Security Considerations

The following sections describe the key considerations to successfully secure your deployments on Red Hat OpenShift.

Verifying Signatures of Transformation Advisor Artifacts

The public keys, certificates and certificate chains that are required for verifying the Transformation Advisor signatures are available for download here: taPublicKeys.zip

Unzip the archive to access the following files:

  • PRD0004063key.pem.cer
  • PRD0004063key.pem.chain
  • PRD0004063key.pem.pub.key
  • PRD0004063key.pub.asc

Subsequent sections describe how to use these files to verify the Transformation Advisor artifact signatures.

Verifying Transformation Advisor Image Signatures

The Transformation Advisor AMD64 images are signed using GPG simple signing. The signature can be verified with the skopeo or podman tools as follows:

  1. Create a policy.json file that configures the verification. For example:

     {
        "default":  [{"type": "reject"}],
        "transports": {
             "docker": {
                 "cp.icr.io/cp/icpa": [{
                     "type": "signedBy",
                     "keyType": "GPGKeys",
                     "keyPath": "<KEY_LOCATION>/PRD0004063key.pub.asc"
                 }],
                 "icr.io/cpopen": [{
                     "type": "signedBy",
                     "keyType": "GPGKeys",
                     "keyPath": "<KEY_LOCATION>/PRD0004063key.pub.asc"
                 }],
                 "icr.io/appcafe": [{
                     "type": "signedBy",
                     "keyType": "GPGKeys",
                     "keyPath": "<KEY_LOCATION>/PRD0004063key.pub.asc"
                 }]
             }
         }
     }

  2. Method 1: Verify using skopeo copy:

     skopeo copy --policy ~/policy.json docker://cp.icr.io/cp/icpa/transformation-advisor-ui@sha256:1234... dir:./image-dir --src-creds iamapikey:myapikey

  3. Method 2: Verify using podman pull:

     podman pull --signature-policy ~/policy.json cp.icr.io/cp/icpa/transformation-advisor-ui@sha256:1234..

See the Red Hat OpenShift Container Platform documentation for information on configuring your OpenShift cluster to verify the image signatures.

Verifying Transformation Advisor Local Zip Signature

For more information on Transformation Advisor Local, and how to download the zip file, see Installing IBM Cloud Transformation Advisor on RHEL. When downloading the zip, you should also download the <filename>.zip.cosign.sig file to allow you to verify the integrity of the zip file.

There are three ways to verify the signature, according to preference. The public keys, certs and chains needed for the following steps can be downloaded from the links at the start of this section.

Method 1: Using the PEM encoded public key

Prerequisites:

  • cosign utility. To install it, see https://github.com/sigstore/cosign/releases
  • The PEM public key: PRD0004063key.pem.pub.key
  • The signature file: transformationAdvisor-${VERSION}.zip.cosign.sig
  • The zip artifact: transformationAdvisor-${VERSION}.zip
cosign verify-blob --key PRD0004063key.pem.pub.key --signature transformationAdvisor-${VERSION}.zip.cosign.sig transformationAdvisor-${VERSION}.zip

Method 2: Using the PEM encoded public certificate

Prerequisites:

  • cosign utility (to install it, see https://github.com/sigstore/cosign/releases). Version 1.x of cosign is recommended. If you use version 2 or later, you must add the flag --insecure-ignore-tlog=true when verifying.
  • The PEM public certificate: PRD0004063key.pem.cer
  • The certificate chain: PRD0004063key.pem.chain
  • The signature file: transformationAdvisor-${VERSION}.zip.cosign.sig
  • The zip artifact: transformationAdvisor-${VERSION}.zip
cosign verify-blob --cert PRD0004063key.pem.cer --cert-chain PRD0004063key.pem.chain --signature transformationAdvisor-${VERSION}.zip.cosign.sig transformationAdvisor-${VERSION}.zip

Method 3: Using the PEM encoded public key with openssl

Prerequisites:

  • openssl
  • The PEM public key: PRD0004063key.pem.pub.key
  • The signature file: transformationAdvisor-${VERSION}.zip.cosign.sig
  • The zip artifact: transformationAdvisor-${VERSION}.zip
openssl enc -d -A -base64 -in transformationAdvisor-${VERSION}.zip.cosign.sig -out ./transformationAdvisor-${VERSION}.zip.bytes.sig
openssl dgst -verify PRD0004063key.pem.pub.key -keyform PEM -sha256 -signature ./transformationAdvisor-${VERSION}.zip.bytes.sig -binary transformationAdvisor-${VERSION}.zip
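To rehearse Method 3 offline before applying it to the real download, the following script (an added example, not part of the IBM documentation) generates a throwaway ECDSA P-256 key pair, signs a constructed file, stores the signature base64-encoded on a single line the way the .cosign.sig file is laid out, and then runs the two openssl commands above inside a verify_blob function that returns 0 for a valid signature and 1 otherwise. It finishes by showing that a tampered copy of the artifact is rejected. The key, the artifact and the verify_blob name are all constructed for illustration; the real check uses PRD0004063key.pem.pub.key together with the downloaded zip and its .cosign.sig file.

```shell
#!/bin/sh
# Added example: exercise the Method 3 openssl verification end to end
# against a constructed key and artifact. Assumes openssl is on PATH.
set -eu

WORK=$(mktemp -d)

# Constructed stand-ins for the real artifacts. This ECDSA P-256 key is
# generated here and is NOT the Transformation Advisor signing key.
openssl ecparam -name prime256v1 -genkey -noout -out "$WORK/signing.key" 2>/dev/null
openssl ec -in "$WORK/signing.key" -pubout -out "$WORK/pub.key" 2>/dev/null
printf 'constructed zip payload, not a real archive\n' > "$WORK/artifact.zip"

# Produce a signature in the layout the page expects: the raw SHA-256
# signature bytes, base64-encoded on one line (-A), saved as <file>.cosign.sig.
openssl dgst -sha256 -sign "$WORK/signing.key" -out "$WORK/raw.sig" "$WORK/artifact.zip"
openssl enc -A -base64 -in "$WORK/raw.sig" -out "$WORK/artifact.zip.cosign.sig"

# A tampered copy: one extra byte appended, so the digest no longer matches.
cp "$WORK/artifact.zip" "$WORK/tampered.zip"
printf 'x' >> "$WORK/tampered.zip"

# verify_blob PUBKEY SIGFILE ARTIFACT
# Runs the two Method 3 commands and returns 0 on "Verified OK", 1 otherwise.
verify_blob() {
  pubkey=$1; sigfile=$2; artifact=$3
  rawsig=$(mktemp)
  # Step 1: undo the single-line base64 encoding to recover the raw signature.
  if ! openssl enc -d -A -base64 -in "$sigfile" -out "$rawsig"; then
    rm -f "$rawsig"; return 1
  fi
  # Step 2: verify the raw signature over SHA-256 of the artifact with the public key.
  if openssl dgst -verify "$pubkey" -keyform PEM -sha256 -signature "$rawsig" -binary "$artifact" >/dev/null 2>&1; then
    rm -f "$rawsig"; return 0
  fi
  rm -f "$rawsig"; return 1
}

if verify_blob "$WORK/pub.key" "$WORK/artifact.zip.cosign.sig" "$WORK/artifact.zip"; then
  echo "original artifact: signature verified"
else
  echo "original artifact: signature REJECTED (unexpected)"
fi

if verify_blob "$WORK/pub.key" "$WORK/artifact.zip.cosign.sig" "$WORK/tampered.zip"; then
  echo "tampered artifact: signature verified (unexpected)"
else
  echo "tampered artifact: signature rejected"
fi
```

For the real artifact, call the same function with the downloaded files: verify_blob PRD0004063key.pem.pub.key transformationAdvisor-${VERSION}.zip.cosign.sig transformationAdvisor-${VERSION}.zip. A non-zero return means either the zip or the signature file has been altered or does not belong to that release, and the zip should not be installed.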

User Management

By default, the Transformation Advisor instance is automatically configured to use the OpenShift Container Platform OAuthClient. You can configure Transformation Advisor to use a third-party authentication source.

For more information on how to configure a third-party authentication source, see Configuring IBM Cloud Transformation Advisor.

Transformation Advisor does not differentiate roles. All authenticated users have access to all actions in the product.

Routes

Routes are used to provide external access to cluster resources. Transformation Advisor creates three dynamic routes based on the project that it is installed in and the cluster domain. The routes are as follows:

Route | Description | Example URL
--- | --- | ---
<ta instance>-openapi-route | Access the API via Swagger UI | https://openapi.myproj-ta.apps.kgta.cp.fyre.ibm.com/openapi/ui
<ta instance>-server-route | Access the Liberty server. Not to be used directly by end users. | https://myproj-ta.apps.kgta.cp.fyre.ibm.com/lands_advisor
<ta instance>-ui-route | Access the UI. Main entry point for end users. | https://openshift-operators-ta.apps.kgta.cp.fyre.ibm.com

Internal TLS Certificates

You can provide custom certificates for internal TLS communications between the Transformation Advisor pods.

For more information, see Enable Bring Your Own Key (BYOK).

Network Policies

Network policies control the ingress and egress traffic to and from the Transformation Advisor pods.

Egress Network Policy

If your cluster uses the OpenShift SDN default Container Network Interface (CNI) network provider, Transformation Advisor automatically configures an EgressNetworkPolicy to limit egress traffic from the Transformation Advisor pods. The default configuration is suitable for most cases, but you can customize the allowed egress or disable it altogether.

For more information, see Configuring IBM Cloud Transformation Advisor.

Ingress Network Policy

Transformation Advisor automatically configures ingress network policies to restrict incoming traffic to only essential traffic.

For more information, see Network policy.

Secrets

Transformation Advisor securely stores the necessary credentials for its operation by using a Secret. Transformation Advisor automatically generates the Secret during installation with unique and random values. Users can also provide their own Secret, partially or fully, for the necessary values. Transformation Advisor automatically generates any values that are not supplied by the user.

For instance, users need to provide the OAuth client ID and secret when setting up third-party authentication. For more information, see Configuring IBM Cloud Transformation Advisor.