We are integrating with secured govt. services wherein for compliance reasons we are required to ensure that our code is signed. The integrations are through Fuse and using HTTP / SOAP based interfaces. Can you please guide us on how to implement code signing and ensure that Fuse validates that only signed code is deployed? We will procure a code signer certificate during the implementation.
We have a simple OSGi bundle which is packaged as a JAR and available in the Maven local repos, and we need to sign this JAR.
- Before deploying this JAR to Fuse, we will sign the jar with some signature pattern and algorithms used.
Once we deploy the JAR files to Fuse, the Fuse container should validate the signature that's used in the JAR file and check if the user is allowed to deploy it or not. Any internal user who is trying to deploy a normal unsigned JAR file should not be allowed to deploy.
We want to deploy only the signed jars to Fuse, and not the unsigned ones.
- Red Hat JBoss Fuse
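
A pre-deployment gate for the requirement above, as an added example (not Red Hat's or Fuse's own mechanism): it rejects a JAR that has no signature file with a matching signature block under `META-INF`, or whose entries do not match the SHA-256 digests recorded in the manifest. It does not validate the signature block or the certificate chain, so it complements `jarsigner -verify` rather than replacing it; the function names and the sample JAR are constructed here, and SHA-256 manifest digests are assumed.

```python
import base64, hashlib, io, re, zipfile

SIG_FILE = re.compile(r"^META-INF/([^/]+)\.SF$", re.I)
SIG_BLOCK = re.compile(r"^META-INF/([^/]+)\.(RSA|DSA|EC)$", re.I)

def sha256_b64(data):
    return base64.b64encode(hashlib.sha256(data).digest()).decode()

def manifest_digests(text):
    # Unfold 72-byte continuation lines, then read each per-entry section.
    text = text.replace("\r\n", "\n").replace("\n ", "")
    sections = [dict(l.split(": ", 1) for l in s.split("\n") if ": " in l)
                for s in text.split("\n\n")]
    return {a["Name"]: a.get("SHA-256-Digest") for a in sections if "Name" in a}

def check_jar(jar_bytes):
    """Return 'unsigned', 'digest-mismatch' or 'signed-layout-ok'."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        names = jar.namelist()
        sf = {m.group(1).upper() for n in names if (m := SIG_FILE.match(n))}
        blocks = {m.group(1).upper() for n in names if (m := SIG_BLOCK.match(n))}
        if "META-INF/MANIFEST.MF" not in names or not (sf & blocks):
            return "unsigned"  # no signature file with a matching signature block
        digests = manifest_digests(jar.read("META-INF/MANIFEST.MF").decode("utf-8"))
        for n in names:
            if n.endswith("/") or n == "META-INF/MANIFEST.MF" or SIG_FILE.match(n) or SIG_BLOCK.match(n):
                continue
            if digests.get(n) != sha256_b64(jar.read(n)):
                return "digest-mismatch"  # entry added or changed after signing
    return "signed-layout-ok"

def build_jar(entries, signed, tamper=False):
    # Constructed sample input; the .SF/.RSA bodies are placeholders, not real signatures.
    manifest = "Manifest-Version: 1.0\r\n\r\n" + "".join(
        f"Name: {n}\r\nSHA-256-Digest: {sha256_b64(d)}\r\n\r\n" for n, d in entries.items())
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("META-INF/MANIFEST.MF", manifest)
        if signed:
            z.writestr("META-INF/SIGNER.SF", "Signature-Version: 1.0\r\n")
            z.writestr("META-INF/SIGNER.RSA", b"placeholder")
        for n, d in entries.items():
            z.writestr(n, d + (b"!" if tamper else b""))
    return buf.getvalue()

if __name__ == "__main__":
    cls = {"com/example/Activator.class": b"constructed bytes"}
    for args in [(False,), (True,), (True, True)]:
        print(args, "->", check_jar(build_jar(cls, *args)))
```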