
LAB 3 SECURING XML MESSAGE CONTENT

3.6 SECURING WITH SSL

The final steps in this section will be to show how you can easily secure your multi-protocol gateway service using mutual (two-way) SSL.

The basic process involves adding an HTTPS Front Side Handler to your multi-protocol gateway. The primary difference between the HTTP and HTTPS front side handlers is that the HTTPS FSH requires an SSL Proxy Profile object.

The preceding image shows the relationships of various crypto objects that work together to provide mutual SSL services.

The Crypto Identification Credential object is used when providing an identity to connecting clients. When a client connects, it requests a certificate. The crypto ID credential references which certificate should be returned to the client. It also references a private key which is used by SSL in later steps.

Earlier, you created a crypto validation credential for use when verifying a digital signature. When a crypto validation credential is used for mutual (two-way) SSL communication, it contains all certificates that should be accepted. In other words, if during the SSL handshake, the client provides a certificate that is not found in the crypto valcred, the SSL handshake will fail. If a crypto valcred is omitted from the configuration, one-way SSL will be used.

The Crypto Profile object ties together a Crypto ID credential and a Crypto Validation credential.

The SSL Proxy Profile provides some protocol-specific options and references a crypto profile. The SSL Proxy Profile thus contains every bit of information needed to establish one or two-way SSL handshaking.

This may seem like a lot of pieces to configure, but keep in mind that a single WebSphere DataPower appliance can host multiple services and may need to have multiple identities. This object relationship provides the maximum flexibility and object re-use.

3.6.1 Create the Crypto Identification Credential

__142. In the left navigation pane, under the Objects menu, in the Crypto Configuration section, click on the Crypto Identification Credentials.

__143. Click the Add button.

__144. In the Name field, type: MyIdCred

__145. In the Crypto Key dropdown, select: DataPowerCryptoKey

__146. In the Certificate dropdown, select: DataPowerCryptoCert

__147. Click the Apply button to create the Crypto Identification Credentials.

3.6.2 Update the Crypto Validation Credentials

When a client connects to a service using mutual SSL, the client will be required to provide a certificate during SSL handshaking. If that certificate (or its root certificate) does not exist in the crypto validation credential, handshaking will fail. In this step, you’ll upload another certificate, which represents the partner who will be connecting to your service.
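The following is an added illustration, not DataPower code, of how the crypto objects introduced in section 3.6 fit together and of the acceptance rule stated above: the Crypto Profile carries an ID credential and an optional validation credential; the SSL Proxy Profile runs one-way SSL when the valcred is absent and two-way SSL otherwise, rejecting any client certificate that is neither in the valcred nor issued by a certificate in it. Certificates are modelled as constructed fingerprint strings (no X.509 parsing), and the object names (MyIdCred, MyValcred, MyCryptoProfile, MySslProxyProfile, PartnerCert) are the ones used in this lab.

```python
from dataclasses import dataclass, field
from typing import Optional


@dataclass(frozen=True)
class Certificate:
    """Stand-in for a Crypto Certificate object. The fingerprint identifies the
    certificate; issuer_fingerprint is the fingerprint of the certificate that
    signed it (equal to its own fingerprint when self-signed). Values are constructed."""
    name: str
    fingerprint: str
    issuer_fingerprint: str


@dataclass(frozen=True)
class IdCredential:
    """Crypto Identification Credential: certificate presented to clients plus
    the name of the Crypto Key object holding the matching private key."""
    name: str
    certificate: Certificate
    crypto_key: str


@dataclass
class ValidationCredential:
    """Crypto Validation Credential: the set of certificates accepted from peers."""
    name: str
    certificates: list = field(default_factory=list)

    def accepts(self, presented: Certificate) -> bool:
        trusted = {c.fingerprint for c in self.certificates}
        # Accept an exact match, or a certificate issued by a trusted (root) certificate.
        return presented.fingerprint in trusted or presented.issuer_fingerprint in trusted


@dataclass(frozen=True)
class CryptoProfile:
    """Ties an ID credential to an optional validation credential."""
    name: str
    id_credential: IdCredential
    validation_credential: Optional[ValidationCredential] = None


@dataclass(frozen=True)
class SslProxyProfile:
    """Reverse (server-side) SSL settings; references a crypto profile."""
    name: str
    reverse_crypto_profile: CryptoProfile

    @property
    def mode(self) -> str:
        return "two-way" if self.reverse_crypto_profile.validation_credential else "one-way"

    def server_handshake(self, client_cert: Optional[Certificate]) -> dict:
        """Decide whether a server-side handshake succeeds for the given client certificate."""
        profile = self.reverse_crypto_profile
        result = {"mode": self.mode,
                  "server_certificate": profile.id_credential.certificate.name}
        valcred = profile.validation_credential
        if valcred is None:
            # One-way SSL: the client is never asked for a certificate.
            result.update(accepted=True, reason="one-way SSL, no client certificate requested")
        elif client_cert is None:
            result.update(accepted=False, reason="client certificate required but not presented")
        elif not valcred.accepts(client_cert):
            result.update(accepted=False,
                          reason=f"certificate {client_cert.name} not found in {valcred.name}")
        else:
            result.update(accepted=True, reason=f"certificate {client_cert.name} accepted")
        return result


def build_lab_objects() -> dict:
    """Constructed objects mirroring the lab configuration (fingerprints are made up)."""
    dp_cert = Certificate("DataPowerCryptoCert", "dp01", "dp01")
    partner_cert = Certificate("PartnerCert", "pc01", "pc01")
    id_cred = IdCredential("MyIdCred", dp_cert, "DataPowerCryptoKey")
    valcred = ValidationCredential("MyValcred", [partner_cert])
    two_way = SslProxyProfile("MySslProxyProfile",
                              CryptoProfile("MyCryptoProfile", id_cred, valcred))
    one_way = SslProxyProfile("OneWayProfile", CryptoProfile("OneWayCrypto", id_cred))
    return {"partner_cert": partner_cert, "two_way": two_way, "one_way": one_way}


if __name__ == "__main__":
    lab = build_lab_objects()
    leaf = Certificate("PartnerIssuedLeaf", "lf01", "pc01")   # signed by PartnerCert
    stranger = Certificate("UnknownCert", "xx01", "xx01")
    for cert in (lab["partner_cert"], leaf, stranger, None):
        print(lab["two_way"].server_handshake(cert))
    print(lab["one_way"].server_handshake(None))
```

Running the block prints one decision per client certificate: the partner's own certificate and a certificate issued by it are accepted by the two-way profile, an unknown self-signed certificate and a missing certificate are rejected, and the profile without a valcred completes a one-way handshake without asking for one.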

__148. In the same section in the navigation pane, click on Crypto Validation Credentials.

__149. Click on MyValcred.

__150. Click the plus (+) button in the Certificates field to add another certificate to the list.

__151. In the Name field, type: PartnerCert

__152. In the File Name field, click on the Upload button.

__153. In the Upload window, click the Browse button. In the lab3 directory, select: partner-sscert.pem

__154. Click the Upload button; then click the Continue button.

__155. Click the Apply button to save the new Crypto Certificate. When you return to the validation credential configuration page, you’ll see that the new PartnerCert has been added to the list of certificates.

__156. Click the Apply button in the Configure Crypto Validation Credentials form.

3.6.3 Create the Crypto Profile

The crypto profile object will now tie together the crypto identification credential and the crypto validation credential to form a relationship between the two.

__157. In the same Crypto Configuration section of the navigation pane, locate and click Crypto Profile.

__158. Click the Add button.

__159. In the Name field, type: MyCryptoProfile

__160. In the ID Credentials dropdown, select: MyIdCred

__161. In the Validation Credentials dropdown, select: MyValcred

__162. Click the Apply button to save the Crypto Profile.

3.6.4 Create the SSL Proxy Profile

The proxy profile object provides the SSL-specific configuration parameters, and references the crypto profile for any required crypto keys and certificates.

__163. In the same Crypto Configuration section of the navigation pane, locate and click SSL Proxy Profile.

__164. Click the Add button.

__165. In the Name field, type: MySslProxyProfile

__166. In the Reverse (Server) Crypto Profile dropdown, select: MyCryptoProfile

__167. Click the Apply button to save the new SSL Proxy Profile.

__168. Click the Control Panel link to redisplay the control panel.

3.6.5 Create an HTTPS Front Side Handler

The final steps are to create the HTTPS front side protocol handler and add it to the multi-protocol gateway service. The HTTPS front side handler will identify which SSL Proxy Profile to use as well as a TCP port for communications.

__169. Click the Multi-Protocol Gateway icon.

__170. Click MyService to open the configuration for your multi-protocol gateway service.

__171. In the Front Side Protocol field, click the plus (+) button to create a new front side protocol handler.

__172. From the pop-up menu, select HTTPS (SSL) Front Side Handler

__173. In the Name field, type: MyHttpsFSH

__174. In the Port field, type: 443nn where nn is your student number.

__175. Towards the bottom of the configuration window, locate the SSL Proxy field and select MySslProxyProfile from the dropdown list.

__176. Click the Apply button to save the front side handler configuration.

__177. Click the Apply button at the top of the Configure Multi-Protocol Gateway form.

The configuration is complete. Now your multi-protocol gateway service is listening on two ports, one being HTTP and the other HTTPS.

__178. In the command window, type the following command. Make sure to use the secured port number.

post soapMsg.xml http://datapower:443nn/xml

This should fail because port 443nn requires an SSL connection.

__179. Now try the command again, but this time using the SSL protocol. Notice this time the protocol is https and not http. Also, you will use the sslpost command instead of post.

sslpost soapMsg.xml https://datapower:443nn/xml

__180. If your configuration is working properly, click the Save Config link in the upper right corner of the window to save your configuration to the flash memory.

3.7 Summary

In this lab, you saw a variety of ways in which WebSphere DataPower appliances can help secure your XML data from malicious threats, tampering and unauthorized access. You learned:

How crypto certificates and crypto keys are used to dereference key and certificate files for maximum flexibility and ease of maintainability.

Crypto keys and certificates are used when creating and verifying digital signatures, as well as during encryption and decryption.

You can add a digital signature to an XML message simply by dragging a sign action onto the processing rule and identifying which key to use.

Field level, as well as message level encryption and decryption can be performed without sacrificing performance as a result of hardware encryption technology.

The transaction probe is a powerful tool that allows you to visually inspect every aspect of a transaction, helping to identify configuration or communication problems.

Access Control Policies, also known as AAA policies, are a powerful and flexible way to prevent unauthorized access to your services. Through the point-and-click WebGUI, you can easily configure access policies to contact external authentication and policy servers.

AAA policies can also do security mediation, such as converting between HTTP Basic Authentication and Kerberos/SPNEGO. AAA policies can also create a SAML assertion based on authenticated credentials extracted from the message.

SSL leverages several reusable crypto objects and is easily applied to a service by simply assigning an SSL Proxy Profile to an HTTPS front side handler.