SSL offload in LTM VS web service security in XML profile
I am hosting web service on F5 with ASM. To enable encryption between client and F5 for xml web service, I believe if I enable SSL off loading (https) in LTM then all communication will be encrypted so why there is explicit setting like web service security for SOAP? Also I am using mix of both SOAP and JSON. So What should I use? only https or both https and web service security
In ASM, you can check compliance, Validate schema, inspect attachment, check for attack signatures, mask sensitive data, encrypt and sign XML content using XML profiles.
SSL offloading is to encrypt the transport channel (headers+body). You can also force the xml body to be encrypted/signed using the "Web Services Security" feature in the xml profile. There is no options to encrypt JSON body in ASM.
It's up to you, you can rely on https encryption only using client ssl profile or add xml body or part of body (sensitive data) encryption above to have additional security.