Signing security policies
Before integrating a security policy into an installation package, you must sign the policy to guarantee its authenticity and integrity. You then become the policy signatory.
Stormshield provides a utility that allows you to sign your policies.
The signed policy is a JSON Web Token (JWT), i.e. a JWS in compact serialization. The default signature algorithm is PS256 (RSASSA-PSS with SHA-256), but you can select RS256 (RSASSA-PKCS1-v1_5 with SHA-256) instead; RS256 is required for agents with a version below 11.1.
The signature utility makes it possible to sign several policies at the same time if needed.
To change the policy signatory, refer to the section Modifying the signatory of a security policy.
To sign a security policy, you need:
- A file in the .p12 format containing the private signature key. We recommend that you protect the file with a strong password: anyone who holds this file and its password can sign policies in your name, and agents will trust them.
- The signature utility SDSPolicySignCLI.exe, downloaded from the Downloads menu in SDMC.
- The policy in .JSON format, downloaded from SDMC if you have already configured it there. To download the policy, refer to Downloading security policies.
- Run the SDSPolicySignCLI.exe tool from the command line. To display the list of parameters, type --help:
  -k or --key: Mandatory. Relative or absolute path to the .p12 file that holds the signing key.
  -p or --password: Password that protects the .p12 file. If the file is password-protected and you omit this parameter, you are prompted for the password interactively. This is the recommended method, because a password passed on the command line can remain in the shell history and is visible in the process list.
  -f or --file: Mandatory. Relative or absolute path to the .json file of the policy to be signed. You can indicate several files by separating them with commas or spaces.
  -a or --algo: Signature algorithm to use. The possible values are PS256 and RS256. If the parameter is not specified, PS256 is used. Choose RS256 to sign a policy for agents with a version below 11.1.
  --help: Shows help.
  --version: Shows the version of the utility.
- When a file is signed, a sub-folder with the name of the policy is created at the same location as the policy file. This folder contains the signed policy.jwt file. Retrieve this file to include it in the agent installation package, as described in the following section.
EXAMPLE
C:\Myfolder\SDSPolicySignCLI.exe --key C:\Keys\MyPrivateKey.p12 --file C:\Policies\Policy1.json C:\Policies\Policy2.json --algo RS256
Replace the names of folders and files with those on your own workstation. In this example, the two policies are signed with the RS256 algorithm and written to C:\Policies\Policy1\policy.jwt and C:\Policies\Policy2\policy.jwt respectively. Because --password is not given, the tool prompts for the password of MyPrivateKey.p12 if the file is protected.
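Before dropping a policy.jwt into an installation package, it is worth checking that the file is a well-formed JWS and that its alg matches what the target agents accept (RS256 for agents below 11.1). The following Python script is an added example and is not part of the Stormshield documentation or tooling. It parses the compact serialization (header.payload.signature) using only the standard library and applies the version rule from this page; it does not verify the RSA signature itself, which needs the signatory's public key and a JWS library. The sample token it builds for offline testing is constructed for illustration: the typ header, the policy payload fields and the filler signature are assumptions, and the rule that RS256 is still accepted by agents 11.1 and later is also an assumption, since the page only states that PS256 is the default there.

```python
"""Sanity-check a signed policy.jwt before packaging it for agents."""
import base64
import json
import sys

# Per the page: agents below 11.1 need RS256; PS256 is the default for 11.1+.
# That RS256 remains accepted by 11.1+ is an assumption of this example.
PS256_MIN_AGENT = (11, 1)
SUPPORTED_ALGS = {"PS256", "RS256"}


def _b64url_decode(segment: str) -> bytes:
    """Decode an unpadded base64url segment (RFC 7515, section 2)."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def parse_policy_jwt(token: str) -> dict:
    """Split a compact-serialised JWS and decode its header and payload.

    This does NOT verify the signature; it only catches structural problems
    (truncated file, empty signature, unexpected algorithm) before shipping.
    """
    parts = token.strip().split(".")
    if len(parts) != 3:
        raise ValueError(f"expected 3 dot-separated segments, got {len(parts)}")
    header = json.loads(_b64url_decode(parts[0]))
    payload = json.loads(_b64url_decode(parts[1]))
    signature = _b64url_decode(parts[2])
    alg = header.get("alg")
    if alg not in SUPPORTED_ALGS:
        raise ValueError(f"unexpected or missing alg in JWS header: {alg!r}")
    if not signature:
        raise ValueError("signature segment is empty")
    return {"header": header, "payload": payload, "signature_len": len(signature)}


def algorithm_ok_for_agent(alg: str, agent_version: str) -> bool:
    """True if a policy signed with `alg` can be deployed to `agent_version`."""
    fields = agent_version.split(".")
    major = int(fields[0])
    minor = int(fields[1]) if len(fields) > 1 else 0
    if alg == "RS256":
        return True  # assumption: accepted by every agent version
    if alg == "PS256":
        return (major, minor) >= PS256_MIN_AGENT
    return False


def check_policy_jwt(token: str, agent_version: str) -> str:
    """Return the algorithm used, or raise if it is wrong for the target agents."""
    alg = parse_policy_jwt(token)["header"]["alg"]
    if not algorithm_ok_for_agent(alg, agent_version):
        raise ValueError(
            f"{alg} cannot be used with agent {agent_version}; re-sign with --algo RS256"
        )
    return alg


def build_sample_policy_jwt(alg: str) -> str:
    """Constructed sample in the shape of policy.jwt, for offline testing only.

    The typ header and payload fields are hypothetical, and the signature
    segment is filler rather than an RSA signature, so real verification
    of this token would fail.
    """
    header = {"alg": alg, "typ": "JWT"}
    payload = {"name": "Policy1", "rules": []}
    filler_signature = b"\x00" * 256  # length of a 2048-bit RSA signature
    return ".".join(
        _b64url_encode(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, payload)
    ) + "." + _b64url_encode(filler_signature)


if __name__ == "__main__":
    # Usage: python check_policy_jwt.py C:\Policies\Policy1\policy.jwt 11.0
    path, target = sys.argv[1], sys.argv[2]
    with open(path, encoding="ascii") as fh:
        print(f"{path}: signed with {check_policy_jwt(fh.read(), target)}")
```

Run it against each generated policy.jwt with the lowest agent version you deploy to (the script file name is assumed). A PS256 token destined for an agent below 11.1 is reported so the policy can be re-signed with --algo RS256 before it reaches the package.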