This is a howto for setting up mutual SSL authentication between Airlock WAF and a back-end server. With mutual SSL authentication both parties, the Airlock WAF and the back-end server, can be certain that they are communicating with the trusted endpoint (a man-in-the-middle attack is mitigated).
-----BEGIN RSA PRIVATE KEY-----
MIIEpAIBAAKCAQEAutxnTm+4qp0pO/aqo5u8CMUQFuz2Ee2OdN3GV5dKyHopY1ZE
efiTn9dsSO/XfXQTDBE9cz2qekspTHM/7rdwyhDcMNZoB0Mxm7MnAXA3tWg7SrU4
...
wMwB7LL/cy3BgPz338yOAI4Sg9HpJnAAUBx9AlicqtWxu+vlMVQhWXjAzTiamXgZ
45zeBiPnEbittcDF7QfMCCvVnBWxFowtgp4tK2wNL1iF1wFMcw4Snw==
-----END RSA PRIVATE KEY-----
chmod 040 /opt/airlock/custom-settings/gatekeeper/*.pem
chown fown:sg /opt/airlock/custom-settings/gatekeeper/*.pem
The settings below define whether Airlock WAF verifies the back-end server certificate, and how strictly.
BackendSSLServerCA
The file contains one or more CA certificates in the PEM format. To successfully establish a connection, the back-end server certificate must be signed by at least one of those certificate authorities.
BackendSSLVerifyHost
If BackendSSLVerifyHost is set to TRUE, the common name (CN) in the back-end server certificate must match the Host header that is sent to the back-end server. Keep in mind that the Airlock WAF Response Action "Rewrite Host Header" directly changes this value and can therefore cause the verification to fail. The default of this setting is TRUE.
BackendSSLServerCA "/opt/airlock/custom-settings/gatekeeper/backend_server_ca.pem"
BackendSSLClientCert "/opt/airlock/custom-settings/gatekeeper/backend_client_cert.pem"
BackendSSLClientCertKey "/opt/airlock/custom-settings/gatekeeper/backend_client_cert_key.pem"
BackendSSLVerifyHost "TRUE"
This configuration, including the uploaded files, survives activations, reboots and updates. Only after a fresh Airlock WAF installation are the uploaded files no longer available. Since the files are not part of the configuration zip file that can be exported through the Airlock WAF Configuration Center, make sure they are backed up separately.
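Before activating the configuration above it is worth checking, outside the WAF, that the three PEM files actually fit together and that the back-end certificate will pass the BackendSSLVerifyHost rule for the Host header the back-end will really receive (after any "Rewrite Host Header" action). The script below is an added example and not an Airlock tool; it assumes only the openssl command line and a PEM copy of the back-end server certificate (for instance supplied by the server operator). The file names and the host name backend.example.internal in the usage comment are constructed placeholders, not values from the original page.

```shell
#!/bin/sh
# Pre-activation check for the PEM files referenced by the BackendSSL* settings.
# Added example, not part of Airlock WAF. Needs only the openssl CLI and mirrors
# what the settings on this page require:
#   - BackendSSLClientCert and BackendSSLClientCertKey must belong together,
#   - BackendSSLServerCA must have signed the back-end server certificate,
#   - with BackendSSLVerifyHost TRUE, the back-end certificate must match the
#     Host header Airlock WAF sends (a "Rewrite Host Header" action changes it).
#
# Usage: check_backend_ssl CA_PEM CLIENT_CERT_PEM CLIENT_KEY_PEM BACKEND_CERT_PEM HOST_HEADER
# Returns 0 only when every FAIL-level check passes; WARN lines do not fail it.
check_backend_ssl() {
  ca=$1; client_cert=$2; client_key=$3; backend_cert=$4; host=$5
  status=0

  # Files must be readable by us; the howto installs them with mode 040, so a
  # world-readable key is worth a warning.
  for f in "$ca" "$client_cert" "$client_key" "$backend_cert"; do
    if [ ! -r "$f" ]; then
      echo "FAIL: cannot read $f"; status=1
    elif [ "$(ls -ld "$f" | cut -c8)" = "r" ]; then
      echo "WARN: $f is world-readable"
    fi
  done
  [ "$status" -eq 0 ] || return 1

  # 1. Client certificate and private key must carry the same public key,
  #    otherwise the handshake to the back-end fails at client authentication.
  cert_pub=$(openssl x509 -in "$client_cert" -noout -pubkey 2>/dev/null || true)
  key_pub=$(openssl pkey -in "$client_key" -pubout 2>/dev/null || true)
  if [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]; then
    echo "OK:   BackendSSLClientCert and BackendSSLClientCertKey match"
  else
    echo "FAIL: client certificate and key do not belong together"; status=1
  fi

  # 2. Chain and host name in one step: the back-end certificate must chain to
  #    BackendSSLServerCA, and its CN (or DNS SAN) must equal the Host header.
  if openssl verify -CAfile "$ca" -verify_hostname "$host" "$backend_cert" >/dev/null 2>&1; then
    echo "OK:   back-end certificate chains to BackendSSLServerCA and matches Host '$host'"
  else
    echo "FAIL: back-end certificate does not verify against BackendSSLServerCA for Host '$host'"
    status=1
  fi

  # 3. Validity window: an expired certificate fails; one that expires within
  #    30 days only warns so renewal can be scheduled before the WAF breaks.
  for f in "$client_cert" "$backend_cert"; do
    if ! openssl x509 -in "$f" -noout -checkend 0 >/dev/null 2>&1; then
      echo "FAIL: $f has expired"; status=1
    elif ! openssl x509 -in "$f" -noout -checkend 2592000 >/dev/null 2>&1; then
      echo "WARN: $f expires within 30 days"
    fi
  done

  return "$status"
}

# Run directly with five arguments, e.g. (placeholder host name):
#   sh check_backend_ssl.sh backend_server_ca.pem backend_client_cert.pem \
#      backend_client_cert_key.pem backend_server.pem backend.example.internal
if [ "$#" -eq 5 ]; then
  check_backend_ssl "$@"
fi
```

Run it as the same user that owns the files after the chmod/chown step so the readability check reflects what the gatekeeper process will see. One caveat on the host check: openssl verify prefers DNS subjectAltNames and only falls back to the CN when the certificate has none, so a certificate whose SAN and CN disagree should still be read against the CN rule described for BackendSSLVerifyHost above.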