Policy Builder

The BlueRock Secure MCP Server consumes a signed policy blob generated using the TREX tool.

The TREX tool performs the following operations:

Generate a policy template
Manually edit the generated policy template JSON file to define the required policy rules
Sign the policy and generate a signed policy blob (.tar)

After the signed policy blob is generated, the following manual steps are required:

Extract the signed policy blob to obtain the policy file (policy.json) and signature file (policy.json.sig)
Upload the extracted policy files to the configured cloud storage bucket for UC retrieval

UC verifies the policy signature during startup before loading it.

TREX Tool Location

On BlueRock Node AMI (Amazon Linux 2023 and Ubuntu 24.04):

/opt/bluerock/trex

Step 1: Create Signing Key and Certificate

Navigate to the TREX tool directory:

cd /opt/bluerock/trex

Generate a private key and self-signed certificate:

openssl req -x509 -newkey rsa:4096 \
-keyout dynpol_key.pem \
-out dynpol_cert.pem \
-sha256 -days 3650 -nodes \
-subj "/C=XX/ST=StateName/L=CityName/O=CompanyName/OU=CompanySectionName/CN=CommonNameOrHostname"

Extract the public key from the certificate:

openssl x509 -pubkey -noout -in dynpol_cert.pem > dynpol_pubkey.pem

Step 2: Configure trex.toml

Create a trex.toml file under /opt/bluerock/trex with the following configuration:

[incoming]
sig_required = false
sig_hash = "sha256"
public_key_pem = "dynpol_cert.pem"

[outgoing]
sig_required = true
sig_hash = "sha256"
private_key_pem = "dynpol_key.pem"
private_key_passphrase = ""

This enables TREX tool to sign outgoing policies using SHA256.

Step 3: Activate TREX Python Environment

The TREX Python virtual environment is pre-created on the BlueRock node:

source /opt/bluerock/trex/py312/bin/activate

Step 4: Generate Policy Template

Generate a policy model file for EC2 deployments:

python trex/models/customerpolicymodel.py -d > bru_policy.json

The generated JSON file contains the policy template with default values. Edit the generated JSON file to define required policy rules.

Example MCP Protection Configuration:

"mcp": {
  "enable": true,
  "remediate": false
}

Policy enforcement behavior is controlled using the remediate flag.

remediate: false → observe mode
remediate: true → enforce mode

Step 5: Generate Signed Policy Blob

Generate the signed policy package:

python trex.py <policy_file>.json

Example:
python trex.py bru_policy.json

This produces:

bru_policy.tar

Extract the archive:

tar xvf bru_policy.tar

The extracted files include:

policy.json
policy.json.sha256
policy.json.sig

These files are required for policy verification by UC.

Note: The policy filename can be any valid JSON file name. There is no mandatory naming requirement.

Step 6: Upload Policy Files to S3

The EC2 instance hosting the BlueRock runtime must be associated with an IAM role that allows access to the S3 bucket storing the policy files. This IAM role must allow the instance to read policy artifacts during runtime policy retrieval.

Example IAM policy:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:GetObject",
        "s3:ListBucket"
      ],
      "Resource": [
        "arn:aws:s3:::<policybucket>",
        "arn:aws:s3:::<policybucket>/*"
      ]
    }
  ]
}

This policy allows the EC2 instance to:

list objects in the policy storage bucket
download the policy file and signature file required for runtime verification

After configuring the IAM role, upload the policy files to the configured S3 bucket.

Example:

aws s3 cp policy.json s3://buv-dynamic-policy/bru_policy.json
aws s3 cp policy.json.sig s3://buv-dynamic-policy/bru_policy.json.sig
aws s3 cp dynpol_pubkey.pem s3://buv-dynamic-policy/dynpol_pubkey.pem

Policy Verification

During UC startup:

Policy files are downloaded from S3
SHA256 hash is verified
Digital signature is validated using the public key
Policy is loaded if verification succeeds

If verification fails:

The invalid policy is not applied
An error is logged
The service continues running

Policy Package Content

Every valid policy deployment requires the following files in the Cloud Storage:

File

Purpose

policy.json

Policy Blob

policy.json.sig

Cryptographic signature

public.pem

Public key for verification

The private key used for signing must never be uploaded.

If there is a mismatch in the policy signature/ Wrong PUB key uploaded, Policy signature file is missing, or an incorrect version of TREX tool is used for the upload, the BlueRock Control Plane will reject the policy.

PreviousUnderstanding BlueRock Sandbox Policies NextPolicy Structure

Last updated 2 months ago