Installing and configuring the Verify Bridge on Docker

After you configure Verify Bridge on your IBM® Security Verify tenant, you must install and configure Verify Bridge on Docker.

Before you begin

You must satisfy the following requirements.
Operating System
A Linux®-based operating system that supports Docker Engine Community Edition (CE) containers. See https://docs.docker.com/install/.
Docker engine
19.03.0 or higher
Docker Compose
See https://docs.docker.com/compose/install/.
CPU
Four cores reserved.
System memory
8 GB reserved.
Disk space
At least 50 GB free hard disk space.
Connectivity to an IBM® Security Verify tenant
Verify Bridge Tenant URL, API client ID, and secret.

About this task

Perform the following steps to deploy the IBM Security Verify Bridge.

If you are upgrading an existing Verify Bridge installation on Docker, see Upgrading Verify Bridge on Docker.

Procedure

  1. Pull the image from the IBM Container Registry to view the license.
    Issue the following commands.
    docker pull icr.io/isv-saas/verify-bridge:latest
    
    docker run --rm  icr.io/isv-saas/verify-bridge:latest license
    Note: To deploy IBM Security Verify Bridge, you must accept the license by setting the parameter LICENSE_ACCEPT: "yes" in the docker-compose.yml file.
  2. Create a file docker-compose.yml with the following content.
    version: "3"
    services:
        verify-bridge:
             image: icr.io/isv-saas/verify-bridge:latest
             container_name: verify-bridge
             environment:
                    TRACE: "false"
                    LICENSE_ACCEPT: "yes"
                    TENANT_URI: "<tenantURL>"
                    TENANT_PROXY: "<proxyURL>"
                    CLIENT_ID: "<clientID>"
                    OBF_CLIENT_SECRET: "<obfClientSecret>"
                    
             restart: always
    Note: When GOLANG_FIPS: "1" is added, the Verify Bridge process that is running in the container operates in FIPS 140-2 mode. This environment variable is optional.

    TENANT_PROXY is an optional environment value that allows the tenant to be accessed through a proxy server. The proxy type is determined by the proxyURL scheme. The protocols "http", "https", and "socks5" are supported.

    The TENANT_URI, CLIENT_ID, and CLIENT_SECRET are generated when the agent configuration is done in the IBM Security Verify Configuration page. After the configuration, the CLIENT_SECRET can be obfuscated.

    The OBF_CLIENT_SECRET value can be obtained from the client secret by running the following docker command:
    docker run -e "LICENSE_ACCEPT=yes" --rm icr.io/isv-saas/verify-bridge:latest obfuscate "<clientSecret>"
    For example,
    docker run -e "LICENSE_ACCEPT=yes" --rm icr.io/isv-saas/verify-bridge:latest obfuscate "passw0rd"
    Emulate Docker CLI using podman. Create /etc/containers/nodocker to quiet msg.
    INFO: Found end user license acceptance.
    ccxDMMPSE62AYi3o7y+cNCE+xCtTLOyEHZ5MCw4IUzA=
    
    The final line of output contains the obfuscated secret (<obfClientSecret>) for OBF_CLIENT_SECRET. For backward compatibility, the CLIENT_SECRET environment value is supported.

    The Tenant URI must include the full URI scheme and domain name, for example https://tenant.verify.ibm.com.

    The client ID and client secret are provided to you after the configuration is complete. See Configuring the Verify Bridge and the identity source.

  3. To deploy Verify Bridge on Docker, run the following command.
    docker-compose -f docker-compose.yml up -d
  4. Verify that the containers started properly.
    Type the following command and observe the state of the containers.
    docker ps -a
  5. Optional: To view the Verify Bridge log and for troubleshooting, issue the following command.
    docker logs -f  verify-bridge
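
The following shell preflight is an added example, not part of IBM's documentation or tooling. It validates the step 2 values before the deployment in step 3. The function names are hypothetical, the sample values are constructed, and accepting only https for TENANT_URI and flagging a clear-text CLIENT_SECRET are assumptions of this example.

```shell
#!/bin/sh
# Added example: preflight checks for the docker-compose.yml values (hypothetical names).

# True when a value is empty or still a template placeholder such as <tenantURL>.
is_unset() {
    case "$1" in ''|*'<'*'>'*) return 0 ;; esac
    return 1
}

# TENANT_URI must include the full URI scheme and domain name.
# Assumption: only https is accepted, following the page's example.
check_tenant_uri() {
    case "$1" in
        https://*[!A-Za-z0-9.:/-]*) return 1 ;;  # rejects <, >, spaces, quotes
        https://[A-Za-z0-9]*.?*) return 0 ;;
    esac
    return 1
}

# TENANT_PROXY is optional; when set, its scheme must be http, https or socks5.
check_tenant_proxy() {
    case "$1" in
        '') return 0 ;;
        *'<'*'>'*) return 1 ;;
        http://?* | https://?* | socks5://?*) return 0 ;;
    esac
    return 1
}

# Prints one line per problem; the return status is the number of problems.
# Assumption: a clear-text CLIENT_SECRET counts as a problem (policy of this example).
preflight() {
    n=0
    problem() { echo "preflight: $1" >&2; n=$((n + 1)); }
    [ "${LICENSE_ACCEPT:-}" = "yes" ] || problem 'LICENSE_ACCEPT must be "yes"'
    check_tenant_uri "${TENANT_URI:-}" || problem 'TENANT_URI needs https:// and a domain name'
    check_tenant_proxy "${TENANT_PROXY:-}" || problem 'TENANT_PROXY scheme is not http, https or socks5'
    if is_unset "${CLIENT_ID:-}"; then problem 'CLIENT_ID is empty or a placeholder'; fi
    if is_unset "${OBF_CLIENT_SECRET:-}"; then problem 'OBF_CLIENT_SECRET is empty or a placeholder'; fi
    [ -z "${CLIENT_SECRET:-}" ] || problem 'CLIENT_SECRET is set in clear text; use OBF_CLIENT_SECRET'
    return "$n"
}

# Demo with constructed values; the subshell keeps them out of the caller's shell.
(
    LICENSE_ACCEPT=yes TENANT_URI=https://tenant.verify.ibm.com TENANT_PROXY= CLIENT_SECRET=
    CLIENT_ID=constructed-id OBF_CLIENT_SECRET=constructed-value
    if preflight; then echo "preflight passed"; fi
)
```

Export the same variables you intend to place under environment: in docker-compose.yml, then call preflight; a non-zero status is the count of findings to fix before deploying.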