Downloading and signing a security policy
Agent installation packages are supplied with a default security policy. You can then add your own security policy.
Before deploying a custom security policy, you must download it and have it signed by a signatory account; the signature guarantees the policy's authenticity and integrity.
Stormshield provides a utility that allows you to sign your policies.
The signature is based on the JWT standard. The default algorithm used is RSASSA-PSS SHA256 (PS256), but you can configure this.
The signature utility makes it possible to sign several policies at the same time if needed.
When the policy signatory is changed, refer to the section Modifying the signatory of a security policy.

To sign a security policy, you need:
- A file in the .p12 format containing a private signature key. We recommend that you protect the file with a strong password. For information on how to create a security policy signatory account if you are using the Microsoft public key infrastructure solution, see Creating a SDS Enterprise security policy signatory account.
- The signature utility SDSPolicySignCLI.exe, downloaded from the Downloads menu in SDMC.

To download the policy from SDMC:
- Select the Policies menu on the left.
- In the list of policies, click on the icon of the policy that you want to download.
- Click on Download.

To sign the policy:
- Run the SDSPolicySignCLI.exe tool from the command line. To display the list of commands, type --help:
  -k or --key: Mandatory parameter. Relative or absolute path to the .p12 file used for the signature.
  -p or --password: Password that protects the .p12 file. If the file is password-protected and you do not pass this parameter, you are prompted for the password (recommended method).
  -f or --file: Mandatory parameter. Relative or absolute path to the .json file of the policy to be signed. You can indicate several files by separating them with commas or spaces.
  -a or --algo: Algorithm used to sign the policy. The possible values are PS256 and RS256. If the parameter is not specified, PS256 is used. Choose RS256 to sign a policy for agents with a version below 11.1.
  --help: Shows the help.
  --version: Shows the version of the utility.
- When the file is signed, a sub-folder named after the policy is created in the same location as the policy file. It contains the signed policy.jwt file. Retrieve this file to include it in the agent installation package, as described in the following section.
EXAMPLE
C:\Myfolder\SDSPolicySignCLI.exe --key C:\Keys\MyPrivateKey.p12 --file C:\Policies\Policy1.json C:\Policies\Policy2.json --algo RS256
Replace the folder and file names with those on your own workstation. In this example, the two policies are signed with the RS256 algorithm and written to C:\Policies\Policy1\policy.jwt and C:\Policies\Policy2\policy.jwt respectively.
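As an added illustration of what the signed policy.jwt is, and not code from Stormshield or from the SDSPolicySignCLI utility: this Go program builds a PS256 JWT over a policy JSON as RFC 7515/7518 describe it, and verifies one against the signatory's public key while rejecting any other alg value, which is the check a practitioner can run on a policy.jwt before packaging it. The key is generated in memory in place of the .p12 file, the policy content is constructed, and no byte-for-byte compatibility with the utility's own output is claimed.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
)

var b64 = base64.RawURLEncoding                                    // JWT segments are unpadded base64url
var pss = &rsa.PSSOptions{SaltLength: rsa.PSSSaltLengthEqualsHash} // PS256 (RFC 7518): salt length = hash length

// NewSignatoryKey stands in for the private key held in the signatory's .p12 file (constructed for the example).
func NewSignatoryKey() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) }

// SignPolicy builds the compact JWS header.payload.signature over the policy JSON with PS256
// (RSASSA-PSS, SHA-256), the utility's default; RS256 would call rsa.SignPKCS1v15 instead.
func SignPolicy(policy []byte, key *rsa.PrivateKey) (string, error) {
	hdr := []byte(`{"alg":"PS256","typ":"JWT"}`)
	input := b64.EncodeToString(hdr) + "." + b64.EncodeToString(policy)
	digest := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPSS(rand.Reader, key, crypto.SHA256, digest[:], pss)
	return input + "." + b64.EncodeToString(sig), err // caller must check err before using the token
}

// VerifyPolicy checks a policy.jwt against the signatory's public key and returns the policy JSON.
// The algorithm is pinned: a header claiming "none" or an HMAC alg is rejected before any signature check.
func VerifyPolicy(token string, pub *rsa.PublicKey) ([]byte, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, fmt.Errorf("malformed token: want 3 segments, got %d", len(parts))
	}
	var hdr struct{ Alg string } // encoding/json matches the "alg" key case-insensitively
	if hdrJSON, err := b64.DecodeString(parts[0]); err != nil || json.Unmarshal(hdrJSON, &hdr) != nil {
		return nil, fmt.Errorf("undecodable header")
	}
	sig, err := b64.DecodeString(parts[2])
	if err != nil || hdr.Alg != "PS256" {
		return nil, fmt.Errorf("rejected alg %q or undecodable signature", hdr.Alg)
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1])) // signing input is header.payload only
	if err := rsa.VerifyPSS(pub, crypto.SHA256, digest[:], sig, pss); err != nil {
		return nil, err
	}
	return b64.DecodeString(parts[1])
}
```

To check a real policy.jwt, replace NewSignatoryKey with the public key from the signatory's certificate and feed the file's contents to VerifyPolicy.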