Container Configuration

This module contains documentation for system level configuration applicable for Container based Verify Identity Access deployments. Container configuration is defined under the container top level key. At a minimum an administrator should define the mgmt_base_url, mgmt_user and mgmt_pwd keys (or define the applicable environment variables). These keys should be defiend at the top level of the configuration file.

Example

mgmt_base_url: "https://127.0.0.1:9443"
mgmt_user: "admin"
mgmt_pwd: "Passw0rd"
container:
  admin_cfg:
    session_timeout: 720
  account_management:
    users:
    - name: "cfgsvc"
      operation: "update"
      password: !secrets/isva-secrets:cfgsvc-passwd
  management_authorization:
    authorization_enforcement: True
    roles:
    - operation: update
      name: "Configuration Service"
      users:
      - name: "cfgsvc"
        type: "local"
      features:
      - name: "shared_volume"
        access: "w"
  ssl_certificates:
  - name: "lmi_trust_store"
    signer_certificates:
    - "postgres.crt"
    - "ldap.crt"
  - name: "rt_profile_keys"
    signer_certificates:
    - "postgres.crt"
  cluster:
    host: "postgresql"
    port: 5432
    type: "Postgresql"
    user: "postgres"
    password: !secrets/isva-secrets:postgres-passwd
    ssl: True
    db_name: "isva"

Container specific configuration

This section covers the Container specific configuration of Verify Identity Access deployments. Typically this involves setting an external HVDB connection; and enabling the management authorization feature to permit a service account to publish configuration snapshots which can be subsequently fetched by other containers in` the deployment.

Managing Container Deployments

Kubernetes / OpenShift

If Verify Identity Access is deployed with Kubernetes, then kubectl cli tool can be used to promote a configuration snapshot. There are two ways to do this: One, use Kubernetes to restart the deployments; Two, use the automated service from the legacy “all-in-one” container. It is recommended to use Kubernetes to rollout restarts to deployments where possible.

The kubectl rollout restart command can be used to restart reverse proxy, runtime and DSC deployments. The configurator can use deployment names to request a restart of all of the pods associated with a deployment. If this functionality is used then the user running the Kubernetes commands must have sufficient privilege to restart the containers. An example of a deployment configuration is:

container:
  k8s_deployments:
    namespace: "default"
    configuration:
    - "isamconfig"
    webseal:
    - "isamwrp_1"
    - "isamwrp_2"
    runtime:
    - "isamruntime"
    dsc:
    - "isamdsc_1"
    - "isamdsc_2"

Docker-Compose

If Verify Identity Access is deployed with Docker-Compose, then docker-compose cli tool can be used to manage runtime containers when a snapshot needs to be promoted. The configurator can use the compose service names to request a restart of runtime containers. If this functionality is used then the user running the configurator should have sufficient privilege to restart docker containers. An example of a compose deployment configuration is:

container:
  compose_services:
    - "isvawrprp1"
    - "isvaruntime"
  docker_compose_yaml: "iamlab/docker-compose.yaml"

Database and Distribued Session Cache Configuration

Type: object

Configuration for config and runtime database connections; and distributed session cache settings in container deployments.
Examples:

cluster:
  runtime_database:
    type: postgresql
    host: postgresql
    port: 5432
    ssl: true
    ssl_keystore: rt_profile_keys
    user: postgres
    password: Passw0rd
    db_name: isva

cluster:
  config_database:
    type: postgresql
    host: postgresql
    port: 5432
    ssl: true
    ssl_keystore: rt_profile_keys
    user: postgres
    password: Passw0rd
    db_name: config
  runtime_database:
    type: postgresql
    host: postgresql
    port: 5432
    ssl: true
    ssl_keystore: rt_profile_keys
    user: postgres
    password: Passw0rd
    db_name: hvdb

Type: object

Configuration for the config database.

Type: enum (of string)

Database type.

Must be one of:

  • "postgresql"
  • "db2"
  • "oracle"
  • "mssql"

Type: string

Hostname or address of database.

Type: integer

Port database is listening on.

Value must be greater or equal to 1 and lesser or equal to 65535

Type: boolean

Enable SSL encryption of connections.

Type: string

SSL database to use to verify connections. Only valid if ssl == true.

Type: string

Username to authenticate to database as.

Type: stringFormat: password

Password to authenticate as username.

Type: string

Name of the database instance to use.

Type: object

Database type specific configuration.

Additional Properties of any type are allowed.

Type: object

Type: object

Configuration for the runtime (HVDB) database.

Same definition as config_database

Type: object

Configuration for the distributed session cache runtime containers.

Type: integer

The length of time (in seconds) that a client (aka WebSEAL) has to reconnect before sessions owned by that client are discarded.

Value must be greater or equal to 0

Type: integer

The maximum length of time that a connection from a client can remain idle before it is closed by the server. A value of 0 indicates that connections will not be reused.

Value must be greater or equal to 0

Type: integer

The maximum lifetime (in seconds) of any session stored by the DSC.

Value must be greater or equal to 1

Type: integer

The port number on which the DSC will listen for requests.

Value must be greater or equal to 1 and lesser or equal to 65535

Type: integer

The port number on which the DSC will listen for replication requests.

Value must be greater or equal to 1 and lesser or equal to 65535

Type: string

The comma separated list of permitted SSL algorithms for TLS connections to the DSC.

Type: string

The comma separated list of permitted TLS 1.2 cipher specs for established TLS connections to the DSC.

Type: string

The comma separated list of permitted TLS 1.3 cipher specs for established TLS connections to the DSC.

Type: integer

The number of worker threads allocated to processing requests.

Value must be greater or equal to 1

Type: array

The external connection data for each instance of the DSC. This corresponds to the IP address and ports to which clients will connect. Up to 4 servers may be defined (primary, secondary, tertiary and quaternary). The role of the server will be determined by the order of elements within the servers array.

Must contain a minimum of 1 items

Must contain a maximum of 4 items

No Additional Items

Each item of this array must be:

Type: object

A Distributed Session Cache server configuration.

Type: string

The name/IP address over which clients can connect to the DSC.

Type: integer

The port which can be used by clients to connect to the DSC for session requests.

Value must be greater or equal to 1 and lesser or equal to 65535

Type: integer

The port which can be used by the DSC to replicate data to a replication DSC.

Value must be greater or equal to 1 and lesser or equal to 65535


The base configurator is responsible for completing the first steps (SLA), activating licensed modules, importing PKI and system wide settings like date/time/networking.

SLA / First steps

The configurator can be used to accept the Service License Agreement as well as the “first steps” LMI prompts, including enabling FIPS compliance. This is always done with the admin account using the default password. Failing this step does not result in autoconfig aborting.

Note

The accept_eula and complete_setup functions are used internally during first-time setup.

Password Update

Admin Password Configuration

Type: object

The password of the management account may be updated once. This account must already exist on the appliance and have sufficient permission to complete all of the configuration required. These properties are overridden by IVIA_MGMT_* environment variables
Example:

mgmt_user: admin
mgmt_pwd: S3cr37Pa55w0rd!
mgmt_old_pwd: administrator

Type: string Default: "admin"

Administrator user to run configuration as.

Type: stringFormat: password

Secret to authenticate as the Administrator user.

Type: stringFormat: password

Password to update for the Administrator user.


Administrator Configuration

Type: object

System wide settings such as LMI log file configuration, account management and tuning parameters for the LMI JVM.
Example:

admin_cfg:
  session_timeout: 7200
  sshd_client_alive: 300
  console_log_level: AUDIT
  accept_client_certs: true

Type: integer

The minimum heap size, in megabytes, for the JVM.

Value must be greater or equal to 1

Type: integer

The minimum heap size, in megabytes, for the JVM.

Value must be greater or equal to 1

Type: integer Default: 120

The length of time, in minutes, that a session can remain idle before it is deleted (valid values 0 - 720). A default value of 120 is used.

Value must be greater or equal to 0 and lesser or equal to 720

Type: integer Default: 30

The length of time, in minutes, that a session can remain idle before it is deleted (valid values = -1 - 720). A default value of 30 is used. A value of -1 disables the inactivity timeout.

Value must be greater or equal to -1 and lesser or equal to 720

Type: integer

The TCP port on which the LMI will listen.

Value must be greater or equal to 1 and lesser or equal to 65535

Type: integer Default: 443

The SSL port on which the LMI will listen. A default value of 443 is used.

Value must be greater or equal to 1 and lesser or equal to 65535

Type: integer Default: 22

The port on which the SSH daemon will listen. A default value of 22 is used. Please note that if using the appliance clustering capability all nodes in the cluster must be configured to use the same port for the SSH daemon.

Value must be greater or equal to 1 and lesser or equal to 65535

Type: integer

The number of seconds that the server will wait before sending a null packet to the client. A value of -1 means using the default timeout settings.

Value must be greater or equal to -1

Type: integer

The amount of allocated swap space, in Megabytes. There must be enough disk space on the active partition to store the swap file, otherwise an error will be logged in the system log file and the default amount of swap space will be used. (only present in the response if a value has been set).

Value must be greater or equal to 0

Type: integer Default: 6

The minimum number of threads which will handle LMI requests. A default value of 6 is used.

Value must be greater or equal to 1

Type: integer Default: 6

The maximum number of threads which will handle LMI requests. A default value of 6 is used.

Value must be greater or equal to 1

Type: integer Default: 100

The maximum number of connections for the connection pool. The default value is 100.

Value must be greater or equal to 1

Type: boolean Default: false

A boolean value which is used to control whether LMI debugging is enabled or not. By default debugging is disabled.

Type: boolean

The console messaging level of the LMI (valid values include INFO, AUDIT, WARNING, ERROR and OFF). A default value of OFF is used.

Type: string

A comma-separated string which lists the users for which CSRF checking should be disabled. Regular expressions are accepted, and any embedded commas should be escaped with the " character. This option is required if you wish to access a Web service, using client certificates for authentication, from a non-browser based client. An example might be cn=scott,o=ibm,c=us,cn=admin,o=dummyCorp,c=*.

Type: string

Specifies which secure protocols will be accepted when connecting to the LMI. The supported options include: TLS, TLSv1, TLSv1.1 and TLSv1.2.

Type: array of enum (of string)

List of Enabled TLS protocols for the local management interface. Valid values include TLSv1, TLSv1.1 and TLSv1.2.

 No Additional Items

Each item of this array must be:

Type: enum (of string)

Must be one of:

  • "TLSv1"
  • "TLSv1.1"
  • "TLSv1.2"
  • "TLSv1.3"

Type: enum (of string) Default: "OFF"

The console messaging level of the LMI (valid values include INFO, AUDIT, WARNING, ERROR and OFF). A default value of OFF is used.

Must be one of:

  • "INFO"
  • "AUDIT"
  • "WARNING"
  • "ERROR"
  • "OFF"

Type: boolean Default: true

A boolean value which is used to control whether SSL client certificates are accepted by the local management interface. By default SSL client certificates are accepted.

Type: integer Default: 2

The maximum number of log files that are retained. The default value is 2.

Value must be greater or equal to 1

Type: integer Default: 20

The maximum size (in MB) that a log file can grow to before it is rolled over. The default value is 20

Value must be greater or equal to 1

Type: string

The proxy <host>:<port> to be used for HTTP communication from the LMI. The port component is optional and will default to 80.

Must match regular expression: ^[^:]+(:d+)?$

Type: string

The proxy <host>:<port> to be used for HTTPS communication from the LMI. The port component is optional and will default to 443.

Must match regular expression: ^[^:]+(:d+)?$

Type: string

This is a customizable header that is displayed when accessing the login page in a web browser and after logging in via SSH. Multiple lines of text can be specified by using the sequence "n", which will be interpreted as a line break.

Type: string

This is a customizable message that is displayed when accessing the login page in a web browser and after logging in via SSH. Multiple lines of text can be specified by using the sequence "n", which will be interpreted as a line break.

Type: string

The template string to use for the LMI access.log file. If not set the access log is disabled (default).

Type: integer Default: 5

This is a timeout (in seconds) for notification messages that appear in the LMI. A value of 0 indicates that the messages should not timeout. The default value is 5 seconds.

Value must be greater or equal to 0

Type: string

This is a space separated list of valid domains for IBM Security Verify. These domains are used by the IBM Security Verify wizard to ensure that only valid hostnames are used.


SSL Certificate Database

Type: object

X509 Certificates and PCKS12 key-files to be imported into Verify Identity Access SSL databases. Each entry in the list can have four keys: database name; personal certificates; certificates loaded from URL's; and signer certificates. Alternatively a SSL Certifiacte Datbase can be imported from a .kdb and corresponding .sth file. If a database does not exist on the appliance then it is created before files are imported.

SSL certificates are imported into the appliance by reading files from the file system. Therefore any PKI which is to be imported into the appliance must specify the fully-qualified path or be a path relative to the IVIA_CONFIG_BASE environment variable.
Example:

ssl_certificates:
- name: lmi_trust_store
  personal_certificates:
  - path: ssl/lmi_trust_store/personal.p12
    secret: S3cr37
  signer_certificates:
  - ssl/lmi_trust_store/signer.pem
- name: rt_profile_keys
  signer_certificates:
  - ssl/rt_profile_keys/signer.pem
- kdb_file: my_keystore.kdb
  stash_file: my_keystore.sth

Type: string

Name of SSL database to configure. If database does not exist it will be created. Either name or kdb_file must be defined.

Type: string

Path to the .kdb file to import as a SSL database. Required if importing a SSL KDB.

Must match regular expression: .*\.kdb$

Type: string

Path to the .sth file for the specified kdbfile. Required if kdbfile is set.

Must match regular expression: .*\.sth$

Type: array of string

List of file paths for signer certificates (PEM or DER) to import.

 No Additional Items

Each item of this array must be:

Type: string
Must match regular expression: .*\.(pem|der|crt|cer)$

Type: array of object

List of file paths for personal certificates (PKCS#12) to import.

 No Additional Items

Each item of this array must be:

Type: object

Type: string

Optional label to include when importing the certificate. If this is not present the CN X.500 attribute is used.

Type: string

Path to PKCS12 file to import as a personal certificate/key.

Must match regular expression: .*\.(p12|pfx)$

Type: stringFormat: password

Optional secret to decrypt personal certificate.

Type: array of object

Load X509 certificates from TCPS endpoints.

 No Additional Items

Each item of this array must be:

Type: object

Type: stringFormat: hostname

Domain name or address of web service.

Type: integer

Port Web service is listening on.

Value must be greater or equal to 1 and lesser or equal to 65535

Type: string

Name of retrieved X509 certificate alias in SSL database.


Administrator Account Management

Type: object

Administrator accounts, groups for the local management interface. Groups are created before users; therefore if a user is being created and added to a group then this should be done in the user configuration entry.
Example:

account_management:
  users:
  - name: cfgsvc
    operation: update
    password: StrongPassword
    groups:
    - aGroup
    - anotherGroup
  groups:
  - name: adminGroup
    operation: update
    users:
    - admin
    - anotherUser

Type: array of object

Optional list of management users to configure

 No Additional Items

Each item of this array must be:

Type: object

Type: enum (of string)

Operation to perform with user. add | update | delete.

Must be one of:

  • "add"
  • "update"
  • "delete"

Type: string

Name of the user to create, remove or update.

Type: stringFormat: password

Password to authenticate as user. Required if creating user.

Type: array of string

Optional list of groups to add user to.

 No Additional Items

Each item of this array must be:

Type: string

Type: array of object

Optional list of management groups to configure.

 No Additional Items

Each item of this array must be:

Type: object

Type: enum (of string)

Operation to perform with group. add | update | delete.

Must be one of:

  • "add"
  • "update"
  • "delete"

Type: string

Name of group to create.

Type: array of string

Optional list of users to add to group.

 No Additional Items

Each item of this array must be:

Type: string


Management Authorization

Type: object

Manage access to Verify Identity Access features and defining Role Based Access Control (RBAC) to the local management interface. This allows for fine-grained control over which accounts are permitted to modify a deployment. Administrators can create roles which contain permissions for one or more features. Each feature in a role has two permission levels: read access (can view but cannot modify); and write access (permission to modify).
Example:

management_authorization:
  authorization_enforcement: true
  roles:
  - operation: update
    name: Configuration Service
    users:
    - name: cfgsvc
      type: local
    features:
    - name: shared_volume
      access: w

Type: boolean

Enable role based authorization for this deployment.

Type: array of object

Optional list of roles to modify for role based authorization.

 No Additional Items

Each item of this array must be:

Type: object

Type: enum (of string)

Operation to perform on authorization role.

Must be one of:

  • "add"
  • "remove"
  • "update"

Type: string

Name of role.

Type: array of object

Optional list of users to add to role.

 No Additional Items

Each item of this array must be:

Type: object

Type: string

Name of user.

Type: enum (of string)

Type of user.

Must be one of:

  • "local"
  • "remote"

Type: array of object

Optional list of groups to add to role.

 No Additional Items

Each item of this array must be:

Type: object

Type: string

Name of group.

Type: enum (of string)

Type of group.

Must be one of:

  • "local"
  • "remote"

Type: array of object

List of features to authorize users/groups for. Each feature has two permission levels: read access (can view but cannot modify) and write access (permission to modify).

 No Additional Items

Each item of this array must be:

Type: object

Type: string

Name of feature.

Type: enum (of string)

Access to grant to feature. 'r' for read access, 'w' for write access.

Must be one of:

  • "r"
  • "w"


Management Authentication

Type: object

Configure how users authenticate to the Verify Identity Access management interface. By default the management interface uses a local user registry, but administrators can configure a LDAP server or integrate a third party identity provider using the OIDC specification.
Example:

management_authentication:
  auth_type: federation
  oidc:
    client_id: 27d55f1c-285a-11ef-81ec-14755ba358db
    client_secret: SDFGc3ffFSD3m4Xtg1
    discovery_endpoint: https://verify.ibm.com/.well-known/openid-configuration
    require_pkce: true
    enable_admin_group: false
    enable_tokenmapping: false

Type: enum (of string)

Specifies whether the local user database or the remote LDAP user registry is used for authentication. If set to 'local', then all other fields are ignored.

Must be one of:

  • "local"
  • "federation"
  • "remote"

Type: object

LDAP specific configuration properties. Only one of LDAP or OIDC should be defined.

Type: stringFormat: hostname

Specifies the name of the LDAP server.

Type: string

Specifies the port over which to communicate with the LDAP server.

Type: boolean

Specifies whether SSL is used when the system communicates with the LDAP server.

Type: string

Specifies the name of the key database file (without any path information). This parameter is required if 'ssl' is 'true'

Type: string

Specifies the name of the certificate within the Key database that is used if client authentication is requested by the LDAP server.

Type: string

Specifies the name of the LDAP attribute which holds the supplied authentication user name of the user.

Type: string

Specifies the name of the LDAP attribute which is used to hold the members of a group.

Type: string

Specifies the base DN which is used to house all administrative users.

Type: string

Specifies the DN of the group to which all administrative users must belong.

Type: boolean

Specifies whether the LDAP user registry supports anonymous bind. If set to false, 'binddn' and 'bindpassword' are required.

Type: string

Specifies the DN of the user which will be used to bind to the registry. This user must have read access to the directory. This parameter is required if anon_bind is 'false'

Type: stringFormat: password

Specifies the password which is associated with the binddn. This parameter is required if anonbind is 'false'.

Type: boolean

Specifies whether the capturing of LDAP debugging information is enabled or not.

Type: boolean

Specifies whether mapping of the incoming client certificate DN is enabled.

Type: string

Specifies the javascript script that will map the incoming client certificate DN. Only valid if 'enable_usermapping' is true.

Type: boolean Default: false

Specifies whether or not users in the LDAP server can log in via SSH using SSH public key authentication. Defaults to false.

Type: string

Specifies the name of the LDAP attribute which contains a user's public key data. This field is required if SSH public key authentication is enabled.

Type: object

OIDC specific configuration properties. Only one of LDAP or OIDC should be defined.

Type: string

The OIDC Client Identifier.

Type: stringFormat: password

The OIDC Client Secret.

Type: stringFormat: uri

The OIDC Discovery (well-known) endpoint.

Type: boolean

Specifies whether the Public key Code Exchange extension is enforced.

Type: boolean

Specifies whether a user must be a member of a particular group to be considered an administrator user.

Type: string Default: "groupIds"

The OIDC token claim to use as group membership. This claim can either be a String, or a list of Strings.

Type: string Default: "adminGroup"

The name of the group which a user must be a member of to be considered an administrator user.

Type: string Default: "sub"

Specifies the OIDC token claim to use as the username.

Type: string Default: "lmi_trust_store"

The SSL Truststore to verify connections to the OIDC OP.

Type: boolean

Specifies whether custom claim to identity mapping is performed using a JavaScript code fragment.

Type: string

The custom JavaScript code fragment to map an identity token to a username/group membership. Only valid if 'enable_tokenmapping' is 'true'.


Module Activation

Type: object

License files to activate the Advanced Access Control, Federation and WebSEAL Reverse Proxy modules are imported in this step. Subsequent module configuration is dependent on one or more of these licenses being applied to a deployment.
Examples:

activation:
  webseal: base_activation_code
  access_control: aac_activation_code
  federation: fed_activation_code

activation:
  trial_license: issued/trial.pem

Type: string

Trial license file issued from https://isva-trial.verify.ibm.com/

Must match regular expression: .*\.pem$

Type: string

License code for the WebSEAL Reverse Proxy module.

Type: string

License code for the Advanced Access Control module.

Type: string

License for the Federations module.


Advanced Tuning Parameters

Type: array of object

Advanced Tuning Parameters can be set on an appliance to configure additional settings not exposed by the LMI. Any required advanced tuning parameters for your deployment will be communicated to you via IBM support.

 No Additional Items

Each item of this array must be:

Type: object

Type: string

Name of the Advanced Tuning Parameter.

Type: string

Value of the Advanced Tuning Parameter.

Type: string

Optional description of the Advanced Tuning Parameter.

Type: enum (of string)

Operation which should be performed on advanced tuning parameter.

Must be one of:

  • "add"
  • "delete"
  • "update"

Example:

advanced_tuning_parameters:
- name: wga.rte.embedded.ldap.ssl.port
  value: '636'
- name: password.policy
  value: minlen=8 dcredit=1 ucredit=1 lcredit=1
  description: Enforced PAM password quality for management accounts.


Configuration Snapshots

Type: object

A snapshot can be applied to both Container and Appliance deployments to restore a previous configuration state. This is done via a signed archive file, generated by the deployment you are trying to preserve/re-create.
Example:

snapshot: snapshots/isva-2023-02-08.snapshot

Type: string

Path to the signed snapshot archive file to apply.

Must match regular expression: .*\.snapshot$


Extensions

Type: array

Extensions are used to install third party applications, such as platform monitoring tools, on a Verify Identity Access deployment.

An extension consists of:
- A signed installation package from IBM Security Verify Identity Access App-Xchange
- Optional configuration properties
- Additional binaries required by the extension

The specific properties required to install an extension will change based on the type of extension being installed. Administrators can use a Web Browser to inspect HTTP requests when uploading an extension to a Verify Identity Access appliance to determine which properties are required for their particular extension.

 No Additional Items

Each item of this array must be:

Type: object

An extension package to install on Verify Identity Access.

Type: string

The signed extension file to be installed on Verify Identity Access.

Must match regular expression: .*\.(ext|zip)$

Type: array of string

An optional list of third party packages to be uploaded to Verify Identity Access as part of the installation process.

 No Additional Items

Each item of this array must be:

Type: string

Type: object

Key-Value properties to give the extension during the installation process. This list of properties will vary with the type of extension being installed.

Additional Properties of any type are allowed.

Type: object

Example:

extensions:
- extension: Instana/instana.ext
  third_party_packages:
  - Instana/agent.rpm
  properties:
    extId: instanaAgent
    instanaAgentKey: api_key_goes_here
    instanaHost: ingress-orange-saas.instana.io
    instanaPort: 443
    mvnRepositoryUrl: https://artifact-public.instana.io
    mvnRepositoryFeaturesPath: artifactory/features-public@id=features@snapshots@snapshotsUpdate=never
    mvnRepositorySharedPath: artifactory/shared@id=shared@snapshots@snapshotsUpdate=never


Remote Syslog

Type: array of object

The remote system logging capabilities of Verify Identity Access deployments. Administrators are able to define external servers where logs for Verify Identity Access sub-components should be forwarded to.

 No Additional Items

Each item of this array must be:

Type: object

Type: stringFormat: hostname

The hostname or IP address of the remote syslog server.

Type: integer Default: 514

The port number on which the remote syslog server is listening.

Value must be greater or equal to 1 and lesser or equal to 65535

Type: boolean Default: false

Enable debug logging for the syslog forwarder.

Type: enum (of string) Default: "udp"

The protocol to use for forwarding logs.

Must be one of:

  • "tcp"
  • "udp"
  • "tls"

Type: enum (of string) Default: "rfc5424"

The format of the syslog messages.

Must be one of:

  • "rfc3164"
  • "rfc5424"

Type: string

The name of the key file which contains the SSL certificates used when communicating with the remote syslog server (e.g. pdsrv). This option is required if the protocol is 'tls'.

Type: string

The label which is used to identify within the SSL key file the CA certificate of the remote syslog server. This option is required if the protocol is 'tls'.

Type: string

The label which is used to identify within the SSL key file the client certificate which will be used during mutual authentication with the remote syslog server.

Type: array of string

List of permitted peer names for TLS certificate validation.

 No Additional Items

Each item of this array must be:

Type: string

Type: array of object

List of log sources (forwarders) to configure for this syslog server.

 No Additional Items

Each item of this array must be:

Type: object

Type: string

Name of the log source/forwarder.

Type: string

Tag to identify the source in syslog messages.

Type: enum (of string)

Syslog facility level.

Must be one of:

  • "kern"
  • "user"
  • "mail"
  • "daemon"
  • "auth"
  • "syslog"
  • "lpr"
  • "news"
  • "uucp"
  • "cron"
  • "authpriv"
  • "ftp"
  • "local0"
  • "local1"
  • "local2"
  • "local3"
  • "local4"
  • "local5"
  • "local6"
  • "local7"

Type: enum (of string)

Minimum severity level to forward.

Must be one of:

  • "emerg"
  • "alert"
  • "crit"
  • "err"
  • "warning"
  • "notice"
  • "info"
  • "debug"

Example:

remote_syslog:
- server: 127.12.7.1
  port: 514
  debug: false
  protocol: udp
  sources:
  - name: WebSEAL:ISAM:request.log
    tag: isva-dev
    facility: local0
    severity: debug
  - name: Runtime Messages
    tag: isva-dev
    facility: syslog
    severity: info


Managment Certificate

Management Interface Certificate Configuration

Type: object

Update the Local Management Interface (LMI) SSL certificate and key. This certificate is used to secure HTTPS connections to the management interface.
Example:

lmi_certificate:
  p12: ssl/lmi_certificate.p12
  password: S3cr37Pa55w0rd!

Type: string

Path to the PKCS12 file containing the LMI certificate and private key.

Must match regular expression: .*\.p12$

Type: stringFormat: password

Password to decrypt the PKCS12 file.


Global Configuration

These configuration properties are common to the Access Control and Federation modules. You must have at least one of these modules activated in order to set these configuration properties.

The global configuration section documents configuration which is shared between the Access Control and Federation modules of Verify Identity Access. This includes Advanced Configuration Properties, HTTP template pages, JavaScript mapping rules, Point of Contact profiles, Access Policies and Server Connections.

Access Policies

Type: array

Configuration for federation access policies that define JavaScript-based policy rules. Access policies can be applied to the deployment types:
- SAML 2.0 identity provider federation
- SAML 2.0 service provider partner to an identity provider federation
- OpenID Connect and API Protection Definition

 No Additional Items

Each item of this array must be:

Type: object

A federation access policy with JavaScript content.

Type: string

A unique name for the access policy. Maximum of 256 bytes.

Must be at most 256 characters long

Type: string Default: "JavaScript"

System default type for each access policy. For example, 'JavaScript'.

Type: enum (of string)

A grouping of related access polices. For example, category 'OAUTH' identifies all the rules associated with the OAUTH flow. Maximum 256 bytes.

Must be one of:

  • "InfoMap"
  • "AuthSVC"
  • "OAUTH"
  • "OTP"
  • "OIDC"
  • "SAML2_0"

Type: string

A file with the JavaScript content of the access policy. Path can be absolute or relative to IVIACONFIGBASE environment variable.

Example:

access_policies:
- name: MyNewAccessPolicy
  type: JavaScript
  policy_file: path/to/policy.file
  category: OTP


Attribute Sources

Type: array

Identity attribute sources for enriching and generating federated identities.

 No Additional Items

Each item of this array must be:

Type: object

An attribute source defining where an attribute value originates.

Type: string

The friendly name of the source attribute. It must be unique.

Type: enum (of string)

The type of the attribute source.

Must be one of:

  • "credential"
  • "value"
  • "ldap"

Type: string

The value of the source attribute. For credential type: The name of a credential attribute from the authenticated context which contains the value. For value type: The plain text to be used as the source attribute value. For LDAP type: The name of the LDAP attribute to be used.

Type: array

The properties associated with an attribute source.

 No Additional Items

Each item of this array must be:

Type: object

A property for an attribute source.

Type: string

The property key. Valid fields for LDAP include 'serverConnection', 'scope', 'selector', 'searchFilter', 'baseDN'.

Type: string

The property value.

Example:

attribute_sources:
- name: username
  type: credential
  value: PrincipalName
  properties:
  - key: searchFilter
    value: (&(ObjectClass=inetOrgPerson)(memberOf=dc=ibm,dc=com))


Advanced Configuration Properties

Type: array

Advanced Configuration Parameters define system wide properties for authentication and authorization components. The list of available properties is dependent on the target version of Verify Identity Access being configured. Administrators are able to use either the Verify Identity Access assigned identifier or the name of the property.

 No Additional Items

Each item of this array must be:

Type: object

An advanced configuration property with its value.

Type: integer

The Verify Identity Access assigned property id. Either the property ID or name must be defined.

Type: string

The name of the advanced configuration property. Either the property ID or name must be defined.

Type: string

The updated value of the advanced configuration property.

Example:

advanced_configuration:
- name: attributeCollection.authenticationContextAttributes
  value: resource,action,ac.uuid,header:userAgent,urn:ibm:demo:transferamount
- name: mmfa.transactionArchival.maxPendingPerUser
  value: '1'


HTTP Template Files

Type: array of string

Upload files or directories containing HTML files which are compatible with the AAC and Federation templating engine. The directory structure of any directories to upload should follow the default top level directories. If you are defining a directory it should contain a trailing /.

 No Additional Items

Each item of this array must be:

Type: string

File path to an HTML template file or ZIP archive containing multiple templates.

Example:

template_files:
- aac/isva_template_files.zip
- login.html
- 2fa.html


JavaScript Mapping Rules

Note

Some types of mapping rules are defined elsewhere, eg OIDC pre/post token mapping rules must be defined with the OIDC definition they are associated with.

Type: array

Configuration for uploading JavaScript mapping rules used in authentication and authorization flows. These rules are typically used to implement custom business logic for a particular integration requirement.

 No Additional Items

Each item of this array must be:

Type: object

A mapping rule configuration specifying the type and files to upload.

Type: enum (of string)

Type of JavaScript rule to create.

Must be one of:

  • "InfoMap"
  • "AuthSVC"
  • "FIDO2"
  • "OAUTH"
  • "OTP"
  • "OIDC"
  • "SAML2_0"

Type: array of string

List of files or directories to upload as JavaScript mapping rules. Path to files can be relative to the IVIACONFIGBASE property or fully-qualified file paths.

Must contain a minimum of 1 items

No Additional Items

Each item of this array must be:

Type: string

File path to a JavaScript mapping rule file.

Example:

mapping_rules:
- type: SAML2
  files:
  - saml20.js
  - adv_saml20.js
- type: InfoMap
  files:
  - mapping_rules/basic_user_email_otp.js
  - mapping_rules/basic_user_sms_otp.js
  - mapping_rules/add_user_mmfa.js
- type: FIDO2
  files:
  - mediator.js


Point Of Contact Profile

The point of contact profile is used to control how the runtime server communicates with the point of contact server (usually WebSEAL).

Point of Contact Profiles Configuration

Type: object

Configuration for Point of Contact (PoC) profiles that define callback modules for federation authentication flows.
Example:

point_of_contact:
  active_profile: MyPoCProfile
  profiles:
  - name: MyPoCProfile
    description: MyPoCProfile description
    authenticate_callbacks:
    - index: 0
      module_reference_id: websealPocAuthenticateCallback
      parameters:
      - name: authentication.level
        value: '1'
    sign_in_callbacks:
    - index: 0
      module_reference_id: websealPocSignInCallback
      parameters:
      - name: fim.user.response.header.name
        value: am-fim-eai-user-id
    local_id_callbacks:
    - index: 0
      module_reference_id: websealPocLocalIdentityCallback
      parameters:
      - name: fim.cred.request.header.name
        value: iv-creds
    sign_out_callbacks:
    - index: 0
      module_reference_id: websealPocSignOutCallback
      parameters:
      - name: fim.user.session.id.request.header.name
        value: user_session_id
    authn_policy_callbacks:
    - index: 0
      module_reference_id: genericPocAuthnPolicyCallback
      parameters:
      - name: authentication.level
        value: '1'

Type: array

List of point of contact profiles to configure.

 No Additional Items

Each item of this array must be:

Type: object

A Point of Contact profile defining callback modules for federation flows.

Type: string

A meaningful name to identify this point of contact profile.

Type: string

A description of the point of contact profile.

Type: array

An array of callbacks for authentication.

 No Additional Items

Each item of this array must be:

Type: object

A callback module configuration for a specific federation flow step.

Type: integer

A number reflects the position in the callbacks array.

Value must be greater or equal to 0

Type: string

The module ID referenced in the callback. It must be one of the supported module IDs.

Type: array

The parameters used by the callback.

 No Additional Items

Each item of this array must be:

Type: object

A parameter for a Point of Contact callback.

Type: string

The name of the parameter.

Type: string

The value of the parameter.

Type: array

An array of callbacks for sign in.

 No Additional Items

Each item of this array must be:

Type: object

A callback module configuration for a specific federation flow step.

Same definition as profiles_items_authenticate_callbacks_items

Type: array

An array of callbacks for local identity.

 No Additional Items

Each item of this array must be:

Type: object

A callback module configuration for a specific federation flow step.

Same definition as profiles_items_authenticate_callbacks_items

Type: array

An array of callbacks for sign out.

 No Additional Items

Each item of this array must be:

Type: object

A callback module configuration for a specific federation flow step.

Same definition as profiles_items_authenticate_callbacks_items

Type: array

An array of callbacks for authentication policy.

 No Additional Items

Each item of this array must be:

Type: object

A callback module configuration for a specific federation flow step.

Same definition as profiles_items_authenticate_callbacks_items

Type: string

The name of the Point of Contact profile which should be the active profile. Only one profile can be active at a time.


Server Connections

Type: array

Configuration for external server connections used by Access Control and Federation components. Server connections are used to connect to third party infrastructure such as LDAP registries, email servers, SMS servers, ect.

 No Additional Items

Each item of this array must be:

Type: object

A server connection configuration.

Type: string

The name of the connection.

Type: string

A description of the connection.

Type: enum (of string)

The type of server connection.

Must be one of:

  • "ci"
  • "ldap"
  • "isamruntime"
  • "jdbc"
  • "redis"
  • "smtp"
  • "ws"

Type: boolean Default: false

Controls whether the connection is allowed to be deleted.


Connection specific properties. The structure depends on the connection type.

Type: object

Connection properties for IBM Security Verify (Cloud Identity) - type: ci

Type: stringFormat: hostname

The IBM Security Verify administration host to connect to.

Type: string

The client ID to authenticate to the IBM Security Verify tenant.

Type: string

The client secret to authenticate to the IBM Security Verify tenant.

Type: boolean

Controls whether SSL is used to establish the connection.

Type: string

The key database to be used as an SSL truststore. This field is required when ssl is true.

Type: string

The name of the key which should be used during mutual authentication with the web server.

Type: string

The versioned endpoint for user requests.

Type: string

The versioned endpoint for authorization requests.

Type: string

The versioned endpoint for authenticator requests.

Type: string

The DEPRECATED versioned endpoint for authentication method requests.

Type: string

The versioned endpoint for factors requests.
Type: object

Connection properties for LDAP server - type: ldap

Type: stringFormat: hostname

The IP address or hostname of the LDAP server.

Type: integer

The port that the LDAP server is listening on.

Value must be greater or equal to 1 and lesser or equal to 65535

Type: string

The distinguished name to use to bind to the LDAP server.

Type: string

The password for bindDN to use when binding to the LDAP server.

Type: boolean

Controls whether SSL is used to establish the connection.

Type: string

The key database to be used as an SSL truststore.

Type: string

The name of the key which should be used during mutual authentication with the LDAP server.

Type: integer

Amount of time, in seconds, after which a connection to the LDAP server times out.

Value must be greater or equal to 1

Type: array

Additional LDAP servers for this connection.

 No Additional Items

Each item of this array must be:

Type: object

Additional LDAP server configuration.

Type: integer

The order of precedence for this server.

Value must be greater or equal to 1

Type: object

The connection properties. This uses the same properties as LDAPConnection.
Type: object

Connection properties for Verify Access Runtime LDAP - type: isamruntime

Type: string

The distinguished name to use to bind to the Verify Identity Access Runtime LDAP server.

Type: string

The password for bindDN to use when binding to the Verify Identity Access Runtime LDAP server.

Type: boolean

Controls whether SSL is used to establish the connection.

Type: string

The key database to be used as an SSL truststore. This field is required when ssl is true.

Type: string

The name of the key which should be used during mutual authentication with the Verify Identity Access runtime LDAP server.
Type: object

Connection properties for JDBC database - type: jdbc

Type: stringFormat: hostname

The IP address or hostname of the database.

Type: integer

The port that the database is listening on.

Value must be greater or equal to 1 and lesser or equal to 65535

Type: boolean

Controls whether SSL is used to establish the connection.

Type: string

The user name used to authenticate with the database.

Type: string

The password used to authenticate with the database.

Type: enum (of string)

The Oracle JDBC driver type. Only applicable for Oracle connection.

Must be one of:

  • "thin"
  • "oci"

Type: string

The name of the database service to connect to. Only applicable for Oracle connection.

Type: string

The name of the database to connect to. Only applicable for DB2 and PostgreSQL connections.

Type: integer Default: -1

Amount of time before a physical connection can be discarded by pool maintenance. A value of -1 disables this timeout.

Type: integer Default: 30

Amount of time after which a connection request times out. A value of -1 disables this timeout.

Type: integer

Limits the number of open connections on each thread.

Value must be greater or equal to 0

Type: integer Default: 1800

Amount of time after which an unused or idle connection can be discarded during pool maintenance.

Type: integer Default: 50

Maximum number of physical connections for a pool. A value of 0 means unlimited.

Value must be greater or equal to 0

Type: integer

Minimum number of physical connections to maintain in the pool.

Value must be greater or equal to 0

Type: integer

Caches the specified number of connections for each thread.

Value must be greater or equal to 0

Type: enum (of string) Default: "EntirePool"

Specifies which connections to destroy when a stale connection is detected in a pool.

Must be one of:

  • "EntirePool"
  • "FailingConnectionOnly"
  • "ValidateAllConnections"

Type: string Default: "3m"

Amount of time between runs of the pool maintenance thread. A value of -1 disables pool maintenance.
Type: object

Connection properties for Redis server - type: redis

Type: enum (of string)

The Redis deployment model.

Must be one of:

  • "standalone"
  • "sentinel"

Type: string

The key used in the redis sentinel node to store the master/slave configuration.

Type: stringFormat: hostname

The IP address or hostname of the Redis server. This is only required if the deployment_model is set as standalone.

Type: integer

The port that the Redis server is listening on.

Value must be greater or equal to 1 and lesser or equal to 65535

Type: string

The user name to authenticate to the Redis server.

Type: string

The password used to authenticate with the Redis server.

Type: boolean

Controls whether SSL is used to establish the connection.

Type: string

The key database to be used as an SSL truststore. Only required if ssl is set to true.

Type: string

The key database to be used as an SSL keystore. Only required if ssl is set to true.

Type: integer

Amount of time, in seconds, after which a connection to the Redis server times out.

Value must be greater or equal to 1

Type: integer

Amount of time, in seconds, after which an established connection will be discarded as idle.

Value must be greater or equal to 1

Type: integer

Number of connections which will be pooled.

Value must be greater or equal to 1

Type: integer

The minimum number of idle connections in the pool.

Value must be greater or equal to 0

Type: integer

The maximum number of idle connections in the pool.

Value must be greater or equal to 0

Type: integer

Amount of time, in seconds, after which the connection socket will timeout.

Value must be greater or equal to 1

Type: array

Additional Redis servers for this connection.

 No Additional Items

Each item of this array must be:

Type: object

Additional Redis server configuration.

Type: stringFormat: hostname

The IP address or hostname of the Redis server.

Type: string

The port that the Redis server is listening on.
Type: object

Connection properties for SMTP server - type: smtp

Type: stringFormat: hostname

The IP address or hostname of the SMTP server.

Type: integer

The port that the SMTP server is listening on.

Value must be greater or equal to 1 and lesser or equal to 65535

Type: string

The user name to authenticate to the SMTP server.

Type: string

The password used to authenticate with the SMTP server.

Type: boolean

Controls whether SSL is used to establish the connection.

Type: integer

Amount of time, in seconds, after which a connection to the SMTP server times out.

Value must be greater or equal to 1

Type: object

Connection properties for web service - type: ws

Type: stringFormat: uri

The fully qualified URL of the web service endpoint, including the protocol, host/IP, port and path.

Type: string

The user name to authenticate to the web service.

Type: string

The password used to authenticate with the web service.

Type: boolean

Controls whether SSL is used to establish the connection.

Type: string

The key database to be used as an SSL truststore. This field is required when ssl is true.

Type: string

The name of the key which should be used during mutual authentication with the web server.

Example:

server_connections:
- name: intent-svc
  type: web_service
  description: A connection to the intent service.
  properties:
    url: http://ibmsec.intent.svc:16080
    user: ''
    password: ''
    ssl: false
- name: Cloud Identity tenant connection
  type: ci
  description: A connection to the companion CI Tenant.
  properties:
    ci_tenant: https://my.verify.tenant
    ci_client_id: abcd1234ABCD
    ci_client_secret: abcd1234ABCD
    ssl_truststore: rt_profile_keys.kdb
- name: Local LDAP connection
  type: ldap
  description: A connection to this ISAMs LDAP.
  locked: false
  properties:
    hostname: ibmsec.ldap.domain
    port: 636
    bind_dn: cn=root,secAuthority=Default
    bind_password: bind password
    ssl: true
    ssl_truststore: lmi_trust_store
- name: SCIM web service connection
  type: web_service
  description: A connection to this ISAMs SCIM server.
  locked: false
  properties:
    url: https://ibmsec.runtime.svc
    user: runtime_user
    password: runtime_secret
    ssl: true
    key_file: rt_profile_keys.kdb


Runtime Server Configuration

Type: object

Configuration for the Access Control and Federation runtime environment. Configuration options includes: configuring trace; managing endpoints and interfaces that the runtime server listens on; setting server configuration parameters (such as proxy settings, SSL configuration); and defining users and groups in the runtime user registry.
Example:

runtime_properties:
  users:
  - name: easuser
    password: password
    groups:
    - scimAdmin
    - fidoAdmin
  tuning_parameters:
  - name: https_proxy_host
    value: http://my.proxy
  - name: https_proxy_port
    value: '3128'
  endpoints:
  - interface: '1.1'
    address: 192.168.42.102
    port: 444
    ssl: true
  - interface: '1.2'
    dhcp4: true
    dhcp6: false
    port: 443
    ssl: true

Type: array

List of users to add/update in the AAC/Federation runtime user registry. Users are created before groups.

 No Additional Items

Each item of this array must be:

Type: object

A runtime user account.

Type: string

Name of the user to create or update.

Type: string

The password for the new user. This can contain any ASCII characters.

Type: array of string

A list of groups the new user will belong to.

 No Additional Items

Each item of this array must be:

Type: string

Type: array

List of groups to add/update in the AAC/Federation runtime user registry.

 No Additional Items

Each item of this array must be:

Type: object

A runtime user group.

Type: string

Name of the group to create or update.

Type: array of string

List of users to add to the group.

 No Additional Items

Each item of this array must be:

Type: string

Type: array

List of AAC/Federation runtime JVM tuning parameters.

 No Additional Items

Each item of this array must be:

Type: object

A JVM tuning parameter for the runtime.

Type: string

The tuning parameter to set.

Type: string

The new value for the specified parameter.

Type: array

List of http(s) endpoints that the AAC/Federation runtime is listening on.

 No Additional Items

Each item of this array must be:

Type: object

An HTTP/HTTPS endpoint configuration for the runtime.

Type: string

The interface the runtime endpoint will listen on.

Type: stringFormat: ipv4

The static address that the runtime endpoint will listen on.

Type: boolean

Endpoint should listen on the DHCP IPv4 address for the given interface.

Type: boolean

Endpoint should listen on the DHCP IPv6 address for the given interface.

Type: integer

Port that endpoint will listen on.

Value must be greater or equal to 1 and lesser or equal to 65535

Type: boolean

Endpoint should use SSL encryption for connections.

Type: string

Set the runtime trace specification in Liberty.