
Securing the Service Consumer Connection

Securing the Service Provider Connection, page 10-85

About SSL/TLS Traffic Encryption

The Secure Sockets Layer (SSL) and its subsequent standardization, Transport Layer Security (TLS), are a widely used method of securing network traffic. You can use SSL with the ACE Web Application Firewall to secure communication between the ACE Web Application Firewall and a service consumer, or between the ACE Web Application Firewall and a backend service provider.

To use SSL with consumer connections, you need to upload and specify a public/private keypair to be used to establish the SSL session. For information on loading keypairs, see the “Uploading a Keypair Resource” section on page 11-89.

Note that SSL is used in the system for purposes other than securing service traffic as well. The ACE Web Application Firewall Manager serves the web console over SSL, for instance. Also, log and administration information is passed between the ACE Web Application Firewall and Manager by SSL. Therefore, there are several areas in the web console for configuring SSL certificates. This chapter describes how to set up the ACE Web Application Firewall to use SSL specifically for service traffic.

Securing the Service Consumer Connection

To use SSL for the consumer connection, the ACE Web Application Firewall needs to have a public/private keypair. The keypair can be either a self-signed certificate or one signed by a Certificate Authority. A self-signed certificate is normally sufficient if the consumer is internal to your organization. For other purposes, you should use a CA-signed certificate.

For compatibility with certain types of clients, a certificate used for a port at the ACE Web Application Firewall (as described here) may need to be configured as a server certificate. That is, the certificate needs to have an X509v3 Extended Key Usage attribute of TLS Web Server Authentication. This is only a potential requirement for certain clients, however; the ACE Web Application Firewall system does not require you to use server certificates, and non-server certificates may work in many instances.

Chapter 10 Securing Traffic with SSL/TLS Securing the Service Consumer Connection

Step 1 Click the HTTP Ports & Hostnames link in the navigation menu.

Step 2 If the port on which you want to configure SSL connections already exists, click the edit link for that port. If the port does not exist, open the port as described in Chapter 8, “Working with Ports and Hostnames.”

Conventionally, port number 443 is used for SSL. However, you can use any port number you like, including port 80, the default port number for non-secured HTTP communication.

Step 3 In the Edit Port page, click the SSL check box. When this option is selected, SSL encryption is used for communication on that port.

Step 4 In the Public/Private Keypairs menu, choose the keypair you want to use for the connection.

If the keypair you want to use is not already uploaded in the ACE Web Application Firewall Manager, follow the directions in the “Uploading a Keypair Resource” section on page 11-89 to upload the keypair.

Step 5 During SSL connection setup, the ACE Web Application Firewall and the client negotiate various parameters of the connection, including the SSL Cipher Suite to be used for message encryption and authentication. By default, the ACE Web Application Firewall is not selective about the cipher suite it will accept on a port. It will accept most encryption algorithms, including those using 64- or 56-bit keys. Specifically, the default Cipher Suite list it uses is:

ALL:!ADH:!EXPORT:!SSLv2:!LOW:+HIGH:+MEDIUM

You can limit the cipher suites that are accepted by the ACE Web Application Firewall on the port by choosing custom from the SSL Cipher Suite menu. In the text field that appears, enter the set of cipher suites to be permitted in standard OpenSSL Cipher string format, as described here:

http://www.openssl.org/docs/apps/ciphers.html

For example, to permit only algorithms whose keys are 128 bits or longer, and to exclude anonymous DH, use:

HIGH:MEDIUM:!ADH

This is equivalent to specifying:

DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:AES256-SHA:EDH-RSA-DES-CBC3-SHA:EDH-DSS-DES-CBC3-SHA:DES-CBC3-SHA:DES-CBC3-MD5:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA:AES128-SHA:DHE-DSS-RC4-SHA:KRB5-RC4-MD5:KRB5-RC4-SHA:RC4-SHA:RC4-MD5:RC2-CBC-MD5:RC4-MD5:KRB5-DES-CBC3-MD5:KRB5-DES-CBC3-SHA

If the client is not capable of using any of the SSL Cipher Suites specified, the connection is not permitted. The event log will show a warning level event similar to: “Terminating HTTP session: 400 Bad request.”

Note Use care when entering the cipher suite string. The ACE Web Application Firewall Manager interface does not verify the value you enter. If you mistype or enter a meaningless value, the port will be unusable.

Step 6 Click Save Changes to finish the port configuration.
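Because the Manager does not verify the cipher string you enter (see the Note in Step 5), it is worth expanding a candidate string with OpenSSL before saving it. The following script is an added example and is not part of this guide or the ACE product; it uses Python's standard ssl module, which hands the string to the local OpenSSL library, to expand a cipher string, reject one that selects no suites, and flag anonymous suites and suites below a chosen key strength. The exact suites listed depend on the OpenSSL build the script runs against.

```python
import ssl


def expand_cipher_string(cipher_string):
    """Expand an OpenSSL cipher string into the suites it selects.

    Returns a list of dicts (name, strength_bits, description), or None when
    OpenSSL rejects the string because no suite matches it (the case that
    would leave an ACE port unusable).
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    try:
        ctx.set_ciphers(cipher_string)  # raises SSLError if nothing matches
    except ssl.SSLError:
        return None
    return [
        {
            "name": c["name"],
            "strength_bits": c["strength_bits"],
            "description": c["description"],
        }
        for c in ctx.get_ciphers()
    ]


def audit_cipher_string(cipher_string, min_bits=128):
    """Report whether a string is usable and which suites deserve a second look.

    'anonymous' lists suites with no server authentication (OpenSSL shows
    them as Au=None); 'below_min' lists suites weaker than min_bits.
    """
    suites = expand_cipher_string(cipher_string)
    if suites is None:
        return {"valid": False, "suites": [], "anonymous": [], "below_min": []}
    return {
        "valid": True,
        "suites": [s["name"] for s in suites],
        "anonymous": [s["name"] for s in suites if "Au=None" in s["description"]],
        "below_min": [s["name"] for s in suites if s["strength_bits"] < min_bits],
    }


if __name__ == "__main__":
    # The default list from Step 5, the example string, and a constructed typo.
    for candidate in ("ALL:!ADH:!EXPORT:!SSLv2:!LOW:+HIGH:+MEDIUM",
                      "HIGH:MEDIUM:!ADH",
                      "HGIH:MEDUIM:!ADH"):
        report = audit_cipher_string(candidate)
        print(candidate, "->", "OK" if report["valid"] else "REJECTED",
              len(report["suites"]), "suites; anonymous:", report["anonymous"],
              "; below 128 bits:", report["below_min"])
```

Note that "!ADH" removes only anonymous DH; on OpenSSL builds that also offer anonymous ECDH suites, the broader "!aNULL" keyword from the same cipher-string syntax excludes every unauthenticated suite, which the audit's "anonymous" list will show.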

Now you can configure the virtual web application or virtual service object to use the port. For example, for a virtual web application, perform these steps:
