ghost-rider_124
Jun 01, 2016
Solved

SSL offload in LTM VS web service security in XML profile

Hello Experts

I am hosting a web service on F5 with ASM. To enable encryption between the client and F5 for the XML web service, I believe that if I enable SSL offloading (https) in LTM then all communication will be encrypted, so why is there an explicit setting like web service security for SOAP? Also, I am using a mix of both SOAP and JSON. So what should I use: only https, or both https and web service security?

  • Hi,

    In ASM, you can check compliance, validate schema, inspect attachments, check for attack signatures, mask sensitive data, and encrypt and sign XML content using XML profiles.

    SSL offloading is to encrypt the transport channel (headers+body). You can also force the XML body to be encrypted/signed using the "Web Services Security" feature in the XML profile. There is no option to encrypt the JSON body in ASM.

    It's up to you: you can rely on https encryption only, using a client SSL profile, or add encryption of the XML body or part of the body (sensitive data) on top to have additional security.

10 Replies

    • ghost-rider_124
      Thanks. But will the XML body not be in the https body? Can you please elaborate more?
    • Yann_Desmarest
      Yes, the XML body is in the https payload. SSL is used to encrypt the session (tcpip stack) so you encrypt the full request. When decrypting the full request using SSL profiles, you can view the HTTP request headers and body. XML encryption is an application-level encryption, so even if you decrypted the SSL, using xml enc, you can still protect the HTTP body that contains the XML doc.
    • ghost-rider_124
      Thanks for your reply. But when we are using SSL to encrypt header + body, then what's the point of encrypting the body again using XML encryption?
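
The difference between transport and message-level protection discussed in this thread, as an added example that is not part of the original posts and is not F5 code: it lists which fields any hop behind the SSL offload point can read in a SOAP body with and without XML Encryption, and in a JSON body. The function name, element names and sample bodies are constructed for illustration.

```python
import json
import xml.etree.ElementTree as ET

XENC = "http://www.w3.org/2001/04/xmlenc#"      # W3C XML Encryption namespace
DSIG = "http://www.w3.org/2000/09/xmldsig#"     # W3C XML Signature namespace
SOAP = "http://schemas.xmlsoap.org/soap/envelope/"

# Constructed sample bodies, as a hop sees them once TLS has been terminated.
SOAP_TLS_ONLY = f"""<s:Envelope xmlns:s="{SOAP}"><s:Body><Payment>
  <Card>4111111111111111</Card><Amount>10</Amount>
</Payment></s:Body></s:Envelope>"""
SOAP_TLS_PLUS_XMLENC = f"""<s:Envelope xmlns:s="{SOAP}" xmlns:xenc="{XENC}"><s:Body><Payment>
  <xenc:EncryptedData Type="{XENC}Element"><xenc:CipherData>
    <xenc:CipherValue>Q09OU1RSVUNURUQ=</xenc:CipherValue>
  </xenc:CipherData></xenc:EncryptedData>
  <Amount>10</Amount>
</Payment></s:Body></s:Envelope>"""
JSON_TLS_ONLY = '{"payment": {"card": "4111111111111111", "amount": 10}}'


def _json_leaves(node, path=""):
    """Yield the path of every scalar value in a decoded JSON document."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield from _json_leaves(value, f"{path}/{key}")
    elif isinstance(node, list):
        for index, value in enumerate(node):
            yield from _json_leaves(value, f"{path}/{index}")
    else:
        yield path


def visible_after_tls_offload(body, content_type):
    """Report which fields are readable in a body once TLS has been removed."""
    if "json" in content_type:
        leaves = sorted(_json_leaves(json.loads(body)))
        return {"readable": leaves, "encrypted_blocks": 0, "signed": False}
    root = ET.fromstring(body)  # sample input only; use a hardened parser for untrusted XML
    readable, encrypted, stack = [], 0, [root]
    while stack:
        element = stack.pop()
        if element.tag == f"{{{XENC}}}EncryptedData":
            encrypted += 1      # opaque without the decryption key: do not descend
            continue
        children = list(element)
        if not children and (element.text or "").strip():
            readable.append(element.tag.rsplit("}", 1)[-1])
        stack.extend(children)
    signed = root.find(f".//{{{DSIG}}}Signature") is not None
    return {"readable": sorted(readable), "encrypted_blocks": encrypted, "signed": signed}
```

With TLS only, the card field is readable in both the SOAP and the JSON body after offload; with element-level XML Encryption only the unencrypted `Amount` remains readable.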