Security Considerations

The public keys, certificates, and certificate chains that are required for verifying the Transformation Advisor signatures are available for download here: taPublicKeys.zip

Unzip the archive to access the following files:

• PRD0004063key.pem.cer
• PRD0004063key.pem.chain
• PRD0004063key.pem.pub.key
• PRD0004063key.pub.asc

Subsequent sections describe how to use these files to verify the Transformation Advisor artifact signatures.

The Transformation Advisor AMD64 images are signed using GPG simple signing. The signature can be verified by the skopeo or podman tools as follows:

1. Create a policy.json file that configures the verification. For example:

{
   "default":  [{"type": "reject"}],
   "transports": {
        "docker": {
            "cp.icr.io/cp/icpa": [{
                "type": "signedBy",
                "keyType": "GPGKeys",
                "keyPath": "<KEY_LOCATION>/PRD0004063key.pub.asc"
            }],
            "icr.io/cpopen": [{
                "type": "signedBy",
                "keyType": "GPGKeys",
                "keyPath": "<KEY_LOCATION>/PRD0004063key.pub.asc"
            }],
            "icr.io/appcafe": [{
                "type": "signedBy",
                "keyType": "GPGKeys",
                "keyPath": "<KEY_LOCATION>/PRD0004063key.pub.asc"
            }]
        }
    }
}

For more information on Transformation Advisor Local, and how to download the zip file, see Installing IBM Transformation Advisor on RHEL. When downloading the zip, you should also download the <filename>.zip.cosign.sig file to allow you to verify the integrity of the zip file.

There are three ways to verify the signature, according to preference. The public keys, certificates, and certificate chains needed for the following steps can be downloaded from the links at the start of this section.

By default, the Transformation Advisor instance is automatically configured to use the OpenShift Container Platform OAuthClient. You can configure Transformation Advisor to use a third-party authentication source.

For more information on how to configure a third-party authentication source, see Configuring IBM Transformation Advisor .

Transformation Advisor does not differentiate roles.

Routes are used to provide external access to cluster resources. Transformation Advisor creates three dynamic routes based on the project that it is installed in and the cluster domain. The routes are as follows:

You can provide custom certificates for internal TLS communications between the Transformation Advisor pods.

For more information, see Enable Bring Your Own Key (BYOK).

Network policies control the ingress and egress traffic to and from the Transformation Advisor pods.

Transformation Advisor securely stores the necessary credentials for its operation by using a Secret. Transformation Advisor automatically generates the Secret during installation with unique and random values. Users can also provide their own Secret, partially or fully, for the necessary values. Transformation Advisor automatically generates any values that are not supplied by the user.

For instance, users need to provide the OAuth client ID and secret on setting up third-party authentication. For more information, see Configuring IBM Transformation Advisor .