Installing and configuring the Verify Bridge on the Microsoft server
After you configure Verify Bridge on your IBM® Security Verify tenant, you must install and configure Verify Bridge on the Microsoft server.
Before you begin
- Windows Server 2016
- Windows Server 2019
- Windows Server 2012 R2
- Verify Bridge API client ID and secret.
About this task
Ensure that the Verify Bridge agent is configured in IBM Security Verify. That configuration generates the Verify Bridge API client ID and secret that you need for the installation.
Procedure
- Download the IBMVerifyBridgeForAuthentication_<version>.zip from the APP Exchange.
- Go to https://exchange.xforce.ibmcloud.com/hub.
- Log in to the App Exchange.
- Search for IBM Security Bridge.
- Select IBM Security Verify Bridge.
- Download the application.
- Decompress the IBMVerifyBridgeForAuthentication_<version>.zip file that was downloaded from the APP Exchange into a temporary folder.
- In the temporary folder, run the binary file setup_bridge.exe.
- Click Yes to allow the application to make changes to your device.
- At the Choose Setup Language screen, select the setup language and click Next.
- At the Welcome screen, click Next.
- Accept the license agreement and click Next.
- Provide the installation destination folder. The default folder is c:\Program Files\IBM\BridgeAgent.
- Click Next and then Install to start the installation.
- Provide the default instance tenant configuration values. Note: The client-id and client-secret are the API client-id and client-secret that were created during the configuration creation.
- At the IBM Security Verify administrator console, click Configuration > Identity agents.
- Select your identity agent and click the edit icon.
- Scroll down to find the client ID and secret that were generated when you configured the identity agent.
- Click Next to validate the values. If an error occurs, select OK to close the error and return to the default instance Tenant Configuration screen so that you can correct the erroneous value. After correct values are provided, click Next to continue.
- Select whether to enable tracing.
The Enable Program Trace screen allows you to enable low-level trace output from the tool for diagnosing any issues along with the Application Event Log entries.
- Select the Enable tracing checkbox.
- Modify or accept the default directory.
- Provide a name for the trace file.
- Specify a rollover size.
- Click Next.
- Select Finish to complete the installation.
The instance service is set to automatically start and the service is started.
If you skipped the default instance configuration in the install application, perform these additional manual steps.
- After the installation is completed, go to the installation directory to perform these additional manual steps. After the installation is completed, the installation directory contains these files:
- onprem.exe: The Verify Bridge executable file.
- tenant_ca.pem: The sample certificate authority (CA) file. This file must contain the signing certificate for the tenant HTTPS URI.
- ibm_bridge_agent.json: The startup configuration file for the onprem.exe file.
- Ensure that the tenant_ca.pem file contains the signing certificates for your tenant. The Verify Bridge communicates with the IBM Security Verify tenant by using HTTPS. The default tenant_ca.pem file has all major certificate authority certificates. If you are using your own signing certificate, replace the existing ones with your subset for the production installations.
- Edit the ibm_bridge_agent.json file. Replace the following values.
- "tenant-uri": "https://<yourtenant>.verify.ibm.com"
- "client-id": "xxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
- "client-secret": "xxxxxxxxxx"
Note: The client-id and client-secret are the API client-id and client-secret that were created during the configuration creation.
- At the Verify administrator console, click Configuration > Identity agents.
- Select your identity agent and click the edit icon.
- Scroll down to find the client ID and secret that were generated when you configured the identity agent.
- The installer automatically creates the default instance of the bridge agent. The following entry is created in the Windows Services.
IBM Verify Bridge (ibm_bridge_agent)
- Optional: You can use a command window to configure and run more instances of the Verify Bridge on the same host.
The Verify Bridge typically has a one-to-one relationship with an agent configuration on the cloud. However, you can also deploy multiple instances of the Verify Bridge that share the API client of a single agent configuration. Such a clustered setup can be used to achieve scalability and high availability especially when the instances are set up on separate computers.
- Open a command window and change directory to c:\Program Files\IBM\BridgeAgent.
- Run the onprem command with install and instance options.
onprem -install -instance {inst_name}
The .sample configuration files are copied to:
- ibm_bridge_agent_{inst_name}.json
- tenant_ca_{inst_name}.pem
Note:
- Instance names must be alphanumeric characters without any special characters. Both uppercase and lowercase characters can be used.
- You can cluster the instances by using the same client ID and secret that were generated during the identity agent configuration or you can configure more identity agents to create separate client IDs and secrets.
The instance_id_{inst_name}.txt is created in the installation directory. The Verify Bridge (ibm_bridge_agent_{inst_name}) Windows Service is also created.
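A pre-start check for the three values edited in ibm_bridge_agent.json (it applies equally to ibm_bridge_agent_{inst_name}.json), together with a listing of the accounts that hold rights on the file that stores the client secret. This is an added example, not part of IBM's product or documentation: the function names are hypothetical, the account-name filter assumes an English-language Windows installation, and the path is the default installation folder given above.

```powershell
# Added example. Values are read with a regex over the raw text, so nothing is
# assumed about where the three keys sit inside the JSON document.
function Get-BridgeConfigValue {
    param([string]$Json, [string]$Key)
    $m = [regex]::Match($Json, '"' + [regex]::Escape($Key) + '"\s*:\s*"([^"]*)"')
    if ($m.Success) { $m.Groups[1].Value } else { $null }
}

# Returns one finding per value that is missing or still a sample placeholder.
function Test-BridgeConfig {
    param([string]$Json)
    $findings = @()
    $uri = Get-BridgeConfigValue $Json 'tenant-uri'
    if (-not $uri) { $findings += 'tenant-uri is missing' }
    elseif ($uri -notmatch '^https://') { $findings += 'tenant-uri is not an https:// URI' }
    elseif ($uri -match '<yourtenant>') { $findings += 'tenant-uri still holds <yourtenant>' }
    foreach ($key in 'client-id', 'client-secret') {
        $value = Get-BridgeConfigValue $Json $key
        if (-not $value) { $findings += "$key is missing or empty" }
        elseif ($value -match '^[x-]+$') { $findings += "$key still holds the sample value" }
    }
    $findings
}

# Allow entries for accounts other than SYSTEM and Administrators (English names assumed).
function Get-BridgeConfigReaders {
    param([string]$Path)
    (Get-Acl -LiteralPath $Path).Access |
        Where-Object { $_.AccessControlType -eq 'Allow' -and
                       $_.IdentityReference -notmatch '\\(SYSTEM|Administrators)$' } |
        ForEach-Object { "$($_.IdentityReference): $($_.FileSystemRights)" }
}

# Constructed sample: the unedited values exactly as they appear in the step above.
$sample = @'
{
  "tenant-uri": "https://<yourtenant>.verify.ibm.com",
  "client-id": "xxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
  "client-secret": "xxxxxxxxxx"
}
'@
Test-BridgeConfig $sample

# The real file, if present (default installation folder from this page).
$cfg = 'C:\Program Files\IBM\BridgeAgent\ibm_bridge_agent.json'
if (Test-Path -LiteralPath $cfg) {
    Test-BridgeConfig (Get-Content -LiteralPath $cfg -Raw)
    Get-BridgeConfigReaders $cfg
}
```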