> For the complete documentation index, see [llms.txt](https://docs.bluerock.io/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://docs.bluerock.io/policy-configuration/policy-builder.md).

# Policy Builder

The BlueRock Secure MCP Server consumes a signed policy blob generated using the TREX tool.

The TREX workflow consists of the following steps:

1. Generate a policy template
2. Manually edit the generated policy template JSON file to define the required policy rules
3. Sign the policy and generate a signed policy blob (.tar)

After the signed policy blob is generated, the following manual steps are required:

4. Extract the signed policy blob to obtain the policy file (policy.json) and signature file (policy.json.sig)
5. Upload the extracted policy files to the configured cloud storage bucket for UC retrieval

UC verifies the policy signature during startup before loading it.

***

### TREX Tool Location

On BlueRock Node AMI (Amazon Linux 2023 and Ubuntu 24.04):

```shellscript
/opt/bluerock/trex
```

***

### Step 1: Create Signing Key and Certificate

Navigate to the TREX tool directory:

```shellscript
cd /opt/bluerock/trex
```

Generate a private key and self-signed certificate:

```shellscript
openssl req -x509 -newkey rsa:4096 \
-keyout dynpol_key.pem \
-out dynpol_cert.pem \
-sha256 -days 3650 -nodes \
-subj "/C=XX/ST=StateName/L=CityName/O=CompanyName/OU=CompanySectionName/CN=CommonNameOrHostname"
```

Extract the public key from the certificate:

```shellscript
openssl x509 -pubkey -noout -in dynpol_cert.pem > dynpol_pubkey.pem
```

***

### Step 2: Configure trex.toml

Create a `trex.toml` file under `/opt/bluerock/trex` with the following configuration:

```toml
[incoming]
sig_required = false
sig_hash = "sha256"
public_key_pem = "dynpol_cert.pem"

[outgoing]
sig_required = true
sig_hash = "sha256"
private_key_pem = "dynpol_key.pem"
private_key_passphrase = ""
```

This configures the TREX tool to sign outgoing policies with SHA-256.

***

### Step 3: Activate TREX Python Environment

The TREX Python virtual environment is pre-created on the BlueRock node:

```shellscript
source /opt/bluerock/trex/py312/bin/activate
```

***

### Step 4: Generate Policy Template

Generate a policy model file for EC2 deployments:

```shellscript
python trex/models/customerpolicymodel.py -d > bru_policy.json
```

The generated JSON file contains the policy template with default values. Edit the generated JSON file to define required policy rules.

Example MCP Protection Configuration:

```json
"mcp": {
  "enable": true,
  "remediate": false
}
```

Policy enforcement behavior is controlled using the `remediate` flag.

* `remediate: false` → observe mode
* `remediate: true` → enforce mode

***

### Step 5: Generate Signed Policy Blob

Generate the signed policy package:

```shellscript
# usage
python trex.py <policy_file>.json

# example
python trex.py bru_policy.json
```

This produces:

```shellscript
bru_policy.tar
```

Extract the archive:

```shellscript
tar xvf bru_policy.tar
```

The extracted files include:

* `policy.json`
* `policy.json.sha256`
* `policy.json.sig`

These files are required for policy verification by UC.

**Note:** The policy filename can be any valid JSON file name. There is no mandatory naming requirement.

***

### Step 6: Upload Policy Files to S3

The EC2 instance hosting the BlueRock runtime must be associated with an **IAM role that allows access to the S3 bucket storing the policy files**. This IAM role must allow the instance to **read policy artifacts during runtime policy retrieval**.

Example IAM policy:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:GetObject",
        "s3:ListBucket"
      ],
      "Resource": [
        "arn:aws:s3:::<policybucket>",
        "arn:aws:s3:::<policybucket>/*"
      ]
    }
  ]
}
```

This policy allows the EC2 instance to:

* list objects in the policy storage bucket
* download the policy file and signature file required for runtime verification

After configuring the IAM role, upload the policy files to the configured S3 bucket.

Example:

```shellscript
aws s3 cp policy.json s3://buv-dynamic-policy/bru_policy.json
aws s3 cp policy.json.sig s3://buv-dynamic-policy/bru_policy.json.sig
aws s3 cp dynpol_pubkey.pem s3://buv-dynamic-policy/dynpol_pubkey.pem
```

***

### Policy Verification

During UC startup:

1. Policy files are downloaded from S3
2. SHA256 hash is verified
3. Digital signature is validated using the public key
4. Policy is loaded if verification succeeds

If verification fails:

* The invalid policy is not applied
* An error is logged
* The service continues running
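To catch a bad blob before it reaches the bucket, the following added example (not BlueRock's or TREX's own code) runs the same three checks on the extracted files that UC performs at startup: it parses `policy.json` and reports the MCP mode implied by the `remediate` flag from Step 4, compares the stored SHA-256 with the file, and verifies the detached signature against the public key exported in Step 1. It assumes `policy.json.sha256` holds either a bare hex digest or a `sha256sum`-style `<hex>  <name>` line, and that `policy.json.sig` is an RSA/SHA-256 signature that `openssl dgst -sha256 -verify` can check; the function names (`verify_blob`, `lint_policy`, `make_sample_blob`) are the example's own.

```python
# Added example (not BlueRock's code): local checks on an extracted TREX blob
# that mirror what UC does at startup. Assumptions not confirmed by the page:
# policy.json.sha256 holds a bare hex digest or a sha256sum-style
# "<hex>  <name>" line, and policy.json.sig is an RSA/SHA-256 signature over
# policy.json that `openssl dgst -sha256 -verify` can check.
import hashlib
import json
import shutil
import subprocess
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Hex SHA-256 of a file, read in chunks so large policies are fine."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def parse_digest_file(text: str) -> str:
    """Accept a bare hex digest or a 'hex  filename' line (assumed formats)."""
    digest = text.split()[0].lower() if text.strip() else ""
    if len(digest) != 64 or any(c not in "0123456789abcdef" for c in digest):
        raise ValueError("policy.json.sha256 does not contain a SHA-256 hex digest")
    return digest


def check_hash(policy: Path, digest_file: Path) -> bool:
    """UC step 2: the stored digest must match the digest of policy.json."""
    return sha256_file(policy) == parse_digest_file(digest_file.read_text())


def lint_policy(policy: Path) -> str:
    """UC step 1 plus a sanity check on the mcp block edited in Step 4.

    Returns the effective MCP mode ("observe", "enforce" or "disabled") so the
    operator sees what will be deployed before signing or uploading.
    """
    data = json.loads(policy.read_text())
    mcp = data.get("mcp")
    if not isinstance(mcp, dict):
        raise ValueError('policy has no "mcp" object')
    for key in ("enable", "remediate"):
        if not isinstance(mcp.get(key), bool):
            raise ValueError(f'"mcp.{key}" must be true or false')
    if not mcp["enable"]:
        return "disabled"
    return "enforce" if mcp["remediate"] else "observe"


def check_signature(policy: Path, sig: Path, pubkey: Path) -> bool:
    """UC step 3: verify the detached signature with the exported public key.

    Delegates to the openssl CLI; raises if openssl is not installed.
    """
    if shutil.which("openssl") is None:
        raise RuntimeError("openssl not found on PATH")
    result = subprocess.run(
        ["openssl", "dgst", "-sha256", "-verify", str(pubkey),
         "-signature", str(sig), str(policy)],
        capture_output=True, text=True,
    )
    return result.returncode == 0 and "Verified OK" in result.stdout


def verify_blob(extract_dir: Path, pubkey: Path) -> dict:
    """Run all three checks on an extracted blob; any failure raises."""
    policy = extract_dir / "policy.json"
    mode = lint_policy(policy)
    if not check_hash(policy, extract_dir / "policy.json.sha256"):
        raise ValueError("SHA-256 mismatch: policy.json was modified after signing")
    if not check_signature(policy, extract_dir / "policy.json.sig", pubkey):
        raise ValueError("signature does not verify against the public key")
    return {"mode": mode, "sha256": sha256_file(policy)}


def make_sample_blob(remediate: bool, directory: str = "") -> Path:
    """Write a constructed policy.json and a matching policy.json.sha256 into a
    scratch directory. Test fixture only; this is not a TREX-generated blob."""
    d = Path(directory or tempfile.mkdtemp(prefix="trex-example-"))
    policy = d / "policy.json"
    policy.write_text(json.dumps({"mcp": {"enable": True, "remediate": remediate}}, indent=2))
    (d / "policy.json.sha256").write_text(f"{sha256_file(policy)}  policy.json\n")
    return d


if __name__ == "__main__":
    import sys
    # usage: python verify_blob.py <extracted-dir> dynpol_pubkey.pem
    print(verify_blob(Path(sys.argv[1]), Path(sys.argv[2])))
```

Run it against the directory produced by `tar xvf bru_policy.tar`, passing `dynpol_pubkey.pem` from Step 1. A hash mismatch means `policy.json` was edited after signing, and a signature failure means the wrong key pair was used; in either case repeat Step 5 rather than uploading, since UC will refuse the blob anyway.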

### Policy Package Content

Every valid policy deployment requires the following files in the Cloud Storage:

| File              | Purpose                     |
| ----------------- | --------------------------- |
| `policy.json`     | Policy Blob                 |
| `policy.json.sig` | Cryptographic signature     |
| `public.pem`      | Public key for verification |

The private key used for signing must never be uploaded.

The BlueRock Control Plane rejects the policy if the signature does not match the policy (for example, because the wrong public key was uploaded), if the signature file is missing, or if an incorrect version of the TREX tool was used to produce the uploaded files.

