In this example, you configure a PingAuthorize Policy Editor to sign its deployment packages for a PingAuthorize Server dedicated to healthcare policies.
This example uses the manage-certificates tool that comes with PingAuthorize. The tool provides many of the same features as the Java keytool utility. If you prefer to use keytool, running manage-certificates --display-keytool-command shows a command that you can use to obtain a similar result.
-
Generate a signing key pair for the Policy Editor:
-
Create a key pair consisting of a private key and the corresponding
public key and put the key pair in a key store so that the Policy Editor can use it.
The following command performs both of these actions by generating a key store with a self-signed certificate:
$ manage-certificates generate-self-signed-certificate \ --keystore "healthcare-pap-signing.jks" \ --keystore-type jks \ --keystore-password "<keystore-password>" \ --private-key-password "<private-key-password>" \ --alias "healthcare-pap" \ --subject-dn "cn=Healthcare PAP,dc=example,dc=com" \ --days-valid 90
- This command creates a key store with the name healthcare-pap-signing.jks, containing the Policy Editor's private signing key and the corresponding public key.
- The Policy Editor uses this key store to sign deployment packages.
- The key store itself and the private key each have passwords.
- The signing key pair has the alias
healthcare-pap
. - The subject DN is arbitrary.
- The keys are valid for 90 days.
-
Create a key pair consisting of a private key and the corresponding
public key and put the key pair in a key store so that the Policy Editor can use it.
-
Export a public certificate from the Policy Editor's key store.
$ manage-certificates export-certificate \ --keystore "healthcare-pap-signing.jks" \ --keystore-password "<keystore-password>" \ --alias "healthcare-pap" \ --export-certificate-chain \ --output-format pem \ --output-file "healthcare-pap.pem"
This command creates a public certificate file with the name healthcare-pap.pem. This file becomes an input during the next step, and it is not used directly by either the Policy Editor or PingAuthorize. The public certificate specified by the
--alias
argument represents the public key created in the previous step. -
Create a trust store for PingAuthorize
Server for the public certificate from the previous step.
$ manage-certificates import-certificate \ --keystore "healthcare-pap-verification.jks" \ --keystore-password "<keystore-password>" \ --keystore-type jks \ --alias "healthcare-pap" \ --certificate-file "healthcare-pap.pem" \ --no-prompt
This command creates a trust store with the name healthcare-pap-verification.jks, containing the Policy Editor's public certificate. PingAuthorize Server uses this trust store to verify that deployment packages created by the Policy Editor were actually created by that GUI.
-
Configure the Policy Editor to use the key
store to sign the deployment packages it creates:
-
Make a copy of the default options file.
$ cp config/options.yml my-options.yml
-
Edit the new options file for your policy deployment method,
uncommenting the appropriate block and substituting your passwords and
other values.
Note:
Using
deploymentPackageData
to define the signing key configuration only affects exported deployment packages. Deployment packages published to a store only use their store-specfic configurations defined in thedeploymentPackageStores
block to apply a signing key. -
Use the
deploymentPackageData
block to configure signing for exported deployment packages.deploymentPackageData: # contentType: json # keystore: # resource: /path/to/healthcare-pap-signing.jks # password: keystore-password # securityLevel: signed # signingKey: # alias: healthcare-pap # password: private-key-password
-
Under the
deploymentPackageStores
block, use the appropriate store type to configure signing for deployment packages published to a deployment package store.deploymentPackageStores: # Define deployment package store publishing targets here. # # - name: Signed filesystem store # description: Signed file system directory store # type: filesystem # path: /path/to/signed-deployment-package-store/ # securityLevel: signed # keystore: # resource: /path/to/healthcare-pap-signing.jks # password: keystore-password # signingKey: # alias: healthcare-pap # password: private-key-password # Other deployment package store types omitted for brevity...
-
Stop the Policy Editor.
$ bin/stop-server
-
Run setup using the
--optionsFile my-options.yml
argument.Customize all other options as appropriate for your needs.
-
Start the Policy Editor.
$ bin/start-server
-
Make a copy of the default options file.
-
Configure the PingAuthorize Server to use
the trust store for verification so that it accepts only deployment packages
created by this Policy Editor:
-
Create a trust manager provider and include the path to the trust store
file and the trust store's password.
The trust manager provider is how the PingAuthorize Server configuration refers to a trust store file.
$ dsconfig create-trust-manager-provider \ --provider-name "Healthcare PAP Verification Store" \ --type file-based \ --set enabled:true \ --set "trust-store-file:/path/to/healthcare-pap-verification.jks" \ --set trust-store-type:JKS \ --set "trust-store-pin:<truststore-password>"
-
Configure the policy decision service.
$ dsconfig set-policy-decision-service-prop \ --set pdp-mode:embedded \ --set "deployment-package</path/to/deployment-package.deploymentpackage" \ --set deployment-package-security-level:signed \ --set "deployment-package-trust-store:Healthcare PAP Verification Store" \ --set "deployment-package-verification-key-nickname:healthcare-pap"
Deployment packages are only for the embedded PDP mode, so this command sets the
pdp-mode
property accordingly. The other properties are described in the following table.Property Description deployment-package-security-level
Determines whether PingAuthorize Server require a deployment package to be signed.
Valid values are:
unsigned
- PingAuthorize Server does not check a deployment package for a trusted signature. This value is set by default.
signed
- PingAuthorize Server checks a deployment package for a trusted signature and rejects a deployment package that fails that check. Whenever a deployment package fails a check, PingAuthorize Server continues to use the last accepted deployment package.
deployment-package-trust-store
Specifies a trust manager provider, which specifies in turn a trust store containing a Policy Editor's public certificate.
This property is required if the value of
deployment-package-security-level
issigned
.deployment-package-verification-key-nickname
Specifies the alias of the Policy Editor's public certificate.
This property is required if the value of
deployment-package-security-level
issigned
.Note:For more information about the properties, see the Configuration Reference located in the server's docs/config-guide directory.
-
Create a trust manager provider and include the path to the trust store
file and the trust store's password.