
Back-end Client Certificates

This is a how-to for setting up mutual SSL authentication between Airlock WAF and a back-end server. With mutual SSL authentication each party verifies the other's certificate: Airlock WAF checks the back-end server certificate against a trusted CA, and the back-end server checks the client certificate that Airlock WAF presents. Both parties can therefore be certain that they are communicating with the intended endpoint, which mitigates man-in-the-middle attacks on the back-end connection.

  • Configure the back-end server to listen for HTTPS and to require an SSL client certificate.
  • Create an SSL client certificate and its private key in the PEM format for Airlock WAF. The certificate and the key are separate files; the certificate file begins with "-----BEGIN CERTIFICATE-----", and the private key file looks like this (example, truncated):

    -----BEGIN RSA PRIVATE KEY-----
    MIIEpAIBAAKCAQEAutxnTm+4qp0pO/aqo5u8CMUQFuz2Ee2OdN3GV5dKyHopY1ZE
    efiTn9dsSO/XfXQTDBE9cz2qekspTHM/7rdwyhDcMNZoB0Mxm7MnAXA3tWg7SrU4
    ...
    wMwB7LL/cy3BgPz338yOAI4Sg9HpJnAAUBx9AlicqtWxu+vlMVQhWXjAzTiamXgZ
    45zeBiPnEbittcDF7QfMCCvVnBWxFowtgp4tK2wNL1iF1wFMcw4Snw==
    -----END RSA PRIVATE KEY-----

  • Upload the files backend_server_ca.pem, backend_client_cert.pem and backend_client_cert_key.pem to the directory /opt/airlock/custom-settings/gatekeeper/ on Airlock WAF by using scp.
  • Sign in on the Airlock WAF console as root
  • Run the following commands:

    chmod 040 /opt/airlock/custom-settings/gatekeeper/*.pem
    chown fown:sg /opt/airlock/custom-settings/gatekeeper/*.pem

    The settings below define whether and how Airlock WAF verifies the back-end server certificate.

    BackendSSLServerCA
    The file contains one or more CA certificates in the PEM format. To successfully establish a connection, the back-end server certificate must be signed by one of those certificate authorities; otherwise the connection to the back-end fails.

    BackendSSLVerifyHost
    If BackendSSLVerifyHost is set to TRUE, the common name (CN) in the back-end server certificate must match the Host header that Airlock WAF sends to the back-end server. Keep in mind that the Airlock WAF Response Action "Rewrite Host Header" changes exactly this value, so a rewritten Host header that does not match the certificate's CN causes the verification to fail. The default of this setting is TRUE.

  • Configure either globally or only in the Back-end Group the following Expert-Settings:
    • An example of a global configuration which can be done in "Airlock WAF Configuration Center -> Expert Settings -> Security Gate / Apache -> Security Gate"

      SecurityGateway * BackendSSLServerCA "/opt/airlock/custom-settings/gatekeeper/backend_server_ca.pem"
      SecurityGateway * BackendSSLClientCert "/opt/airlock/custom-settings/gatekeeper/backend_client_cert.pem"
      SecurityGateway * BackendSSLClientCertKey "/opt/airlock/custom-settings/gatekeeper/backend_client_cert_key.pem"
      SecurityGateway * BackendSSLVerifyHost "TRUE"

      The global setting BackendSSLVerifyHost "TRUE" ensures that Airlock WAF always verifies the host name in the back-end server certificate, even if the factory default changes.

    • An example of a Back-end Group specific configuration which can be done in "Airlock WAF Configuration Center -> Application Firewall -> <Back-end Group> -> Expert Settings -> Security Gate"

      BackendSSLServerCA "/opt/airlock/custom-settings/gatekeeper/backend_server_ca.pem"
      BackendSSLClientCert "/opt/airlock/custom-settings/gatekeeper/backend_client_cert.pem"
      BackendSSLClientCertKey "/opt/airlock/custom-settings/gatekeeper/backend_client_cert_key.pem"
      BackendSSLVerifyHost "TRUE"

      The setting BackendSSLVerifyHost "TRUE" ensures that the Back-end server certificate is verified no matter what the global Airlock WAF default of this setting is (either the factory or custom defaults).
  • Activate

    This configuration, including the uploaded files, is activation-, reboot- and update-resistant. Only after a fresh Airlock WAF installation are the uploaded files no longer available. Since the files are not part of the configuration zip file that can be exported through the Airlock WAF Configuration Center, make sure they are backed up separately.
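    The script below is an added example and is not part of this how-to or of Airlock WAF. It runs the checks a practitioner wants before uploading the three PEM files: that each file is well-formed PEM of the expected kind (a truncated END marker such as "-----END RSA PRIVATE KEY----" is caught), that the client key belongs to the client certificate, that the back-end server certificate chains to backend_server_ca.pem as BackendSSLServerCA will require, and optionally that a handshake with the client certificate and the Host value Airlock WAF will send succeeds, which mirrors BackendSSLVerifyHost "TRUE". It needs only POSIX sh and the openssl command-line tool. The file names, host, port and the fown:sg ownership check come from this page; everything else (the function names, the server certificate file, the HOST_HEADER argument) is a placeholder you substitute. OpenSSL's host-name check consults the SAN first and falls back to the CN, so mtls_probe approximates, rather than exactly reproduces, the CN match described above.

```shell
#!/bin/sh
# pem_check.sh - pre-flight checks for BackendSSLServerCA, BackendSSLClientCert
# and BackendSSLClientCertKey files. Added example, not Airlock WAF tooling.
# Assumptions (hypothetical): POSIX sh, openssl CLI, and for mtls_probe a
# back-end reachable from the host running this script.

# Label of the first PEM block in a file, e.g. "CERTIFICATE" or "RSA PRIVATE KEY".
pem_kind() {
    sed -n 's/^-----BEGIN \(.*\)-----$/\1/p' "$1" | head -n 1
}

# Number of PEM blocks in a file; a CA bundle may legitimately contain several.
pem_block_count() {
    grep -c '^-----BEGIN ' "$1" || true
}

# Succeeds if the file holds at least one block and every complete BEGIN line
# has a complete END line. A marker with only four trailing dashes fails here.
pem_well_formed() {
    b=$(grep -c '^-----BEGIN .*-----$' "$1" || true)
    e=$(grep -c '^-----END .*-----$' "$1" || true)
    [ "$b" -gt 0 ] && [ "$b" -eq "$e" ]
}

# Succeeds if the private key belongs to the certificate: both must yield the
# same public key. openssl pkey handles RSA and EC keys alike.
key_matches_cert() {
    c=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null | openssl sha256)
    k=$(openssl pkey -in "$2" -pubout 2>/dev/null | openssl sha256)
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# Succeeds if SERVER_CERT chains to one of the CAs in CA_FILE, which is what
# BackendSSLServerCA makes Airlock WAF require. The output is checked rather
# than the exit status because old openssl versions exit 0 on failure.
chain_ok() {
    openssl verify -CAfile "$1" "$2" 2>/dev/null | grep -q ': OK$'
}

# Succeeds if the file has the ownership and mode the how-to sets (fown:sg,
# 040). Only meaningful on the Airlock WAF host itself.
perms_ok() {
    [ -n "$(find "$1" -user fown -group sg -perm 040 2>/dev/null)" ]
}

# Performs the handshake Airlock WAF will perform: verify the server against
# CA_FILE, present the client certificate and key, and require that the server
# certificate matches HOST_HEADER, the name sent in the Host header (after any
# "Rewrite Host Header" action). A mismatch fails the way BackendSSLVerifyHost
# "TRUE" would. Usage: mtls_probe CA_FILE CERT KEY HOST PORT HOST_HEADER
mtls_probe() {
    openssl s_client -connect "$4:$5" -servername "$6" \
        -CAfile "$1" -cert "$2" -key "$3" \
        -verify_return_error -verify_hostname "$6" \
        </dev/null >/dev/null 2>&1
}

# Runs every offline check. Usage: main CA_FILE CLIENT_CERT CLIENT_KEY [SERVER_CERT]
main() {
    ca=$1; cert=$2; key=$3; server=${4:-}
    rc=0
    for f in "$ca" "$cert" "$key"; do
        pem_well_formed "$f" || { echo "malformed PEM: $f"; rc=1; }
    done
    [ "$(pem_kind "$ca")" = "CERTIFICATE" ] || { echo "not a certificate file: $ca"; rc=1; }
    [ "$(pem_kind "$cert")" = "CERTIFICATE" ] || { echo "not a certificate file: $cert"; rc=1; }
    case "$(pem_kind "$key")" in
        *"PRIVATE KEY") ;;
        *) echo "not a private key file: $key"; rc=1 ;;
    esac
    key_matches_cert "$cert" "$key" || { echo "key does not match certificate: $key"; rc=1; }
    if [ -n "$server" ]; then
        chain_ok "$ca" "$server" || { echo "server certificate does not chain to $ca"; rc=1; }
    fi
    return "$rc"
}

# Only run when invoked with arguments, so the file can also be sourced.
if [ "$#" -ge 3 ]; then
    main "$@"
fi
```

    Run it on a workstation before the scp step, for example as sh pem_check.sh backend_server_ca.pem backend_client_cert.pem backend_client_cert_key.pem backend_server.pem, and then call mtls_probe with the host and port of the back-end and the exact Host value Airlock WAF will send. A chain_ok failure means the back-end will be refused once BackendSSLServerCA is set; a probe that succeeds with the original host name but fails with the rewritten one is the "Rewrite Host Header" caveat described above. perms_ok is for a final check on the Airlock WAF host after the chmod and chown commands.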
