Container image for Verify Identity Access Web Reverse Proxy
The Verify Identity Access Web Reverse Proxy (WRP) container image provides the Web Reverse Proxy capabilities of Verify Identity Access.
- The WRP container relies on a configuration snapshot that is generated by the Verify Identity Access configuration container.
- Start the WRP container as the 'isam' user (UID: 6000). In a standard container environment, the 'isam' user is used automatically, but in a Kubernetes environment the security context must be set to allow the container to start as this particular user.
- The wrpadmin command can be used as an alternative to the legacy pdadmin command to manage aspects of the running Web Reverse Proxy process.
- The following environment variables are used by the container:
- CONFIG_SERVICE_URL
- The URL that will be used to access the published configuration data. If using the configuration service of the Verify Identity Access configuration container, the URL would be of the format: https://<container-ip>:<mapped-port>/shared_volume. A BA header will be supplied to handle authentication to the configuration service. If this environment variable is not specified, the container will expect the configuration snapshot to be available in the shared configuration volume, at /var/shared/snapshots.
- CONFIG_SERVICE_TLS_CACERT
- The CA certificate bundle that is used to verify the connection to the configuration snapshot service. This property has the following valid values:
  - file:<file.pem>: The file prefix and the path to a PEM formatted certificate bundle. For example: file:/path/to/ca.pem
  - disabled: Disable certificate verification for the configuration service.
  - operator: Use the Kubernetes service account CA certificate that the Kubernetes/OpenShift PKI infrastructure provides. The service account must have permission to read secrets in the namespace that the Verify Identity Access container is deployed to.
- CONFIG_SERVICE_USER_NAME
- The name of the user that is used to access the configuration service.
- CONFIG_SERVICE_USER_PWD
- The password for the user that is used to access the configuration service.
- CONFIG_SNAPSHOT_SECRETS
- The ordered list of secrets that is used to encrypt the configuration snapshot file. The secrets in the list are separated by the || (two pipe) characters. Each secret must be longer than 16 characters. If more than one secret is defined, the first secret in the list is used to encrypt the configuration snapshot file. Every secret in the list is tried when decrypting the configuration snapshot file. If the configuration snapshot cannot be decrypted, the container fails to bootstrap. If no configuration snapshot secrets are defined, the configuration snapshot file is not encrypted. Note: If the secret that is used to encrypt a snapshot is lost, the snapshot cannot be recovered.
- CONTAINER_TIMEZONE
- The time zone that is used by the container. For example: "Australia/Brisbane".
- HTTP_PORT
- The port on which the container listens for HTTP requests (default: 9080). Note: If the port number is less than 1024, the NET_BIND_SERVICE capability is required for the container.
- HTTPS_PORT
- The port on which the container listens for HTTPS requests (default: 9443). Note: If the port number is less than 1024, the NET_BIND_SERVICE capability is required for the container.
- FIXPACKS
- A space-separated ordered list of fix packs to be applied when the container is started. If this environment variable is not present, and the CONFIG_SERVICE_URL environment variable is not set, any fix packs present in the fixpacks directory of the configuration volume are applied in alphanumeric order.
- INSTANCE
- The name of the WRP instance to be started. If no INSTANCE is specified, the instance with the name of 'default' is used.
- LANG
- The language in which messages that are sent to the console are displayed. If no language is specified, the messages appear in English. The following table lists the supported languages:
Language | Environment Variable Value |
---|---|
Czech | cs_CZ.utf8 |
German | de_DE.utf8 |
Spanish | es_ES.utf8 |
French | fr_FR.utf8 |
Hungarian | hu_HU.utf8 |
Italian | it_IT.utf8 |
Japanese | ja_JP.utf8 |
Korean | ko_KR.utf8 |
Polish | pl_PL.utf8 |
Portuguese (Brazil) | pt_BR.utf8 |
Russian | ru_RU.utf8 |
Chinese (Simplified) | zh_CN.utf8 |
Chinese (Traditional) | zh_TW.utf8 |
- LOG_TO_CONSOLE
- A space-separated list of logging sources that are sent to the container console. The following table lists the logging sources:
Source | Description |
---|---|
azn-audit | Enable auditing of authorization decisions and send these audit records to the console. This value has the impact of setting the [aznapi-configuration] logcfg configuration entry. |
requests | Enable auditing of access requests and send these audit records to the console. This value has the impact of setting the [logging] requests-file configuration entry. |
waf.audit | Any audit records generated by the Web Application Firewall are sent to the console. |
waf.log | Any logging events generated by the Web Application Firewall are sent to the console. |
- LOGGING_CONSOLE_FORMAT
- The format for the log messages. Valid values are 'basic' or 'json' (default: json).
- SNAPSHOT
- The name of the configuration data snapshot file that is used when the container starts. No path information must be included in the file name. The standard snapshot locations are searched for the specified snapshot file. This variable, if not specified, defaults to the latest published configuration.
- SNAPSHOT_ID
- The identifier of the snapshot that is used by the container. The full snapshot name is constructed as: 'isva_<product_version>_<snapshot_id>.snapshot'. If no identifier is specified, an identifier of 'published' is used. If a full snapshot name is specified by using the SNAPSHOT environment variable, this variable is ignored. Note: This environment variable is not available before version 10.0.3.0.
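As an added example (not part of the image or IBM's documentation), the following POSIX shell preflight applies the rules above for CONFIG_SNAPSHOT_SECRETS, HTTP_PORT/HTTPS_PORT and SNAPSHOT/SNAPSHOT_ID to the values you intend to pass to the container; the function names and the sample values are constructed.

```shell
# Added example, not IBM's own tooling: preflight checks for values that will
# be passed to the WRP container. Sample values in the comments are constructed.

# CONFIG_SNAPSHOT_SECRETS: entries separated by "||", each longer than 16
# characters. Prints the number of secrets, or returns 1 on the first bad one.
check_snapshot_secrets() {
  rest="$1"
  count=0
  if [ -z "$rest" ]; then echo 0; return 0; fi   # unset: snapshot stays unencrypted
  rest="$rest||"                                   # sentinel so the last entry is parsed too
  while [ -n "$rest" ]; do
    secret="${rest%%||*}"
    rest="${rest#*||}"
    count=$((count + 1))
    if [ "${#secret}" -le 16 ]; then
      echo "secret #$count has ${#secret} chars; more than 16 are required" >&2
      return 1
    fi
  done
  echo "$count"
}

# HTTP_PORT / HTTPS_PORT: ports below 1024 need the NET_BIND_SERVICE capability.
port_capability() {
  if [ "$1" -lt 1024 ]; then echo required; else echo not-required; fi
}

# SNAPSHOT / SNAPSHOT_ID: SNAPSHOT (a bare file name, no path) wins when set;
# otherwise the name is isva_<product_version>_<snapshot_id>.snapshot with the
# identifier defaulting to "published". Arguments: version, SNAPSHOT, SNAPSHOT_ID.
snapshot_file() {
  version="$1"; snapshot="$2"; snapshot_id="${3:-published}"
  case "$snapshot" in
    */*) echo "SNAPSHOT must not contain path information" >&2; return 1 ;;
  esac
  if [ -n "$snapshot" ]; then
    echo "$snapshot"
  else
    echo "isva_${version}_${snapshot_id}.snapshot"
  fi
}

# Example run with constructed values (e.g. a rotation: new secret first):
# check_snapshot_secrets 'new-rotation-secret-value||original-long-secret-value'
# port_capability 443
# snapshot_file 10.0.3.0 '' ''
```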
Configuration Service
The container, by default, listens for incoming requests on port 9443, and optionally port 9080 (if HTTP access is enabled in the configuration snapshot). Use the HTTPS_PORT and HTTP_PORT environment variables to change the ports on which the container listens.
Shared configuration data
The shared configuration volume is a section of the file system that is reserved for the storage of persistent data.
The shared configuration volume is available in a Verify Identity Access WRP container at /var/shared.
- Fixpacks
- Fix packs are retrieved from the 'fixpacks' subdirectory of the shared configuration volume if the CONFIG_SERVICE_URL environment variable is not specified. When a WRP container is started, fix packs that are specified in the FIXPACKS environment variable are applied in the order that they are specified. If the FIXPACKS environment variable is not present, and the CONFIG_SERVICE_URL environment variable is not specified, any fix packs present in the 'fixpacks' directory of the configuration volume are applied in alphanumeric order. If the CONFIG_SERVICE_URL environment variable is specified, the required fix packs must be specified by using the FIXPACKS environment variable.
Logging
The logging of the WRP process will, by default, be sent to the console of the container, in JSON format. This allows the logging infrastructure of the container environment itself to manage the message logs. Additional logging and auditing sources can also be sent to the console by using the LOG_TO_CONSOLE environment variable.
The WRP trace, statistics, and crash files are written to the /var/application.logs directory. Therefore, the recommended approach is to create this directory as a shared volume when you create your container or StatefulSet (refer to the official Kubernetes documentation for information on StatefulSets). The following table lists the subdirectory that is used for each type of log file:
Log file | Subdirectory (relative to the root log directory) |
---|---|
WRP trace files | wrp/<instance>/trace |
WRP statistic files | wrp/<instance>/stats |
WRP crash files | wrp/<instance>/crash |
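To show how the 'isam' user (UID 6000) requirement and the NET_BIND_SERVICE note from the environment variable list fit together with the StatefulSet and log-volume recommendation above, here is an added example (not IBM's manifest) that prints a minimal Kubernetes StatefulSet for the WRP container; the image, Secret and config-service names are placeholders, and the claim size is assumed.

```shell
# Added example, not IBM's own manifest: emit a minimal StatefulSet for the WRP
# container. Registry/tag, Secret name and config-service host are placeholders.
gen_wrp_statefulset() {
  https_port="${1:-9443}"
  cap_block=""   # NET_BIND_SERVICE is only granted for ports below 1024
  if [ "$https_port" -lt 1024 ]; then
    cap_block='          capabilities:
            add: ["NET_BIND_SERVICE"]'
  fi
  cat <<EOF
apiVersion: apps/v1
kind: StatefulSet
metadata:
  name: verify-access-wrp
spec:
  serviceName: verify-access-wrp
  selector:
    matchLabels: {app: verify-access-wrp}
  template:
    metadata:
      labels: {app: verify-access-wrp}
    spec:
      securityContext:
        runAsUser: 6000            # start as the 'isam' user
        runAsNonRoot: true
      containers:
      - name: wrp
        image: PLACEHOLDER_REGISTRY/verify-access-wrp:PLACEHOLDER_TAG
        securityContext:
          allowPrivilegeEscalation: false
$cap_block
        env:
        - {name: INSTANCE, value: default}
        - {name: HTTPS_PORT, value: "$https_port"}
        - {name: CONFIG_SERVICE_URL, value: "https://config-service:9443/shared_volume"}
        - {name: CONFIG_SERVICE_TLS_CACERT, value: operator}
        - name: CONFIG_SERVICE_USER_NAME
          valueFrom: {secretKeyRef: {name: wrp-secrets, key: config-user}}
        - name: CONFIG_SERVICE_USER_PWD
          valueFrom: {secretKeyRef: {name: wrp-secrets, key: config-password}}
        - name: CONFIG_SNAPSHOT_SECRETS
          valueFrom: {secretKeyRef: {name: wrp-secrets, key: snapshot-secrets}}
        volumeMounts:
        - {name: logs, mountPath: /var/application.logs}
  volumeClaimTemplates:
  - metadata: {name: logs}
    spec: {accessModes: [ReadWriteOnce], resources: {requests: {storage: 1Gi}}}
EOF
}
```

Run `gen_wrp_statefulset 443 | kubectl apply -f -` for a privileged port, or with no argument for the default 9443; with CONFIG_SERVICE_TLS_CACERT set to operator, the service account must be able to read secrets in the namespace.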