Downloading Certified Container images from IBM Entitled Registry

You can pull the Sterling B2B Integrator or Sterling File Gateway Certified Container images from IBM Entitled Registry into the cluster or mirror the images in case of an air-gapped environment. For details, refer to Mirroring Certified Container images in an air-gapped environment.

The following Certified Container images are available for download from IBM Entitled Registry:
Note:
The Certified Container images for v6.1.2.x are available for the following platform architectures:
  • Linux® on x86-64 bit CPU architecture (AMD64)
  • Linux® on Z (s390x)
  • Linux® on PowerLE (ppc64le)

When you pull images from the Entitled Registry, the system downloads the images matching the client architecture automatically. For example, if you pull images from a client or container platform cluster node with s390x architecture, the system downloads images for s390x architecture automatically. For every installation, you can set up your architecture preference in the Helm Charts configuration file. For more information, refer to Configuring the Certified Container.

  • IBM® Sterling B2B Integrator v6.1.2.0 Certified Container
    • cp.icr.io/cp/ibm-b2bi/b2bi:6.1.2.0
    • cp.icr.io/cp/ibm-b2bi/b2bi-dbsetup:6.1.2.0
    • cp.icr.io/cp/ibm-b2bi/b2bi-purge:6.1.2.0
    • cp.icr.io/cp/ibm-b2bi/b2bi-ps:6.1.2.0
    • cp.icr.io/cp/opencontent-common-utils:1.1.36
  • IBM Sterling File Gateway v6.1.2.0 Certified Container
    • cp.icr.io/cp/ibm-sfg/sfg:6.1.2.0
    • cp.icr.io/cp/ibm-sfg/sfg-dbsetup:6.1.2.0
    • cp.icr.io/cp/ibm-sfg/sfg-purge:6.1.2.0
    • cp.icr.io/cp/ibm-sfg/sfg-ps:6.1.2.0
    • cp.icr.io/cp/opencontent-common-utils:1.1.36
  • IBM Sterling B2B Integrator v6.1.2.1 Certified Container
    • cp.icr.io/cp/ibm-b2bi/b2bi:6.1.2.1
    • cp.icr.io/cp/ibm-b2bi/b2bi-dbsetup:6.1.2.1
    • cp.icr.io/cp/ibm-b2bi/b2bi-purge:6.1.2.1
    • cp.icr.io/cp/ibm-b2bi/b2bi-ps:6.1.2.1
    • cp.icr.io/cp/ibm-b2bi/b2bi-resources:6.1.2.1
    • cp.icr.io/cp/opencontent-common-utils:1.1.54
  • IBM Sterling File Gateway v6.1.2.1 Certified Container
    • cp.icr.io/cp/ibm-sfg/sfg:6.1.2.1
    • cp.icr.io/cp/ibm-sfg/sfg-dbsetup:6.1.2.1
    • cp.icr.io/cp/ibm-sfg/sfg-purge:6.1.2.1
    • cp.icr.io/cp/ibm-sfg/sfg-ps:6.1.2.1
    • cp.icr.io/cp/ibm-sfg/sfg-resources:6.1.2.1
    • cp.icr.io/cp/opencontent-common-utils:1.1.54
  • IBM Sterling B2B Integrator v6.1.2.2 Certified Container
    • cp.icr.io/cp/ibm-b2bi/b2bi:6.1.2.2
    • cp.icr.io/cp/ibm-b2bi/b2bi-dbsetup:6.1.2.2
    • cp.icr.io/cp/ibm-b2bi/b2bi-purge:6.1.2.2
    • cp.icr.io/cp/ibm-b2bi/b2bi-ps:6.1.2.2
    • cp.icr.io/cp/ibm-b2bi/b2bi-resources:6.1.2.2
    • cp.icr.io/cp/opencontent-common-utils:1.1.60
  • IBM Sterling File Gateway v6.1.2.2 Certified Container
    • cp.icr.io/cp/ibm-sfg/sfg:6.1.2.2
    • cp.icr.io/cp/ibm-sfg/sfg-dbsetup:6.1.2.2
    • cp.icr.io/cp/ibm-sfg/sfg-purge:6.1.2.2
    • cp.icr.io/cp/ibm-sfg/sfg-ps:6.1.2.2
    • cp.icr.io/cp/ibm-sfg/sfg-resources:6.1.2.2
    • cp.icr.io/cp/opencontent-common-utils:1.1.60
  • IBM Sterling B2B Integrator v6.1.2.3 Certified Container
    • cp.icr.io/cp/ibm-b2bi/b2bi:6.1.2.3
  • IBM Sterling File Gateway v6.1.2.3 Certified Container
    • cp.icr.io/cp/ibm-sfg/sfg:6.1.2.3
Complete the following steps to download Certified Container images from IBM Entitled Registry:
  1. Ensure that you have obtained the Entitlement key.
  2. Log in to MyIBM Container Software Library with the IBM ID and password that are associated with the entitled software. If you are not directed to the entitlement page, click Get an entitlement key and obtain the entitlement key.
  3. In the Entitlement key section, click Copy key to copy the entitlement key to the clipboard.
  4. Save the Entitlement Key to a safe location for later use.

    To confirm that your Entitlement Key is valid, click View library on the left of the page. You can view the list of products that you are entitled to. If Sterling B2B Integrator or Sterling File Gateway is not listed, or if the View library link is disabled, the identity with which you are logged in to the container library does not have an entitlement for Sterling B2B Integrator or Sterling File Gateway. In this case, the Entitlement Key is not valid for installing the software.

  5. Set Entitled Registry information by completing the following steps:
    1. Run export commands that set ENTITLED_REGISTRY to cp.icr.io.
    2. Set ENTITLED_REGISTRY_USER to cp.
    3. Set ENTITLED_REGISTRY_KEY to the entitlement key that you saved to a safe location.
  6. Optional. Log in to the Entitled Registry with the following docker login command to validate the Entitled Registry credentials:
    docker login "$ENTITLED_REGISTRY" -u "$ENTITLED_REGISTRY_USER" -p "$ENTITLED_REGISTRY_KEY"
    Note that passing the key with -p records it in the shell history; docker login also accepts the key on standard input through --password-stdin.
    Configure Helm to pull images directly from the IBM Entitled Registry
  7. Run the following command to create Docker pull Secret for pulling the images from IBM Entitled Registry:
    kubectl create secret docker-registry <secret name> --docker-username="cp" --docker-password="<Entitled registry API key>" --docker-email="<email address>" --docker-server="cp.icr.io" -n <namespace>
  8. Update the service account or Helm Chart image pull secret configurations with the above Secret name.
    For example:
    values.global.pullSecret: ibm-entitlement-key
    Pull images manually and push to an internal registry
  9. Follow these steps to download and push images to an OpenShift or a local image registry.
    1. Download the image using the docker or podman pull command.
      
      docker pull cp.icr.io/cp/ibm-b2bi/b2bi:6.1.2.0
      podman pull cp.icr.io/cp/ibm-b2bi/b2bi:6.1.2.0
      
    2. Tag the downloaded image with the correct local or OpenShift registry.
      
      docker tag <imageid> <registry URL>:<tag>
      podman tag <imageid> <registry URL>:<tag>
      
      For example:
      docker tag 76b3dc4c111 my-registry/my-namespace/b2bi:6.1.2.0
    3. Push the Docker image using the docker or podman push command.
      
      docker push <registry URL>:<tag>
      podman push <registry URL>:<tag>
      
      For example:
      docker push my-registry/my-namespace/b2bi:6.1.2.0
  10. Run the following command to create a Docker pull secret for pulling the images from the registry:
    kubectl create secret docker-registry <name of secret> --docker-server=<your-registry-server> --docker-username=<your-username> --docker-password=<your-password> --docker-email=<your-email>
    Configure this pull secret in the service account used for deployment using this command:
    kubectl patch serviceaccount <service-account-name> -p '{"imagePullSecrets": [{"name": "<pull-secret-name>"}]}'
    Note: If you do not create a separate service account, the service account name is "default".
  11. Optionally update the Helm Chart image pull secret configurations with the above Secret name.
    For example:
    values.global.pullSecret: <pull-secret-name>
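
The pull secret created in steps 7 and 10 is an ordinary Secret of type kubernetes.io/dockerconfigjson. The following added example (not IBM's code and not part of this page) builds the same manifest that kubectl generates and then decodes it again, which makes one point visible: the entitlement key is stored base64-encoded, not encrypted, so read access to Secrets in the namespace is equivalent to holding the key. The secret name, namespace, e-mail address and the key value are constructed placeholders; patch_service_account mirrors the kubectl patch from step 10.

```python
"""Added example (not IBM's code): reproduce the docker-registry Secret that
`kubectl create secret docker-registry ...` generates for cp.icr.io, and the
imagePullSecrets patch applied to the ServiceAccount. All names and the key
value are constructed placeholders."""
import base64
import json


def docker_config(server: str, username: str, password: str, email: str) -> dict:
    """Return the .dockerconfigjson document the kubelet reads when pulling."""
    auth = base64.b64encode(f"{username}:{password}".encode()).decode()
    return {"auths": {server: {"username": username, "password": password,
                               "email": email, "auth": auth}}}


def pull_secret_manifest(name: str, namespace: str, server: str,
                         username: str, password: str, email: str) -> dict:
    """Return the Secret manifest. The data value is base64, not encrypted."""
    cfg = json.dumps(docker_config(server, username, password, email)).encode()
    return {
        "apiVersion": "v1",
        "kind": "Secret",
        "type": "kubernetes.io/dockerconfigjson",
        "metadata": {"name": name, "namespace": namespace},
        "data": {".dockerconfigjson": base64.b64encode(cfg).decode()},
    }


def decode_pull_secret(manifest: dict) -> dict:
    """Recover the registry credentials from a Secret manifest: anyone who can
    `kubectl get secret` in the namespace can do exactly this."""
    raw = base64.b64decode(manifest["data"][".dockerconfigjson"])
    return json.loads(raw)["auths"]


def patch_service_account(sa: dict, secret_name: str) -> dict:
    """Equivalent of the `kubectl patch serviceaccount` command in step 10:
    append the pull secret to imagePullSecrets without duplicating it."""
    secrets = sa.setdefault("imagePullSecrets", [])
    if not any(s.get("name") == secret_name for s in secrets):
        secrets.append({"name": secret_name})
    return sa


if __name__ == "__main__":
    # Constructed values; replace with your namespace and entitlement key.
    manifest = pull_secret_manifest("ibm-entitlement-key", "b2bi", "cp.icr.io",
                                    "cp", "ENTITLEMENT-KEY-PLACEHOLDER",
                                    "admin@example.com")
    print(json.dumps(manifest, indent=2))
    print("decoded:", json.dumps(decode_pull_secret(manifest), indent=2))
    sa = {"apiVersion": "v1", "kind": "ServiceAccount", "metadata": {"name": "default"}}
    print(json.dumps(patch_service_account(sa, "ibm-entitlement-key"), indent=2))
```

Restrict get/list on Secrets in the deployment namespace to the accounts that need it, and rotate the entitlement key from MyIBM if a Secret export is suspected; the manifest above can be applied with kubectl apply -f in place of the kubectl create command.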
Important: You must ensure that the worker nodes in Red Hat OpenShift or Kubernetes container platform cluster are of the matching architecture x86-64, s390x, or ppc64le.

Image signature verification (Optional)

By setting up image signature verification, you can ensure that only IBM-signed images are pulled into your environment.

Prerequisites
  1. Ensure access to Entitled Registry (ER).
  2. Ensure that the Skopeo package is installed (available from GitHub).
  3. Ensure a local image repository is available to pull the image from ER.
  4. Download and extract the container files listed below: image_sign.zip for v6.1.2.1 and v6.1.2.2, and images_sign.zip for v6.1.2.3 onwards. The zip file contains:
    • b2bpublickey.gpg - Public key used to verify the signature of the container image.
    • certificate.pem and chain0.pem - Certificate chain used to verify the validity of the certificate used to sign the container image.

Setting up automatic signature enforcement

Perform the following steps to set up automatic signature verification:

  1. Make the required changes in the /etc/containers/policy.json file. Set the "default" policy type to reject and add an entry for the ER repository under "transports".
    
    {
      "default": [
        { "type": "reject" }
      ],
      "transports": {
        "docker": {
          "cp.icr.io/cp/ibm-b2bi/b2bi": [
            { "type": "signedBy", "keyType": "GPGKeys", "keyPath": "<b2bpublickey.gpg>" }
          ]
        }
      }
    }
    
    Note: To pull older, unsigned images in your environment, change policy.json to set "type": "insecureAcceptAnything" for the ER repository, as shown below.
    
    {
      "default": [
        { "type": "insecureAcceptAnything" }
      ],
      "transports": {
        "docker": {
          "cp.icr.io/cp/ibm-b2bi/b2bi": [
            { "type": "insecureAcceptAnything" }
          ]
        }
      }
    }
    
  2. Execute the following command to pull the image from ER to your internal Docker repository.
    
    skopeo copy docker://cp.icr.io/cp/ibm-b2bi/b2bi:<tag> docker://<local_repository>:<tag> --src-creds iamapikey:key --dest-creds username:password
    
    For example:
    skopeo copy docker://cp.icr.io/cp/ibm-b2bi/b2bi:6.1.2.0 docker://dockerrepo:5000/b2bi:6.1.2.0 --src-creds iamapikey:key --dest-creds myuser:mypwd
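
A policy.json that sets "default" to reject refuses every repository that has no entry of its own under "transports", so each repository you pull (the sfg, dbsetup, purge, ps, resources and opencontent-common-utils images in the list above as well as b2bi) needs its own signedBy entry. The following added example (not IBM's code and not part of this page) is a pre-flight check that reads a policy and reports the ways it can silently fall short of the enforcement described above: a non-reject default, a repository with no entry, an insecureAcceptAnything rule, or a signedBy rule without a key. The two embedded policies are constructed from the page; the repository list and the key path /etc/pki/b2bpublickey.gpg are assumed placeholders.

```python
"""Added example (not IBM's code): check /etc/containers/policy.json for the
signedBy enforcement described above before skopeo or podman is run.
Repository list and key path are placeholders; the two policies are
constructed from the page."""
import json
import os

# Placeholder list: extend with every repository you pull from the ER.
ENTITLED_REPOS = [
    "cp.icr.io/cp/ibm-b2bi/b2bi",
    "cp.icr.io/cp/ibm-sfg/sfg",
]

# Constructed from the enforcing policy on the page (key path is a placeholder).
ENFORCING_POLICY = json.loads("""
{
  "default": [ { "type": "reject" } ],
  "transports": {
    "docker": {
      "cp.icr.io/cp/ibm-b2bi/b2bi": [
        { "type": "signedBy", "keyType": "GPGKeys", "keyPath": "/etc/pki/b2bpublickey.gpg" }
      ]
    }
  }
}
""")

# Constructed from the "older unsigned images" policy on the page.
INSECURE_POLICY = json.loads("""
{
  "default": [ { "type": "insecureAcceptAnything" } ],
  "transports": {
    "docker": {
      "cp.icr.io/cp/ibm-b2bi/b2bi": [ { "type": "insecureAcceptAnything" } ]
    }
  }
}
""")


def policy_findings(policy: dict, repos: list[str], check_key_file: bool = False) -> list[str]:
    """Return a list of problems; an empty list means every repository in
    `repos` is covered by a signedBy rule and everything else is rejected."""
    findings = []
    default = policy.get("default", [])
    if not default or any(rule.get("type") != "reject" for rule in default):
        findings.append('"default" is not reject: unlisted repositories are accepted')
    docker = policy.get("transports", {}).get("docker", {})
    for repo in repos:
        # A scope with no entry falls back to "default": rejected when default
        # is reject, accepted unsigned when default is insecureAcceptAnything.
        rules = docker.get(repo)
        if rules is None:
            findings.append(f"{repo}: no transports entry, falls back to default")
            continue
        for rule in rules:  # every rule in the list must be satisfied at pull time
            kind = rule.get("type")
            if kind == "insecureAcceptAnything":
                findings.append(f"{repo}: insecureAcceptAnything disables signature checks")
            elif kind == "signedBy":
                if rule.get("keyType") != "GPGKeys" or not rule.get("keyPath"):
                    findings.append(f"{repo}: signedBy rule lacks keyType GPGKeys or keyPath")
                elif check_key_file and not os.path.isfile(rule["keyPath"]):
                    findings.append(f"{repo}: keyPath {rule['keyPath']} does not exist")
            else:
                findings.append(f"{repo}: unexpected rule type {kind!r}")
    return findings


def load_policy(path: str = "/etc/containers/policy.json") -> dict:
    """Read a policy file from disk."""
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)


if __name__ == "__main__":
    for label, policy in (("enforcing", ENFORCING_POLICY), ("insecure", INSECURE_POLICY)):
        print(label, policy_findings(policy, ENTITLED_REPOS) or "OK")
    if os.path.isfile("/etc/containers/policy.json"):
        print("system", policy_findings(load_policy(), ENTITLED_REPOS, check_key_file=True) or "OK")
```

Run it on the host where skopeo or podman executes, since policy.json is read there and not in the cluster; a non-empty result for the enforcing policy against ENTITLED_REPOS shows the sfg repository still falling back to the reject default until it gets its own signedBy entry.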
    

Verifying signature manually

Perform the following steps to manually verify the image signature:
  1. Import the public key from the IBM package into your on-premises keyring and note the fingerprint.
    
    sudo gpg2 --import <b2bpublickey.gpg>
    
  2. Pull the image locally.
    
    sudo skopeo copy docker://cp.icr.io/cp/ibm-b2bi/b2bi:6.1.2.0 dir:<imagedir> --src-creds iamapikey:key
    
  3. Verify the signature manually.
    
    # Verify that the pulled image was signed by the private half of the GPG public key.
    # Remove the spaces from gpgkeyfingerprint.
    sudo skopeo standalone-verify <imagedir>/manifest.json <local image reference/repo:tag> <gpgkeyfingerprint> <imagedir>/signature
    # The gpgkeyfingerprint can be retrieved using:
    sudo gpg2 --fingerprint
    
  4. Confirm that the certificate contains the public key.
    
    openssl x509 -text -in <certificate.pem>        # shows the certificate details, for example that it is signed by IBM and DigiCert
    gpg2 -v --list-packets <b2bpublickey.gpg>       # shows the public key details
    

    You can compare the exponent/data of the public key and the certificate to see that the public key is indeed the one within the certificate.

    Certificate Modulus:
    
    00:e2:45:27:25:e9:a3:1f:c2:37:27:ac:4c:89:86:
    ae:32:d5:2a:84:69:3b:01:cb:54:34:b0:b3:1b:6d: .......
    Exponent: 65537 (0x10001)
    Public key:
    pkey[0]:
    E2452725E9A31FC23727AC4C8986AE32D52A84693B01CB5434B0B31B6D
    pkey[1]: 010001                       
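
The comparison in step 4 is easy to get wrong by eye: openssl prints the modulus as colon-separated lowercase bytes with a leading 00 sign byte, and gpg prints pkey[0] as one uppercase hex string, so the two never look identical even when they are. The following added example (not IBM's code and not part of this page) parses both outputs and compares (n, e) as integers. The two text excerpts are constructed from the truncated values shown above, so the modulus is far shorter than a real 2048-bit key; the parsers themselves work on full-length output.

```python
"""Added example (not IBM's code): compare the RSA key in `openssl x509 -text`
output with the key in `gpg2 -v --list-packets` output. Both excerpts below
are constructed from the truncated values on this page."""
import re

# Constructed excerpt of `openssl x509 -text -in certificate.pem` (truncated modulus).
OPENSSL_TEXT = """\
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:e2:45:27:25:e9:a3:1f:c2:37:27:ac:4c:89:86:
                    ae:32:d5:2a:84:69:3b:01:cb:54:34:b0:b3:1b:6d
                Exponent: 65537 (0x10001)
"""

# Constructed excerpt of `gpg2 -v --list-packets b2bpublickey.gpg` (truncated modulus).
GPG_TEXT = """\
# off=0 ctb=99 tag=6 hlen=3 plen=269
:public key packet:
\tversion 4, algo 1, created 1600000000, expires 0
\tpkey[0]: E2452725E9A31FC23727AC4C8986AE32D52A84693B01CB5434B0B31B6D
\tpkey[1]: 010001
"""


def openssl_rsa_key(text: str) -> tuple[int, int]:
    """Return (modulus, exponent) parsed from `openssl x509 -text` output."""
    hex_parts = []
    collecting = False
    exponent = None
    for line in text.splitlines():
        s = line.strip()
        if s.startswith("Modulus:"):
            collecting = True
            continue
        if s.startswith("Exponent:"):
            exponent = int(s.split(":", 1)[1].split()[0])  # "65537 (0x10001)"
            break
        if collecting and re.fullmatch(r"([0-9a-f]{2}:)*[0-9a-f]{2}:?", s):
            hex_parts.append(s.replace(":", ""))
    if not hex_parts or exponent is None:
        raise ValueError("no RSA modulus/exponent found in openssl output")
    # int() of the hex string absorbs openssl's leading 00 sign byte.
    return int("".join(hex_parts), 16), exponent


def gpg_rsa_key(text: str) -> tuple[int, int]:
    """Return (modulus, exponent) parsed from `gpg2 -v --list-packets` output.
    For algo 1 (RSA) pkey[0] is n and pkey[1] is e."""
    mpis = dict(re.findall(r"pkey\[(\d)\]:\s*([0-9A-Fa-f]+)", text))
    if "0" not in mpis or "1" not in mpis:
        raise ValueError("no RSA pkey[0]/pkey[1] found in gpg output")
    return int(mpis["0"], 16), int(mpis["1"], 16)


def same_rsa_key(openssl_text: str, gpg_text: str) -> bool:
    """True when the certificate and the GPG key carry the same (n, e).
    Comparing integers tolerates colons, letter case and leading zero bytes."""
    return openssl_rsa_key(openssl_text) == gpg_rsa_key(gpg_text)


if __name__ == "__main__":
    print("certificate (n, e):", openssl_rsa_key(OPENSSL_TEXT))
    print("gpg key     (n, e):", gpg_rsa_key(GPG_TEXT))
    print("same key:", same_rsa_key(OPENSSL_TEXT, GPG_TEXT))
```

Feed it the real command output (for example, read from files written with openssl x509 -text -in certificate.pem > cert.txt and gpg2 -v --list-packets b2bpublickey.gpg > key.txt). A match shows only that the certificate wraps the key that signed the image; the chain check against chain0.pem and the OCSP query in the note below are still needed to establish that the certificate itself is trustworthy.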
    
    Note: You can use the following command to validate that the certificate used for signing the image is not expired:
    
    openssl ocsp -no_nonce -issuer <chain0.pem> -cert <certificate.pem> -VAfile <chain0.pem> -text -url http://ocsp.digicert.com -respout ocsptest
    
    Important: The certificate is refreshed every two years.