Signing asset policies

Asset policies control access to your data and are stored on the Federation Orchestrator. The Apheris product offers the option for you to sign those policies if this option has been selected for this Compute Gateway upon deployment.

Signing is a cryptographic operation that ensures the policies used on your Compute Gateway cannot be tampered with.

The Apheris team provides a signing tool for your convenience to create these signing keys.

Requirements for using asset policy signing

• You have a signing key
• The certificate to verify signatures is configured on the Compute Gateway that contains the dataset
• You have the Owner role within your organization

Signing an asset policy

Signing steps

1. You use your private signing key (existing or freshly generated) to create the digital signature either with the Apheris signing tool or the Governance Portal.
2. The policy and signature are sent to the Orchestrator via the Governance Portal.
3. Upon evaluation of an asset policy, the Compute Gateway retreives the asset policy and it's signature from the Orchestrator.
4. The Gateway verifies the integrity of the asset policy by verifying the signature with the respective certificate.

Obtaining Signing Keys

We require signing keys to be RSA in PKSC 8 format.

The easiest way to create signing keys is the Apheris signing tool.

Viewing Signatures in the Governance Portal

Navigate to the Asset Policy Overview tab.

Within the overview tab, a closed black lock icon will indicate a properly signed asset policy (see image below).

If an asset has not been properly signed, you will see an open lock icon colored red.

Signing via the Governance Portal

The most convenient way is to sign via the “in the browser” option. For this option, you must upload your private key to the Apheris Governance Portal. The private key is stored via the native web crypto API in a read-only storage. It is never uploaded to a server.

The key will be stored in your browser until you delete it. You can sign multiple asset policies without uploading the key again. Please make sure that your browser is secure when using this option.

Signing via Apheris signing tool (external app)

With the Apheris signing tool (tab: external app) you can securely sign your asset policy outside of your browser. You can do this by clicking on the “Copy asset policy” button.

Important

Please always use the "Copy Asset Policy" button (see screenshot below) and do not copy the Asset Policy from the JSON tab in the UI. The key-value pairs of the asset policy JSON are the same in both, hence the asset policy is the same. However the string you copy to clipboard when you click "Copy Asset Policy" is what is actually stored on the Orchestrator, while what is displayed in the JSON tab differs from that in formatting and ordering of the key-value pairs as it shows a prettified version of the JSON. The Apheris signing tool is agnostic of JSON and will generate the signature for the string that is inserted, but will not validate the JSON structure before doing so. That means if the JSON key-value pairs are ordered differently, the generated signature will differ. Hence it is important that you use the "Copy Asset Policy" button.

This will copy the JSON version of the asset policy to your clipboard (Please do not copy directly from the JSON tab. Always use the “Copy asset policy” button!).

Paste the copied asset policy into the Apheris signing tool. Use the following command to create a signature.

./crypto\_tool sign -k <private\_key.pem> -t '{"key1": "value1", "key2": "value2"}'

You should see a similar output as shown below. Mind that the signature is different each time the script is run because of the algorithm used!

Paste the created signature into the Governance Portal and make sure, that the pasted signature is the same as the one created with the signing tool.

If the signature is valid the red lock will change to a closed green lock with “signature verified”. Once this is in place, you can click “Save”. Congratulations, you successfully signed an asset policy.

Updating signed asset policies

You can update signed asset policies at any time.

For asset policy signing via the Governance Portal “In the browser”, asset policies will be signed automatically.

For asset policies signed with the Apheris signing tool, you have to create a new valid signature before being able to save the changes.