Signing security policies
Before integrating a security policy into an installation package, you must sign the policy to guarantee its authenticity and integrity.
Stormshield provides a utility that allows you to sign your policies.
The signature is based on the JWT standard. The algorithm used is HS256.
The signature utility makes it possible to sign several policies at the same time if needed.
To sign a security policy, you need:
A .p12 file containing a private signature key. We recommend that you protect the file with a strong password.
To download the utility SDSPolicySignCLI.exe from the Downloads menu in SDMC.
To download the policy in .json format if you have already configured it in SDMC. For the download procedure, refer to Downloading security policies.
Run the SDSPolicySignCLI.exe tool from the command line. To display the list of commands, type --help:
-k or --key: Mandatory parameter. Indicates the relative or absolute path to the folder of the .p12 file that allows the signature.
-p or --password: Password that protects the .p12 file. If the file is protected with a password and you do not enter the parameter manually, you will be automatically asked to enter the password (recommended method).
-f or --file: Mandatory parameter. Indicates the relative or absolute path to the folder of the .json file of the policy to be signed. You can indicate several files by separating them with commas or spaces.
--help: Shows help.
--version: Shows the version of the utility.
When the file is signed, a sub-folder with the name of the policy is created at the same location as the policy file. This folder contains the signed policy.jwt file. Retrieve this file to include it in the agent installation package, as shown in the following section.
C:\Myfolder\SDSPolicySignCLI.exe --key C:\Keys\MyPrivateKey.p12 --file C:\Policies\Policy1.json C:\Policies\Policy2.json
Replace the names of folders and files with those on your own workstation. In this example, the signed policies are written to C:\Policies\Policy1\policy.jwt and C:\Policies\Policy2\policy.jwt respectively.
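As an added illustration, not Stormshield's code, of what the JWT/HS256 signature described above protects, the following Python builds a compact HS256 JWT over a constructed policy document, verifies it, and shows that an edited payload no longer verifies. It assumes a raw HMAC secret; how SDSPolicySignCLI derives its key from the .p12 file is not described on this page, so the secret, the sample policy and the function names are all constructed for the example.

```python
import base64
import hashlib
import hmac
import json

# Constructed sample standing in for a policy .json export (not a real Stormshield policy).
SAMPLE_POLICY = {"name": "Policy1", "version": 1, "rules": [{"id": "r1", "action": "encrypt"}]}
# Assumption: the HS256 secret is a raw byte string. The real utility reads a .p12 file;
# its key handling is not documented here, so this demo secret is purely illustrative.
SAMPLE_SECRET = b"constructed-demo-secret-not-for-production"

def _b64url(data: bytes) -> str:
    # JWT uses unpadded base64url encoding (RFC 7515 section 2).
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def _b64url_decode(text: str) -> bytes:
    # Restore the padding stripped by _b64url before decoding.
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign_policy(policy: dict, secret: bytes) -> str:
    """Produce a compact JWT whose payload is the policy, signed with HS256 (HMAC-SHA256)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps(policy, separators=(",", ":"), sort_keys=True).encode())
    signing_input = f"{header}.{payload}".encode("ascii")
    signature = hmac.new(secret, signing_input, hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(signature)}"

def verify_policy(token: str, secret: bytes):
    """Return the policy payload if the HS256 signature is valid, otherwise None."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
    except ValueError:
        return None  # not a three-part compact JWT
    header = json.loads(_b64url_decode(header_b64))
    # Pin the algorithm: only HS256 is accepted, so a header naming another
    # algorithm is rejected before any signature check.
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        return None
    signing_input = f"{header_b64}.{payload_b64}".encode("ascii")
    expected = hmac.new(secret, signing_input, hashlib.sha256).digest()
    # Constant-time comparison of the MAC values.
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        return None
    return json.loads(_b64url_decode(payload_b64))

def tamper(token: str, new_policy: dict) -> str:
    """Replace the payload but keep the original signature (simulates an edited policy.jwt)."""
    header_b64, _, sig_b64 = token.split(".")
    return f"{header_b64}.{_b64url(json.dumps(new_policy).encode())}.{sig_b64}"
```

Checking a signed policy this way before it is bundled into an installation package confirms that the file still matches what was signed.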