Forum Discussion
NimbostratusSSL offload in LTM VS web service security in XML profile
Hello Experts
I am hosting web service on F5 with ASM. To enable encryption between client and F5 for xml web service, I believe if I enable SSL off loading (https) in LTM then all communication will be encrypted so why there is explicit setting like web service security for SOAP? Also I am using mix of both SOAP and JSON. So What should I use? only https or both https and web service security
Hi,
In ASM, you can check compliance, Validate schema, inspect attachment, check for attack signatures, mask sensitive data, encrypt and sign XML content using XML profiles.
SSL offloading is to encrypt the transport channel (headers+body). You can also force the xml body to be encrypted/signed using the "Web Services Security" feature in the xml profile. There is no options to encrypt JSON body in ASM.
It's up to you, you can rely on https encryption only using client ssl profile or add xml body or part of body (sensitive data) encryption above to have additional security.
10 Replies
Yann_DesmarestCirrus
Hi,
In ASM, you can check compliance, Validate schema, inspect attachment, check for attack signatures, mask sensitive data, encrypt and sign XML content using XML profiles.
SSL offloading is to encrypt the transport channel (headers+body). You can also force the xml body to be encrypted/signed using the "Web Services Security" feature in the xml profile. There is no options to encrypt JSON body in ASM.
It's up to you, you can rely on https encryption only using client ssl profile or add xml body or part of body (sensitive data) encryption above to have additional security.
ghost-rider_124thanks. But XML body will not be in https body? Can you please elaborate more.- Yann_DesmarestYes xml body is in the https payload. SSL is used to encrypt the session (tcpip stack) so you encrypt the full request. When decrypting the full request using ssl profiles, you can view the http request headers and body. XML encryption is an Application level encryption so even if you decrypted the ssl, using xml enc, you can still protect the http body that contains the xml doc
- ghost-rider_124Thanks for your reply. But when we are using SSL to encrypt header + body then whats the point to encrypt again body using XML encryption?
Yann_Desmarest_Nacreous
Hi,
In ASM, you can check compliance, Validate schema, inspect attachment, check for attack signatures, mask sensitive data, encrypt and sign XML content using XML profiles.
SSL offloading is to encrypt the transport channel (headers+body). You can also force the xml body to be encrypted/signed using the "Web Services Security" feature in the xml profile. There is no options to encrypt JSON body in ASM.
It's up to you, you can rely on https encryption only using client ssl profile or add xml body or part of body (sensitive data) encryption above to have additional security.
- ghost-rider_124thanks. But XML body will not be in https body? Can you please elaborate more.
- Yann_Desmarest_Yes xml body is in the https payload. SSL is used to encrypt the session (tcpip stack) so you encrypt the full request. When decrypting the full request using ssl profiles, you can view the http request headers and body. XML encryption is an Application level encryption so even if you decrypted the ssl, using xml enc, you can still protect the http body that contains the xml doc
- ghost-rider_124Thanks for your reply. But when we are using SSL to encrypt header + body then whats the point to encrypt again body using XML encryption?
