The policy engine supports the use of Policy Information Points (PIPs) to retrieve data from external services dynamically at runtime. When such a service requires the caller to authenticate with a client certificate, the policy engine can present one from a Java KeyStore (JKS) or PKCS12 key store.
When using embedded PDP mode, the key store containing the client certificate is represented in the PingAuthorize Server configuration as a Key Manager Provider, which is then assigned to the Policy Decision Service.
The following example creates a Key Manager Provider named MyClientCertKeystore and makes it available to the policy engine.
dsconfig create-key-manager-provider \
--provider-name MyClientCertKeystore \
--type file-based \
--set enabled:true \
--set key-store-file:<full path to a key store> \
--set key-store-type:JKS \
--set key-store-pin:<key store password>
dsconfig set-policy-decision-service-prop \
--set service-key-store:MyClientCertKeystore
When you define the PIP in the Trust Framework, refer to the key store that you configured by its name, MyClientCertKeystore.
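As an added example, not code from the PingAuthorize documentation or product, the script below carries the procedure through end to end: it builds a PKCS12 client key store with openssl, checks that the pin opens it and that it actually holds a private key, derives the key-store-type value from the file extension so it matches the on-disk format (a JKS/PKCS12 mismatch is a common reason a file-based Key Manager Provider fails to load), and then runs the same two dsconfig commands as the page with the name MyClientCertKeystore. The dsconfig connection settings (PA_HOST, PA_PORT, PA_BIND_DN, PA_BIND_PASSWORD_FILE), the certificate subject and the pin are assumptions; in a real deployment the client certificate would be issued by a CA that the PIP's service trusts, not self-signed.

```shell
#!/bin/sh
# Added example, not PingAuthorize's own tooling: create, validate and register
# a PKCS12 client key store for the policy engine's PIP calls.
# The PA_* connection settings below are assumptions for illustration.
set -eu

# Map the file extension to the key-store-type value that dsconfig expects.
# Returns non-zero for anything that is not a JKS or PKCS12 store.
keystore_type_for() {
  case "$1" in
    *.p12|*.pfx|*.pkcs12) echo PKCS12 ;;
    *.jks|*.keystore)     echo JKS ;;
    *)                    return 1 ;;
  esac
}

# Build a self-signed client certificate (assumed CN) and wrap key and
# certificate into a pin-protected PKCS12 file readable only by the owner.
make_client_keystore() {
  out="$1"; pin="$2"; cn="${3:-pingauthorize-pip-client}"
  work=$(mktemp -d)
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=${cn}" \
    -keyout "${work}/key.pem" -out "${work}/cert.pem" >/dev/null 2>&1
  openssl pkcs12 -export -inkey "${work}/key.pem" -in "${work}/cert.pem" \
    -name client -out "${out}" -passout "pass:${pin}"
  rm -rf "${work}"
  chmod 600 "${out}"
}

# Confirm the pin opens the store and that a private key is inside; a store
# with certificates only gives the server nothing to present to the PIP.
check_client_keystore() {
  store="$1"; pin="$2"
  dump=$(openssl pkcs12 -in "${store}" -passin "pass:${pin}" -nocerts -nodes 2>/dev/null) || return 1
  case "${dump}" in
    *"PRIVATE KEY"*) return 0 ;;
    *)               return 1 ;;
  esac
}

# Register the store as a Key Manager Provider and hand it to the
# Policy Decision Service. Connection arguments are assumed values.
register_keystore() {
  store="$1"; pin="$2"; name="${3:-MyClientCertKeystore}"
  type=$(keystore_type_for "${store}")
  dsconfig create-key-manager-provider --no-prompt \
    --hostname "${PA_HOST:-localhost}" --port "${PA_PORT:-1389}" \
    --bindDN "${PA_BIND_DN:-cn=Directory Manager}" \
    --bindPasswordFile "${PA_BIND_PASSWORD_FILE:-/opt/pingauthorize/config/admin.pin}" \
    --provider-name "${name}" \
    --type file-based \
    --set enabled:true \
    --set "key-store-file:${store}" \
    --set "key-store-type:${type}" \
    --set "key-store-pin:${pin}"
  dsconfig set-policy-decision-service-prop --no-prompt \
    --hostname "${PA_HOST:-localhost}" --port "${PA_PORT:-1389}" \
    --bindDN "${PA_BIND_DN:-cn=Directory Manager}" \
    --bindPasswordFile "${PA_BIND_PASSWORD_FILE:-/opt/pingauthorize/config/admin.pin}" \
    --set "service-key-store:${name}"
}

# Usage: ./register-pip-keystore.sh /path/to/client.p12 '<pin>' [provider-name]
if [ "$#" -ge 2 ]; then
  make_client_keystore "$1" "$2"
  check_client_keystore "$1" "$2" || { echo "key store check failed" >&2; exit 1; }
  if command -v dsconfig >/dev/null 2>&1; then
    register_keystore "$1" "$2" "${3:-MyClientCertKeystore}"
  else
    echo "dsconfig not on PATH; key store $1 created and verified but not registered" >&2
  fi
fi
```

The script stops before touching the server if the pin or the store contents are wrong, so a bad key store never ends up assigned to the Policy Decision Service. Because the pin is passed to dsconfig on the command line, run this from a host where process listings and shell history are controlled, or drive it from a secrets manager rather than an interactive shell.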