6.1.0.2
  - cp.icr.io/cp/ibm-sfg/sfg-ps:6.1.0.2
- IBM Sterling B2B Integrator v6.1.0.3 Certified Container
  - cp.icr.io/cp/ibm-b2bi/b2bi:6.1.0.3
  - cp.icr.io/cp/ibm-b2bi/b2bi-purge:6.1.0.3
  - cp.icr.io/cp/ibm-b2bi/b2bi-ps:6.1.0.3
- IBM Sterling File Gateway v6.1.0.3 Certified Container
  - cp.icr.io/cp/ibm-sfg/sfg:6.1.0.3
  - cp.icr.io/cp/ibm-sfg/sfg-purge:6.1.0.3
  - cp.icr.io/cp/ibm-sfg/sfg-ps:6.1.0.3
- IBM Sterling B2B Integrator v6.1.0.4 Certified Container
  - cp.icr.io/cp/ibm-b2bi/b2bi:6.1.0.4
  - cp.icr.io/cp/ibm-b2bi/b2bi-purge:6.1.0.4
  - cp.icr.io/cp/ibm-b2bi/b2bi-ps:6.1.0.4
- IBM Sterling File Gateway v6.1.0.4 Certified Container
  - cp.icr.io/cp/ibm-sfg/sfg:6.1.0.4
  - cp.icr.io/cp/ibm-sfg/sfg-purge:6.1.0.4
  - cp.icr.io/cp/ibm-sfg/sfg-ps:6.1.0.4
- IBM Sterling B2B Integrator v6.1.0.4_1 Certified Container
  - cp.icr.io/cp/ibm-b2bi/b2bi:6.1.0.4_1
  - cp.icr.io/cp/ibm-b2bi/b2bi-purge:6.1.0.4_1
  - cp.icr.io/cp/ibm-b2bi/b2bi-ps:6.1.0.4_1
- IBM Sterling File Gateway v6.1.0.4_1 Certified Container
  - cp.icr.io/cp/ibm-sfg/sfg:6.1.0.4_1
  - cp.icr.io/cp/ibm-sfg/sfg-purge:6.1.0.4_1
  - cp.icr.io/cp/ibm-sfg/sfg-ps:6.1.0.4_1
- IBM Sterling B2B Integrator v6.1.0.5 Certified Container
  - cp.icr.io/cp/ibm-b2bi/b2bi:6.1.0.5
  - cp.icr.io/cp/ibm-b2bi/b2bi-purge:6.1.0.5
  - cp.icr.io/cp/ibm-b2bi/b2bi-ps:6.1.0.5
- IBM Sterling File Gateway v6.1.0.5 Certified Container
  - cp.icr.io/cp/ibm-sfg/sfg:6.1.0.5
  - cp.icr.io/cp/ibm-sfg/sfg-purge:6.1.0.5
  - cp.icr.io/cp/ibm-sfg/sfg-ps:6.1.0.5
- IBM Sterling B2B Integrator v6.1.0.5_1 Certified Container
  - cp.icr.io/cp/ibm-b2bi/b2bi:6.1.0.5_1
  - cp.icr.io/cp/ibm-b2bi/b2bi-purge:6.1.0.5_1
  - cp.icr.io/cp/ibm-b2bi/b2bi-ps:6.1.0.5
- IBM Sterling File Gateway v6.1.0.5_1 Certified Container
  - cp.icr.io/cp/ibm-sfg/sfg:6.1.0.5_1
  - cp.icr.io/cp/ibm-sfg/sfg-purge:6.1.0.5_1
  - cp.icr.io/cp/ibm-sfg/sfg-ps:6.1.0.5_1
- IBM Sterling B2B Integrator v6.1.0.5_2 Certified Container
  - cp.icr.io/cp/ibm-b2bi/b2bi:6.1.0.5_2
  - cp.icr.io/cp/ibm-b2bi/b2bi-purge:6.1.0.5_2
  - cp.icr.io/cp/ibm-b2bi/b2bi-ps:6.1.0.5_2
- IBM Sterling File Gateway v6.1.0.5_2 Certified Container
  - cp.icr.io/cp/ibm-sfg/sfg:6.1.0.5_2
  - cp.icr.io/cp/ibm-sfg/sfg-purge:6.1.0.5_2
  - cp.icr.io/cp/ibm-sfg/sfg-ps:6.1.0.5_2
- IBM Sterling B2B Integrator v6.1.0.6 Certified Container
  - cp.icr.io/cp/ibm-b2bi/b2bi:6.1.0.6
  - cp.icr.io/cp/ibm-b2bi/b2bi-purge:6.1.0.6
  - cp.icr.io/cp/ibm-b2bi/b2bi-ps:6.1.0.6
- IBM Sterling File Gateway v6.1.0.6 Certified Container
  - cp.icr.io/cp/ibm-sfg/sfg:6.1.0.6
  - cp.icr.io/cp/ibm-sfg/sfg-purge:6.1.0.6
  - cp.icr.io/cp/ibm-sfg/sfg-ps:6.1.0.6
- IBM Sterling B2B Integrator v6.1.0.7 Certified Container
  - cp.icr.io/cp/ibm-b2bi/b2bi:6.1.0.7
  - cp.icr.io/cp/ibm-b2bi/b2bi-purge:6.1.0.7
  - cp.icr.io/cp/ibm-b2bi/b2bi-ps:6.1.0.7
- IBM Sterling File Gateway v6.1.0.7 Certified Container
  - cp.icr.io/cp/ibm-sfg/sfg:6.1.0.7
  - cp.icr.io/cp/ibm-sfg/sfg-purge:6.1.0.7
  - cp.icr.io/cp/ibm-sfg/sfg-ps:6.1.0.7
- IBM Sterling B2B Integrator v6.1.0.8 Certified Container
  - cp.icr.io/cp/ibm-b2bi/b2bi:6.1.0.8
  - cp.icr.io/cp/ibm-b2bi/b2bi-purge:6.1.0.8
  - cp.icr.io/cp/ibm-b2bi/b2bi-ps:6.1.0.8
- IBM Sterling File Gateway v6.1.0.8 Certified Container
  - cp.icr.io/cp/ibm-sfg/sfg:6.1.0.8
  - cp.icr.io/cp/ibm-sfg/sfg-purge:6.1.0.8
  - cp.icr.io/cp/ibm-sfg/sfg-ps:6.1.0.8
- Ensure that you have obtained the Entitlement key.
  - Log in to MyIBM Container Software Library with the IBM ID and password that are associated with the entitled software. If you are not directed to the entitlement page, click Get an entitlement key and obtain the Entitlement Key.
  - In the Entitlement key section, click Copy key to copy the entitlement key to the clipboard.
  - Save the Entitlement Key to a safe location for later use.
  To confirm that your Entitlement Key is valid, click View library on the left of the page. You can view the list of products that you are entitled to. If Sterling B2B Integrator or Sterling File Gateway is not listed, or if the View library link is disabled, the identity with which you are logged in to the container library does not have an entitlement for Sterling B2B Integrator or Sterling File Gateway. In this case, the Entitlement Key is not valid for installing the software.
- Set Entitled Registry information by completing the following steps:
  - Run export commands that set ENTITLED_REGISTRY to cp.icr.io.
  - Set ENTITLED_REGISTRY_USER to cp.
  - Set ENTITLED_REGISTRY_KEY to the entitlement key that you saved to a safe location.
- Optional. Log in to Entitled Registry using the following docker login command to validate the Entitled Registry credentials:
      docker login "$ENTITLED_REGISTRY" -u "$ENTITLED_REGISTRY_USER" -p "$ENTITLED_REGISTRY_KEY"
- Run the following command to create a Docker pull Secret for pulling the images from IBM Entitled Registry:
      kubectl create secret docker-registry <secret name> --docker-username="cp" --docker-password="<Entitled registry API key>" --docker-email="<email address>" --docker-server="cp.icr.io" -n <namespace>
- Update the service account or Helm Chart image pull secret configurations with the above Secret name.
- Follow these steps to download and push images to an OpenShift or a local image registry.
  - Download the image using the docker or podman pull command.
        docker pull cp.icr.io/cp/ibm-b2bi/b2bi:6.1.0.0
        podman pull cp.icr.io/cp/ibm-b2bi/b2bi:6.1.0.0
  - Tag the downloaded image with the correct local or OpenShift registry.
        docker tag <imageid> <registry URL>:<tag>
        podman tag <imageid> <registry URL>:<tag>
  - Push the Docker image using the docker or podman push command.
        docker push <registry URL>:<tag>
        podman push <registry URL>:<tag>
Image signature verification
You can verify and ensure only IBM signed images are pulled in your environment by setting up image signature verification.
Prerequisites
- Ensure access to Entitled Registry (ER).
- Ensure Skopeo package is installed from GitHub.
- Ensure a local image repository is available to pull the image from ER.
- Download and extract the container image_sign.zip file.
The zip file contains:
- b2bpublickey.gpg - Public key used to verify the signature of the container image.
- certificate.pem and chain0.pem - Certificate chain used to verify the validity of the certificate used to sign the container image.
Setting up automatic signature enforcement
Perform the following steps to set up automatic signature verification:
- Make the required changes in the /etc/containers/policy.json file. Set "default" : "type" as reject and add an entry for the ER repository in "transports".
      {
        "default": [ { "type": "reject" } ],
        "transports": {
          "docker": {
            "cp.icr.io/cp/ibm-b2bi/b2bi": [
              { "type": "signedBy", "keyType": "GPGKeys", "keyPath": "<b2bpublickey.gpg>" }
            ]
          }
        }
      }
  Note: To extract older unsigned images in your environment, change the policy.json to set "type":"insecureAcceptAnything" for ER repository, as shown below.
      {
        "default": [ { "type": "insecureAcceptAnything" } ],
        "transports": {
          "docker": {
            "cp.icr.io/cp/ibm-b2bi/b2bi": [
              { "type": "insecureAcceptAnything" }
            ]
          }
        }
      }
- Execute the following command to pull the image from ER to your internal Docker repository.
      skopeo copy docker://cp.icr.io/cp/ibm-b2bi/b2bi:<tag> docker://<local_repository>:<tag> --src-creds iamapikey:key --dest-creds username:password
  For example,
      skopeo copy docker://cp.icr.io/cp/ibm-b2bi/b2bi:6.1.0.3 docker://dockerrepo:5000/b2bi:6.1.0.3 --src-creds iamapikey:key --dest-creds myuser:mypwd
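Added example (not IBM's code): a small resolver that applies the enforcing policy above to image names listed on this page and reports which scope governs each one. It simplifies containers-policy.json matching by ignoring wildcard host scopes, and the keyPath value is a placeholder.

```python
import json

# Signature-enforcing policy from this page; keyPath is a constructed placeholder.
POLICY = json.loads("""
{"default": [{"type": "reject"}],
 "transports": {"docker": {"cp.icr.io/cp/ibm-b2bi/b2bi": [
     {"type": "signedBy", "keyType": "GPGKeys",
      "keyPath": "/path/to/b2bpublickey.gpg"}]}}}
""")


def candidate_scopes(image):
    """Scopes tried for a docker reference, most specific first."""
    repo = image.split("@")[0]
    if ":" in repo.rsplit("/", 1)[-1]:      # drop the tag, keep a host port
        repo = repo.rsplit(":", 1)[0]
    scopes = [image] if image != repo else []
    parts = repo.split("/")
    # Matching is per path component: ".../b2bi" does not cover ".../b2bi-purge".
    scopes += ["/".join(parts[:n]) for n in range(len(parts), 0, -1)]
    return scopes + [""]                    # "" is the per-transport default


def effective_requirements(policy, image, transport="docker"):
    """Return (matched scope, requirement list) that governs one image."""
    scoped = policy.get("transports", {}).get(transport, {})
    for scope in candidate_scopes(image):
        if scope in scoped:
            return scope, scoped[scope]
    return "default", policy["default"]


def audit(policy, images):
    """Classify each image as 'verified', 'rejected' or 'unverified'."""
    verdicts = {}
    for image in images:
        _, reqs = effective_requirements(policy, image)
        types = {req["type"] for req in reqs}
        if "reject" in types:               # every requirement must pass
            verdicts[image] = "rejected"
        elif types & {"signedBy", "sigstoreSigned"}:
            verdicts[image] = "verified"
        else:
            verdicts[image] = "unverified"  # only insecureAcceptAnything
    return verdicts


if __name__ == "__main__":
    repos = ["ibm-b2bi/b2bi", "ibm-b2bi/b2bi-purge", "ibm-b2bi/b2bi-ps"]
    for image, verdict in audit(POLICY, [f"cp.icr.io/cp/{r}:6.1.0.3" for r in repos]).items():
        print(f"{verdict:10} {image}")
```

With the single-repository entry shown above, b2bi-purge and b2bi-ps resolve to the default reject rule, so each repository you pull needs its own scope entry (or a parent scope) before it can be pulled under this policy.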
Verifying signature manually
- Import the public key from the IBM package to the customer on-premises keyring and note the fingerprint.
      sudo gpg2 --import <b2bpublickey.gpg>
- Pull the image locally.
      sudo skopeo copy docker://cp.icr.io/cp/ibm-b2bi/b2bi:6.1.0.3 dir:<imagedir> --src-creds iamapikey:key
- Verify the signature manually.
      sudo skopeo standalone-verify <imagedir>/manifest.json <local image reference /repo:tag> <gpgkeyfingerprint> <imagedir>/signature
      # Verify that the image pulled was signed by the private pair of the gpg public key. Remove spaces from gpgkeyfingerprint.
      # The gpgkeyfingerprint can be retrieved using sudo gpg2 --fingerprint
- Confirm that the certificate contains the public key.
      openssl x509 -text -in <certificate.pem>   # shows the certificate details, e.g. it is signed by IBM and Digicert
      gpg2 -v --list-packets <public.gpg>        # shows the public key details
  You can compare the exponent/data of the public key and the certificate to see that the public key is indeed the one within the certificate.
      Certificate
      Modulus:
          00:e2:45:27:25:e9:a3:1f:c2:37:27:ac:4c:89:86:
          ae:32:d5:2a:84:69:3b:01:cb:54:34:b0:b3:1b:6d:
          .......
      Exponent: 65537 (0x10001)

      Public key:
      pkey[0]: E2452725E9A31FC23727AC4C8986AE32D52A84693B01CB5434B0B31B6D
      pkey[1]: 010001
  Note: You can use the following command to validate that the certificate used for signing the image is not expired:
      openssl ocsp -no_nonce -issuer <chain0.pem> -cert <certificate.pem> -VAfile <chain0.pem> -text -url http://ocsp.digicert.com -respout ocsptest
Important: The certificate is refreshed once in two years.
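Added example (not part of IBM's documentation): the key-to-certificate comparison from the last manual step, done on the text printed by the two commands and compared as integers so that openssl's leading 00 byte, colons and letter case do not cause a false mismatch. The sample text is constructed from the truncated excerpt shown above and is not a complete key.

```python
import re

# Constructed sample, laid out the way the two tools print it, using the
# truncated excerpt shown on this page (not a complete key).
OPENSSL_TEXT = """
            Public Key Algorithm: rsaEncryption
                Modulus:
                    00:e2:45:27:25:e9:a3:1f:c2:37:27:ac:4c:89:86:
                    ae:32:d5:2a:84:69:3b:01:cb:54:34:b0:b3:1b:6d
                Exponent: 65537 (0x10001)
"""
GPG_PACKETS = """
:public key packet:
    version 4, algo 1, created 0, expires 0
    pkey[0]: E2452725E9A31FC23727AC4C8986AE32D52A84693B01CB5434B0B31B6D
    pkey[1]: 010001
"""


def cert_rsa_key(openssl_text):
    """(modulus, exponent) from `openssl x509 -text` output."""
    m = re.search(r"Modulus:\s*((?:[0-9a-f]{2}:?\s*)+)Exponent:\s*(\d+)",
                  openssl_text, re.IGNORECASE)
    if not m:
        raise ValueError("no RSA modulus/exponent found in certificate text")
    # int() drops the leading 00 sign byte that openssl prints.
    return int(re.sub(r"[^0-9a-fA-F]", "", m.group(1)), 16), int(m.group(2))


def gpg_rsa_keys(packets_text):
    """(modulus, exponent) for the primary key and every subkey listed."""
    n_vals = re.findall(r"pkey\[0\]:\s*([0-9A-Fa-f]+)", packets_text)
    e_vals = re.findall(r"pkey\[1\]:\s*([0-9A-Fa-f]+)", packets_text)
    if not n_vals or len(n_vals) != len(e_vals):
        # Without -v, gpg prints "[2048 bits]" instead of the hex value.
        raise ValueError("no hex key material; rerun gpg2 with -v")
    return [(int(n, 16), int(e, 16)) for n, e in zip(n_vals, e_vals)]


def key_matches_certificate(openssl_text, packets_text):
    """True when the certificate's RSA key is one of the keys in the GPG file."""
    return cert_rsa_key(openssl_text) in gpg_rsa_keys(packets_text)


if __name__ == "__main__":
    print("match" if key_matches_certificate(OPENSSL_TEXT, GPG_PACKETS) else "MISMATCH")
```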