Encryption error - SAML assertion: response is not encrypted
We are trying to configure out APM with Azure SAML authentication. After login on and succedded we can an error and the logs show the following: modules/Authentication/Saml/SamlSPAgent.cpp: 'verifyAssertionSignature()': 5374: Verification of SAML signature #2 succeeded ----------------------- SAML2Websak_act_saml_auth_ag failed to parse assertion, error: Response is not encrypted ...................... a6559abf: Following rule 'fallback' from item 'SAML Auth' to ending 'Deny' As a result the login is Denied. Is this related to the certificate or RSA encryption? We have tried various options but it comes back to the same error
encryption with AES/CRYPTO - how to securely store the encryption key
Dear All, I need to encrypt/decrypt some sensitive data which is permanently stored in a datagroup. Is there a way to store the encryption key so that it remained accessible from an iRule but at the same time was not present in the code? I anticipate that absolute security is problematic here (if such a thing exists at all :)) but what would be the most secure way of doing this on BigIP? Ideal scenario would be to generate a key programmatically and store it somewhere on the BigIP file system (or separate admin partition) so that it was accessible to a specific iRule (ideally just one rule) but was not accessible from GUI/CLI. The iRule then could be signed with a certificate stored on HSM and any modifications to the iRule would be captured in the audit log, syslog and eventually SIEM which is ran by our SOC. The key needs to be hidden if not from all user accounts but at least from all except one "break-glass" account whose use and credentials would be strictly controlled (administratively). Or maybe I'm trying to invite a bicycle and it may be possible to easily use HSM to store symmetric keys? Any thoughts would be very much appreciated!
ICAP Over HTTPS
So we have some conflicting requirements where our applications that require end to end encryption are also required to ICAP uploaded files to our Content Analysis platform. The Content Analysis platform will sandbox and scan files for malicious content and supports ICAP over HTTPS through port 11344. However as far as I can tell the F5 ASM only supports sending traffic over HTTP to ICAP on 1344 (or other HTTP ports). Is anyone aware of a work around to do ICAP over HTTPS so that these files are never sent in the clear? This is critical if we are going to be able to meet customer requirements. Can any F5 employees chime in if this is a planned future feature? We are currently on 12.1.2.
Enterprise Manager - UCS Archive Encryption
Hi all When Enterprise Manager creates a UCS archive of a managed device is there a way to encrypt this file as you can on the other BIG-IP products? From what I can see you can't, which is a pain as our security governance team has stated that if we wish to backup the UCS archives on EM and also backup the private keys, then the UCS archive must at a minimum be encrypted itself. From what I gather EM does not fetch a precompiled UCS archive from the managed device but rather creates a UCS archive itself, yet doesn't provide an option to decrypt. Perhaps I've missed something so would appreciate some advice. Thank youcookie encyption passphrase
I realize this is a pretty basic question so don't skewer me. I want to enable cookie encryption which seems like a very painless process, but I'm just curious as to what the cookie encryption passphrase is used for? is this going to be needed to be given out to users? whats the use and when is it utilized? further configuration needed on other devices for it? any and all help is always appreciated.Reencryption, what if the certificate on the server expires ?
We use Re-encryption to a web site. SSL offload and then re-encrypt to web server. The re-encryption is not that important but a requirement, wondered what would happen if the Server certificate should expire ( the last certificate ) client --> LTM --> Server Would LTM still re-encrypt using the expired certificate on the server?Encrypting local cookies
Hi We're testing a new switcboard solution. It uses a webpage that stores a cookie on clients with information that we want to be encrypted. Found an option in the http profile and another iRule option, but both options require a cookie-name. These cookies comes with different names depeding on the client that receives it, so I wonder if it was possible to encrypt all cookies. This is not the same as secure cookie response, in this case we want to actually encrypt the cookie stored on clients with a passphrase.
128 bit encryption for citrix connections
We'd like to up the TLS encryption key size to 256 from 128 for our citrix connections. I'm assuming a change needs to be made to the client SSL profile, specifically the cipher, which is currently set to DEFAULT. I understand this setting to be defined as COMPAT+HW:@SPEED, the speed option possibly telling the client to use aes 128 instead of 256 for faster speeds (I am not entirely familiar with the string definitions here). Is this as simple as separating preferences by a colon, and then !sslv2? How to force 256 bit? -GR
