Manual Chapter :
Adding BIG-IP
DataSafe to the BIG-IP System
Applies To:
Show VersionsBIG-IP ASM
- 17.1.0, 17.0.0, 16.1.5, 16.1.4, 16.1.3, 16.1.2, 16.1.1, 16.1.0, 16.0.1, 16.0.0
Adding BIG-IP
DataSafe to the BIG-IP System
BIG-IP
DataSafe
to the BIG-IP SystemOverview: Adding BIG-IP DataSafe to the
BIG-IP system
BIG-IP DataSafe
to the
BIG-IP systemBIG-IP®DataSafe™ provides two main types of security for
protecting your data:
- Encrypting Data on the Application Level:BIG-IP DataSafe allows you to configure data encryption on the application level, so that sensitive data entered by a user on the client-side is protected against attempted fraud attacks that occur in the web application. Application Layer Encryption protects against credential theft from man-in-the-middle (MITM) and man-in-the-browser (MITB) attacks, verifies whether a user is trying to use a fabricated password, and encrypts credentials in real-time, at the time that data is entered.
- Detecting automated manipulation of data in URL parameters and AJAX requests:BIG-IP DataSafe protects against MITB attacks where data is changed when sent from the client to the web application server, by determining if parameter values were changed by malware after they left the user's web browser for the server.
In order to use BIG-IP DataSafe in the BIG-IP system, you need to provision Fraud Protection
Service (FPS) for BIG-IP DataSafe, create a BIG-IP DataSafe profile, create a virtual server,
and associate the profile with that virtual server.
- The DataSafe Main JavaScript protects web applications with the content typetext/html. If your web application is based on a different content type, you cannot apply the DataSafe Main JavaScript protection on it.
- In most cases, the virtual server that you will create for your profile will be an SSL virtual server.
Provisioning Fraud Protection Service for BIG-IP DataSafe using the Configuration utility
You must provision Fraud Protection Service (FPS) for BIG-IP DataSafe before performing any of the other tasks for adding BIG-IP DataSafe to the BIG-IP System. You can provision FPS either from the Configuration utility in the BIG-IP system, or from the TMSH TMOS Shell command line interface. The following steps explain how to provision FPS from the Configuration utility in the BIG-IP system.
- On the Main tab, click.
- Go to the Fraud Protection Service (FPS) row in the list of modules, and in the Provisioning column select the check box and select one of the options from the list:
- Dedicated:Specifies that the system allocates all CPU, memory, and disk resources to one module. When you select this option, the system sets all other modules toNone(Disabled).
- Nominal:Specifies that, when first enabled, a module gets the least amount of resources required. Then, after all modules are enabled, the module gets additional resources from the portion of remaining resources.
- Minimum:Specifies that when the module is enabled, it gets the least amount of resources required. No additional resources are ever allocated to the module.
- ClickSubmit.
Provisioning Fraud Protection Service for BIG-IP DataSafe using TMSH
You must provision Fraud Protection Service (FPS) for BIG-IP DataSafe before performing any of the other tasks for adding BIG-IP DataSafe to the BIG-IP System. You can provision FPS either from the Configuration utility in the BIG-IP system, or from the TMSH TMOS Shell command line interface. The following steps explain how to provision FPS from TMSH.
- Open TMSH (tmsh).
- View the current provisioning of the system by typinglist sys provisionin the command line.The system displays the provision configuration. In this example, the system has nominal provisioning for LTM and the other modules are not provisioned.sys provision afm { } sys provision am { } sys provision apm { } sys provision asm { } sys provision avr { } sys provision dos { } sys provision fps { } sys provision gtm { } sys provision ilx { } sys provision lc { } sys provision ltm { level nominal } sys provision pem { } sys provision sslo { } sys provision swg { } sys provision urldb { }
- Modify provisioning for the FPS module by typingmodify sys provision fps <level_type>in the command line, where<level_type>is one of the following:
- dedicated: Specifies that the system allocates all CPU, memory, and disk resources to one module. When you select this option, the system sets all other modules to None (Disabled).
- nominal: Specifies that, when first enabled, a module gets the least amount of resources required. Then, after all modules are enabled, the module gets additional resources from the portion of remaining resources.
- minimum: Specifies that when the module is enabled, it gets the least amount of resources required. No additional resources are ever allocated to the module.
For example, to set FPS provisioning to nominal, typemodify sys provision fps level nominalThe system displays the provision configuration. In this example, the system now has nominal provisioning for FPS.sys provision afm { } sys provision am { } sys provision apm { } sys provision asm { } sys provision avr { } sys provision dos { } sys provision fps { level nominal } sys provision gtm { } sys provision ilx { } sys provision lc { } sys provision ltm { level nominal } sys provision pem { } sys provision sslo { } sys provision swg { } sys provision urldb { } - Save the changes to the stored configuration by typingsave sys configin the command line.
- Verify the current provisioning of the system by typinglist sys provisionin the command line.
Creating
a node for a remote syslog
server
a node for a remote syslog
server
Before creating a node for a remote syslog server, you must first provision FPS for
BIG-IP DataSafe.
Creating a node for a remote syslog server only
necessary if you want alerts sent to a remote syslog server. If you don't want
alerts sent to a remote syslog server, skip this section
An alternate way to create a node is to create a pool member. When you create a
pool member, the BIG-IP system
automatically creates the corresponding node. For example, if you create pool member
10.10.20.30:80
, the
system automatically creates a node with the address 10.10.20.30
.- On the Main tab, expandLocal Traffic, and clickNodes.The Node List screen opens.
- Click theCreatebutton.The New Node screen opens.
- In theNamefield, type a descriptive label for the node.Names are case-sensitive.
- In theAddressfield, types the IP address of the remote Syslog server.
- ClickFinished.The screen refreshes, and the new node appears in the node list.
Creating
a pool for a remote syslog server
a pool for a remote syslog server
Before creating a pool for a remote syslog server, you should create a node for the
remote syslog server.
Creating a pool for a remote syslog server only
necessary if you want alerts sent to a remote syslog server. If you don't want
alerts sent to a remote syslog server, skip this section.
- On the Main tab, click.The Pool List screen opens.
- ClickCreate.The New Pool screen opens.
- In theNamefield, type a unique name for the pool.
- At theNew Memberssetting, selectNode List.
- In theAddressfield, select the IP address of the remote Syslog server.
- In theService Portfield, selectHTTPorHTTPSfrom the list.
- ClickAdd.
- ClickFinished.
The new pool appears in the Pools list.
Creating a web application server node
Before creating a web application server node, you must first provision FPS for
BIG-IP DataSafe.
Local traffic pools use nodes as resources for load balancing. A
node
is an IP address that represents a
server resource, which hosts applications.- If you plan to add yourBIG-IP DataSafeprofile to an existing virtual server (i.e., you are not going to create a new virtual server for your profile), you do not need to create a new web application node.
- An alternate way to create a node is to create a pool member. When you create a pool member, the BIG-IP system automatically creates the corresponding node. For example, if you create pool member10.10.20.30:80, the system automatically creates a node with the address10.10.20.30.
- On the Main tab, expandLocal Traffic, and clickNodes.The Node List screen opens.
- Click theCreatebutton.The New Node screen opens.
- In theNamefield, type a descriptive label for the node.Names are case-sensitive.
- In theAddressfield, type the IP address of the web application server.
- ClickFinished.The screen refreshes, and the new node appears in the node list.
Creating a web application pool
Before creating a web application server pool, you must first create a web
application server node.
You can create a pool of servers that you can group together to receive and process
traffic.
- If you plan to add yourBIG-IP DataSafeprofile to an existing virtual server (i.e., you are not going to create a new virtual server for your profile), you do not need to create a new web application pool.
- Repeat the following steps for each desired pool.
- On the Main tab, click.The Pool List screen opens.
- ClickCreate.The New Pool screen opens.
- In theNamefield, type a unique name for the web application pool.
- Using theNew Memberssetting, add each resource that you want to include in the pool:
- SelectNode List.
- For theAddressoption, select the IP address of the web application server.
- For theService Portoption, selectHTTPorHTTPSfrom the list.
- ClickAdd.
- ClickFinished.
The new pool appears in the Pools list.
Creating a remote high-speed log destination
Before creating a remote high-speed log destination, ensure that at least one pool
of remote log servers exists on the BIG-IP system.
Create
a log destination of the
Remote High-Speed Log
type if you want to have alerts
sent to a remote syslog server. If you don't want alerts sent to a remote
syslog server, skip this section.- On the Main tab, click.The Log Destinations screen opens.
- ClickCreate.
- In theNamefield, type a unique, identifiable name for this destination.
- From theTypelist, selectRemote High-Speed Log.
- From thePool Namelist, select the remote syslog server pool that you defined previously.
- From theProtocollist, select the TCP protocol.
- ClickFinished.
Creating a log
publisher
Create a log publisher to specify where the BIG-IP
system sends alert messages.
If you
want alerts sent to a remote syslog server, you need to create two log publishers,
one for the local syslog server and one for the remote syslog
server.
- On the Main tab, click.The Log Publishers screen opens.
- ClickCreate.
- In theNamefield, type a unique, identifiable name for this publisher.
- For theDestinationssetting, selectlocal-syslogfrom theAvailablelist, and click<<to move the destination to theSelectedlist.
- ClickFinished.The list of Log Publishers appears, showing the Log Publisher you just created.
- If you want to have alerts sent to a remote syslog server, repeat steps 2-5, and at step 4 select the log destination that you created previously from theAvailablelist.
Creating an initial BIG-IP DataSafe
profile
Overview: Creating an initial profile
Typically, when you create your initial profile, you will want to:
- Set general properties for the profile in the Profile Properties screen
- Define URLs to be included in the profile
- Set one of the URLs to be a login page
- Configure a post-login URL (in certain situations)
Therefore, the instructions for creating an initial profile are presented according to these
four stages.
The
DataSafe
Main JavaScript protects web applications with
the content type text/html
and
application/xhtml+xml
. If your web application is based on a
different content type, you cannot apply the DataSafe
Main JavaScript protection on
it.Configuring general properties for a BIG-IP DataSafe profile
BIG-IP DataSafe
profileConfigure general properties for a
BIG-IP DataSafe
profile to ensure proper encryption of data on
your web site.- On the Main tab, click.The BIG-IP DataSafe screen opens.
- ClickCreate.The Create New DataSafe Profile screen opens.
- Select theCustomize Allcheck box.
- In theProfile Namefield, type a unique name for the profile.
- From theParent Profilelist, choose which parent profile you want to base your profile on.
- All undefined properties in the profile you are creating will be inherited from the parent profile. And any future changes to those properties in the parent profile will be automatically inherited by the profile you are creating.
- URL properties are not inherited.
- If you previously created a Log Publisher for a remote Syslog server, select it from theLog Publisherlist.
- From theLocal Syslog Publisherlist, select the Log Publisher that you previously created for the local Syslog server.
- If your web application is case-sensitive to URLs and SPA views, do the following:
- ClickAdvancedin the General Settings section.The Advanced settings appear.
- For theURLs are case sensitivesetting, select theEnabledcheck box.
- You should enable this setting only if your web application is case-sensitive to URLs and SPA views.
- This setting cannot be changed after initial creation of your profile and does not affect URL parameters in the profile.
- ClickCreate.The BIG-IP DataSafe profile has been created.
After creating your the profile, you
should define the URLs that you want to include in your profile.
Defining URLs in the profile
Define
URLs in your
BIG-IP DataSafe
profile to ensure proper protection of your
web site.- On the Main tab, click.The BIG-IP DataSafe screen opens.
- From the list of profiles, select the profile on which you want to define a URL.TheDataSafeProfile Properties screen opens.
- In the DataSafe Configuration area, clickURL List.The URL List opens.
- Click theAdd URLbutton.The Create New URL screen opens.
- In theURL Pathfield, choose one of the following types for the URL path:
- Explicit: Assign a specific URL path.
- Wildcard: Assign a wildcard expression URL. Any URL that matches the wildcard expression is considered legal and will receive protection. For example, typing the wildcard expression/*specifies that any URL is allowed.
All URLs must start with a slash (/), for both Explicit and Wildcard types.- If you choseExplicit, type the URL path.
- If you choseWildcard, type the wildcard expression URL and if you want it to include a query string, select theInclude Query Stringcheck box.The syntax for wildcard entities is based on shell-style wildcard characters. This following table lists the wildcard characters that you can use so that the entity name matches multiple objects.Wildcard characterMatches*All characters?Any single character[abcde]Exactly one of the characters listed[!abcde]Any character not listed[a-e]Exactly one character in the range[!a-e]Any character not in the rangeIf a wildcard character is actually used as part of a real URL and you don't want it to be treated as a wildcard character, use\and then the character to indicate that it should not be used as a wildcard character.Regular expressions should not be used in Wildcard URLs.
- ClickAdvanced.
- If you want theBIG-IP DataSafeMain JavaScript to run on the web page of the URL, select theEnabledcheck box forInject Main JavaScript(selected by default).When this setting is enabled, theBIG-IP DataSafeMain JavaScript also runs on all SPA views on this URL that are configured in the profile.
- TheDataSafeMain JavaScript protects web applications with the content typestext/htmlandapplication/xhtml+xml. If your web application is based on a different content type, you cannot apply theDataSafeMain JavaScript protection on it.
- Inject Main JavaScriptcan be disabled for web pages that do not require fraud protection and only receive data from a protected page.
- If you want to change the default location where theBIG-IP DataSafeMain JavaScript is injected in the URL's web page, atLocation of Main JavaScript Injection, do the following:
- Select a position for the Main JavaScript (either before or after the tag you define).
- In theTagfield, type the tag for determining where the Main JavaScript is placed.
TheBIG-IP DataSafeMain JavaScript must be injected into the web page HTML before the CSS Element. - If you want to change the default location of the Disabled JavaScript Detection Tag, atLocation of Disabled JavaScript Detection Tagdo the following:
- Select a position for the Disabled JavaScript Detection Tag (either before or after the tag you define).
- In theTagfield, type the tag for determining where the Disabled JavaScript Detection Tag is placed.
The Disabled JavaScript Detection Tag detects if JavaScript has been disabled in your web browser.- For Internet Explorer browsers 9.0 and later versions, Disabled JavaScript Detection is not supported if the content type of your web application response isxhtml.
- For web browsers other than Internet Explorer, if the content type of your web application response isxhtmlyou must use the default settingsAfterandbody.
- Leave theAdditional function to be run before JavaScript loadfield blank unless instructed otherwise by F5.
- ClickCreateto save your initial URL settings.
Setting a URL or SPA view to be a login page
Set a URL or Single Page Application (SPA) view
in your profile to be a login page if you want to encrypt data on a login page in
your web site.
- On the Main tab, click.The BIG-IP DataSafe screen opens.
- From the list of profiles, select the relevant profile.The DataSafe Profile Properties screen opens.
- In the DataSafe Configuration area, clickURL List.The URL List opens.
- Click the URL or view that you want to set as the login page, or clickAdd URL(orAdd View) if you want to create a new URL or view to be a login page.
- In the URL Configuration (or View Configuration) area, selectParameters.The Parameters list is displayed.
- Click theAddbutton.The Parameter Settings screen opens.
- In theParameter Namefield, choose one of the following types for the parameter name:
- Explicit: Assign a specific parameter name.
- Wildcard: Assign a wildcard expression for the parameter name. Any parameter name that matches the wildcard expression is considered legal and receives protection. For example, typing the wildcard expression*specifies that any parameter name is allowed.
- If you choseExplicit, type the parameter name.
- If you choseWildcard, type the wildcard expression.The syntax for wildcard entities is based on shell-style wildcard characters. This following table lists the wildcard characters that you can use so that the entity name matches multiple objects.Wildcard characterMatches*All characters?Any single character[abcde]Exactly one of the characters listed[!abcde]Any character not listed[a-e]Exactly one character in the range[!a-e]Any character not in the rangeIf a wildcard character is actually used as part of a parameter name and you don't want it to be treated as a wildcard character, use\and then the character to indicate that it should not be used as a wildcard character.A regular expression should not be used as part of the wildcard expression for a parameter name.
- SelectIdentify as Username.Only one parameter per URL can have the attributeIdentify as Username.
- ClickCreateand thenBack to URL(orBack to View).
- Under URL Configuration (or View Configuration) selectLogin Page Properties.Configuring theLogin Page Propertiesis not required but recommended because a login cannot be verified as successful unless at least one of the criteria in theLogin Page Propertiesis configured.
- For theURL is Login Pagesetting, select theYescheck box.The Login Page Properties appear.IfURL is Login Pageis enabled, you must configure at least one of the Login Page Properties. If you configure more than one Login Page Property, then all the criteria for all properties must be fulfilled for the BIG-IP system to consider the login successful.
- In theA string that should appear in the response bodyfield, type a string that should appear in the successful response to the login URL.
- In theA string that should NOT appear in the response bodyfield, type a string that should not appear in the successful response to the login URL.
- In theExpected HTTP response status codefield, selectSpecifyand type the HTTP response status code that the server must return to the user upon successful login, or selectNone.If you selectNone, HTTP response code is not used to determine a successful login.
- In theExpected response headerfield, type a header name that the successful response to the login URL must match.
- In theExpected cookie namefield, type a cookie name that the successful response to the login URL must include.
- ClickSave.The Login Page and Parameter settings are saved.
If the
form action in the HTTP request from the login page does not refer to the login page
URL, you need to also configure a post-login URL.
Configuring a post-login URL
You need to configure a post-login URL only if the login page sends the login
request to a URL that is different from the login URL. (For example, the login page URL
is
/login.jsp
, but it sends the user name and password to
/validate.jsp
).Configure a post-login URL to ensure
that the BIG-IP system can retrieve the user name and decrypt the
password.
- On the Main tab, click.The BIG-IP DataSafe screen opens.
- From the list of profiles, select the relevant profile.The DataSafe Profile Properties screen opens.
- In the DataSafe Configuration area, clickURL List.The URL List opens.
- Select the check box next to the login URL.
- Click theClonebutton.The Clone URL pop-up screen opens.
- In theURL Pathfield, type the URL that is referred to in the form action of the HTTP request.
- Optional: In theDescriptionfield, type a description for the URL.
- If you don’t want detection of automated data manipulation to run on the web page of the post-login URL disable theInject JavaScriptsetting.
- If the login URL contains SPA views and you want the post-login URL to inherit those views, select theEnabledcheck box by Views.
- Select theEnabledcheck box by Parameters.
- Click theClonebutton in the Clone URL pop-up screen.Once the new URL is created, there is no further dependency on the source URL and any future changes made to the source URL are not inherited by the new URL.
The
BIG-IP system creates the post-login URL.
Creating a custom
HTTP profile
This procedure should be performed only if SNAT or Auto Map is used for Source Address
Translation in the virtual server.
An HTTP profile defines the way that you want
the BIG-IP system to manage HTTP traffic.
- On the Main tab, click.The HTTP profile list screen opens.
- ClickCreate.The New HTTP Profile screen opens.
- In theNamefield, type a unique name for the profile.
- Select theCustomcheck box.
- In theInsert X-Forwarded-Forfield, selectEnabled.
- ClickFinished.
The custom HTTP profile now appears in the HTTP profile list screen.
Creating a virtual
server
You can create a virtual server on the BIG-IP system, where clients send application
requests. The virtual server manages the network resources for the web application that
you are securing with a security policy.
- On the Main tab, click.The Virtual Server List screen opens.
- ClickCreate.The New Virtual Server screen opens.
- In theNamefield, type a unique name for the virtual server.
- In theDestination Address/Maskfield, type an address, as appropriate for your network.The supported format is address/prefix, where the prefix length is in bits. For example, an IPv4 address/prefix is10.0.0.1or10.0.0.0/24, and an IPv6 address/prefix isffe1::0020/64or2001:ed8:77b5:2:10:10:100:42/64. When you use an IPv4 address without specifying a prefix, the BIG-IP system automatically uses a/32prefix.
- In theService Portfield, type80, or selectHTTPfrom the list.
- From theHTTP Profilelist:
- If you previously created an HTTP profile, then select the profile you created.
- Otherwise, selecthttp.
- From theSource Address Translationlist, select the appropriate translation.
- From theDefault Poollist, select the pool that is configured for the application server.
- ClickFinished.
Associating a profile with a virtual
server
In order to complete the process of adding
BIG-IP DataSafe™
to a virtual server, you need to
associate the profile with the virtual server.If the virtual
server that you associate with your
BIG-IP DataSafe
profile also has an HTTP compression
profile associated with it, you must perform the instructions in the following
section Configuring
.BIG-IP DataSafe
with an
HTTP compression profile- On the Main tab, click.The Virtual Server List screen opens.
- Click the name of the virtual server you want to modify.
- On the menu bar, from the Security menu, choose Policies.
- From theAnti-Fraud Profilelist, selectEnabled, and then from theProfilelist, select the profile you created previously.
- ClickUpdateto save the changes.
If the virtual server that you associated
with your
BIG-IP DataSafe
profile also has
an HTTP compression profile associated with it, you must perform the instructions in the
following section Configuring
.BIG-IP DataSafe
with an HTTP compression profileConfiguring BIG-IP DataSafe
with an HTTP compression profile
BIG-IP DataSafe
with an HTTP compression profileThe instructions in this section are relevant only if
your
BIG-IP DataSafe™
profile is associated with a virtual
server that also has an HTTP compression profile associated with it.If your
BIG-IP DataSafe
profile is associated with a virtual server
that also has an HTTP compression profile associated with it, you must perform the
following steps to ensure that your web site is not disabled.- On the Main tab, click.The BIG-IP DataSafe screen opens.
- From the list of profiles, select the relevant profile.The DataSafe Profile Properties screen opens.
- In the General Settings area of the DataSafe Profile Properties screen, clickAdvanced.The Advanced settings appear.
- AtJavaScript Configuration Directory, copy the path.
- On the Main tab, go to.
- In the list of profiles, click on the HTTP compression profile that is associated with the same virtual server as yourBIG-IP DataSafeprofile.
- In the URI List section, at URI paste the path of the JavaScript Configuration Directory.
- In the URI List section, clickExclude.
- At the bottom of the screen, clickUpdate.
- In the BIG-IP command line, set the BigDB variable for Datasync with the following command:tmsh modify sys db variable datasync.gzip_fpm value enable