Forum Discussion

ghost-rider_124's avatar
ghost-rider_124
Icon for Nimbostratus rankNimbostratus
Jun 02, 2016

ASM and Web Service Security

Hello

 

I am planning to put web service (XML) on F5 for LTM/ASM. But web service security (encryption/hashing of XML payload) already implemented on server. So there is any benefit of ASM here bcs it will see only the encrypted payload.

 

application delivery
ASM Advanced WAF
BIG-IP
  • Yann_Desmarest_'s avatar
    Yann_Desmarest_
    Jun 02, 2016

    Hi,

     

    Is the full xml payload encrypted or just some parts ?

     

    If you import key used for enc on the ASM, you will be able to parse the payload and apply related security check with the use of xml profile.

     

    Otherwise, ASM will not be able to check content but only url, headers and method

     

13 Replies

Sort By
  • Yann_Desmarest_'s avatar
    Yann_Desmarest_
    Icon for Nacreous rankNacreous
    Jun 02, 2016

    Hi,

     

    Is the full xml payload encrypted or just some parts ?

     

    If you import key used for enc on the ASM, you will be able to parse the payload and apply related security check with the use of xml profile.

     

    Otherwise, ASM will not be able to check content but only url, headers and method

     

    • ghost-rider_124's avatar
      ghost-rider_124
      Icon for Nimbostratus rankNimbostratus
      Jun 02, 2016
      thank you. There is option in XML profile, web security service, use client/server certificate. This certificate will be single certificate from server? Then what about on server, should I disable encryption if I am doing on F5?
    • Yann_Desmarest_'s avatar
      Yann_Desmarest_
      Icon for Nacreous rankNacreous
      Jun 02, 2016
      It's up to you. But yes that's a possibility. F5 can be the endpoint that decrypt the xml content and forward it in clear text to the backend
    • ghost-rider_124's avatar
      ghost-rider_124
      Icon for Nimbostratus rankNimbostratus
      Jun 02, 2016
      If I want encryption also between f5 and server, what I need to do? I mean where I have to install the server certificate as client on F5
  • Yann_Desmarest's avatar
    Yann_Desmarest
    Icon for Cirrus rankCirrus
    Jun 02, 2016

    Hi,

     

    Is the full xml payload encrypted or just some parts ?

     

    If you import key used for enc on the ASM, you will be able to parse the payload and apply related security check with the use of xml profile.

     

    Otherwise, ASM will not be able to check content but only url, headers and method

     

    • ghost-rider_124's avatar
      ghost-rider_124
      Icon for Nimbostratus rankNimbostratus
      Jun 02, 2016
      thank you. There is option in XML profile, web security service, use client/server certificate. This certificate will be single certificate from server? Then what about on server, should I disable encryption if I am doing on F5?
    • Yann_Desmarest's avatar
      Yann_Desmarest
      Icon for Cirrus rankCirrus
      Jun 02, 2016
      It's up to you. But yes that's a possibility. F5 can be the endpoint that decrypt the xml content and forward it in clear text to the backend
    • ghost-rider_124's avatar
      ghost-rider_124
      Icon for Nimbostratus rankNimbostratus
      Jun 02, 2016
      If I want encryption also between f5 and server, what I need to do? I mean where I have to install the server certificate as client on F5
  • Yann_Desmarest's avatar
    Yann_Desmarest
    Icon for Cirrus rankCirrus
    Jun 05, 2016

    Hi,

    Here is sentence that best describe the use of client and server certificate in web services security : 

    Server Certificates
Decrypt SOAP messages from a web client to a web service, or sign SOAP messages from a web service back to a web client.
Client Certificates
Encrypt SOAP messages from a web service to a web client, or verify SOAP messages from a web client to a web service.

    In the server certificates part, you need to put the private key and certificate that is currently on your backend server

    In the client certificates part, you need to upload the certificate used by the client to sign the xml body.

    If, in your case there is no signature, just encryption, you need to use server certificates only.