Installing and configuring the Verify Bridge on the Microsoft server

After you configure Verify Bridge on your IBM® Security Verify tenant, you must install and configure Verify Bridge on the Microsoft server.

Before you begin

  • Windows Server 2016
  • Windows Server 2019
  • Windows Server 2012 R2
  • Verify Bridge API client ID and secret.

About this task

Ensure that the Verify Bridge agent is configured in IBM Security Verify. That configuration generates the Verify Bridge API client ID and secret that you need for the installation.

Procedure

  1. Download the IBMVerifyBridgeForAuthentication_<version>.zip file from the App Exchange.
    1. Go to https://exchange.xforce.ibmcloud.com/hub.
    2. Log in to the App Exchange.
    3. Search for IBM Security Bridge.
    4. Select IBM Security Verify Bridge.
    5. Download the application.
  2. Decompress the IBMVerifyBridgeForAuthentication_<version>.zip file that was downloaded from the App Exchange into a temporary folder.
  3. In the temporary folder, run the binary file setup_bridge.exe.
  4. Click Yes to allow the application to make changes to your device.
  5. At the Choose Setup Language screen, select the setup language and click Next.
  6. At the Welcome screen, click Next.
  7. Accept the license agreement and click Next.
  8. Provide the installation destination folder.
    The default folder is c:\Program Files\IBM\BridgeAgent.
  9. Click Next and then Install to start the installation.
    After the product files are installed, you are asked to provide the default instance tenant configuration values. Continue to step 10. To skip the tenant configuration, select the Skip Tenant Configuration checkbox and go to step 14.
  10. Provide the default instance tenant configuration values.
    Note: The client-id and client-secret are the API client-id and client-secret that were created during the configuration creation.
    1. At the IBM Security Verify administrator console, click Configuration > Identity agents.
    2. Select your identity agent and click the edit icon.
    3. Scroll down to find the client ID and secret that were generated when you configured the identity agent.
  11. Click Next to validate the values.
    If an error occurs, select OK to close the error and return to the default instance Tenant Configuration screen so that you can correct the erroneous value. After correct values are provided, click Next to continue.
  12. Select whether to enable tracing.

    On the Enable Program Trace screen, you can enable low-level trace output from the tool. Use the trace output along with the Application Event Log entries to diagnose issues.

    1. Select the Enable tracing checkbox.
    2. Modify or accept the default directory.
    3. Provide a name for the trace file.
    4. Specify a rollover size.
  13. Click Next.
  14. Select Finish to complete the installation.

    The instance service is set to automatically start and the service is started.

    If you skipped the default instance configuration in the install application, perform these additional manual steps.

  15. After the installation is completed, go to the installation directory to perform these additional manual steps.
    After the installation is completed, the installation directory contains these files:
    • onprem.exe: The Verify Bridge executable file.
    • tenant_ca.pem: The sample certificate authority (CA) file. This file must contain the signing certificate for the tenant HTTPS URI.
    • ibm_bridge_agent.json: The startup configuration file for the onprem.exe file.
    1. Ensure that tenant_ca.pem file contains the signing certificates for your tenant.
      The Verify Bridge communicates with the IBM Security Verify tenant by using HTTPS. The default tenant_ca.pem file contains the certificates of all major certificate authorities. If you are using your own signing certificate, replace the default certificates with your own subset for production installations.
    2. Edit the ibm_bridge_agent.json file.
      Replace the following values.
      • "tenant-uri": "https://<yourtenant>.verify.ibm.com"
      • "client-id": "xxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
      • "client-secret": "xxxxxxxxxx"
      Note: The client-id and client-secret are the API client-id and client-secret that were created during the configuration creation.
      1. At the Verify administrator console, click Configuration > Identity agents.
      2. Select your identity agent and click the edit icon.
      3. Scroll down to find the client ID and secret that were generated when you configured the identity agent.
    3. The installer automatically creates the default instance of the bridge agent. The following entry is created in the Windows Services.
      IBM Verify Bridge (ibm_bridge_agent)
    4. Optional: You can use a command window to configure and run more instances of the Verify Bridge on the same host.

      The Verify Bridge typically has a one-to-one relationship with an agent configuration on the cloud. However, you can also deploy multiple instances of the Verify Bridge that share the API client of a single agent configuration. Such a clustered setup can be used to achieve scalability and high availability especially when the instances are set up on separate computers.

      1. Open a command window and change directory to c:\Program Files\IBM\BridgeAgent.
      2. Run the onprem command with install and instance options.
        onprem -install -instance {inst_name}
        The .sample configuration files are copied to
        • ibm_bridge_agent_{inst_name}.json
        • tenant_ca_{inst_name}.pem
        Edit those files with the appropriate configuration details.
        Note:
        • Instance names must be alphanumeric characters without any special characters. Both uppercase and lowercase characters can be used.
        • You can cluster the instances by using the same client ID and secret that were generated during the identity agent configuration or you can configure more identity agents to create separate client IDs and secrets.
      The instance_id_{inst_name}.txt file is created in the installation directory. The Verify Bridge (ibm_bridge_agent_{inst_name}) Windows Service is also created.
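
The manual checks in step 15 (the CA file and the edited ibm_bridge_agent.json values) can be scripted and run before an instance is started. The following PowerShell is an added example, not part of the IBM product or its documentation: it confirms that the sample placeholders were replaced, flags broad read access to the file that holds the client secret, and lists the certificates in the CA bundle. It assumes the default installation folder from step 8; the parameter names are hypothetical.

```powershell
# Added example (not IBM code): pre-start checks for one Verify Bridge instance.
param(
    [string]$InstallDir = 'C:\Program Files\IBM\BridgeAgent',  # default folder from step 8
    [string]$Instance   = ''                                   # empty = default instance
)
$suffix   = if ($Instance) { "_$Instance" } else { '' }
$jsonPath = Join-Path $InstallDir "ibm_bridge_agent$suffix.json"
$pemPath  = Join-Path $InstallDir "tenant_ca$suffix.pem"
$problems = @()

# 1. Sample placeholders must be replaced and the tenant URI must use HTTPS.
#    Matched as text, so nothing is assumed about where the keys sit in the JSON.
$json = Get-Content -Raw -Path $jsonPath
foreach ($key in 'tenant-uri', 'client-id', 'client-secret') {
    $m = [regex]::Match($json, '"' + $key + '"\s*:\s*"([^"]*)"')
    if (-not $m.Success) { $problems += "$key not found in $jsonPath"; continue }
    $value = $m.Groups[1].Value
    if (-not $value -or $value -match '^[x-]+$' -or $value -match '<yourtenant>') {
        $problems += "$key is empty or still holds the sample placeholder"
    }
    if ($key -eq 'tenant-uri' -and $value -notmatch '^https://') {
        $problems += 'tenant-uri is not an https:// URI'
    }
}

# 2. The JSON file holds the API client secret: flag read access for broad groups.
#    Well-known SIDs: Everyone, Authenticated Users, BUILTIN\Users.
$broadSids = 'S-1-1-0', 'S-1-5-11', 'S-1-5-32-545'
$readData  = [System.Security.AccessControl.FileSystemRights]::ReadData
foreach ($ace in (Get-Acl -Path $jsonPath).Access) {
    $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value
    if ($ace.AccessControlType -eq 'Allow' -and $broadSids -contains $sid -and
        ($ace.FileSystemRights -band $readData)) {
        $problems += "$($ace.IdentityReference) can read $jsonPath"
    }
}

# 3. Inventory the CA bundle so it can be reduced to the tenant's signing certificates.
$pattern = '(?s)-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----'
$certs = @([regex]::Matches((Get-Content -Raw -Path $pemPath), $pattern) | ForEach-Object {
    $der = [Convert]::FromBase64String(($_.Groups[1].Value -replace '\s', ''))
    New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (,$der)
})
foreach ($c in $certs) {
    if ($c.NotAfter -lt (Get-Date)) { $problems += "expired certificate in bundle: $($c.Subject)" }
}
$certs | Sort-Object NotAfter | Format-Table Subject, NotAfter, Thumbprint -AutoSize

$problems | ForEach-Object { Write-Warning $_ }
"{0} certificate(s) in bundle, {1} problem(s) found" -f $certs.Count, $problems.Count
```

For an additional instance, pass its name with -Instance so that the ibm_bridge_agent_{inst_name}.json and tenant_ca_{inst_name}.pem files are checked instead.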