Manual Chapter : Configuring F5 DataSafe Profiles

Applies To:

BIG-IQ Centralized Management

  • 8.3.0, 8.2.0, 8.1.0, 8.0.0, 7.1.0

Configuring F5 DataSafe Profiles

F5 DataSafe Overview

F5 DataSafe protects web sites from Trojan attacks by encrypting data at the application layer on the client-side. Encryption is performed on the client-side using a public key generated by the BIG-IP® system and provided uniquely per session. When the encrypted information is received by the BIG-IP system, it is decrypted using a private key that is kept on the server-side. Users can view alerts on potential encryption attacks in the Data Protection log in the BIG-IP system or in a remote Syslog Server if you choose to configure one for receiving alerts.
The F5 BIG-IQ® system improves the usability of DataSafe profiles by allowing configuration of a single DataSafe profile that can be used on multiple BIG-IP systems. In order to apply F5 DataSafe protection on your web site, you need to perform the following preliminary configurations in the BIG-IQ system:
  • Configure a virtual server for the DataSafe profile.
  • Create an initial DataSafe profile.
  • Associate that profile with the virtual server.
In most cases, the virtual server that you create for your profile will be an SSL virtual server.
F5 DataSafe profiles containing SPA views or wildcard parameters are not deployable on BIG-IP versions 13.x and lower. When performing Evaluate and Deploy for Fraud Protection, check the Critical Errors column to ensure that your DataSafe profile does not contain any features rendering it undeployable on your BIG-IP devices.

Create a web application server node

Local traffic pools use nodes as resources for load balancing. A node is an IP address that represents a server resource, which hosts applications.
If you plan to add your F5 DataSafe profile to an existing virtual server (that is, you are not going to create a new virtual server for your profile), you do not need to create a new web application node.
  1. At the top of the screen, click Configuration.
  2. On the left, click LOCAL TRAFFIC > Nodes.
    The Nodes list appears.
  3. Click the Create button.
    The New Node screen opens.
  4. In the Name field, type a descriptive label for the node.
    Names are case-sensitive.
  5. In the Device field, select the BIG-IP device of the node.
  6. In the Address field, type the IP address of the web application server.
  7. Click Save & Close.
    The Nodes list screen opens, showing the node you just created.

Create a web application pool

You can create a pool of servers that you can group together to receive and process traffic.
If you plan to add your F5 DataSafe profile to an existing virtual server (that is, you are not going to create a new virtual server for your profile), you do not need to create a new web application pool.
  1. At the top of the screen, click Configuration.
  2. On the left, click LOCAL TRAFFIC > Pools.
    The Pools list opens.
  3. Click Create.
    The New Pool screen opens.
  4. In the Name field, type a unique name for the web application pool.
  5. In the Device field, select the BIG-IP device of the pool.
  6. Click New Member.
    The New Pool Member screen opens.
  7. For Node Type, select Existing Node.
  8. From the Node list, select the IP address of the web application server.
  9. From the Port list, select HTTP or HTTPS.
  10. Click Save & Close in the New Pool Member screen.
  11. Click Save & Close in the New Pool screen.
The new pool appears in the Pools list.

Create a log publisher

You create a log publisher to specify where the BIG-IP system sends alert messages.
  1. At the top of the screen, click Configuration.
  2. On the left, click LOCAL TRAFFIC > Logs > Log Publishers.
    The Log Publishers list screen opens.
  3. Click Create.
  4. In the Name field, type a unique, identifiable name for this publisher.
  5. For Log Destinations, from the Available list, select local-syslog, and use the Move button (->) to move the destination to the Selected list.
  6. Click Save & Close.
    The Log Publishers list screen opens, showing the log publisher you just created.

Create a custom HTTP profile

You should perform this procedure only if SNAT or Auto Map is used for Source Address Translation in the virtual server.
You create an HTTP profile to define the way that you want the system to manage HTTP traffic.
  1. At the top of the screen, click Configuration.
  2. On the left, click LOCAL TRAFFIC > Profiles.
  3. Click Create.
    The New Profile screen opens.
  4. In the Name field, type a unique name for the profile.
  5. From the Type list, select Profile HTTP.
  6. For the Insert X-Forwarded-For setting, select Enabled.
  7. Click Save & Close.
The custom HTTP profile now appears in the HTTP profile list screen.

Create a virtual server

You create a virtual server to receive application requests from the clients. The virtual server manages the network resources for the web application that you are securing with a security policy.
  1. At the top of the screen, click Configuration.
  2. On the left, click LOCAL TRAFFIC > Virtual Servers.
  3. Click the Create button.
    The New Virtual Server screen opens.
  4. In the Name field, type a unique name for the virtual server.
  5. In the Device field, choose a BIG-IP device for the virtual server.
  6. In the Destination Address field, type an address, as appropriate for your network.
    The supported format is address/prefix, where the prefix length is in bits. For example, an IPv4 address/prefix is 10.0.0.1 or 10.0.0.0/24, and an IPv6 address/prefix is ffe1::0020/64 or 2001:ed8:77b5:2:10:10:100:42/64. When you use an IPv4 address without specifying a prefix, the BIG-IP® system automatically uses a /32 prefix.
  7. In the Service Port field, type 80, or select HTTP from the list.
  8. From the HTTP Profile list:
    1. If you previously created an HTTP profile, then select the profile you created.
    2. Otherwise, select http.
  9. From the Source Address Translation list, select the appropriate translation.
  10. From the Default Pool list, select the pool that is configured for the application server.
  11. Click Save & Close.

Configure general properties for an F5 DataSafe profile

Before configuring the profile's general properties, you must have created a web application server node, a web application pool, and a log publisher for the profile.
You configure general properties for an F5 DataSafe profile to ensure proper encryption of data on your web site.
  1. At the top of the screen, click Configuration.
  2. On the left, click SECURITY > Fraud Protection Services > DataSafe Profiles.
    The DataSafe Profiles list screen opens.
  3. Click Add.
    The Add DataSafe Profile screen opens, with the General Properties area showing.
  4. In the Name field, type a unique name for the profile.
  5. From the Parent Profile list, choose which parent profile you want to base your profile on.
    • All undefined properties in the profile you are creating will be inherited from the parent profile. Any future changes to those properties in the parent profile will be automatically inherited by the profile you are creating.
    • URL properties are not inherited.
  6. In the Log Publisher list, select the Log Publisher that you created.
  7. If your web application is case-sensitive to URLs and SPA views, do the following:
    1. Click Advanced in the General Settings section.
      The Advanced settings appear.
    2. For the URLs are case sensitive setting, select the Enabled check box.
      • You should enable this setting only if your web application is case-sensitive to URLs and SPA views.
      • This setting cannot be changed after initial creation of your profile and does not affect URL parameters in the profile.
  8. Click Save & Close.
    The system has created the F5 DataSafe profile.
After creating the profile, you should define the URLs that you want to include in your profile.

Define URLs in the profile

You should set the profile's general properties before defining URLs in the profile.
Define URLs in your profile to ensure proper protection of your web site.
  1. At the top of the screen, click Configuration.
  2. On the left, click SECURITY > Fraud Protection Services > DataSafe Profiles.
    The DataSafe Profiles list screen opens.
  3. From the list of profiles, select the profile on which you want to define a URL.
    The DataSafe profile properties screen opens.
  4. Click URLS and then the Add button.
    The Add URL screen opens.
  5. In the URL Path field, choose one of the following types for the URL path:
    • Explicit: Assign a specific URL path.
    • Wildcard: Assign a wildcard expression URL. Any URL that matches the wildcard expression is considered legal and will receive protection. For example, typing the wildcard expression /* specifies that any URL is allowed.
    All URLs must start with a slash (/), for both Explicit and Wildcard types.
    1. If you chose Explicit, type the URL path.
    2. If you chose Wildcard, type the wildcard expression URL and, if you want it to include a query string, select the Include Query String check box.
      The syntax for wildcard entities is based on shell-style wildcard characters. The following table lists the wildcard characters that you can use so that the entity name matches multiple objects.
      Wildcard character   Matches
      *                    All characters
      ?                    Any single character
      [abcde]              Exactly one of the characters listed
      [!abcde]             Any character not listed
      [a-e]                Exactly one character in the range
      [!a-e]               Any character not in the range
      If a wildcard character is actually used as part of a real URL and you don't want it to be treated as a wildcard character, use \ and then the character to indicate that it should not be used as a wildcard character.
      Regular expressions should not be used in Wildcard URLs.
  6. If you want the DataSafe Main JavaScript to run on the web page of the URL, select the Enabled check box for Inject Main JavaScript (selected by default).
    • When this setting is enabled, the DataSafe Main JavaScript also runs on all SPA views on this URL that are configured in the profile.
    • You should disable Inject Main JavaScript for web pages that do not require encryption protection and only receive data from a protected page.
  7. If you want to change the default location where the DataSafe Main JavaScript is injected in the URL's web page, at Location of Main JavaScript Injection:
    1. Select a position for the Main JavaScript (either before or after the tag you define).
    2. In the Tag field, type the tag for determining where the Main JavaScript is placed.
    The DataSafe Main JavaScript must be injected into the web page HTML before the CSS Element.
  8. If you want to change the default location of the Disabled JavaScript Detection Tag, at Location of Disabled JavaScript Detection Tag, do the following:
    1. Select a position for the Disabled JavaScript Detection Tag (either before or after the tag you define).
    2. In the Tag field, type the tag for determining where the Disabled JavaScript Detection Tag is placed.
    The Disabled JavaScript Detection Tag detects if JavaScript has been disabled in your web browser.
  9. Click Save & Close to save your initial URL settings.
After defining the URLs in your profile, you should set a URL or SPA view to be a login page.
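As an added illustration (not code from the F5 documentation), the following Python models the Wildcard URL syntax from the table above, including the backslash escape, the leading-slash rule, and the Include Query String option; the same syntax is used for wildcard parameter names in the login page procedure, so parameter_matches reuses the translator. Function names and the treatment of malformed bracket classes are my assumptions, and the real BIG-IP matcher may differ in such corner cases.

```python
import re

# Added example, not F5 code: a reference matcher for the shell-style wildcard
# syntax that DataSafe uses for Wildcard URLs and Wildcard parameter names.


def wildcard_to_regex(pattern: str) -> str:
    """Translate a DataSafe wildcard expression into a regular expression.

    * matches any run of characters, ? exactly one character,
    [abc] / [a-e] one listed character or one in the range,
    [!abc] / [!a-e] one character not listed / not in the range,
    and a backslash escapes the following wildcard character so that it
    is matched literally (e.g. \* matches a real asterisk in the URL).
    """
    out = []
    i, n = 0, len(pattern)
    while i < n:
        c = pattern[i]
        if c == "\\" and i + 1 < n:          # \* \? \[ : literal character
            out.append(re.escape(pattern[i + 1]))
            i += 2
        elif c == "*":
            out.append(".*")
            i += 1
        elif c == "?":
            out.append(".")
            i += 1
        elif c == "[":
            end = pattern.find("]", i + 1)
            body = pattern[i + 1:end] if end != -1 else ""
            negate = body.startswith("!")
            if negate:
                body = body[1:]
            if not body:                      # assumption: "[" with no usable class is literal
                out.append(re.escape(c))
                i += 1
                continue
            # Inside a regex character class only backslash and caret need
            # escaping here; the dash in [a-e] is kept so it stays a range.
            body = body.replace("\\", "\\\\").replace("^", "\\^")
            out.append("[" + ("^" if negate else "") + body + "]")
            i = end + 1
        else:
            out.append(re.escape(c))
            i += 1
    return "".join(out)


def validate_url_entry(pattern: str) -> None:
    """All URL entries, Explicit or Wildcard, must start with a slash."""
    if not pattern.startswith("/"):
        raise ValueError("URL entries must start with '/': %r" % pattern)


def url_matches(pattern: str, request_path: str,
                include_query_string: bool = False) -> bool:
    """Does a request path match a Wildcard (or Explicit) URL entry?

    Unless the entry was created with 'Include Query String', the query
    string is dropped before matching, so '/login.jsp' still matches
    '/login.jsp?next=home'. Matching is case-sensitive here; the profile's
    'URLs are case sensitive' setting controls that on the BIG-IP.
    """
    validate_url_entry(pattern)
    if not include_query_string:
        request_path = request_path.split("?", 1)[0]
    return re.fullmatch(wildcard_to_regex(pattern), request_path) is not None


def parameter_matches(pattern: str, name: str) -> bool:
    """The same syntax applied to a Wildcard parameter name (no slash rule)."""
    return re.fullmatch(wildcard_to_regex(pattern), name) is not None
```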

Set a URL or SPA view to be a login page

Set a URL or Single Page Application (SPA) view in your profile to be a login page if you want to encrypt data on a login page in your web site.
  1. At the top of the screen, click Configuration.
  2. On the left, click SECURITY > Fraud Protection Services > DataSafe Profiles.
    The DataSafe Profiles list screen opens.
  3. In the list of profiles, click the relevant profile.
    The DataSafe Profile Properties screen opens.
  4. On the left, click URLS.
    The URLs list screen opens.
  5. Click the URL or view that you want to set as the login page, or click Add (or Add View) if you want to create a new URL or view to be a login page.
    SPA views are supported only in BIG-IP versions 14.0 and higher.
  6. On the left, click PARAMETERS.
  7. Click the Add button.
    The Add Parameter popup screen opens.
  8. In the Type field, choose one of the following parameter types:
    • Explicit: Choose this if you want to assign a specific parameter name.
    • Wildcard: Choose this if you want to assign a wildcard expression for the parameter name. Any parameter name that matches the wildcard expression is considered legal and receives protection. For example, typing the wildcard expression * specifies that any parameter name is allowed.
    Wildcard parameters are supported in BIG-IP versions 14.0 and later. If you are using a BIG-IP version 13.x or earlier, use only explicit parameters.
  9. In the Name field, type a name for the parameter as follows:
    1. For an Explicit parameter type, type the exact name.
    2. For a Wildcard parameter type, type the wildcard expression.
      The syntax for wildcard entities is based on shell-style wildcard characters. This table lists the wildcard characters that you can use so that the entity name matches multiple objects.
      Wildcard character   Matches
      *                    All characters
      ?                    Any single character
      [abcde]              Exactly one of the characters listed
      [!abcde]             Any character not listed
      [a-e]                Exactly one character in the range
      [!a-e]               Any character not in the range
      If a wildcard character is actually used as part of a real parameter name and you don't want it to be treated as a wildcard character, use \ and then the character to indicate that it should not be used as a wildcard character.
      Regular expressions should not be used as wildcards.
  10. Select the Identify as Username check box.
    Only one parameter per URL can have the attribute Identify as Username.
  11. Click Add.
  12. Click LOGIN PAGE PROPERTIES.
    Configuring the Login Page properties is not required but recommended, because a login cannot be verified as successful unless at least one of the criteria in the Login Page Properties screen is configured.
  13. For the URL is Login Page setting, check the Enabled check box.
    The Login Page Properties appear.
    If URL is Login Page is enabled, you must configure at least one of the Login Page properties. If you configure more than one Login Page property, then all the criteria for all properties must be fulfilled for the BIG-IP system to consider the login successful.
  14. In the A string that should appear in the response body field, type a string that should appear in the successful response to the login URL.
  15. In the A string that should NOT appear in the response body field, type a string that should not appear in the successful response to the login URL.
  16. In the Expected HTTP response status code field, select Specify and type the HTTP response status code that the server must return to the user upon successful login, or select None.
    If you select None, the HTTP response code is not used to determine a successful login.
  17. In the Expected response header field, type a header name that the successful response to the login URL must match.
  18. In the Expected cookie name field, type a cookie name that the successful response to the login URL must include.
  19. Click Save & Close.
    The Login Page and Parameter settings are saved.
If the form action in the HTTP request from the login page does not refer to the login page URL, you need to also configure a post-login URL.
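As an added model (not F5's implementation), this Python shows how the Login Page properties from steps 13 to 18 combine when the BIG-IP decides whether a login succeeded: every configured criterion must hold, and with none configured the check cannot run at all. The class and field names and the two sample responses are constructed for the example.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

# Added example, not F5 code: a model of the Login Page Properties logic.


@dataclass
class LoginPageProperties:
    """One optional value per Login Page property; None means 'not configured'."""
    body_must_contain: Optional[str] = None      # A string that should appear in the response body
    body_must_not_contain: Optional[str] = None  # A string that should NOT appear in the response body
    expected_status: Optional[int] = None        # Expected HTTP response status code (None = not used)
    expected_header: Optional[str] = None        # Expected response header (a header name)
    expected_cookie: Optional[str] = None        # Expected cookie name


@dataclass
class HttpResponse:
    """Minimal response model; headers is a list so Set-Cookie may repeat."""
    status: int
    headers: List[Tuple[str, str]] = field(default_factory=list)
    body: str = ""

    def header_names(self) -> Set[str]:
        # Header names are case-insensitive, so compare in lower case.
        return {name.lower() for name, _ in self.headers}

    def cookie_names(self) -> Set[str]:
        # The cookie name is the text before the first '=' of each Set-Cookie value.
        return {value.split("=", 1)[0].strip()
                for name, value in self.headers if name.lower() == "set-cookie"}


def login_succeeded(props: LoginPageProperties, resp: HttpResponse) -> bool:
    """Apply every configured Login Page property to the response to the login URL.

    Returns True only when all configured criteria are met. Raises when no
    criterion is configured, mirroring the page's rule that a URL marked as
    a login page must have at least one Login Page property.
    """
    checks = []
    if props.body_must_contain is not None:
        checks.append(props.body_must_contain in resp.body)
    if props.body_must_not_contain is not None:
        checks.append(props.body_must_not_contain not in resp.body)
    if props.expected_status is not None:
        checks.append(resp.status == props.expected_status)
    if props.expected_header is not None:
        checks.append(props.expected_header.lower() in resp.header_names())
    if props.expected_cookie is not None:
        checks.append(props.expected_cookie in resp.cookie_names())
    if not checks:
        raise ValueError("URL is Login Page requires at least one Login Page property")
    return all(checks)


# Constructed sample responses, not captured from a real application.
SUCCESS = HttpResponse(
    status=302,
    headers=[("Location", "/account/home"),
             ("Set-Cookie", "SESSIONID=abc123; Path=/; HttpOnly")],
    body="",
)
FAILURE = HttpResponse(
    status=200,
    headers=[("Content-Type", "text/html")],
    body="<p>Invalid username or password</p>",
)
```

Configuring more than one property (status, cookie and a forbidden body string here) narrows what counts as success, which is the point of step 13's note that all criteria must be fulfilled.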

Configure a post-login URL

You need to configure a post-login URL only if the login page sends the login request to a URL that is different from the login URL. (For example, the login page URL is /login.jsp, but it sends the user name and password to /validate.jsp.)
Configure a post-login URL to ensure that the BIG-IP system can retrieve the user name and decrypt the password.
  1. At the top of the screen, click Configuration.
  2. On the left, click SECURITY > Fraud Protection Services > DataSafe Profiles.
    The DataSafe Profiles list screen opens.
  3. In the list of profiles, click the relevant profile.
    The DataSafe Profile Properties screen opens.
  4. On the left, click URLS.
    The URLs list appears.
  5. Select the check box next to the login URL.
  6. Click Actions > Clone.
    The Clone URL screen opens.
  7. In the URL Path field, type the URL that is referred to in the form action of the HTTP request.
  8. Optional: In the Description field, type a description for the URL.
  9. Ensure that Inject JavaScript is disabled.
  10. If the login URL contains SPA views and you want the post-login URL to inherit those views, select the Enabled check box by Clone Views.
  11. Select the Enabled check box by Clone Parameters.
  12. Click the Clone button in the Clone URL popup screen.
    • The new URL inherits the configuration settings of the source URL.
    • Once the new URL is created, there is no further dependency on the source URL, and any future changes made to the source URL are not inherited by the new URL.
The BIG-IQ® system creates the new URL and it appears in the URLs list.

Associate an F5 DataSafe profile with a virtual server

In order to complete the process of applying F5 DataSafe protection to your web site, you need to associate the F5 DataSafe profile that you created with the virtual server that you created.
  1. At the top of the screen, click Configuration.
  2. On the left, click SECURITY > Fraud Protection Services > Virtual Servers.
    The Virtual Servers list appears.
  3. Click the name of the virtual server on which you want to associate the F5 DataSafe profile.
    The virtual server properties screen opens.
  4. From the Attached Profile list, select the DataSafe profile that you want to associate with this virtual server.
  5. Click Save & Close.
    The Virtual Server list appears, and the DataSafe profile that you chose in the previous step is now listed as being associated with the virtual server.

General Configuration Options for F5 DataSafe Profiles and URLs

Configure advanced general settings on an F5 DataSafe profile

Configure advanced general settings on an F5 DataSafe profile if you want to change the default settings that the BIG-IQ system assigns to profiles.
  1. At the top of the screen, click Configuration.
  2. On the left, click SECURITY > Fraud Protection Services > DataSafe Profiles.
    The DataSafe Profiles list screen opens.
  3. In the list of profiles, click the relevant profile.
    The DataSafe Profile Properties screen opens.
  4. In the Alert Path field, use the automatically generated path, or define your own path.
    If you define your own path, ensure that the path is not used by any other field in any profile that is deployed on the same BIG-IP device as the current profile, and that it is not an already existing URL.
  5. In the Suggested Username Header field, use the default header or type a header that will be added to AJAX requests when the BIG-IP system detects an AJAX login attempt, which is common for Single Page Applications.
    With this header, the BIG-IP system can detect the username that was used for the login. The client sends this header only for URLs in the profile that have a parameter set as Identify as Username.
  6. For the JavaScript Directory field, use the automatically generated path, or define your own.
    This path specifies the location of the main F5 DataSafe JavaScript. This path does not include the actual file name of the JavaScript.
    • This path should be changed only if your application is already using a directory with the same path as the automatically assigned default path.
    • If you define your own path, ensure that the path is not used by any other field in any profile that is deployed on the same BIG-IP device as the current profile, and that it is not an already existing URL.
  7. For the JavaScript Configuration Directory field, use the automatically generated path, or define your own path that specifies the location of the F5 DataSafe JavaScript containing profile configuration settings.
    This path specifies the location of the configuration JavaScript. This path does not include the actual file name of the JavaScript.
    • This path should be changed only if your application is already using a directory with the same path as the automatically assigned default path.
    • If you define your own path, ensure that the path is not used by any other field in any profile that is deployed on the same BIG-IP device as the current profile, and that it is not an already existing URL.
  8. For the JavaScript Removal Location field, use the automatically generated path, or define your own path that specifies the location of the image file name that the system uses for detecting a JavaScript removal attack.
    • This path should be changed only if your application is already using a directory with the same path as the automatically assigned default path.
    • If you define your own path, ensure that the path is not used by any other field in any profile that is deployed on the same BIG-IP device as the current profile, and that it is not an already existing URL.
  9. If your profile includes one or more URLs that contain SPA views, for Referrer Info Header, use the default header value or assign your own header value that the BIG-IP system uses to identify SPA views.
  10. For JavaScript Grace Threshold, change the default value if you want to raise or lower the maximum amount of time (in seconds) permitted between when a protected web page is loaded and its injected JavaScript activates.
  11. Leave the Additional function to be run before JavaScript load field blank unless instructed otherwise by F5.
  12. For the Prevent duplicate alerts from Client Side setting, select the Enabled check box to prevent the client from sending an alert with information that is identical to an alert previously sent by the client during the past 24 hours.
  13. Click Save & Close.
    The BIG-IQ system saves the changes that you made to the advanced settings.
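Steps 4, 6, 7 and 8 repeat one rule: a custom Alert Path, JavaScript Directory, JavaScript Configuration Directory or JavaScript Removal Location must not be reused by any other field of any profile deployed on the same BIG-IP device, and must not collide with an existing URL. The following Python is an added pre-deployment check for that rule (not an F5 tool); the profile records, field names and path values are constructed, and BIG-IQ's Critical Errors column remains the authoritative check.

```python
from typing import Dict, List

# Added example, not F5 code: detect system-path collisions among the DataSafe
# profiles deployed on one BIG-IP device before running Evaluate and Deploy.

# The four per-profile system paths from the advanced general settings.
SYSTEM_PATH_FIELDS = (
    "alert_path",
    "javascript_directory",
    "javascript_configuration_directory",
    "javascript_removal_location",
)


def _norm(path: str) -> str:
    """Compare paths without a trailing slash ('/a/' and '/a' clash); keep '/' intact."""
    return path if path == "/" else path.rstrip("/")


def find_path_conflicts(profiles: List[Dict]) -> List[str]:
    """Return human-readable conflicts among profiles deployed on the same device.

    Each profile is a dict with 'name', the four SYSTEM_PATH_FIELDS, and
    'urls' (the Explicit URL paths defined in that profile). Two kinds of
    conflict are reported: a system path used by more than one field (in
    this or any other profile), and a system path that is also a URL.
    """
    owners: Dict[str, List[str]] = {}      # path -> fields that use it
    url_owners: Dict[str, List[str]] = {}  # path -> profiles that define it as a URL
    for p in profiles:
        for f in SYSTEM_PATH_FIELDS:
            owners.setdefault(_norm(p[f]), []).append(f"{p['name']}.{f}")
        for u in p.get("urls", []):
            url_owners.setdefault(_norm(u), []).append(p["name"])

    conflicts = []
    for path, fields in sorted(owners.items()):
        if len(fields) > 1:
            conflicts.append(f"{path} is used by more than one field: {', '.join(fields)}")
        if path in url_owners:
            conflicts.append(f"{path} is also an existing URL in profile(s): "
                             f"{', '.join(url_owners[path])}")
    return conflicts


# Constructed sample profiles: 'bank-staging' reuses the production Alert Path
# and defines a URL equal to production's JavaScript Removal Location.
PROFILES = [
    {"name": "bank-prod",
     "alert_path": "/f5-alerts",
     "javascript_directory": "/f5-js",
     "javascript_configuration_directory": "/f5-js-cfg",
     "javascript_removal_location": "/f5-img",
     "urls": ["/login.jsp", "/validate.jsp"]},
    {"name": "bank-staging",
     "alert_path": "/f5-alerts",
     "javascript_directory": "/f5-js-stg",
     "javascript_configuration_directory": "/f5-js-cfg-stg",
     "javascript_removal_location": "/static/img",
     "urls": ["/login.jsp", "/f5-img/"]},
]

if __name__ == "__main__":
    for line in find_path_conflicts(PROFILES):
        print("CONFLICT:", line)
```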

Enable an iRule to handle logins and alerts

Enabling iRules® to handle logins and alerts is only relevant if you have written an iRule to handle the ANTIFRAUD_ALERT event or the ANTIFRAUD_LOGIN event, and the iRule is associated with the same virtual server as your profile.
Enable an iRule to handle logins and alerts if you want to use an iRule to disable alerts or record login events.
  1. At the top of the screen, click Configuration.
  2. On the left, click SECURITY > Fraud Protection Services > DataSafe Profiles.
    The DataSafe Profiles list screen opens.
  3. In the list of profiles, click the relevant profile.
    The DataSafe Profile Properties screen opens.
  4. Scroll to the bottom of the screen, and for the Trigger iRule Events setting, select the Enabled check box.
  5. Click Save.
    iRules are now enabled to handle logins and alerts.

iRule events

iRules® can subscribe to the ANTIFRAUD_ALERT event and the ANTIFRAUD_LOGIN event in F5 DataSafe.
  iRule event        Description
  ANTIFRAUD_ALERT    Occurs when alerts are sent to the BIG-IP® system.
  ANTIFRAUD_LOGIN    Occurs when a user successfully logs in to the profile. If login validation is not configured, this event can occur when just the user name is identified.

iRule Examples

The following example shows how an iRule uses the ANTIFRAUD_ALERT event to log all available information about an alert that was sent by the BIG-IP system to the location /var/log/ltm.
    when ANTIFRAUD_ALERT {
        log local0. "=========Anti-Fraud Alert========="
        log local0. "Alert Identifier: [ANTIFRAUD::alert_id]"
        log local0. "Alert Type: [ANTIFRAUD::alert_type]"
        log local0. "Alert Component: [ANTIFRAUD::alert_component]"
        log local0. "Alert Details: [ANTIFRAUD::alert_details]"
        log local0. "Alert GUID: [ANTIFRAUD::alert_guid]"
        log local0. "Alert Device ID: [ANTIFRAUD::alert_device_id]"
        log local0. "Alert License ID: [ANTIFRAUD::alert_license_id]"
        log local0. "Alert Score: [ANTIFRAUD::alert_score]"
        log local0. "Alert Username: [ANTIFRAUD::alert_username]"
        log local0. "Alert HTTP Referrer: [ANTIFRAUD::alert_http_referrer]"
        log local0. "Alert Additional Info: [ANTIFRAUD::alert_additional_info]"
    }
The following example shows how an iRule uses the ANTIFRAUD_ALERT event to disable a specific alert according to its type.
    when ANTIFRAUD_ALERT {
        # Suppress only alerts of one type; alerts of every other type are left untouched.
        if { [ANTIFRAUD::alert_type] eq "components_validation" } {
            log local0. "Alert Type is components validation"
            ANTIFRAUD::disable_alert
            log local0. "Disabled Alert"
        }
    }
The following example shows how an iRule uses the ANTIFRAUD_LOGIN event with its commands. In Tcl a # comment runs to the end of the line, so each comment must stay on its own line.
    when ANTIFRAUD_LOGIN {
        log local0. "=========Anti-Fraud Login========="
        # read mode
        log local0. "Username: [ANTIFRAUD::username]"
        log local0. "GUID: [ANTIFRAUD::guid]"
        # write mode
        ANTIFRAUD::username "other_user"
    }

Values for iRule commands

The following values can be used in iRule commands:
  Value                    Description
  alert_id                 For example, d4.
  alert_type               The type of alert.
  alert_component          An error type that is determined according to the alert_type.
  alert_details            Additional information regarding the alert.
  alert_device_id          Persistent browser identifier.
  alert_license_id         crc32 of the license id in hex.
  alert_transaction_data   Key-value list of all parameters marked to be attached.
  alert_username           When this command is used without any additional arguments, this is the name of the user who triggered the alert. It is possible to use additional arguments to override the current user name (write mode), as shown in the ANTIFRAUD_LOGIN example above.
  alert_http_referrer      The URL of the site that was visited just before the Alert URL was visited.
  alert_additional_info    Shows additional information about the alert, such as the "parameter values too long" error message.
  disable_alert            Disables the current alert.
For more information about iRules, go to F5 Networks DevCentral (https://devcentral.f5.com/irules).

Configuring SPA views

Configuring SPA views on a URL is relevant only if your web site is a single-page application (SPA).
Configure SPA views to provide F5 DataSafe protection to the SPA views on a URL.
SPA views are supported only in BIG-IP versions 14.0 and later.
  1. At the top of the screen, click Configuration.
  2. On the left, click SECURITY > Fraud Protection Services > DataSafe Profiles.
    The DataSafe Profiles list screen opens.
  3. In the list of profiles, click the relevant profile.
    The DataSafe Profile Properties screen opens.
  4. On the left, click URLS.
    The URLs list screen opens.
  5. In the URL List, select the check box next to the URL where you want to add the view and then click Add View.
    The Add View screen opens.
  6. In the View Name field, type a name for the view.
  7. Leave the Additional function to be run before JavaScript load field blank unless instructed otherwise by F5.
  8. For Destination URLs, add URLs that you want to receive protected data from this view.
    Adding URLs here allows you to use the parameters that are configured on this view on the destination URL as well, without having to re-configure them on the destination URL. This setting is relevant only when sending data by Ajax and in a form format (not JSON format).
  9. Click Save & Close.
    The BIG-IQ system creates the view and the profile properties screen opens.

Enhancing data encryption on a URL with SPA views

This task is relevant only if your URL contains SPA views.
If your URL contains SPA views, F5 DataSafe provides some additional settings for enhancing data encryption.
  1. At the top of the screen, click Configuration.
  2. On the left, click SECURITY > Fraud Protection Services > DataSafe Profiles.
    The DataSafe Profiles list screen opens.
  3. In the list of profiles, click the relevant profile.
    The DataSafe Profile Properties screen opens.
  4. On the left, click URLS.
    The URLs list screen opens.
  5. In the URL List, click the relevant URL.
    The URL Properties screen opens.
  6. If this URL has SPA views that are not configured in the profile and you want the F5 DataSafe Main JavaScript to run on those views, for Fallback to Base URL, select the Enabled check box (selected by default).
  7. At Destination URLs, add URLs that should receive encrypted data from this URL.
    Adding URLs here allows you to use the parameters that are configured on this URL on the destination URL as well, without having to re-configure them on the destination URL.
    • This setting appears only for URLs that have SPA views configured in the profile.
    • This setting is relevant only when sending data by Ajax and in a form format (not JSON format).
  8. Click Save & Close.
    The URL configuration settings are saved.

Clone a profile

If you want to create a new profile with settings identical to an existing profile, you can clone the profile. Unlike parent-child profiles, the cloned profile is not dependent on the original one, and any changes made to the original profile after cloning are not inherited by the previously cloned profile.
A cloned profile inherits all properties from the original profile including all URL properties and SPA views, with the exception of system-generated random values. Once the cloned profile is created, there is no further dependency on the original profile and any changes made in the original profile are not received by the cloned profile, with the following exception:
  • In the General Properties screen of a cloned profile, some of the settings have an override check box. If this check box is not checked, then any changes made in the original profile will be copied to the cloned profile. If it is checked, then changes in the original profile are not copied to the cloned profile.
  1. At the top of the screen, click Configuration.
  2. On the left, click SECURITY > Fraud Protection Services > DataSafe Profiles.
    The DataSafe Profiles list screen opens.
  3. Select the check box next to the profile that you want to clone.
  4. Click the Clone button.
    The Clone Profile pop-up screen opens.
  5. In the Clone Profile pop-up screen, assign a new profile name.
  6. Click Clone.
    The new profile is created and appears in the list of profiles in the DataSafe Profiles screen.

Clone a URL or SPA view

You can clone a URL or SPA view if you want to create a new URL or view that inherits the settings on an existing URL or view.
  • When cloning a URL, the new URL inherits the configured settings of the source URL. You can choose whether to copy SPA views, parameters, and the DataSafe Main JavaScript injection to the new URL.
  • When cloning an SPA view, the new view inherits the configured settings of the source view. You can choose whether to copy parameters to the new view.
  • Once the new URL or view is created, there is no further dependency on the source URL or view and any future changes made to the source URL or view are not inherited by the new URL or view.
  1. At the top of the screen, click
    Configuration
    .
  2. On the left, click
    SECURITY
    Fraud Protection Services
    DataSafe Profiles
    .
    The DataSafe Profiles list screen opens.
  3. From the list of profiles, select the profile with the URL or view that you want to clone.
    The DataSafe profile properties screen opens.
  4. On the left, click
    URLS
    .
    The URLs list screen opens.
  5. Select the check box next to the URL or view that you want to clone.
  6. Click
    Actions
    Clone
    .
    The Clone URL (or Clone View) screen appears.
  7. In the pop-up screen, assign a URL path or view name and (optionally) a description.
  8. If you are cloning a URL and you want to encrypt data on the web page of the new URL, enable the
    Inject JavaScript
    setting.
  9. Click the
    Clone
    button in the pop-up screen.
The BIG-IQ® system creates the new URL or view and it appears in the URLs list.

Encrypting Data on the Application Level

Overview: Encrypting data on the application level

Application Layer Encryption protects against credential theft from man-in-the-middle (MITM) and MITM browser attacks, verifies whether a user is trying to use a fabricated password, validates the client-side password, and encrypts credentials in real-time upon submission. F5 DataSafe allows you to configure data encryption on the application level, so that sensitive data entered by a user on the client-side is protected against attempted fraud attacks that occur in the web application.

Encrypt data as it leaves the web browser

Encrypt data as it leaves the web browser if you want to protect data that was entered by the user as it leaves the web browser.
  1. At the top of the screen, click
    Configuration
    .
  2. On the left, click
    SECURITY
    Fraud Protection Services
    DataSafe Profiles
    .
    The DataSafe Profiles list screen opens.
  3. In the list of profiles, click the relevant profile.
    The DataSafe Profile Properties screen opens.
  4. On the left, click
    URLS
    .
    The URLs list screen opens.
  5. Select the URL or SPA view on which you want to encrypt data.
    The URL properties (or View Properties) screen opens.
  6. On the left, click
    APPLICATION LAYER ENCRYPTION
    .
    The Application Layer Encryption settings are displayed.
  7. Ensure that the
    Enabled
    check box for
    Application Layer Encryption
    is selected.
  8. If you want to use a custom encryption algorithm on parameters (instead of the BIG-IP® default encryption function), in the
    Custom Encryption Function
    field, type your custom encryption function.
    The custom encryption function encrypts all parameters where
    Encrypt
    is disabled and
    Substitute Value
    is enabled on the parameter.
    If you use a custom encryption function, you cannot enable
    Real-Time Encryption
    on this URL or view. Real-Time Encryption encrypts passwords as the user types them.
  9. On the left, click
    PARAMETERS
    .
  10. Click the
    Add
    button.
    The Add Parameter popup screen opens.
  11. In the
    Type
    field, choose one of the following parameter types:
    • Explicit
      : Choose this if you want to assign a specific parameter name.
    • Wildcard
      : Choose this if you want to assign a wildcard expression for the parameter name. Any parameter name that matches the wildcard expression is considered legal and receives protection. For example, typing the wildcard expression
      *
      specifies that any parameter name is allowed.
    Wildcard parameters are supported in BIG-IP versions 14.0 and later. If you are using a BIG-IP version 13.x or earlier, use only explicit parameters.
  12. In the
    Name
    field, type a name for the parameter as follows:
    1. For an
      Explicit
      parameter type, type the exact name.
    2. For a
      Wildcard
      parameter type, type the wildcard expression.
      The syntax for wildcard entities is based on shell-style wildcard characters. This table lists the wildcard characters that you can use so that the entity name matches multiple objects.
      Wildcard character   Matches
      *                    All characters
      ?                    Any single character
      [abcde]              Exactly one of the characters listed
      [!abcde]             Any character not listed
      [a-e]                Exactly one character in the range
      [!a-e]               Any character not in the range
      If a wildcard character is actually used as part of a real parameter name and you don't want it to be treated as a wildcard character, type
      \
      followed by the character to indicate that it should not be treated as a wildcard character.
      Regular expressions should not be used as wildcards.
  13. Select the
    Encrypt
    check box.
  14. If the parameter is for a password field and you want to use substitute values when the user inputs the password, select the
    Substitute Value
    check box.
    • This attribute should be applied only on parameters with the input type
      password
      .
    • If you assign
      Substitute Value
      to a password parameter, the web browser’s auto-complete feature for passwords does not work on this parameter.
    If you want a custom encryption function to be applied to this parameter, do not select the check boxes for both
    Encrypt
    and
    Substitute Value
    on the parameter. If you do this, the custom encryption function will not be applied to this parameter.
  15. Click
    Add
    .
    The parameter settings are saved.
  16. Repeat steps 10-14 for every parameter you want the system to encrypt.
  17. Click
    Save & Close
    .
    The URL (or view) configuration settings are saved.
If the form action in the HTTP request from the web page you created above does not refer to the URL of the web page, you need to also configure a URL for decrypted data.

Configure a URL for decrypting data

You need to configure a separate URL for decrypting data only if the form action in the HTTP request from the client does not refer to the URL from which the request is being sent.
Configure a URL for decrypting data to ensure that your server can read and verify encrypted data that was sent from the client.
  1. At the top of the screen, click
    Configuration
    .
  2. On the left, click
    SECURITY
    Fraud Protection Services
    DataSafe Profiles
    .
    The DataSafe Profiles list screen opens.
  3. In the list of profiles, click the relevant profile.
    The DataSafe Profile Properties screen opens.
  4. On the left, click
    URLS
    .
    The URLs list screen opens.
  5. Select the check box next to the URL where the client sends encrypted data.
  6. Click
    Actions
    Clone
    .
    The Clone URL screen opens.
  7. In the
    URL Path
    field, type the URL that is referred to in the form action of the HTTP request.
  8. Optional: In the
    Description
    field, type a description for the URL.
  9. Ensure that the
    Inject JavaScript
    setting is disabled.
  10. Click the
    Clone
    button in the Clone URL popup screen.
    • The new URL inherits the configuration settings of the source URL.
    • Once the new URL is created, there is no further dependency on the source URL and any future changes made to the source URL are not inherited by the new URL.

Apply AJAX encryption on a URL or SPA view

Apply AJAX encryption on your web page if the web page sends data using AJAX and you want that data to be encrypted.
  1. At the top of the screen, click
    Configuration
    .
  2. On the left, click
    SECURITY
    Fraud Protection Services
    DataSafe Profiles
    .
    The DataSafe Profiles list screen opens.
  3. In the list of profiles, click the relevant profile.
    The DataSafe Profile Properties screen opens.
  4. On the left, click
    URLS
    .
    The URLs list screen opens.
  5. Select the URL or view on which you want to apply AJAX encryption.
    The URL Properties (or View Properties) screen appears.
  6. On the left, click
    APPLICATION LAYER ENCRYPTION
    .
    The Application Layer Encryption settings are displayed.
  7. Select the
    Enabled
    check box for
    Full AJAX Encryption
    .
  8. If your web page uses JSON format for submitting data, do the following for every parameter that you want to have AJAX encryption:
    1. Click the
      PARAMETERS
      tab.
    2. Click the
      Add
      button.
      The Add Parameter popup screen opens.
    3. In the
      Type
      field, choose one of the following parameter types:
      • Explicit
        : Choose this if you want to assign a specific parameter name.
      • Wildcard
        : Choose this if you want to assign a wildcard expression for the parameter name. Any parameter name that matches the wildcard expression is considered legal and receives protection. For example, typing the wildcard expression
        *
        specifies that any parameter name is allowed.
    4. In the
      Name
      field, type a name for the parameter as follows:
      • For an
        Explicit
        parameter type, type the exact name.
      • For a
        Wildcard
        parameter type, type the wildcard expression.
        The syntax for wildcard entities is based on shell-style wildcard characters. The following table lists the wildcard characters that you can use so that the entity name matches multiple objects.
        Wildcard character   Matches
        *                    All characters
        ?                    Any single character
        [abcde]              Exactly one of the characters listed
        [!abcde]             Any character not listed
        [a-e]                Exactly one character in the range
        [!a-e]               Any character not in the range
        If a wildcard character is actually used as part of a real parameter name and you don't want it to be treated as a wildcard character, type
        \
        followed by the character to indicate that it should not be treated as a wildcard character.
        Regular expressions should not be used as wildcards.
    5. Select both the
      Encrypt
      check box and the
      Substitute Value
      check box.
    6. In the
      AJAX Mapping
      field, type a mapping key for the parameter that is sent from the client to the server.
      For example, if you have a single page application form with an input field
      name
      or
      ID
      called
      A
      and you want to send it in the
      B
      key in the JSON file, type
      B
      in this text box.
      If the input field
      name
      or
      ID
      in the HTML of your web page has the same
      name
      or
      ID
      as the key of the JSON file, you do not need to type a mapping key in this text box.
    7. Click
      Add
      .
      The parameter settings are saved and the URL Properties (or View Properties) screen appears.
  9. Click
    Save & Close
    in the URL/View properties screen.
    The configuration settings for the URL/View are saved.

Configure HTML field obfuscation

Before you can configure HTML field obfuscation,
Application Layer Encryption
must be enabled on the URL or SPA view.
Configure HTML field obfuscation if you want the BIG-IP® system to encrypt the
name
attribute of all defined HTML
<input>
fields, and then decrypt them back to the original
name
on the BIG-IP system.
  1. At the top of the screen, click
    Configuration
    .
  2. On the left, click
    SECURITY
    Fraud Protection Services
    DataSafe Profiles
    .
    The DataSafe Profiles list screen opens.
  3. In the list of profiles, click the relevant profile.
    The DataSafe Profile Properties screen opens.
  4. On the left, click
    URLS
    .
    The URLs list screen opens.
  5. Select the URL on which you want to configure HTML field obfuscation.
    The URL properties screen opens.
  6. On the left, click
    APPLICATION LAYER ENCRYPTION
    .
    The Application Layer Encryption settings are displayed.
  7. Select the
    Enabled
    check box for the
    HTML Field Obfuscation
    setting.
    The
    Add Decoy Inputs
    and
    Remove Element IDs
    fields are displayed.
  8. Select the
    Enabled
    check box for the
    Add Decoy Inputs
    setting if you want the system to randomly, and continuously, generate and remove decoy
    <input>
    fields that are added to the web page.
    Enabling
    Add Decoy Inputs
    makes it harder for an attacker to identify sensitive information with either JavaScript or a proxy.
  9. Select the
    Enabled
    check box for the
    Remove Element IDs
    setting if you want the system to remove the ID attribute from URL parameters that have the
    Obfuscate
    property.
  10. On the left, click
    PARAMETERS
    .
  11. Click the
    Add
    button.
    The Add Parameter popup screen opens.
  12. In the
    Type
    field, choose one of the following parameter types:
    • Explicit
      : Choose this if you want to assign a specific parameter name.
    • Wildcard
      : Choose this if you want to assign a wildcard expression for the parameter name. Any parameter name that matches the wildcard expression is considered legal and receives protection. For example, typing the wildcard expression
      *
      specifies that any parameter name is allowed.
    Wildcard parameters are supported in BIG-IP versions 14.0 and later. If you are using a BIG-IP version 13.x or earlier, use only explicit parameters.
  13. In the
    Name
    field, type a name for the parameter as follows:
    1. For an
      Explicit
      parameter type, type the exact name.
    2. For a
      Wildcard
      parameter type, type the wildcard expression.
      The syntax for wildcard entities is based on shell-style wildcard characters. This table lists the wildcard characters that you can use so that the entity name matches multiple objects.
      Wildcard character   Matches
      *                    All characters
      ?                    Any single character
      [abcde]              Exactly one of the characters listed
      [!abcde]             Any character not listed
      [a-e]                Exactly one character in the range
      [!a-e]               Any character not in the range
      If a wildcard character is actually used as part of a real parameter name and you don't want it to be treated as a wildcard character, type
      \
      followed by the character to indicate that it should not be treated as a wildcard character.
      Regular expressions should not be used as wildcards.
  14. Select the
    Obfuscate
    check box.
  15. Click
    Add
    .
    The parameter settings are saved.
  16. Repeat steps 11-14 for every parameter you want the system to obfuscate.
  17. Click
    Save & Close
    in the URL/View Properties screen.
    The configuration settings for the URL or view are saved.

Remove JavaScript event listeners from parameters

Before you can remove JavaScript event listeners from parameters, Application Layer Encryption must be enabled on the URL or SPA view.
You can remove JavaScript event listeners from parameters to protect sensitive data in parameters from being obtained by potential attackers.
Some web applications add non-malicious event listeners that improve functionality. If you choose to activate removal of event listeners on parameters, this will remove all event listeners, including non-malicious ones added by the web application. Take this into account before deciding to activate removal of event listeners.
  1. At the top of the screen, click
    Configuration
    .
  2. On the left, click
    SECURITY
    Fraud Protection Services
    DataSafe Profiles
    .
    The DataSafe Profiles list screen opens.
  3. In the list of profiles, click the relevant profile.
    The DataSafe Profile Properties screen opens.
  4. On the left, click
    URLS
    .
    The URLs list screen opens.
  5. Select the URL or view on which you want to remove JavaScript event listeners.
    The URL Properties (or View Properties) screen opens.
  6. On the left, click
    APPLICATION LAYER ENCRYPTION
    .
    The Application Layer Encryption settings are displayed.
  7. Select the
    Enabled
    check box for the
    Remove Event Listeners
    setting.
  8. On the left, click
    PARAMETERS
    .
  9. Click the
    Add
    button.
    The Add Parameter popup screen opens.
  10. In the
    Type
    field, choose one of the following parameter types:
    • Explicit
      : Choose this if you want to assign a specific parameter name.
    • Wildcard
      : Choose this if you want to assign a wildcard expression for the parameter name. Any parameter name that matches the wildcard expression is considered legal and receives protection. For example, typing the wildcard expression
      *
      specifies that any parameter name is allowed.
    Wildcard parameters are supported in BIG-IP versions 14.0 and later. If you are using a BIG-IP version 13.x or earlier, use only explicit parameters.
  11. In the
    Name
    field, type a name for the parameter as follows:
    1. For an
      Explicit
      parameter type, type the exact name.
    2. For a
      Wildcard
      parameter type, type the wildcard expression.
      The syntax for wildcard entities is based on shell-style wildcard characters. This table lists the wildcard characters that you can use so that the entity name matches multiple objects.
      Wildcard character   Matches
      *                    All characters
      ?                    Any single character
      [abcde]              Exactly one of the characters listed
      [!abcde]             Any character not listed
      [a-e]                Exactly one character in the range
      [!a-e]               Any character not in the range
      If a wildcard character is actually used as part of a real parameter name and you don't want it to be treated as a wildcard character, type
      \
      followed by the character to indicate that it should not be treated as a wildcard character.
      Regular expressions should not be used as wildcards.
  12. Select the
    Obfuscate
    check box or the
    Substitute Value
    check box.
    If you assign the
    Substitute Value
    attribute to a password parameter, the web browser’s auto-complete feature for passwords does not work on this parameter.
  13. Click
    Add
    .
    The parameter settings are saved.
  14. Repeat steps 9-12 for every parameter on which you want to remove JavaScript event listeners.
  15. Click
    Save & Close
    in the URL/View Properties screen.
    The configuration settings for the URL/view are saved.
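The wildcard table appears in four procedures on this page (encrypting data as it leaves the browser, AJAX encryption, HTML field obfuscation, and removing event listeners). The following is an added example, not BIG-IP code, that implements that shell-style syntax so you can check which of a form's parameter names a wildcard entity would cover before deploying it, and in particular spot an over-broad pattern such as a bare asterisk. It assumes that a wildcard matches the whole parameter name, that matching is case-sensitive, that [!...] negates a character class, and that a backslash makes the following character literal; the sample parameter names are constructed.

```javascript
// Added example (not BIG-IP code): a matcher for the shell-style wildcard syntax
// used for wildcard parameter names. Assumptions: whole-name, case-sensitive
// matching; [!...] negates a class; backslash escapes the next character.
function wildcardToRegExp(pattern) {
  let re = '';
  let i = 0;
  while (i < pattern.length) {
    const c = pattern[i];
    if (c === '\\' && i + 1 < pattern.length) {
      // Escaped character: match it literally.
      re += escapeRegExp(pattern[i + 1]);
      i += 2;
    } else if (c === '*') {
      re += '.*';
      i += 1;
    } else if (c === '?') {
      re += '.';
      i += 1;
    } else if (c === '[') {
      let j = i + 1;
      if (pattern[j] === '!') j += 1; // negation marker
      if (pattern[j] === ']') j += 1; // a ']' first in the class is literal
      const close = pattern.indexOf(']', j);
      if (close === -1) {
        re += '\\['; // unterminated class: treat '[' literally
        i += 1;
      } else {
        let body = pattern.slice(i + 1, close);
        let negate = false;
        if (body.startsWith('!')) {
          negate = true;
          body = body.slice(1);
        }
        // Inside a class only '\', ']' and '^' need escaping; '-' keeps its range meaning.
        body = body.replace(/[\\\]^]/g, '\\$&');
        re += (negate ? '[^' : '[') + body + ']';
        i = close + 1;
      }
    } else {
      re += escapeRegExp(c);
      i += 1;
    }
  }
  return new RegExp('^' + re + '$');
}

function escapeRegExp(s) {
  return s.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
}

function matchesWildcard(pattern, name) {
  return wildcardToRegExp(pattern).test(name);
}

// Report which of a form's parameter names a wildcard entity covers.
function coveredParameters(pattern, names) {
  return names.filter((n) => matchesWildcard(pattern, n));
}

// Constructed parameter names from a sample login form.
const SAMPLE_NAMES = ['password', 'password2', 'passwd', 'user_name', 'otp[0]', 'otp[1]', 'csrf'];
```

Reviewing coveredParameters('*', SAMPLE_NAMES) against coveredParameters('pass*', SAMPLE_NAMES) shows the difference between protecting every field and protecting only the password fields; the escaped form 'otp\[[0-9]\]' shows how a real bracket in a parameter name is written.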

Configure advanced encryption on a URL or SPA view

Before configuring advanced encryption on a URL or SPA view,
Application Layer Encryption
must be enabled on the URL or view.
Configure advanced encryption on a URL or SPA view if you want to apply F5 DataSafe advanced encryption methods on your web page.
  1. At the top of the screen, click
    Configuration
    .
  2. On the left, click
    SECURITY
    Fraud Protection Services
    DataSafe Profiles
    .
    The DataSafe Profiles list screen opens.
  3. In the list of profiles, click the relevant profile.
    The DataSafe Profile Properties screen opens.
  4. On the left, click
    URLS
    .
    The URLs list screen opens.
  5. Select the URL or view on which you want to apply advanced encryption methods.
    The URL/View Properties screen appears.
  6. On the left, click
    APPLICATION LAYER ENCRYPTION
    .
    The Application Layer Encryption settings are displayed.
  7. Select the
    Enabled
    check box for the
    Identify Stolen Credentials
    setting.
    When this setting is enabled, the system examines whether the user is trying to use a password that was stolen from a parameter where
    Substitute Value
    is enabled.
  8. Select the
    Enabled
    check box for the
    Hide Password Revealer Icon
    setting.
    When this setting is enabled, the system hides the password revealer icon on a web page, for browsers that use a password revealer icon (for example, Internet Explorer versions 10 and later).
    If you are using
    JavaScript Function for Substitute Values
    or
    Custom Encryption Function
    , you must enable
    Hide Password Revealer Icon
    . Otherwise, the user will see the actual substitute value if the user clicks the Password Revealer icon in the browser.
  9. Select the
    Enabled
    check box for the
    Keylogger Protection
    setting.
    When this setting is enabled, the system protects against in-browser key loggers.
  10. Select the
    Enabled
    check box for the
    Real-Time Encryption
    setting.
    Real-Time Encryption encrypts input field parameters as the user types them.
    • The
      Real-Time Encryption
      setting does not appear if you don't have at least one parameter with the
      Encrypt
      attribute.
    • Real-Time Encryption cannot be enabled if you are also using a custom encryption function on the URL or view.
  11. If you do not want to use the default F5 DataSafe JavaScript function for assigning substitute values for HTML password input fields and prefer to use your own JavaScript function, in the
    JavaScript Function for Substitute Values
    field, type your JavaScript function.
    The JavaScript function you type here must return substitute values for all password input field parameters where
    Substitute Value
    is enabled on the parameter. If you leave this field blank, the default F5 DataSafe JavaScript function is used.
  12. Click
    Save & Close
    in the URL/View Properties screen.
    The configuration settings for the URL/view are saved.