Container image for Configuration
The Verify Identity Access Configuration container image contains the services that are used to configure the Verify Identity Access environment for a containerized environment.
- The container is designed so that it can run as any user who is a member of the root group. In a standard containerized environment, the container is automatically started using the pre-created 'isam' user (UID: 6000).
- The following environment variables are used by the container:
- ADMIN_PWD
- The password for the built-in 'admin' user that is used when the configuration service is accessed. If this parameter is not specified, the default password 'admin' is used. Note: If this environment variable is not supplied, it is highly recommended to change the password by using the local management interface or REST API after the container first starts.
- ADMIN_PWD_MODE
- The mode in which the supplied ADMIN_PWD environment variable is used. Valid values for this property are:
  - SEED: The ADMIN_PWD environment variable is used to seed the environment with the administrator password. This password can be changed by using the web console. This is the default value if the ADMIN_PWD_MODE environment variable is not specified.
  - FIXED: The ADMIN_PWD environment variable is used to set the administrator password. This password cannot be changed by using the web console.
- CONFIG_SERVICE_TLS_CACERT
- The CA certificate bundle that is used to verify the connection when publishing a snapshot to a remote service. Valid values for this property include the following:
  - file:<file.pem>: The file prefix and the path to a PEM formatted certificate bundle. For example, file:/path/to/ca.pem
  - disabled: Disable certificate verification for the configuration service.
  - operator: Retrieve and use the certificate that is used by the Verify Identity Access operator.
- CONFIG_SERVICE_URL
- The URL to which the snapshot data is published. When an administrator chooses to publish a snapshot, the generated snapshot file is sent, by way of an HTTP POST operation, to the specified service. Multiple services can be specified as a comma-separated list.
- CONFIG_SERVICE_USER_NAME
- The name of the user that is used when publishing a snapshot to a remote service.
- CONFIG_SERVICE_USER_PWD
- The password for the user that is used when publishing a snapshot to a remote service.
- CONFIG_SNAPSHOT_SECRETS
- The ordered list of secrets that is used to encrypt the configuration snapshot file. The secrets in the list are separated by the || (two pipe) characters. Each secret must be longer than 16 characters. If more than one secret is defined, the first secret in the list is used to encrypt the configuration snapshot file. Every secret in the list is tried when decrypting the configuration snapshot file. If the configuration snapshot cannot be decrypted, the container fails to bootstrap. If no configuration snapshot secrets are defined, the configuration snapshot file is not encrypted. Note: If the secret that is used to encrypt a snapshot is lost, the snapshot cannot be recovered.
- CONTAINER_TIMEZONE
- The time zone that is used by the container. For example, "Australia/Brisbane".
- FIXPACKS
- A space-separated ordered list of fix packs to be applied when the container is started. If this environment variable is not present, any fix packs present in the fixpacks directory of the configuration volume are applied in alphanumeric order.
- LANG
- The language in which messages that are sent to the console are displayed. When no language is specified, the messages appear in English. The following table lists the supported languages:

| Language | Environment Variable Value |
| --- | --- |
| Czech | cs_CZ.utf8 |
| German | de_DE.utf8 |
| Spanish | es_ES.utf8 |
| French | fr_FR.utf8 |
| Hungarian | hu_HU.utf8 |
| Italian | it_IT.utf8 |
| Japanese | ja_JP.utf8 |
| Korean | ko_KR.utf8 |
| Polish | pl_PL.utf8 |
| Portuguese (Brazil) | pt_BR.utf8 |
| Russian | ru_RU.utf8 |
| Chinese (Simplified) | zh_CN.utf8 |
| Chinese (Traditional) | zh_TW.utf8 |

- LOGGING_CONSOLE_FORMAT
- The required format for the log messages. Valid values are basic or json. The default value is json.
- SNAPSHOT_ID
- The identifier of the snapshot that is used by the container. The full snapshot name is constructed as 'isva_<product_version>_<snapshot_id>.snapshot'. If no identifier is specified, an identifier of 'published' is used.
- SOURCE_CONFIG_SERVICE_TLS_CACERT
- The CA certificate bundle that is used to verify the connection when the initial configuration snapshot is retrieved from a remote service. Valid values for this property are:
  - file:<file.pem>: The file prefix and the path to a PEM formatted certificate bundle. For example, file:/path/to/ca.pem
  - disabled: Disable certificate verification for the configuration service.
  - operator: Retrieve and use the certificate that is used by the Verify Identity Access operator.
- SOURCE_CONFIG_SERVICE_URL
- The URL from which the initial snapshot data is retrieved. When an administrator chooses to retrieve a snapshot, the generated snapshot file is retrieved during bootstrapping, by way of an HTTP GET operation, from the specified service.
- SOURCE_CONFIG_SERVICE_USER_NAME
- The name of the user that is used when a snapshot is retrieved from a remote service.
- SOURCE_CONFIG_SERVICE_USER_PWD
- The password for the user that is used when a snapshot is retrieved from a remote service.
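An added illustration, not part of the IBM documentation, of the CONFIG_SNAPSHOT_SECRETS semantics described in the list above: the value is split on '||', each entry is checked against the length rule, only the first secret encrypts, and every secret is tried on decryption, which is what lets a rotation (new secret first, old secret kept behind it) keep earlier snapshots readable. The cipher is a stand-in built from hashlib and hmac, not the product's real snapshot format, and the secrets are constructed sample values.

```python
import hashlib
import hmac
import os

def parse_snapshot_secrets(value):
    """Split CONFIG_SNAPSHOT_SECRETS on '||' and enforce the documented length rule."""
    if not value:
        return []  # unset: the snapshot file is written unencrypted
    parts = value.split("||")
    if any(len(s) <= 16 for s in parts):
        raise ValueError("each snapshot secret must be longer than 16 characters")
    return parts

def _keys(secret, salt):
    # Stand-in KDF (an assumption, not the product's format): keystream key + tag key
    km = hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 20_000, dklen=64)
    return km[:32], km[32:]

def _xor_stream(key, data):
    # HMAC-SHA256 in counter mode as the keystream (illustrative construction only)
    stream = b"".join(hmac.new(key, i.to_bytes(8, "big"), "sha256").digest()
                      for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, stream))

def encrypt_snapshot(plaintext, secret_list):
    # Only the FIRST secret in the list is used to encrypt.
    if not secret_list:
        return plaintext
    salt = os.urandom(16)
    ke, km = _keys(secret_list[0], salt)
    ct = _xor_stream(ke, plaintext)
    return salt + ct + hmac.new(km, salt + ct, "sha256").digest()

def decrypt_snapshot(blob, secret_list):
    # EVERY secret is tried in order; if none verifies, bootstrap would fail.
    if not secret_list:
        return blob
    salt, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    for s in secret_list:
        ke, km = _keys(s, salt)
        if hmac.compare_digest(hmac.new(km, salt + ct, "sha256").digest(), tag):
            return _xor_stream(ke, ct)
    raise RuntimeError("snapshot cannot be decrypted with any configured secret")

def rotation_keeps_old_snapshots_readable():
    # Rotation recipe: new secret first, old secret kept after it (constructed values).
    old = parse_snapshot_secrets("old-secret-1234567890")
    rotated = parse_snapshot_secrets("new-secret-ABCDEFGHIJ||old-secret-1234567890")
    blob = encrypt_snapshot(b"constructed snapshot bytes", old)
    return decrypt_snapshot(blob, rotated) == b"constructed snapshot bytes"
```

Dropping the old secret from the list before every container that still holds a snapshot encrypted with it has been rebootstrapped is the lost-secret case the note above warns about.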
Consider the following points about user registry support when you configure Verify Identity Access in a containerized environment:
- The embedded user registry can only be used to house the secAuthority=Default suffix when basic users are being used. If full Verify Identity Access users are required, the secAuthority=Default suffix must be stored in an external user registry.
- An external user registry is always required for the user suffix. Configure the external user registry as a federated user registry if the embedded user registry is being used for the secAuthority=Default suffix.
Migrating an appliance to Containers
To migrate your appliance to a containerized environment, you can create a snapshot of the appliance in its original environment and then import the snapshot into a running Verify Identity Access configuration container.
You can import a snapshot from an appliance only if the following conditions are met.
- For a Verify Identity Access Base only activation, the snapshot was taken on version 9.0.0.0 or later. For an Advanced Access Control or Federation activation, the snapshot was taken on version 9.0.2.0 or later.
- The appliance was configured with an embedded configuration database and an external runtime database.
- The appliance runtime environment was using an external LDAP server. Alternatively, if the appliance was running Verify Identity Access 9.0.4.0, an embedded LDAP server can be used if the "wga_rte.embedded.ldap.include.in.snapshot" advanced tuning parameter was set to true before the snapshot was generated.
When a snapshot from an appliance is imported to a configuration container:
- The LMI HTTPS port is rewritten to 9443.
- Any reverse proxy instances have their HTTPS and HTTP ports rewritten to 9443 and 9080.
Restrictions
Verify Identity Access, when run in a containerized environment, has the following restrictions:
- Any configuration changes require the service containers to be reloaded. You can use the CLI to trigger a manual reload. Changes to the Federation configuration and the policy database do not result in any service downtime. Changes to junction definitions and Web Reverse Proxy configuration result in minimal service downtime while the Web Reverse Proxy is restarted. See CLI in a Container environment.
- The authorization server (pdacld) is not supported.
- The front-end load balancer capability of the Verify Identity Access appliance is not supported.
- The remote syslog forwarding capability of the Verify Identity Access appliance is not supported.
- The IP reputation policy information point (PIP) capability of Advanced Access Control is not supported.
- A sample geo-location database is not provided. If a sample geo-location database is required, obtain it from the downloads area of a running virtual or hardware appliance. See Updating location attributes.
- Preinstalled federation partner templates are not provided. See Managing federation partner templates. The connector package is available from the IBM Security® App Exchange site (https://www.ibm.com/security/community/app-exchange) as the 'IBM Security Access Manager Extension for SAML Connectors' package.
- Web Reverse proxy flow data or PAM statistics are not supported.
- The embedded user registry can be used only to hold static data and is not used to hold any user data. As a result, the embedded user registry is used together with a federated registry that stores the user data and basic users. The Verify Identity Access integration component of the SCIM support is not available if the embedded user registry is in use.
- Authentication that uses RSA SecurID tokens is not supported.
- A few differences exist when junctions are managed with the configuration container.
  - Validation of junction server connectivity does not take place when creating a junction.
  - Fine grained authorization checks on junction management operations, and policy object space operations, do not take place. This means that any administrator who is able to authenticate to the policy server (by using, for example, pdadmin) is able to manage junctions and the Web Reverse Proxy policy object space.
Persistent configuration data
The persistent configuration volume is a section of the file system that is reserved for the storage of data that is to be persisted. The data on the persistent configuration volume is persisted even if the containers are deleted.
The persistent configuration volume is mounted in a Verify Identity Access container at '/var/shared'. Snapshots, support files, and fix packs are stored in this volume. To manage these files, you can use the page of the configuration container LMI.
- Snapshots
- Snapshots are located in the snapshots directory of the configuration volume. When a snapshot is published from the configuration container, it is stored on the persistent volume. Snapshots can be created only by using the configuration container, though an administrator can also manually add or remove snapshots by directly accessing the volume.
- Fix packs
- Fix packs are located in the fixpacks directory of the configuration volume. When a container is started, fix packs that are specified in the FIXPACKS environment variable are applied in the order that they are specified. If the FIXPACKS environment variable is not present, any fix packs present in the fixpacks directory of the configuration volume are applied in alphanumeric order.
To manage fix packs, you can either access the container volume manually or use the Shared Volume page of the configuration container LMI. On the Shared Volume page, you can view the contents of the fixpacks directory of the configuration volume and upload, delete, or rename fix packs. The LMI page for fix packs is read-only in a containerized environment. You can use that page to see which fix packs were applied, but you cannot use it to apply or roll back fix packs.
Log files
All logging, including the log entries for the system, LMI and policy server, is sent to the console of the container. This allows the logging infrastructure of the container environment itself to manage the log entries. The LOGGING_CONSOLE_FORMAT environment variable controls the formatting of the log messages. By default, all log entries are formatted in JSON.
The Policy Server configuration controls which auditing records are enabled, and where the auditing records are sent. It is recommended that all auditing records are also written to the console of the container in JSON format. This can be achieved by making the following changes to the ivmgrd.conf configuration file:
- Changing the logging agent that is used for the auditing, which is controlled by the logcfg configuration entry, to stdout.
- Enabling JSON auditing, which is controlled by the audit-json configuration entry.

[aznapi-configuration]
audit-json = yes
logcfg = audit.azn:stdout
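As an added check, not from the IBM documentation: a Python helper that reports whether an ivmgrd.conf text already has the two settings above in its [aznapi-configuration] stanza, and a second function that rewrites the stanza to apply them while leaving other stanzas alone. It assumes logcfg values take the form category:agent [options] (only the audit.azn:stdout value appears on this page) and uses a constructed sample file in the test.

```python
STANZA = "[aznapi-configuration]"
WANTED = {"audit-json": "audit-json = yes", "logcfg": "logcfg = audit.azn:stdout"}  # page's two entries

def _stanza_entries(conf_text):
    # Yield (key, value) pairs that sit inside the [aznapi-configuration] stanza.
    in_stanza = False
    for line in conf_text.splitlines():
        s = line.strip()
        if s.startswith("["):
            in_stanza = (s == STANZA)
        elif in_stanza and "=" in s and not s.startswith("#"):
            k, v = s.split("=", 1)
            yield k.strip(), v.strip()

def check_console_audit(conf_text):
    """Return (audit_json_enabled, azn_audit_agent_is_stdout) for the stanza."""
    audit_json = azn_stdout = False
    for k, v in _stanza_entries(conf_text):
        if k == "audit-json":
            audit_json = v.lower() == "yes"
        elif k == "logcfg" and v.startswith("audit.azn:"):
            # assumed value shape: category:agent [options]
            azn_stdout = (v.split(":", 1)[1].split() or [""])[0] == "stdout"
    return audit_json, azn_stdout

def enable_console_audit(conf_text):
    """Rewrite the stanza so audit.azn records go to stdout as JSON; other stanzas untouched."""
    present = {k for k, v in _stanza_entries(conf_text)
               if k == "audit-json" or (k == "logcfg" and v.startswith("audit.azn:"))}
    out, in_stanza, found = [], False, False
    for line in conf_text.splitlines():
        s = line.strip()
        if s.startswith("["):
            in_stanza = (s == STANZA)
            found = found or in_stanza
            out.append(line)
            if in_stanza:  # add whatever the stanza lacks right under its header
                out.extend(text for key, text in WANTED.items() if key not in present)
            continue
        if in_stanza and "=" in s and not s.startswith("#"):
            k, v = (p.strip() for p in s.split("=", 1))
            if k == "audit-json":
                line = WANTED["audit-json"]
            elif k == "logcfg" and v.startswith("audit.azn:"):
                line = WANTED["logcfg"]  # agent swapped to stdout; old agent options dropped
        out.append(line)
    if not found:  # no stanza at all: append one holding both entries
        out.extend(["", STANZA, *WANTED.values()])
    return "\n".join(out) + "\n"
```

Run check_console_audit against the stanza before reloading the policy server container; a result other than (True, True) means audit records are still going somewhere other than the container console.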