Example: Configure a trust store for a policy information provider
The policy engine supports the use of policy information providers (PIPs) to dynamically retrieve data from external services at runtime. You can configure a trust store for a PIP in PingAuthorize.
By default, the policy engine determines whether it should accept a PIP’s server certificate using the Java Runtime Environment’s (JRE’s) default trust store, which contains public root certificates for common certificate authorities. If your PIP uses a server certificate issued by some other certificate authority, such as a private certificate authority operated by your organization, then you can provide a custom Java KeyStore (JKS) or PKCS12 trust store. Configure details about the trust store in an options file in the truststores
section. A JKS trust store file should use the extension .jks
, while a PKCS12 trust store file should use the extension .p12
.
Example
Given a JKS trust store named my-ca-truststore.jks
with the password password123
and a trusted root certificate with the alias my-ca
, create an options file with details about the trust store.
To set up this trust store, complete the following steps.
-
Make a copy of the default options file.
$ cp config/options.yml my-options.yml
-
Edit the new options file to define the key store details by adding an item under the
truststores
section.truststores: - name: MyCATruststore resource: /path/to/my-ca-truststore.jks password: password123 # Other options omitted for brevity...
-
Run
setup
using the--optionsFile
argument. Customize all other options as needed.$ bin/setup demo \ --adminUsername admin \ --generateSelfSignedCertificate \ --decisionPointSharedSecret pingauthorize \ --hostname <pap-hostname> \ --port <pap-port> \ --adminPort <admin-port> \ --licenseKeyFile <path-to-license> \ --optionsFile my-options.yml
After you define the policy information provider in the Trust Framework, you can see the trust store that you configured using the name MyCATruststore
.