Manual Chapter :
Configuring F5 DataSafe Profiles
Applies To:
Show Versions
BIG-IQ Centralized Management
- 8.3.0, 8.2.0, 8.1.0, 8.0.0, 7.1.0
Configuring F5 DataSafe Profiles
F5 DataSafe Overview
F5
DataSafe™ protects web sites from Trojan attacks by
encrypting data at the application layer on the client-side. Encryption is performed on the
client-side using a public key generated by the BIG-IP®
system and provided uniquely per session. When the encrypted information is received by the
BIG-IP system, it is decrypted using a private key that is kept on the server-side. Users can
view alerts on potential encryption attacks in the Data Protection log in the BIG-IP system or in
a remote Syslog Server if you choose to configure one for receiving alerts.
The F5 BIG-IQ® system improves the usability of
DataSafe profiles by allowing configuration of a single DataSafe profile that can be used on
multiple BIG-IP systems. In order to apply F5 DataSafe protection on your web site, you need to
perform the following preliminary configurations in the BIG-IQ system:
- Configure a virtual server for the DataSafe profile.
- Create an initial DataSafe profile.
- Associate that profile with the virtual server.
In most cases, the virtual server that you
create for your profile will be an SSL virtual server.
F5 DataSafe profiles
containing SPA views or wildcard parameters are not deployable on BIG-IP versions 13.x and lower.
When performing
Evaluate and Deploy
for Fraud Protection, check the
Critical Errors column to ensure that your DataSafe profile does not contain any features
rendering it undeployable on your BIG-IP devices.Create a web application server
node
Local traffic pools use nodes as
resources for load balancing. A
node
is an IP address that represents a
server resource, which hosts applications.If you plan to add your
F5 DataSafe profile to an existing virtual server (that is, you are not going to
create a new virtual server for your profile), you do not need to create a new web
application node.
- At the top of the screen, clickConfiguration.
- On the left, click.The Nodes list appears.
- Click theCreatebutton.The New Node screen opens.
- In theNamefield, type a descriptive label for the node.Names are case-sensitive.
- In theDevicefield, select the BIG-IP device of the node.
- In theAddressfield, type the IP address of the web application server.
- ClickSave & Close.The Nodes list screen opens, showing the node you just created.
Create a web application pool
You can create a pool of servers
that you can group together to receive and process traffic.
If you plan to add your
F5 DataSafe profile to an existing virtual server (that is, you are not going to
create a new virtual server for your profile), you do not need to create a new web
application pool.
- At the top of the screen, clickConfiguration.
- On the left, click.The Pools list opens.
- ClickCreate.The New Pool screen opens.
- In theNamefield, type a unique name for the web application pool.
- In theDevicefield, select the BIG-IP device of the pool.
- ClickNew Member.The New Pool Member screen opens.
- ForNode Type, selectExisting Node.
- From theNodelist, select the IP address of the web application server.
- From thePortlist, selectHTTPorHTTPS.
- ClickSave & Closein the New Pool Member screen.
- ClickSave & Closein the New Pool screen.
The new pool appears in the Pools
list.
Create a log publisher
You create a log publisher to specify where the BIG-IP system sends alert messages.
- At the top of the screen, clickConfiguration.
- On the left, click.The Log Publishers list screen opens.
- ClickCreate.
- In theNamefield, type a unique, identifiable name for this publisher.
- Log Destinations, from theAvailablelist selectlocal-syslog, and use the Move button->to move the destination to theSelectedlist.
- ClickSave & Close.The Log Publishers list screen opens, showing the log publisher you just created.
Create a custom HTTP profile
You should perform this procedure
only if SNAT or Auto Map is used for Source Address Translation in the virtual
server.
You create an HTTP profile to define
the way that you want the system to manage HTTP traffic.
- At the top of the screen, clickConfiguration.
- On the left, click.
- ClickCreate.The New Profile screen opens.
- In theNamefield, type a unique name for the profile.
- From theTypelist, selectProfile HTTP.
- For theInsert X-Forwarded-Forsetting, selectEnabled.
- ClickSave & Close.
The custom HTTP profile now appears
in the HTTP profile list screen.
Create a virtual server
You create a virtual server to
receive application requests from the clients. The virtual server manages the network
resources for the web application that you are securing with a security policy.
- At the top of the screen, clickConfiguration.
- On the left, click.
- Click theCreatebutton.The New Virtual Server screen opens.
- In theNamefield, type a unique name for the virtual server.
- In theDevicefield, choose a BIG-IP device for the virtual server.
- In theDestination Addressfield, type an address, as appropriate for your network.The supported format is address/prefix, where the prefix length is in bits. For example, an IPv4 address/prefix is10.0.0.1or10.0.0.0/24, and an IPv6 address/prefix isffe1::0020/64or2001:ed8:77b5:2:10:10:100:42/64. When you use an IPv4 address without specifying a prefix, the BIG-IP® system automatically uses a/32prefix.
- In theService Portfield, type80, or selectHTTPfrom the list.
- From theHTTP Profilelist:
- If you previously created an HTTP profile, then select the profile you created.
- Otherwise, selecthttp.
- From theSource Address Translationlist, select the appropriate translation.
- From theDefault Poollist, select the pool that is configured for the application server.
- ClickSave & Close.
Configure general properties for an F5
DataSafe profile
Before configuring the profile's
general properties, you must have created a web application server node, a web
application pool, and a log publisher for the profile.
You configure general properties for a F5
DataSafe profile to ensure proper encryption of data on your web site.
- At the top of the screen, clickConfiguration.
- On the left, click.The DataSafe Profiles list screen opens.
- ClickAdd.The Add DataSafe Profile screen opens, with the General Properties area showing.
- In theNamefield, type a unique name for the profile.
- From theParent Profilelist, choose which parent profile you want to base your profile on.
- All undefined properties in the profile you are creating will be inherited from the parent profile. Any future changes to those properties in the parent profile will be automatically inherited by the profile you are creating.
- URL properties are not inherited.
- In theLog Publisherlist, select the Log Publisher that you created.
- If your web application is case-sensitive to URLs and SPA views, do the following:
- ClickAdvancedin the General Settings section.The Advanced settings appear.
- For theURLs are case sensitivesetting, select theEnabledcheck box.
- You should enable this setting only if your web application is case-sensitive to URLs and SPA views.
- This setting cannot be changed after initial creation of your profile and does not affect URL parameters in the profile.
- ClickSave & Close.The system has created the F5 DataSafe profile.
After creating your the profile, you
should define the URLs that you want to include in your profile.
Define URLs in the profile
You should set the profile's general
properties before defining URLs in the profile.
Define URLs in your profile to
ensure proper protection of your web site.
- At the top of the screen, clickConfiguration.
- On the left, click.The DataSafe Profiles list screen opens.
- From the list of profiles, select the profile on which you want to define a URL.The DataSafe profile properties screen opens.
- ClickURLSand then theAddbutton.The Add URL screen opens.
- In theURL Pathfield, choose one of the following types for the URL path:
- Explicit: Assign a specific URL path.
- Wildcard: Assign a wildcard expression URL. Any URL that matches the wildcard expression is considered legal and will receive protection. For example, typing the wildcard expression/*specifies that any URL is allowed.
All URLs must start with a slash (/), for both Explicit and Wildcard types.- If you choseExplicit, type the URL path.
- If you choseWildcard, type the wildcard expression URL and if you want it to include a query string, select theInclude Query Stringcheck box.The syntax for wildcard entities is based on shell-style wildcard characters. This following table lists the wildcard characters that you can use so that the entity name matches multiple objects.Wildcard characterMatches*All characters?Any single character[abcde]Exactly one of the characters listed[!abcde]Any character not listed[a-e]Exactly one character in the range[!a-e]Any character not in the rangeIf a wildcard character is actually used as part of a real URL and you don't want it to be treated as a wildcard character, use\and then the character to indicate that it should not be used as a wildcard character.Regular expressions should not be used in Wildcard URLs.
- If you want the DataSafe Main JavaScript to run on the web page of the URL, select theEnabledcheck box forInject Main JavaScript(selected by default).
- When this setting is enabled, the DataSafe Main JavaScript also runs on all SPA views on this URL that are configured in the profile.
- You should disableInject Main JavaScriptfor web pages that do not require encryption protection and only receive data from a protected page.
- If you want to change the default location where the DataSafe Main JavaScript is injected in the URL's web page, atLocation of Main JavaScript Injection:
- Select a position for the Main JavaScript (either before or after the tag you define).
- In theTagfield, type the tag for determining where the Main JavaScript is placed.
The DataSafe Main JavaScript must be injected into the web page HTML before the CSS Element. - If you want to change the default location of the Disabled JavaScript Detection Tag, atLocation of Disabled JavaScript Detection Tagdo the following:
- Select a position for the Disabled JavaScript Detection Tag (either before or after the tag you define)
- In theTagfield, type the tag for determining where the Disabled JavaScript Detection Tag is placed
The Disabled JavaScript Detection Tag detects if JavaScript has been disabled in your web browser. - ClickSave & Closeto save your initial URL settings.
After defining the URLs in your profile, you
should set a URL or SPA view to be a login page.
Set a URL or SPA
view to be a login page
Set a URL or Single Page Application (SPA) view in
your profile to be a login page if you want to encrypt data on a login page in your web
site.
- At the top of the screen, clickConfiguration.
- On the left, click.The DataSafe Profiles list screen opens.
- In the list of profiles, click the relevant profile.The DataSafe Profile Properties screen opens.
- On the left, clickURLS.The URLs list screen opens.
- Click the URL or view that you want to set as the login page, or clickAdd(orAdd View) if you want to create a new URL or view to be a login page.SPA views are supported only in BIG-IP versions 14.0 and higher.
- On the left, clickPARAMETERS.
- Click theAddbutton.The Add Parameter popup screen opens.
- In theTypefield, choose one of the following parameter types:
- Explicit: Choose this if you want to assign a specific parameter name.
- Wildcard: Choose this if you want to assign a wildcard expression for the parameter name. Any parameter name that matches the wildcard expression is considered legal and receives protection. For example, typing the wildcard expression*specifies that any parameter name is allowed.
Wildcard parameters are supported in BIG-IP versions 14.0 and later. If you are using a BIG-IP version 13.x or earlier, use only explicit parameters. - In theNamefield, type a name for the parameter as follows:
- For anExplicitparameter type, type the exact name.
- For aWildcardparameter type, type the wildcard expression.The syntax for wildcard entities is based on shell-style wildcard characters. This table lists the wildcard characters that you can use so that the entity name matches multiple objects.Wildcard characterMatches*All characters?Any single character[abcde]Exactly one of the characters listed[!abcde]Any character not listed[a-e]Exactly one character in the range[!a-e]Any character not in the rangeIf a wildcard character is actually used a part of a real parameter name and you don't want it to be treated a wildcard character, use\and then the character to indicate that it should not be used as a wildcard character.Regular expressions should not be used as wildcards.
- Select theIdentify as Usernamecheck box.Only one parameter per URL can have the attributeIdentify as Username.
- ClickAdd.
- ClickLOGIN PAGE PROPERTIES.Configuring the Login Page properties is not required but recommended because a login cannot be verified as successful unless at least one of the criteria in the Login Page Properties screen is configured.
- For theURL is Login Pagesetting, check theEnabledcheck box.The Login Page Properties appear.IfURL is Login Pageis enabled, you must configure at least one of the Login Page properties. If you configure more than one Login Page property, then all the criteria for all properties must be fulfilled for the BIG-IP system to consider the login successful.
- In theA string that should appear in the response bodyfield, type a string that should appear in the successful response to the login URL.
- In theA string that should NOT appear in the response bodyfield, type a string that should not appear in the successful response to the login URL.
- In theExpected HTTP response status codefield, selectSpecifyand type the HTTP response status code that the server must return to the user upon successful login, or selectNone.If you selectNone, HTTP response code is not used to determine a successful login.
- In theExpected response headerfield, type a header name that the successful response to the login URL must match.
- In theExpected cookie namefield, type a cookie name that the successful response to the login URL must include.
- ClickSave & Close.The Login Page and Parameter settings are saved.
If the form action in the HTTP
request from the login page does not refer to the login page URL, you need to also
configure a post-login URL.
Configure a
post-login URL
You need to configure a post-login URL only if the login page sends the login request
to a URL that is different from the login URL. (For example, the login page URL is
/login.jsp
, but it sends the
user name and password to /validate.jsp
).Configure a post-login URL to ensure that the
BIG-IP system can retrieve the user name and decrypt the password.
- At the top of the screen, clickConfiguration.
- On the left, click.The DataSafe Profiles list screen opens.
- In the list of profiles, click the relevant profile.The DataSafe Profile Properties screen opens.
- On the left, clickURLS.The URLs list appears.
- Select the check box next to the login URL.
- Click.The Clone URL screen opens.
- In theURL Pathfield, type the URL that is referred to in the form action of the HTTP request.
- Optional: In theDescriptionfield, type a description for the URL.
- Ensure thatInject JavaScriptis disabled.
- If the login URL contains SPA views and you want the post-login URL to inherit those views, select theEnabledcheck box by Clone Views.
- Select theEnabledcheck box by Clone Parameters.
- Click theClonebutton in the Clone URL popup screen.
- The new URL inherits the configuration settings of the source URL
- Once the new URL is created, there is no further dependency on the source URL and any future changes made to the source URL are not inherited by the new URL.
The BIG-IQ® system creates the new URL and it
appears in the URLs list.
Associate an F5 DataSafe profile with a
virtual server
In order to complete the process of
applying F5 DataSafe protection to your web site, you need to associate the F5 DataSafe
profile that you created with the virtual server that you created.
- At the top of the screen, clickConfiguration.
- On the left, click.The Virtual Servers list appears.
- Click the name of the virtual server on which you want to associate the F5 DataSafe profile.The virtual server properties screen opens.
- From theAttached Profilelist, select the DataSafe profile that you want to associate with this virtual server.
- ClickSave & Close.The Virtual Server list appears, and the DataSafe profile that you chose in the previous step is now listed as being associated with the virtual server.
General Configuration Options for F5
DataSafe Profiles and URLs
Configure advanced
general settings on an F5 DataSafe profile
Configure advanced general settings on an F5
DataSafe profile if you want to change the default settings that the BIG-IQ system
assigns to profiles.
- At the top of the screen, clickConfiguration.
- On the left, click.The DataSafe Profiles list screen opens.
- In the list of profiles, click the relevant profile.The DataSafe Profile Properties screen opens.
- In theAlert Pathfield, use the automatically generated path, or define your own path.If you define your own path, ensure that the path is not used by any other field in any profile that is deployed on the same BIG-IP device as the current profile, and that it is not an already existing URL.
- In theSuggested Username Headerfield, use the default header or type a header that will be added to AJAX requests when the BIG-IP system detects an AJAX login attempt, which is common for Single Page Applications.With this header, the BIG-IP system can detect the username that was used for the login. The client sends this header only for URLs in the profile that have a parameter set as Identify as Username.
- For theJavaScript Directoryfield, use the automatically generated path, or define your own.This path specifies the location of the main F5 DataSafe JavaScript. This path does not include the actual file name of the JavaScript.
- This path should be changed only if your application is already using a directory with the same path as the automatically assigned default path.
- If you define your own path, ensure that the path is not used by any other field in any profile that is deployed on the same BIG-IP device as the current profile, and that it is not an already existing URL.
- For theJavaScript Configuration Directoryfield, use the automatically generated path, or define your own path that specifies the location of the F5 DataSafe JavaScript containing profile configuration settings.This path specifies the location of the configuration JavaScript. This path does not include the actual file name of the JavaScript.
- This path should be changed only if your application is already using a directory with the same path as the automatically assigned default path.
- If you define your own path, ensure that the path is not used by any other field in any profile that is deployed on the same BIG-IP device as the current profile, and that it is not an already existing URL.
- For theJavaScript Removal Locationfield, use the automatically generated path, or define your own path that specifies the location of the image file name that the system uses for detecting a JavaScript removal attack.
- This path should be changed only if your application is already using a directory with the same path as the automatically assigned default path.
- If you define your own path, ensure that the path is not used by any other field in any profile that is deployed on the same BIG-IP device as the current profile, and that it is not an already existing URL.
- If your profile includes one or more URLs that contain SPA views, forReferrer Info Headeruse the default header value or assign your own header value that the BIG-IP system uses to identify SPA views.
- ForJavaScript Grace Threshold, change the default value if you want to raise or lower the maximum amount of time (in seconds) permitted between when a protected web page is loaded and its injected JavaScript activates.
- Leave theAdditional function to be run before JavaScript loadfield blank unless instructed otherwise by F5.
- For thePrevent duplicate alerts from Client Sidesetting, select theEnabledcheck box to prevent the client from sending an alert with information that is identical to an alert previously sent by the client during the past 24 hours.
- ClickSave & Close.The BIG-IQ system saves the changes that you made to the advanced settings.
Enable an iRule to handle logins and
alerts
Enabling iRules®
to handle logins and alerts is only relevant if you have written an iRule to handle the
ANTIFRAUD_ALERT
event, or the ANTIFRAUD_LOGIN
event and the iRule is associated with the same virtual server as your profile.Enable an iRule to handle logins and
alerts if you want to use an iRule to disable alerts or record login events.
- At the top of the screen, clickConfiguration.
- On the left, click.The DataSafe Profiles list screen opens.
- In the list of profiles, click the relevant profile.The DataSafe Profile Properties screen opens.
- Scroll to the bottom of the screen, and for theTrigger iRule Eventssetting, select theEnabledcheck box.
- ClickSave.iRules are now enabled to handle logins and alerts.
iRule events
iRules® can subscribe to the
ANTIFRAUD_ALERT
event and the
ANTIFRAUD_LOGIN
event in F5
DataSafe™.iRule event |
Description |
---|---|
ANTIFRAUD_ALERT |
Occurs when alerts are sent to the BIG-IP® system. |
ANTIFRAUD_LOGIN |
Occurs when a user successfully logs in to the profile. Or if login validation is
not configured, this event can occur if just the user name is identified. |
iRule Examples
The following example shows how an iRule uses the
ANTIFRAUD_ALERT
event to
log all available information about an alert that was sent by the BIG-IP system to the
location /var/log/ltm
.when ANTIFRAUD_ALERT{ log local0. "=========Anti-Fraud Alert=========" log local0. "Alert Identifier: [ANTIFRAUD::alert_id]" log local0. "Alert Type: [ANTIFRAUD::alert_type]" log local0. "Alert Component: [ANTIFRAUD::alert_component]" log local0. "Alert Details: [ANTIFRAUD::alert_details]" log local0. "Alert GUID: [ANTIFRAUD::alert_guid]" log local0. "Alert Device ID: [ANTIFRAUD::alert_device_id]" log local0. "Alert License ID: [ANTIFRAUD::alert_license_id]" log local0. "Alert Score: [ANTIFRAUD::alert_score]" log local0. "Alert Username: [ANTIFRAUD::alert_username]" log local0. "Alert HTTP Referrer: [ANTIFRAUD::alert_http_referrer]" log local0. "Alert Additional Info: [ANTIFRAUD::alert_additional_info]" }
The following example shows how an iRule uses the
ANTIFRAUD_ALERT
event to
disable a specific alert according to its type.when ANTIFRAUD_ALERT{ if {[ANTIFRAUD::alert_type] eq "components_validation"}{ log local0. "Alert Type is components validation" ANTIFRAUD::disable_alert log local0. "Disabled Alert" } }
The following example shows how an iRule uses the
ANTIFRAUD_LOGIN
event
with its commands.when ANTIFRAUD_LOGIN{ log local0. "=========Anti-Fraud Login=========" # read mode log local0. "Username: [ANTIFRAUD::username]" log local0. "GUID: [ANTIFRAUD::guid]" # write mode ANTIFRAUD::username "other_user" }
Values for iRule commands
The
following values can be used in iRule commands:
Value |
Description |
---|---|
alert_id |
For example, d4. |
alert_type |
The type of alert. |
alert_component |
An error type that is determined according to the alert_type. |
alert_details |
Additional information regarding the alert. |
alert_device_id |
Persistent browser identifier. |
alert_license_id |
crc32 of the license id in hex. |
alert_transaction_data |
Key-value list of all parameters marked to be attached. |
alert_username |
When this command is used without any additional arguments, this is the name of
the user who triggered the alert. It is possible to use additional arguments to
override the current user name (write mode), as shown in the
ANTIFRAUD_LOGIN example above. |
alert_http_referrer |
The URL of the site that was visited just before the Alert URL was
visited. |
alert_additional_info |
Shows additional information about the alert, such as the parameter
values too long error message. |
disable_alert |
Disables the current alert. |
https://devcentral.f5.com/irules
).Configuring SPA views
Configuring SPA views on a URL is relevant only if your web site is single-page application (SPA).
Configure SPA views to provide F5 DataSafe protection to the SPA views on a URL.
SPA views are supported only in BIG-IP versions 14.0 and later.
- At the top of the screen, clickConfiguration.
- On the left, click.The DataSafe Profiles list screen opens.
- In the list of profiles, click the relevant profile.The DataSafe Profile Properties screen opens.
- On the left, clickURLS.The URLs list screen opens.
- In the URL List, select the check box next to the URL where you want to add the view and then clickAdd View.The Add View screen opens.
- In theView Namefield, type a name for the view.
- Leave theAdditional function to be run before JavaScript loadfield blank unless instructed otherwise by F5.
- ForDestination URLs, add URLs that you want to receive protected data from this view.Adding URLs here allows you to use the parameters that are configured on this view on the destination URL as well, without having to re-configure them on the destination URL. This setting is relevant only when sending data by Ajax and in a form format (not JSON format).
- ClickSave & Close.The BIG-IQ system creates the view and the profile properties screen opens.
Enhancing data encryption on a URL with SPA views
This task is relevant only if your URL contains SPA views.
If your URL contains SPA views, F5 DataSafe provides some additional settings for enhancing data encryption.
- At the top of the screen, clickConfiguration.
- On the left, click.The DataSafe Profiles list screen opens.
- In the list of profiles, click the relevant profile.The DataSafe Profile Properties screen opens.
- On the left, clickURLS.The URLs list screen opens.
- In the URL List, click the relevant URL.The URL Properties screen opens.
- If this URL has SPA views that are not configured in the profile and you want the F5 DataSafe Main JavaScript to run on those views, forFallback to Base URLselect theEnabledcheck box (selected by default).
- AtDestination URLs, add URLs that should receive encrypted data from this URL.Adding URLs here allows you to use the parameters that are configured on this URL on the destination URL as well, without having to re-configure them on the destination URL.
- This setting appears only for URLs that have SPA views configured in the profile.
- This setting is relevant only when sending data by Ajax and in a form format (not JSON format).
- ClickSave & Close.The URL configuration settings are saved.
Clone a profile
If you want to create a new profile with
settings identical to an existing profile, you can clone the profile. Unlike
parent-child profiles, the cloned profile is not dependent on the original one, and any
changes made to the original profile after cloning are not inherited by the previously
cloned profile.
A cloned profile inherits all properties from the original
profile including all URL properties and SPA views, with the exception of
system-generated random values. Once the cloned profile is created, there is no
further dependency on the original profile and any changes made in the original
profile are not received by the cloned profile, with the following exception:
- In the General Properties screen of a cloned profile, some of the settings have an override check box. If this check box is not checked, then any changes made in the original profile will be copied to the cloned profile. If it is checked, then changes in the original profile are not copied to the cloned profile.
- At the top of the screen, clickConfiguration.
- On the left, click.The DataSafe Profiles list screen opens.
- Select the check box next to the profile that you want clone.
- Click theClonebutton.The Clone Profile pop-up screen opens.
- In the Clone Profile pop-up screen, assign a new profile name.
- ClickClone.The new profile is created and appears in the list of profiles in the DataSafe Profiles screen.
Clone a URL or SPA
view
You can clone a URL or SPA view if you want to
create a new URL or view that inherits the settings on an existing URL or view.
- When cloning a URL, the new URL inherits the configured settings of the source URL. You can choose whether to copy SPA views, parameters, and the DataSafe Main JavaScript injection to the new URL.
- When cloning an SPA view, the new view inherits the configured settings of the source view. You can choose whether to copy parameters to the new URL.
- Once the new URL or view is created, there is no further dependency on the source URL or view and any future changes made to the source URL or view are not inherited by the new URL or view.
- At the top of the screen, clickConfiguration.
- On the left, click.The DataSafe Profiles list screen opens.
- From the list of profiles, select the profile with the URL or view that you want to clone.The DataSafe profile properties screen opens.
- On the left, clickURLS.The URLs list screen opens.
- Select the check box next to the URL or view that you want clone.
- Click.The Clone URL (or Clone View) screen appears.
- In the pop-up screen, assign a URL path or view name and (optionally) a description.
- If you are cloning a URL and you want to encrypt data on the web page of the new URL, enable theInject JavaScriptsetting.
- Click theClonebutton in the pop-up screen.
The BIG-IQ® system creates the new URL or view and it appears in the URLs
list.
Encrypting Data on the Application
Level
Overview: Encrypting data on the application
level
Application Layer Encryption protects against credential theft from man-in-the-middle (MITM)
and MITM browser attacks, verifies whether a user is trying to use a fabricated password,
validates the client-side password, and encrypts credentials in real-time upon submission. F5
DataSafe™ allows you to configure data encryption on the
application level, so that sensitive data entered by a user on the client-side is protected
against attempted fraud attacks that occur in the web application.
Encrypt data as it leaves the web
browser
Encrypt data as it leaves the web
browser if you want to protect data that was entered by the user as it leaves the web
browser.
- At the top of the screen, clickConfiguration.
- On the left, click.The DataSafe Profiles list screen opens.
- In the list of profiles, click the relevant profile.The DataSafe Profile Properties screen opens.
- On the left, clickURLS.The URLs list screen opens.
- Select the URL or SPA view on which you want to encrypt data.The URL properties (or View Properties) screen opens.
- On the left, clickAPPLICATION LAYER ENCRYPTION.The Application Layer Encryption settings are displayed.
- Ensure that theEnabledcheck box forApplication Layer Encryptionis selected.
- If you want to use a custom encryption algorithm on parameters (instead of the BIG-IP® default encryption function), in theCustom Encryption Functionfield, type your custom encryption function.The custom encryption function encrypts all parameters whereEncryptis disabled andSubstitute Valueis enabled on the parameter.If you use a custom encryption function, you can not enableReal-Time Encryptionon this URLor view. Real-Time Encryption encrypts passwords as the user types them.
- On the left, clickPARAMETERS.
- Click theAddbutton.The Add Parameter popup screen opens.
- In theTypefield, choose one of the following parameter types:
- Explicit: Choose this if you want to assign a specific parameter name.
- Wildcard: Choose this if you want to assign a wildcard expression for the parameter name. Any parameter name that matches the wildcard expression is considered legal and receives protection. For example, typing the wildcard expression*specifies that any parameter name is allowed.
Wildcard parameters are supported in BIG-IP versions 14.0 and later. If you are using a BIG-IP version 13.x or earlier, use only explicit parameters. - In theNamefield, type a name for the parameter as follows:
- For anExplicitparameter type, type the exact name.
- For aWildcardparameter type, type the wildcard expression.The syntax for wildcard entities is based on shell-style wildcard characters. This table lists the wildcard characters that you can use so that the entity name matches multiple objects.Wildcard characterMatches*All characters?Any single character[abcde]Exactly one of the characters listed[!abcde]Any character not listed[a-e]Exactly one character in the range[!a-e]Any character not in the rangeIf a wildcard character is actually used a part of a real parameter name and you don't want it to be treated a wildcard character, use\and then the character to indicate that it should not be used as a wildcard character.Regular expressions should not be used as wildcards.
- Select theEncryptcheck box.
- If the parameter is for a password field and you want to use substitute values when the user inputs the password, select theSubstitute Valuecheck box.
- This attribute should be applied only on parameters with the input typepassword.
- If you assignSubstitute Valueto a password parameter, the web browser’s auto-complete feature for passwords does not work on this parameter.
If you want a custom encryption function to be applied to this parameter, do not select the check boxes for bothEncryptandSubstitute Valueon the parameter. If you do this, the custom encryption function will not be applied to this parameter. - ClickAdd.The parameter settings are saved.
- Repeat steps 10-14 for every parameter you want the system to encrypt.
- ClickSave & Close.The URL (or view) configuration settings are saved.
If the form action in the HTTP
request from the web page you created above does not refer to the URL of the web page,
you need to also configure a URL for decrypted data.
Configure a URL for decrypting
data
You need to configure a separate URL
for decrypting data only if the form action in the HTTP request from the client does not
refer to the URL from which the request is being sent.
Configure a URL for decrypting data
to ensure that your server can read and verify encrypted data that was sent from the
client.
- At the top of the screen, clickConfiguration.
- On the left, click.The DataSafe Profiles list screen opens.
- On the left, click.The DataSafe Profiles list screen opens.
- In the list of profiles, click the relevant profile.The DataSafe Profile Properties screen opens.
- On the left, clickURLS.The URLs list screen opens.
- Select the check box next to the URL where the client sends encrypted data.
- Click.The Clone URL screen opens.
- In theURL Pathfield, type the URL that is referred to in the form action of the HTTP request.
- Optional: In theDescriptionfield, type a description for the URL.
- Ensure that theInject JavaScriptsetting is disabled.
- Click theClonebutton in the Clone URL popup screen.
- The new URL inherits the configuration settings of the source URL
- Once the new URL is created, there is no further dependency on the source URL and any future changes made to the source URL are not inherited by the new URL.
Apply AJAX encryption on a URL or SPA view
Apply Ajax encryption on your web
page if the web page sends data using AJAX and you want the data to be
encrypted.
- At the top of the screen, clickConfiguration.
- On the left, click.The DataSafe Profiles list screen opens.
- In the list of profiles, click the relevant profile.The DataSafe Profile Properties screen opens.
- On the left, clickURLS.The URLs list screen opens.
- Select the URL or view on which you want to apply AJAX encryption.The URL Properties (or View Properties) screen appears.
- On the left, clickAPPLICATION LAYER ENCRYPTION.The Application Layer Encryption settings are displayed.
- Select theEnabledcheck box forFull AJAX Encryption.
- If your web page uses JSON format for submitting data, do the following for every parameter that you want to have AJAX encryption:
- ClickPARAMETERStab.
- Click theAddbutton.The Add Parameter popup screen opens.
- In theTypefield, choose one of the following parameter types:
- Explicit: Choose this if you want to assign a specific parameter name.
- Wildcard: Choose this if you want to assign a wildcard expression for the parameter name. Any parameter name that matches the wildcard expression is considered legal and receives protection. For example, typing the wildcard expression*specifies that any parameter name is allowed.
- In theNamefield, type a name for the parameter as follows:
- For anExplicitparameter type, type the exact name.
- For aWildcardparameter type, type the wildcard expression.The syntax for wildcard entities is based on shell-style wildcard characters. This following table lists the wildcard characters that you can use so that the entity name matches multiple objects.Wildcard characterMatches*All characters?Any single character[abcde]Exactly one of the characters listed[!abcde]Any character not listed[a-e]Exactly one character in the range[!a-e]Any character not in the range\and then the character to indicate that it should not be used as a wildcard character.Regular expressions should not be used as wildcards.
- Select both theEncryptcheck box and theSubstitute Valuecheck box.
- In theAJAX Mappingfield, type a mapping key for the parameter that is sent from the client to the server.For example, if you have a single page application form with an input fieldnameorIDcalledAand you want to send it in theBkey in the JSON file, typeBin this text box.If the input fieldnameorIDin the HTML of your web page has the samenameorIDas the key of the JSON file, you do not need to type a mapping key in this text box.
- ClickAdd.The parameter settings are saved and the URL Properties (or View Properties) screen appears.
- ClickSave & Closein the URL/View properties screen.The configuration settings for the URL/View are saved.
Configure HTML field obfuscation
Before you can configure HTML field
obfuscation,
Application Layer
Encryption
must be enabled on the URL or SPA view.Configure HTML field obfuscation if
you want the BIG-IP® system to encrypt the
name
attribute of all defined HTML <input>
fields, and then decrypt
them back to the original name
on the BIG-IP system.- At the top of the screen, clickConfiguration.
- On the left, click.The DataSafe Profiles list screen opens.
- In the list of profiles, click the relevant profile.The DataSafe Profile Properties screen opens.
- On the left, clickURLS.The URLs list screen opens.
- Select the URL on which you want to configure HTML field obfuscation.The URL properties screen opens.
- On the left, clickAPPLICATION LAYER ENCRYPTION.The Application Layer Encryption settings are displayed.
- Select theEnabledcheck box for theHTML Field Obfuscationsetting.TheAdd Decoy InputsandRemove Element IDsfields are displayed.
- Select theEnabledcheck box for theAdd Decoy Inputssetting if you want the system to randomly, and continuously, generate and remove decoy<input>fields that are added to the web page.EnablingAdd Decoy Inputsmakes it harder for an attacker to identify sensitive information with either JavaScript or a proxy.
- Select theEnabledcheck box for theRemove Element IDssetting if you want the system to remove the ID attribute from URL parameters that have theObfuscateproperty.
- On the left, clickPARAMETERS.
- Click theAddbutton.The Add Parameter popup screen opens.
- In theTypefield, choose one of the following parameter types:
- Explicit: Choose this if you want to assign a specific parameter name.
- Wildcard: Choose this if you want to assign a wildcard expression for the parameter name. Any parameter name that matches the wildcard expression is considered legal and receives protection. For example, typing the wildcard expression*specifies that any parameter name is allowed.
Wildcard parameters are supported in BIG-IP versions 14.0 and later. If you are using a BIG-IP version 13.x or earlier, use only explicit parameters. - In theNamefield, type a name for the parameter as follows:
- For anExplicitparameter type, type the exact name.
- For aWildcardparameter type, type the wildcard expression.The syntax for wildcard entities is based on shell-style wildcard characters. This table lists the wildcard characters that you can use so that the entity name matches multiple objects.Wildcard characterMatches*All characters?Any single character[abcde]Exactly one of the characters listed[!abcde]Any character not listed[a-e]Exactly one character in the range[!a-e]Any character not in the rangeIf a wildcard character is actually used a part of a real parameter name and you don't want it to be treated a wildcard character, use\and then the character to indicate that it should not be used as a wildcard character.Regular expressions should not be used as wildcards.
- Select theObfuscatecheck box.
- ClickAdd.The parameter settings are saved.
- Repeat steps 11-14 for every parameter you want the system to obfuscate.
- ClickSave & Closein the URL/View Properties screen.The configuration settings for the URL or view are saved.
Remove JavaScript event listeners from
parameters
Before you can remove JavaScript event listeners from
parameters, Application Layer Encryption must be enabled on the URL or SPA
view.
You can remove JavaScript event
listeners from parameters to protect sensitive data in parameters from being obtained by
potential attackers.
Some web
applications add non-malicious event listeners that improve functionality. If you
choose to activate removal of event listeners on parameters, this will remove all
event listeners, including non-malicious ones added by the web application. Take
this into account before deciding to activate removal of event
listeners.
- At the top of the screen, clickConfiguration.
- On the left, click.The DataSafe Profiles list screen opens.
- In the list of profiles, click the relevant profile.The DataSafe Profile Properties screen opens.
- On the left, clickURLS.The URLs list screen opens.
- Select the URL or view on which you want to remove JavaScript event listeners.The URL Properties (or View Properties) screen opens.
- On the left, clickAPPLICATION LAYER ENCRYPTION.The Application Layer Encryption settings are displayed.
- Select theEnabledcheck box for theRemove Event Listenerssetting.
- On the left, clickPARAMETERS.
- Click theAddbutton.The Add Parameter popup screen opens.
- In theTypefield, choose one of the following parameter types:
- Explicit: Choose this if you want to assign a specific parameter name.
- Wildcard: Choose this if you want to assign a wildcard expression for the parameter name. Any parameter name that matches the wildcard expression is considered legal and receives protection. For example, typing the wildcard expression*specifies that any parameter name is allowed.
Wildcard parameters are supported in BIG-IP versions 14.0 and later. If you are using a BIG-IP version 13.x or earlier, use only explicit parameters. - In theNamefield, type a name for the parameter as follows:
- For anExplicitparameter type, type the exact name.
- For aWildcardparameter type, type the wildcard expression.The syntax for wildcard entities is based on shell-style wildcard characters. This table lists the wildcard characters that you can use so that the entity name matches multiple objects.Wildcard characterMatches*All characters?Any single character[abcde]Exactly one of the characters listed[!abcde]Any character not listed[a-e]Exactly one character in the range[!a-e]Any character not in the rangeIf a wildcard character is actually used a part of a real parameter name and you don't want it to be treated a wildcard character, use\and then the character to indicate that it should not be used as a wildcard character.Regular expressions should not be used as wildcards.
- Select theObfuscatecheck box or theSubstitute Valuecheck box.If you assign theSubstitute Valueattribute to a password parameter, the web browser’s auto-complete feature for passwords does not work on this parameter.
- ClickAdd.The parameter settings are saved.
- Repeat steps 9-12 for every parameter on which you want to remove JavaScript event listeners.
- ClickSave & Closein the URL/View Properties screen.The configuration settings for the URL/view are saved.
Configure advanced encryption on a URL or SPA view
Before configuring advanced encryption on a URL
or SPA view,
Application Layer
Encryption
must be enabled on the URL or view.Configure advanced encryption on a URL or SPA view
if you want to apply F5 DataSafe advanced encryption methods on your web page.
- At the top of the screen, clickConfiguration.
- On the left, click.The DataSafe Profiles list screen opens.
- In the list of profiles, click the relevant profile.The DataSafe Profile Properties screen opens.
- On the left, clickURLS.The URLs list screen opens.
- Select the URL or view on which you want to apply advanced encryption methods.The URL/View Properties screen appears.
- On the left, clickAPPLICATION LAYER ENCRYPTION.The Application Layer Encryption settings are displayed.
- Select theEnabledcheck box for theIdentify Stolen Credentialssetting.When this setting is enabled, the system examines whether the user is trying to use a password that was stolen from a parameter whereSubstitute Valueis enabled.
- Select theEnabledcheck box for theHide Password Revealer Iconsetting.When this setting is enabled, the system hides the password revealer icon on a web page, for browsers that use a password revealer icon (for example, Internet Explorer versions 10 and later).If you are usingJavaScript Function for Substitute ValuesorCustom Encryption Function, you must enableHide Password Revealer Icon. Otherwise, the user will see the actual substitute value if the user clicks the Password Revealer icon in the browser.
- Select theEnabledcheck box for theKeylogger Protectionsetting.When this setting is enabled, the system protects against in-browser key loggers.
- Select theEnabledcheck box for theReal-Time Encryptionsetting.Real-Time Encryption encrypts input field parameters as the user types them.
- TheReal-Time Encryptionsetting does not appear if you don't have at least one parameter with theEncryptattribute.
- Real-Time Encryption cannot be enabled if you are also using a custom encryption function on the URL or view.
- If you do not want to use the default F5 DataSafe JavaScript function for assigning substitute values for HTML password input fields and prefer to use your own JavaScript function, in theJavaScript Function for Substitute Valuesfield, type your JavaScript function.The JavaScript function you type here must return substitute values for all passwords input field parameters whereSubstitute Valueis enabled on the parameter. If you leave this field blank, the default F5 DataSafe JavaScript function is used.
- ClickSave & Closein the URL/View Properties screen.The configuration settings for the URL/view are saved.