Step 1 Click Virtual Web Applications on the navigation menu.
Step 2 Select the basic virtual service object or handler for the service for which you would like to secure traffic.
Step 3 Click Edit next to the Consumer Interface heading of the properties page for the virtual service.
Step 4 For the Port value, choose the port you just configured for SSL from the list.
Step 5 Click Save Changes to commit the changes to the active subpolicy.
This completes the client-side SSL configuration. Deploy the policy to have the changes take effect at the Firewall.
Securing the Service Provider Connection
You can configure SSL encryption for connections between the ACE Web Application Firewall and backend service providers.
To secure the backend server connection, you’ll need to have the appropriate security resource for verifying the server certificate, either a remote server certificate or the certificate of the trusted CA used by the remote server. To specify trust for a CA, you need to import its certificate in the policy. By default, the policy contains no preloaded CA certificates.
Note that the ACE Web Application Firewall also supports bilateral SSL, in which the ACE Web Application Firewall authenticates itself to the backend system. To use bilateral SSL, you’ll need to have the ACE Web Application Firewall’s public/private keypair loaded to the ACE Web Application Firewall Manager.
To configure bilateral SSL:
Step 1 Click the Destination HTTP Servers link in the navigation menu.
Step 2 If the server for which you want to configure SSL already exists, click the view link for that server. If the server does not appear in the server list, click the Add a New Server button and configure the backend server as described in “Adding a Destination HTTP Server” section on page 9-76.
Step 3 In the Edit Server page, click the Edit link next to the general settings heading.
Step 4 To have communication with the server occur over an SSL channel, enable the SSL option. The controls for configuring the SSL channel are enabled.
Step 5 In bilateral SSL, the server asks clients (the ACE Web Application Firewall, in this case) to authenticate themselves as part of the SSL negotiation. If it does, you can specify the client public/private keypair to use from the If requested, use client public/private keypair menu.
Step 6 Specify how the ACE Web Application Firewall should verify certificates that the server presents:
• To accept any certificate the web service presents, leave the Require remote server certificate signed by this CA certificate option at its default value, none. With this setting the ACE Web Application Firewall accepts any certificate the server presents, without verifying it.
• To accept any certificate that a specified Certificate Authority (CA) has signed, with the Require remote server certificate signed by this CA certificate option selected, choose one or more CAs listed in the menu. If the certificate does not appear in the menu, choose Upload and add the certificate to the ACE Web Application Firewall Manager’s list of Trusted Certificate Authorities.
Chapter 10 Securing Traffic with SSL/TLS Securing the Service Provider Connection
• To accept a certificate identical to a particular certificate, click Require a certificate from the remote server that is identical to this certificate and choose the certificate from the menu. If the certificate does not appear in the menu, choose Upload and add the certificate to the ACE Web Application Firewall Manager’s list of remote server certificates.
Step 7 During SSL connection setup, the ACE Web Application Firewall and backend server negotiate various parameters of the connection, including which SSL Cipher Suite to use for message encryption or authentication. By default, the ACE Web Application Firewall is not selective about which cipher suite it will accept. It will accept most encryption algorithms, including those using 64- or 56-bit keys. You can limit the cipher suites that the ACE Web Application Firewall will accept in establishing the connection to the backend server by choosing custom in the SSL Cipher Suite menu. In the text field that appears, enter the cipher suites to use for the server connection in standard OpenSSL Cipher string format, as described here: http://www.openssl.org/docs/apps/ciphers.html
For example, to permit only algorithms whose keys are 128 bits or longer, and to exclude anonymous Diffie-Hellman (ADH) suites, enter the following in the text field:
HIGH:MEDIUM:!ADH
This is equivalent to specifying the following:
DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:AES256-SHA:EDH-RSA-DES-CBC3-SHA:EDH-DSS-DES-CBC3-SHA:DES-CBC3-SHA:DES-CBC3-MD5:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA:AES128-SHA:DHE-DSS-RC4-SHA:KRB5-RC4-MD5:KRB5-RC4-SHA:RC4-SHA:RC4-MD5:RC2-CBC-MD5:RC4-MD5:KRB5-DES-CBC3-MD5:KRB5-DES-CBC3-SHA
If the server is not capable of using one of the SSL Cipher Suites you configure, connection negotiation fails and the incident is recorded in the event log.
Note Use care in typing the cipher suite in the field. The ACE Web Application Firewall Manager web console does not verify the value you enter. If you mistype or otherwise enter a meaningless value, the Firewall will be unable to connect to the server.
Step 8 Click Save Changes to finish the server configuration.
The SSL configuration is now complete. After deploying the policy, virtual services that rely on the configured server will now use SSL to communicate with the backend server.
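The SSL Cipher Suite field is interpreted by OpenSSL's cipher-list rules, and the console does not validate what you type. The following Python evaluator is an added illustration (not part of the ACE product or of OpenSSL) that applies those rules to a constructed sample of suites, so a string such as HIGH:MEDIUM:!ADH can be sanity-checked for typos and for unintended suites before it is entered; the suite table and strength cut-offs are simplified assumptions.

```python
# Evaluator for the OpenSSL cipher-string subset used in the SSL Cipher Suite
# field: ':' separates items, '!' deletes permanently, '-' deletes but allows a
# later item to re-add, '+' moves matches to the end, a bare item appends.
# Hypothetical example; the suite table is constructed, not OpenSSL's list.
from dataclasses import dataclass

@dataclass(frozen=True)
class Suite:
    name: str
    auth: str   # "none" marks anonymous (unauthenticated) DH
    bits: int   # symmetric key length

SUITES = [  # constructed sample; names follow OpenSSL conventions
    Suite("DHE-RSA-AES256-SHA", "RSA", 256),
    Suite("AES256-SHA", "RSA", 256),
    Suite("DES-CBC3-SHA", "RSA", 168),
    Suite("DHE-RSA-AES128-SHA", "RSA", 128),
    Suite("AES128-SHA", "RSA", 128),
    Suite("ADH-AES128-SHA", "none", 128),
    Suite("DES-CBC-SHA", "RSA", 56),
]

# Strength groups simplified from the openssl ciphers(1) definitions.
KEYWORDS = {
    "ALL": lambda s: True,
    "HIGH": lambda s: s.bits > 128,
    "MEDIUM": lambda s: s.bits == 128,
    "LOW": lambda s: s.bits < 128,
    "ADH": lambda s: s.auth == "none",
}

def evaluate(spec):
    """Return suite names selected by spec, in preference order.
    Raises ValueError on an unknown keyword: the check the console skips."""
    selected, killed = [], set()
    for item in filter(None, spec.split(":")):
        op, word = (item[0], item[1:]) if item[0] in "!-+" else ("", item)
        if word not in KEYWORDS:
            raise ValueError(f"unknown cipher keyword: {word!r}")
        hit = [s for s in SUITES if KEYWORDS[word](s)]
        if op == "!":                      # permanent removal
            killed.update(hit)
            selected = [s for s in selected if s not in hit]
        elif op == "-":                    # removal that a later item may undo
            selected = [s for s in selected if s not in hit]
        elif op == "+":                    # move matches to the end of the list
            selected = [s for s in selected if s not in hit] + [s for s in selected if s in hit]
        else:                              # append matches not yet listed or killed
            selected += [s for s in hit if s not in selected and s not in killed]
    return [s.name for s in selected]
```

Running evaluate("HIGH:MEDIUM:!ADH") against the sample shows the 56-bit DES suite and the anonymous DH suite dropped, while a misspelled keyword raises immediately instead of silently breaking the backend connection.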