4.3. Rule Package Signing
4.3.1. Rule Package Signing
4.3.2. Configuring the Server for Rule Package Signing
- Create a private signing key and a corresponding public digital certificate.
- Make the private signing key and the digital certificate available to the server in keystores.
- Configure the server to use the keystores.
Procedure 4.6. Configure Rule Package Signing
- Use the keytool command to create the private keystore:

      keytool -genkey -alias ALIAS -keyalg RSA -keystore PRIVATE.keystore

  The -alias parameter specifies the name used to link the related entities in the keystore. Use the same alias for each of these steps. The alias is not case-sensitive. The -keystore parameter supplies the name of the file that will be created to hold the private key. keytool will prompt you for identifying information as well as two passwords. The first password, the keystore password, secures the keystore. The second password, the key password, secures the key that is being created.
- Use the keytool command to create a digital certificate:

      keytool -export -alias ALIAS -file CERTIFICATE.crt -keystore PRIVATE.keystore

  Use the same alias and keystore as in the previous step. The -file parameter is the filename of the new certificate that will be created. The -keystore parameter supplies the filename of the private keystore. Enter the keystore password at the prompt.

      [localhost ]$ keytool -export -alias BRMSKey -file BRMSKey.crt -keystore PrivateBRMS.keystore
      Enter keystore password:
      Certificate stored in file <BRMSKey.crt>

- Use the keytool command to import the digital certificate into a keystore:

      keytool -import -alias ALIAS -file CERTIFICATE.crt -keystore PUBLIC.keystore

  This creates a new keystore, the truststore, which contains the digital certificate. The truststore makes the digital certificate available to client applications.
- The private keystore needs to be kept in a secure location where only the JBoss Enterprise BRMS Platform server is able to access it. This could be on the same machine or in a secured network location that is available to that machine.
  Important
  The JBoss Enterprise BRMS Platform is not able to supply authentication credentials to network resources. If the private keystore is stored in a secure network location, any authentication must be performed on behalf of the JBoss Enterprise BRMS server to make the private keystore available to it. For example, the operating system can authenticate and mount a file share that holds the private keystore as a local directory for the JBoss Enterprise BRMS Platform server to access.
- The truststore needs to be accessible to client applications. This can be done by putting the truststore on a network share or hosting it on a webserver.
- The Drools serialization system properties need to be set on the server. These are the properties that store the information required to access the keystores. Because JBoss Enterprise BRMS Platform also contains client components, both the private keystore and truststore properties have to be set on the server. The properties only need to be set in one location and are then available to all applications running on the same application server instance, regardless of where they are set. Set the serialization properties by editing the preferences.properties file, which is located in server/profile/deploy/jboss-brms.war/WEB-INF/, to include the following properties:
- The keystore password is currently stored in plain text. Refer to https://access.redhat.com/kb/docs/DOC-47247 for instructions to mask the keystore credentials.
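The three keytool steps of Procedure 4.6, run end to end without prompts, followed by the check a practitioner wants before the truststore leaves the server: that it holds exactly the certificate from the private keystore, as a trusted certificate entry, and no private key. This is an added example and not part of the Red Hat documentation; the alias and file names follow the page's own example (BRMSKey, PrivateBRMS.keystore, BRMSKey.crt, BRMSTrustStore.keystore), while the passwords and the -dname subject are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the Red Hat documentation): Procedure 4.6 steps 1-3 run
# non-interactively, followed by a check that the truststore really holds the
# server's certificate. Passwords and the -dname subject are constructed placeholders.
set -eu

ALIAS=BRMSKey                       # same alias for every step (the page's example alias)
PRIVATE_KS=PrivateBRMS.keystore     # private keystore: readable by the server only
CERT=BRMSKey.crt                    # exported digital certificate
PUBLIC_KS=BRMSTrustStore.keystore   # truststore distributed to clients
STORE_PASS='changeit-store'         # keystore password (first keytool prompt)
KEY_PASS='changeit-key'             # key password (second keytool prompt)
TRUST_PASS='changeit-trust'         # truststore password (drools.serialization.public.keyStorePwd)

# Step 1: private keystore holding an RSA key pair. -dname answers the identity
# prompts, -storepass/-keypass the two password prompts. JKS is requested
# explicitly because PKCS12 stores ignore a key password that differs from the
# store password, and the page's procedure relies on two separate passwords.
create_private_keystore() {
    rm -f "$PRIVATE_KS"
    keytool -genkey -alias "$ALIAS" -keyalg RSA -keysize 2048 -validity 365 \
        -storetype JKS -dname 'CN=BRMS rule signing, O=Example Corp, C=US' \
        -keystore "$PRIVATE_KS" -storepass "$STORE_PASS" -keypass "$KEY_PASS"
}

# Step 2: export the digital certificate (public key only) from the private keystore.
export_certificate() {
    keytool -export -alias "$ALIAS" -file "$CERT" \
        -keystore "$PRIVATE_KS" -storepass "$STORE_PASS"
}

# Step 3: import the certificate into a new keystore, the truststore.
# -noprompt answers the "Trust this certificate?" question.
create_truststore() {
    rm -f "$PUBLIC_KS"
    keytool -import -noprompt -alias "$ALIAS" -file "$CERT" \
        -storetype JKS -keystore "$PUBLIC_KS" -storepass "$TRUST_PASS"
}

# Print the PEM form of the alias's certificate in keystore $1 (password $2).
cert_pem() {
    keytool -export -rfc -alias "$ALIAS" -keystore "$1" -storepass "$2" 2>/dev/null
}

# Check that the truststore matches the private keystore: same certificate bytes,
# stored as a trusted certificate, and no private key entry that could leak to clients.
verify_truststore() {
    server_cert=$(cert_pem "$PRIVATE_KS" "$STORE_PASS") || return 1
    trusted_cert=$(cert_pem "$PUBLIC_KS" "$TRUST_PASS") || return 1
    [ -n "$server_cert" ] && [ "$server_cert" = "$trusted_cert" ] || return 1
    entries=$(keytool -list -keystore "$PUBLIC_KS" -storepass "$TRUST_PASS" 2>/dev/null) || return 1
    printf '%s\n' "$entries" | grep -qi 'trustedCertEntry' || return 1
    if printf '%s\n' "$entries" | grep -qi 'keyEntry'; then
        return 1   # a PrivateKeyEntry (or old-style keyEntry) has no business in a truststore
    fi
    return 0
}

build_signing_keystores() {
    create_private_keystore && export_certificate && create_truststore && verify_truststore
}

if command -v keytool >/dev/null 2>&1; then
    build_signing_keystores || { echo "keystore build or verification failed" >&2; exit 1; }
    echo "ok: $PUBLIC_KS holds the certificate from $PRIVATE_KS and no private key"
else
    echo "keytool not found on PATH; install a JDK to run this script" >&2
fi
```

Run it in an empty directory with a JDK on the PATH. The verify_truststore check is also the one to run on a truststore copy fetched from the network share or webserver of the following step (and of Examples 4.2 and 4.3 in the client procedure) before pointing clients at it, since a file served over plain HTTP carries no proof of its origin by itself.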
4.3.3. Configuring the Client for Rule Package Signing
System.setProperty method. The org.drools.core.util.KeyStoreHelper class contains several constants that represent these properties.
- A JBoss Enterprise BRMS Platform Server already installed and correctly configured for Rule Package Signing.
- The URL for the truststore that contains the Digital Certificate used by the JBoss Enterprise BRMS Platform Server.
- The password for the truststore, if one is set.
Procedure 4.7. Client Configuration for Rule Package Signing
- Enable signing by setting the drools.serialization.sign property to true.

      System.setProperty( KeyStoreHelper.PROP_SIGN, "true" );

- Set the drools.serialization.public.keyStoreURL property to the URL where the truststore is located. If the truststore is in the classpath of the client, this can be done using the getClass().getResource() method.

  Example 4.1. When the TrustStore is located on the client's classpath

      URL trustStoreURL = getClass().getResource( "BRMSTrustStore.keystore" );
      System.setProperty( KeyStoreHelper.PROP_PUB_KS_URL, trustStoreURL.toExternalForm() );

  Example 4.2. When the TrustStore is located on a webserver

      URL trustStoreURL = new URL( "http://brms.intranet/resources/BRMSTrustStore.keystore" );
      System.setProperty( KeyStoreHelper.PROP_PUB_KS_URL, trustStoreURL.toExternalForm() );

  Example 4.3. When the TrustStore is located on the local file system

      URL trustStoreURL = new URL( "file:///mnt/fileserve/rules-server/BRMSTrustStore.keystore" );
      System.setProperty( KeyStoreHelper.PROP_PUB_KS_URL, trustStoreURL.toExternalForm() );

- Set the drools.serialization.public.keyStorePwd property to the password for the truststore. This is only required if a password is required to access the truststore.

      System.setProperty( KeyStoreHelper.PROP_PUB_KS_PWD, "sekretPasswordHere" );