Manual Chapter :
Configuring Credential Protection
Applies To:
Show VersionsBIG-IP APM
- 15.0.0, 14.1.5, 14.1.4, 14.1.3, 14.1.2, 14.1.0
Configuring Credential Protection
Overview: Configuring credential protection
You can use Access Policy Manager (APM) together with a DataSafe profile to
protect logon credentials from potential man-in-the-middle attacks.
When you configure credential protection, credentials that users type on the login page are not
visible in browser developer tools.
In the example shown here, the password variable name is obfuscated, and the password value is
encrypted within the browser itself.
Here we describe how to add credential protection manually to a system that has an access
policy with a logon page specified.
For a simpler, automated setup procedure, you can instead follow the steps in
the Guided Configuration template for Credential Protection (
). You can still customize the components when you use Guided
Configuration.Before you begin configuring credential protection...
To configure advanced credential protection on BIG-IP Access Policy Manager,
you need to have Fraud Protection (FPS) provisioned.
You also need to have a system with
- A working access policy
- An access profile with a logon page for the policy
- An external virtual server with the access profile associated with it
For details on creating access policies, refer to the BIG-IP APM documentation
on AskF5 at support.f5.com.
Creating a service profile
You create a service profile to connect Access Policy
Manager with another F5 Module, in this case, to allow for credential protection using
DataSafe in access policies.
- On the Main tab, click.The Service profile list screen opens.
- ClickCreate.
- In theNamefield, typefps-service.
- ForParent Profile, leave it set to the default unless you want to inherit settings from another service profile. Then select the parent profile.
- Click theCustomcheck box to enable settings.
- From theTypelist, selectF5 Moduleto connect to another F5 service, in this case, Credential Protection.
- ClickFinished.
The
fps-service
profile is created. Later, you specify this service profile
on the internal virtual server.Next, you create a DataSafe
profile.
Creating a DataSafe profile for credential protection
To ensure proper application layer protection of
logon credentials for Access Policy Manager, you need a DataSafe profile with a URL
called
/my.policy
, and the
profile cannot allow login if encryption fails. To simplify your
work, Access Policy Manager includes a default profile called
access-logonpage-protection-datasafe
that protects all Access logon
pages. You can skip this task and just use the default. Here we show you where to
find the profile, describe its contents, and mention settings that you can
optionally edit.- On the Main tab, click.The DataSafe Profiles screen opens.
- In the list, clickaccess-logonpage-protection-datasafe.The DataSafe Profile Properties screen opens.
- You can review and edit the properties, however, you can use this profile as is to protect logon credentials.
- Optional: Click theCustomize Allcheck box to make the settings editable.
- Optional: If you previously created a Log Publisher for a remote Syslog server, select it from theLog Publisherlist.
- Optional: If you previously created a Log Publisher for the local Syslog server, select it from theLocal Log Publisherlist.
- You do not need to change any of theAdvancedsettings on the General Settings screen.The paths in the Advanced settings are automatically generated and only need to be changed if they conflict with paths used by your application (which is highly unlikely).The default DataSafe profile does not treat URLs as case-sensitive, and the Advanced setting that controls this cannot be changed after the policy is created. If you want to make URLs case-sensitive, you need to create a new DataSafe profile. In the Advanced settings, selectURLs are case sensitive.
- ClickURL List.The one URL listed/my.policy*is required for logon protection in Access policies. Do not change it.
- Click/my.policy*to see how it is configured.Values forusername,password,_F5_challenge, and_F5_verify_passwordparameters are set to be encrypted and obfuscated.
- In the my.policy URL, for theParameterssection, disable theObfuscatefor all paramaters.
- On the left, click.
- Ensure theis enabled.
- Ensure theis disabled.
- Copy the following function toto be run before JavaScript load:function(C){var org_submit = HTMLFormElement.prototype.submit;HTMLFormElement.prototype.submit = function(){var pass = this.elements.password;var oldFormPass = document.forms[0].elements.__password;if(pass && oldFormPass){pass.setAttribute('name', '__' + pass.name);pass.value = oldFormPass.value;}return org_submit.apply(this, arguments)}}
- Ensure thatAllow Login on Encryption Failureis not selected.Clearing this option sets the DataSafe profile to fail-close. This means that if, during the submit operation, DataSafe is unable to encrypt or decrypt the protected fields, credential protection remains in effect for the current user session. Also, all subsequent operations of sending credentials will be encrypted.When this option is disabled as it is for credential protection, it increases the risk of user account lockout in case of encryption/decryption failure of user credentials.
- If you changed any settings, clickSave.The DataSafe profile is saved.
You have viewed and optionally edited the
default DataSafe profile that you can use for credential protection in Access policies.
For more details on creating DataSafe profiles, refer to
BIG-IP DataSafe
Configuration
. Next, create an internal virtual server with which
you associate the DataSafe profile and other profiles required for credential
protection.
Creating an internal virtual server for credential
protection
Before you can perform this task, you need to have created a service profile of type
F5 Module.
An
internal
virtual server
provides a method for sending a request to another service. On
the BIG-IP system, you create an internal virtual server and assign the TCP, HTTP, and
service profiles to set up credential protection.- On the Main tab, click.The Virtual Server List screen opens.
- ClickCreate.The New Virtual Server screen opens.
- In theNamefield, type a name for the virtual server, such asfps-service-vs.
- From theTypelist, selectInternal.
- Next toConfiguration, selectAdvancedto display additional options.
- From theProtocollist, selectTCP.
- From theProtocol Profile (Client)list, selecttcp.
- From theHTTP Profile (client)list, selecthttp.
- From theService Profilelist, selectfps-service, the service profile of typeF5 Modulecreated previously.
- ForSource Address Translation, selectAutomap.
- Clear theAddress Translationcheck box to disable it.
- Clear thePort Translationcheck box to disable it.
- ClickFinished.
The internal virtual server for credential
protection is created.
Next, you associate the DataSafe profile with
the internal virtual server.
Associating a DataSafe profile with the internal virtual
server
Part of configuring credential protection on
Access Policy Manager requires that you associate a DataSafe profile with the internal
virtual server you created. Here we associate the default DataSafe profile included with
the system.
- On the Main tab, click.The Virtual Server List screen opens.
- Click the internal virtual server created for credential protection, such asfps-service-vs.
- On the menu bar, from the Security menu, choose Policies.
- From theAnti-Fraud Profilelist, selectEnabled, and then from theProfilelist, selectaccess-logonpage-protection-datasafe, the default DataSafe profile (or one you created for credential protection).
- ClickUpdateto save the changes.
The DataSafe profile is associated with the
internal virtual server.
Next, you create a connector profile to which
you can associate the internal virtual server.
Creating a connector profile for credential protection
You create a connector profile to connect
credential protection to both the internal and external virtual servers.
- On the Main tab, click.The New Connector Profile screen opens.
- In theNamefield, specify a unique name for the connector profile, such asfps-connector.
- From theParent Profilelist, retain the default value (connector), or select another existing profile of the same type.
- Click theCustomcheck box.
- From theEntry Virtual Serverlist, selectfps-service-vs, or the internal virtual server created for credential protection.
- Use defaults for the other settings.
- ClickFinished.
The connector profile is created.
Next, you associate this connector profile
with the standard (external) virtual server associated with the access
profile.
Associating the connector profile with the virtual server
You need to have a virtual server set up with an access profile associated with it.
The access profile needs to have a logon page for an access policy.
You associate a connector profile with the
standard (external) virtual server that requires credential protection.
- On the Main tab, click.The Virtual Server List screen opens.
- Click the standard access policy virtual server that needs credential protection.
- In the Configuration area, selectAdvanced.
- From theConnector Profilelist, select the profile you created for credential protection, such asfps-connector.
- ClickUpdateto save the changes.
The connector profile is associated with the
external virtual server that is protected by an access policy. The logon page in the
policy now has credential protection. The application is protected from
man-in-the-middle attacks.
You can test whether the credentials are
protected by inspecting the logon page while it is displayed in the browser. The
credentials that users type on the login page are not visible in browser inspection
tools.