The policy engine supports the use of policy information providers (PIPs) to dynamically retrieve data from external services at runtime. You can configure a trust store for a PIP in PingAuthorize.
By default, the policy engine determines whether it should accept a PIP's server
certificate using the Java Runtime Environment's (JRE's) default trust store, which
contains public root certificates for common certificate authorities. If your PIP
uses a server certificate issued by some other certificate authority, such as a
private certificate authority operated by your organization, then you can provide a
custom Java KeyStore (JKS) or PKCS12 trust store. Configure details about the trust
store in an options file in the truststores
section. A JKS trust
store file should use the extension .jks, while a PKCS12 trust
store file should use the extension .p12.
Example
Given a JKS trust store named my-ca-truststore.jks with the password password123 and a trusted root certificate with the alias my-ca, create an options file with details about the trust store.
- Make a copy of the default options
file.
$ cp config/options.yml my-options.yml
- Edit the new options file to define the key store details by adding an item
under the
truststores
section.truststores: - name: MyCATruststore resource: /path/to/my-ca-truststore.jks password: password123 # Other options omitted for brevity...
- Run setup using the
--optionsFile
argument. Customize all other options as needed.$ bin/setup demo \ --adminUsername admin \ --generateSelfSignedCertificate \ --decisionPointSharedSecret pingauthorize \ --hostname <pap-hostname> \ --port <pap-port> \ --adminPort <admin-port> \ --licenseKeyFile <path-to-license> \ --optionsFile my-options.yml
After you define the policy information provider in the Trust Framework,
you can see the trust store that you configured using the name
MyCATruststore
.