Signed deployment packages ensure a PingAuthorize Server uses only deployment packages from a certain PingAuthorize Policy Editor, allowing you to avoid the use of packages intended for a different context or to use packages from only a designated source.
Use case: Distinct PingAuthorize deployments
Consider an organization with two distinct PingAuthorize deployments: healthcare and banking.
Each deployment has a unique set of policies. Using the healthcare policies for the
banking deployment, or vice versa, would make the deployment ineffective. Signed
deployment packages avoid this issue. To set up signed deployment packages for these
two deployments, the steps are outlined next.
- Set up the healthcare configuration.
- Create a signing key pair with a private key and a public key for healthcare.
- Set up a Policy Editor to create all healthcare policies. Configure that GUI to sign its deployment packages with the healthcare private key.
- Configure the healthcare PingAuthorize Server to use the healthcare public key to verify deployment packages. Now the healthcare deployment only accepts healthcare policies and does not accept banking policies.
- Set up the banking configuration.
- Create a signing key pair with a private key and a public key for banking.
- Set up a Policy Editor to create all banking policies. Configure that GUI to sign its deployment packages with the banking private key.
- Configure the banking PingAuthorize Server to use the banking public key to verify deployment packages. Now the banking deployment only accepts banking policies and does not accept healthcare policies.
Use case: Designated source for deployment packages
An organization has several people who write policies. Each policy writer has their own Policy Editor to develop and test policies. However, to ensure the organization fully verifies each deployment package before it goes into preproduction or production, only one Policy Editor can actually sign deployment packages with the key accepted by the PingAuthorize Server.