Docker image for Verify Access Distributed Session Cache

Edit online

The Security Verify Access Distributed Session Cache (DSC) Docker image provides the distributed session cache capabilities of Security Verify Access.

Consider the following points when you deploy a DSC container:
  • The DSC container relies on a configuration snapshot which has been generated by the Security Verify Access configuration container.
  • The DSC container should be started as the 'isam' user (UID: 6000). In a standard container environment this will happen automatically but in a Kubernetes environment the security context should be set to allow the container to start as this particular user.
  • The following environment variables are used by the container:
    CONFIG_SERVICE_URL
    The URL that will be used to access the published configuration data. If using the configuration service of the Security Verify Access configuration container, the URL would be of the format: https://<container-ip>:<mapped-port>/shared_volume. A BA header will be supplied to handle authentication to the configuration service. If this environment variable is not specified the container will expect the configuration snapshot to be available in the shared configuration volume, at /var/shared/snapshots.
    CONFIG_SERVICE_USER_NAME
    The name of the user that will be used when accessing the configuration service.
    CONFIG_SERVICE_USER_PWD
    The password for the user that will be used when accessing the configuration service.
    CONFIG_SERVICE_TLS_CACERT
    The CA certificate bundle that is used to verify connection to the configuration snapshot service. Valid values for this property are:
    file:<file.pem>
    The file prefix and the path to a PEM formatted certificate bundle. For example: file:/path/to/ca.pem
    disabled
    Disable certificate verification for the configuration service.
    operator
    Use the Kubernetes service account CA certificate that the Kubernetes/OpenShift PKI infrastructure provides. The service account must have permission to read secrets in the namespace that the Verify Access container is deployed to.
    CONTAINER_TIMEZONE
    The time zone that is used by the container. For example: "Australia/Brisbane".
    SNAPSHOT
    The name of the configuration data snapshot file that is to be used when starting the container. No path information should be included in the filename. The standard snapshot locations will be searched for the specified snapshot file. This variable, if not specified, will default to the latest published configuration.
    SNAPSHOT_ID
    The identifier of the snapshot that is used by the container. The full snapshot name is constructed as:
    ‘isva_<product_version>_<snapshot_id>.snapshot’
    If no identifier is specified, an identifier of 'published' is used. If a full snapshot name is specified by using the SNAPSHOT environment variable, this variable is ignored.
    Note: This environment variable is not available before version 10.0.3.0.
    CONFIG_SNAPSHOT_SECRETS
    The ordered list of secrets that is used to encrypt the configuration snapshot file. The list of secrets is separated by the || (two pipe) characters. Each secret must be longer than 16 characters. If more than one secret is defined, the first secret in the list is used to encrypt the configuration snapshot file. Every secret in the list is tried to decrypt the configuration snapshot file. If the configuration snapshot cannot be decrypted, the container fails to bootstrap. If no configuration snapshot secrets are defined, the configuration snapshot file is not encrypted.
    Note: If the secret that is used to encrypt a snapshot is lost, the snapshot cannot be recovered.​​​​​
    INSTANCE
    The index of the DSC instance to be started (1-4). If no INSTANCE is specified, the instance with the index of ‘1’ will be used.
    LOGGING_CONSOLE_FORMAT
    The required format for the log messages. Valid values are basic or json (default: json).
    TRACE_LEVEL
    The debugging trace level for the container. Valid values consist of the numbers 0 - 9 (default: 0).
    LANG
    The language in which messages which are sent to the console will be displayed. If no language is specified the messages will appear in English. The following table lists the supported languages:
    Language Environment Variable Value
    Czech cs_CZ.utf8
    German de_DE.utf8
    Spanish es_ES.utf8
    French fr_FR.utf8
    Hungarian hu_HU.utf8
    Italian it_IT.utf8
    Japanese ja_JP.utf8
    Korean ko_KR.utf8
    Polish pl_PL.utf8
    Portuguese (Brazil) pt_BR.utf8
    Russian ru_RU.utf8
    Chinese (Simplified) zh_CN.utf8
    Chinese (Traditional) zh_TW.utf8
    FIXPACKS
    A space-separated ordered list of fix packs to be applied when starting the container. If this environment variable is not present, and the CONFIG_SERVICE_URL environment has not been set, any fix packs present in the fixpacks directory of the configuration volume will be applied in alphanumeric order.

Configuration

Edit online
All configuration activities must be completed using the main Security Verify Access image, running as a configuration container. The configuration container supports a scaled-down version of the Security Verify Access appliance LMI. You can use this LMI to manage the configuration data.
Note: To make a configuration available to the DSC container, you must click Publish configuration in the LMI.

Service

Edit online

The container will listen for incoming service and replication requests on the ports specified in the DSC configuration panel of the LMI.

Shared Configuration Data

Edit online

The shared configuration volume is a section of the file system that is reserved for the storage of persistent data.

The shared configuration volume is available in a Security Verify Access DSC container at '/var/shared'.

The shared configuration volume is used to store the following data:
Snapshots
Configuration snapshots are retrieved from the ‘snapshots’ sub-directory of the shared configuration volume if the CONFIG_SERVICE_URL environment variable is not specified.

The configuration data which is used by the Security Verify Access DSC image is fully compatible with the configuration data used by the legacy Security Verify Access image.

Fixpacks
Fix packs are retrieved from the 'fixpacks' sub-directory of the shared configuration volume if the CONFIG_SERVICE_URL environment variable is not specified.

When a DSC container is started, fix packs that are specified in the FIXPACKS environment variable will be applied in the order that they are specified. If the FIXPACKS environment variable is not present, and the CONFIG_SERVICE_URL environment variable has not been specified, any fix packs present in the 'fixpacks' directory of the configuration volume will be applied in alphanumeric order. If the CONFIG_SERVICE_URL environment variable has been specified the required 'fixpacks' must be specified using the FIXPACKS environment variable.

Logging

Edit online

The logging of the DSC process will be sent to the console of the container, in JSON format. This allows the logging infrastructure of the container environment itself to manage the message logs.