diff --git a/doc/tooling/tcm/index.rst b/doc/tooling/tcm/index.rst index 1251bf6bf..2c22f851b 100644 --- a/doc/tooling/tcm/index.rst +++ b/doc/tooling/tcm/index.rst @@ -46,4 +46,5 @@ to read data. LDAP authorization is supported as well. tcm_backend_store tcm_dev_mode tcm_configuration_reference + tcm_integrity_check Releases diff --git a/doc/tooling/tcm/tcm_integrity_check.rst b/doc/tooling/tcm/tcm_integrity_check.rst new file mode 100644 index 000000000..9ef1b2595 --- /dev/null +++ b/doc/tooling/tcm/tcm_integrity_check.rst @@ -0,0 +1,56 @@ +.. _tcm_integrity_check: + +Integrity check +================ + +.. include:: index.rst + :start-after: ee_note_tcm_start + :end-before: ee_note_tcm_end + +|tcm| supports the integrity check mechanism. +The integrity check mechanism in TCM verifies the digital signature of centralized configuration files. +It ensures that TCM only applies configurations that are signed with a trusted private key. + +This mechanism allows TCM to: + +* Allows updating the configuration with integrity check support. +* Detect unauthorized changes in centralized configuration. + +.. _tcm_integrity_check_configure: + +Configure integrity check +------------------------- + +Configuration parameters +~~~~~~~~~~~~~~~~~~~~~~~~ + +.. list-table:: + :header-rows: 1 + :widths: 35 45 10 10 + + * - Parameter + - Description + - Type + - Default + * - :ref:`security.integrity-check ` + - Enables signature validation + - ``bool`` + - ``false`` + * - :ref:`security.signature-private-key-file ` + - Path to the private key for signing configuration + - ``string`` + - ``""`` + + +Example configuration +~~~~~~~~~~~~~~~~~~~~~ + +Integrity check in |tcm| can be enabled and customized using several methods. +You can configure it directly in the |tcm| configuration file: + +.. code-block:: yaml + + # tcm.yaml + security: + integrity-check: true + signature-private-key-file: /etc/tcm/private_key.pem
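Review bot: in the `doc/tooling/tcm/index.rst` hunk, the new `tcm_integrity_check` toctree entry sits between `tcm_configuration_reference` and the `Releases` heading with no blank line visible before `Releases`; check that the added line carries the same indentation as the three entries above it, because a mis-indented line ends the toctree directive early and Sphinx then warns that `tcm_integrity_check.rst` is not included in any toctree, leaving the new page unreachable from the sidebar.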
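Review bot: in the new `tcm_integrity_check.rst`, the text states that TCM "verifies the digital signature" of configuration files and "only applies configurations that are signed with a trusted private key", yet the only key parameter documented is `security.signature-private-key-file`, described as "Path to the private key for signing configuration". Signature verification is done with a public key, so the page should say which key TCM uses to verify, who performs the signing, and that a private key placed in `/etc/tcm/private_key.pem` on the TCM host must be readable only by the TCM process (anyone who can read it can produce configurations that pass the check); without this a reader cannot tell what "unauthorized changes" the feature actually detects. Three smaller points in the same hunk: the bullet "Allows updating the configuration with integrity check support." does not fit the lead-in "This mechanism allows TCM to:" (suggest "Update the configuration with integrity check support."); both `:ref:` roles in the table, `:ref:`security.integrity-check `` and `:ref:`security.signature-private-key-file ``, have no `<label>` target after the link text and will render as broken references; and "can be enabled and customized using several methods" is followed by a single YAML example, so either list the other methods (for instance the CLI or environment-variable forms the rest of the TCM docs use) or drop "several methods".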