Manual Chapter : Configuring F5 DataSafe Profiles

Applies To:

Show Versions Show Versions

BIG-IQ Centralized Management

  • 7.1.0, 7.0.0, 6.1.0
Manual Chapter

Configuring F5 DataSafe Profiles

F5 DataSafe Overview

F5® DataSafe™ protects web sites from Trojan attacks by encrypting data at the application layer on the client-side. Encryption is performed on the client-side using a public key generated by the BIG-IP® system and provided uniquely per session. When the encrypted information is received by the BIG-IP system, it is decrypted using a private key that is kept on the server-side. Users can view alerts on potential encryption attacks in the Data Protection log in the BIG-IP system or in a remote Syslog Server if you choose to configure one for receiving alerts.

The F5 BIG-IQ® system improves the usability of DataSafe profiles by allowing configuration of a single DataSafe profile that can be used on multiple BIG-IP systems. In order to apply F5 DataSafe protection on your web site, you need to perform the following preliminary configurations in the BIG-IQ system:
  • Configure a virtual server for the DataSafe profile.
  • Create an initial DataSafe profile.
  • Associate that profile with the virtual server.
Note: In most cases, the virtual server that you create for your profile will be an SSL virtual server.
Important: F5 DataSafe profiles containing SPA views or wildcard parameters are not deployable on BIG-IP versions 13.x and lower. When performing Evaluate and Deploy for Fraud Protection, check the Critical Errors column to ensure that your DataSafe profile does not contain any features rendering it undeployable on your BIG-IP devices.

Create a web application server node

Local traffic pools use nodes as resources for load balancing. A node is an IP address that represents a server resource, which hosts applications.
Note: If you plan to add your F5 DataSafe profile to an existing virtual server (that is, you are not going to create a new virtual server for your profile), you do not need to create a new web application node.
  1. At the top of the screen, click Configuration.
  2. On the left, click LOCAL TRAFFIC > Nodes .
    The Nodes list appears.
  3. Click the Create button.
    The New Node screen opens.
  4. In the Name field, type a descriptive label for the node.
    Names are case-sensitive.
  5. In the Device field, select the BIG-IP device of the node.
  6. In the Address field, type the IP address of the web application server.
  7. Click Save & Close.
    The Nodes list screen opens, showing the node you just created.

Create a web application pool

You can create a pool of servers that you can group together to receive and process traffic.
Note: If you plan to add your F5 DataSafe profile to an existing virtual server (that is, you are not going to create a new virtual server for your profile), you do not need to create a new web application pool.
  1. At the top of the screen, click Configuration.
  2. On the left, click LOCAL TRAFFIC > Pools .
    The Pools list opens.
  3. Click Create.
    The New Pool screen opens.
  4. In the Name field, type a unique name for the web application pool.
  5. In the Device field, select the BIG-IP device of the pool.
  6. Click New Member.
    The New Pool Member screen opens.
  7. For Node Type, select Existing Node.
  8. From the Node list, select the IP address of the web application server.
  9. From the Port list, select HTTP or HTTPS .
  10. Click Save & Close in the New Pool Member screen.
  11. Click Save & Close in the New Pool screen.
The new pool appears in the Pools list.

Create a log publisher

You create a log publisher to specify where the BIG-IP system sends alert messages.

  1. At the top of the screen, click Configuration.
  2. On the left, click LOCAL TRAFFIC > Logs > Log Publishers .
    The Log Publishers list screen opens.
  3. Click Create.
  4. In the Name field, type a unique, identifiable name for this publisher.
  5. At Log Destinations, from the Available list select local-syslog, and use the Move button -> to move the destination to the Selected list.
  6. Click Save & Close.
    The Log Publishers list screen opens, showing the log publisher you just created.

Create a custom HTTP profile

You should perform this procedure only if SNAT or Auto Map is used for Source Address Translation in the virtual server.
You create an HTTP profile to define the way that you want the system to manage HTTP traffic.
  1. At the top of the screen, click Configuration.
  2. On the left, click LOCAL TRAFFIC > Profiles .
  3. Click Create.
    The New Profile screen opens.
  4. In the Name field, type a unique name for the profile.
  5. From the Type list, select Profile HTTP.
  6. For the Insert X-Forwarded-For setting, select Enabled.
  7. Click Save & Close.
The custom HTTP profile now appears in the HTTP profile list screen.

Create a virtual server

You create a virtual server to receive application requests from the clients. The virtual server manages the network resources for the web application that you are securing with a security policy.
  1. At the top of the screen, click Configuration.
  2. On the left, click LOCAL TRAFFIC > Virtual Servers .
  3. Click the Create button.
    The New Virtual Server screen opens.
  4. In the Name field, type a unique name for the virtual server.
  5. In the Device field, choose a BIG-IP device for the virtual server.
  6. In the Destination Address field, type an address, as appropriate for your network.
    The supported format is address/prefix, where the prefix length is in bits. For example, an IPv4 address/prefix is 10.0.0.1 or 10.0.0.0/24, and an IPv6 address/prefix is ffe1::0020/64 or 2001:ed8:77b5:2:10:10:100:42/64. When you use an IPv4 address without specifying a prefix, the BIG-IP® system automatically uses a /32 prefix.
  7. In the Service Port field, type 80, or select HTTP from the list.
  8. From the HTTP Profile list:
    1. If you previously created an HTTP profile, then select the profile you created.
    2. Otherwise, select http.
  9. From the Source Address Translation list, select the appropriate translation.
  10. From the Default Pool list, select the pool that is configured for the application server.
  11. Click Save & Close.

Configure general properties for an F5 DataSafe profile

Before configuring the profile's general properties, you must have created a web application server node, a web application pool, and a log publisher for the profile.
You configure general properties for a F5 DataSafe profile to ensure proper encryption of data on your web site.
  1. At the top of the screen, click Configuration.
  2. On the left, click SECURITY > Fraud Protection Services > DataSafe Profiles .
    The DataSafe Profiles list screen opens.
  3. Click Add.
    The Add DataSafe Profile screen opens, with the General Properties area showing.
  4. In the Name field, type a unique name for the profile.
  5. From the Parent Profile list, choose which parent profile you want to base your profile on.
    Note:
    • All undefined properties in the profile you are creating will be inherited from the parent profile. Any future changes to those properties in the parent profile will be automatically inherited by the profile you are creating.
    • URL properties are not inherited.
  6. In the Log Publisher list, select the Log Publisher that you created.
  7. If your web application is case-sensitive to URLs and SPA views, do the following:
    1. Click Advanced in the General Settings section.
      The Advanced settings appear.
    2. For the URLs are case sensitive setting, select the Enabled check box.
      Note:
      • You should enable this setting only if your web application is case-sensitive to URLs and SPA views.
      • This setting cannot be changed after initial creation of your profile and does not affect URL parameters in the profile.
  8. Click Save & Close.
    The system has created the F5 DataSafe profile.
After creating your the profile, you should define the URLs that you want to include in your profile.

Define URLs in the profile

You should set the profile's general properties before defining URLs in the profile.
Define URLs in your profile to ensure proper protection of your web site.
  1. At the top of the screen, click Configuration.
  2. On the left, click SECURITY > Fraud Protection Services > DataSafe Profiles .
    The DataSafe Profiles list screen opens.
  3. From the list of profiles, select the profile on which you want to define a URL.
    The DataSafe profile properties screen opens.
  4. Click URLS and then the Add button.
    The Add URL screen opens.
  5. In the URL Path field, choose one of the following types for the URL path:
    • Explicit: Assign a specific URL path.
    • Wildcard: Assign a wildcard expression URL. Any URL that matches the wildcard expression is considered legal and will receive protection. For example, typing the wildcard expression /* specifies that any URL is allowed.
    Note: All URLs must start with a slash (/), for both Explicit and Wildcard types.
    1. If you chose Explicit, type the URL path.
    2. If you chose Wildcard, type the wildcard expression URL and if you want it to include a query string, select the Include Query String check box.
      The syntax for wildcard entities is based on shell-style wildcard characters. This following table lists the wildcard characters that you can use so that the entity name matches multiple objects.
      Wildcard character Matches
      * All characters
      ? Any single character
      [abcde] Exactly one of the characters listed
      [!abcde] Any character not listed
      [a-e] Exactly one character in the range
      [!a-e] Any character not in the range

      If a wildcard character is actually used as part of a real URL and you don't want it to be treated as a wildcard character, use \ and then the character to indicate that it should not be used as a wildcard character.

      Note: Regular expressions should not be used in Wildcard URLs.
  6. If you want the DataSafe Main JavaScript to run on the web page of the URL, select the Enabled check box for Inject Main JavaScript (selected by default).
    Note:
    • When this setting is enabled, the DataSafe Main JavaScript also runs on all SPA views on this URL that are configured in the profile.
    • You should disable Inject Main JavaScript for web pages that do not require encryption protection and only receive data from a protected page.
  7. If you want to change the default location where the DataSafe Main JavaScript is injected in the URL's web page, at Location of Main JavaScript Injection:
    1. Select a position for the Main JavaScript (either before or after the tag you define).
    2. In the Tag field, type the tag for determining where the Main JavaScript is placed.
    Note: The DataSafe Main JavaScript must be injected into the web page HTML before the CSS Element.
  8. If you want to change the default location of the Disabled JavaScript Detection Tag, at Location of Disabled JavaScript Detection Tag do the following:
    1. Select a position for the Disabled JavaScript Detection Tag (either before or after the tag you define)
    2. In the Tag field, type the tag for determining where the Disabled JavaScript Detection Tag is placed
    The Disabled JavaScript Detection Tag detects if JavaScript has been disabled in your web browser.
  9. Click Save & Close to save your initial URL settings.
After defining the URLs in your profile, you should set a URL or SPA view to be a login page.

Set a URL or SPA view to be a login page

Set a URL or Single Page Application (SPA) view in your profile to be a login page if you want to encrypt data on a login page in your web site.
  1. At the top of the screen, click Configuration.
  2. On the left, click SECURITY > Fraud Protection Services > DataSafe Profiles .
    The DataSafe Profiles list screen opens.
  3. In the list of profiles, click the relevant profile.
    The DataSafe Profile Properties screen opens.
  4. On the left, click URLS.
    The URLs list screen opens.
  5. Click the URL or view that you want to set as the login page, or click Add (or Add View) if you want to create a new URL or view to be a login page.
    Note: SPA views are supported only in BIG-IP versions 14.0 and higher.
  6. On the left, click PARAMETERS.
  7. Click the Add button.
    The Add Parameter popup screen opens.
  8. In the Type field, choose one of the following parameter types:
    • Explicit: Choose this if you want to assign a specific parameter name.
    • Wildcard: Choose this if you want to assign a wildcard expression for the parameter name. Any parameter name that matches the wildcard expression is considered legal and receives protection. For example, typing the wildcard expression * specifies that any parameter name is allowed.
    Note: Wildcard parameters are supported in BIG-IP versions 14.0 and later. If you are using a BIG-IP version 13.x or earlier, use only explicit parameters.
  9. In the Name field, type a name for the parameter as follows:
    1. For an Explicit parameter type, type the exact name.
    2. For a Wildcard parameter type, type the wildcard expression.
      The syntax for wildcard entities is based on shell-style wildcard characters. This table lists the wildcard characters that you can use so that the entity name matches multiple objects.
      Wildcard character Matches
      * All characters
      ? Any single character
      [abcde] Exactly one of the characters listed
      [!abcde] Any character not listed
      [a-e] Exactly one character in the range
      [!a-e] Any character not in the range

      If a wildcard character is actually used a part of a real parameter name and you don't want it to be treated a wildcard character, use \ and then the character to indicate that it should not be used as a wildcard character.

      Note: Regular expressions should not be used as wildcards.
  10. Select the Identify as Username check box.
    Note: Only one parameter per URL can have the attribute Identify as Username.
  11. Click Add.
  12. Click LOGIN PAGE PROPERTIES.
    Note: Configuring the Login Page properties is not required but recommended because a login cannot be verified as successful unless at least one of the criteria in the Login Page Properties screen is configured.
  13. For the URL is Login Page setting, check the Enabled check box.
    The Login Page Properties appear.
    Note: If URL is Login Page is enabled, you must configure at least one of the Login Page properties. If you configure more than one Login Page property, then all the criteria for all properties must be fulfilled for the BIG-IP system to consider the login successful.
  14. In the A string that should appear in the response body field, type a string that should appear in the successful response to the login URL.
  15. In the A string that should NOT appear in the response body field, type a string that should not appear in the successful response to the login URL.
  16. In the Expected HTTP response status code field, select Specify and type the HTTP response status code that the server must return to the user upon successful login, or select None.
    Note: If you select None, HTTP response code is not used to determine a successful login.
  17. In the Expected response header field, type a header name that the successful response to the login URL must match.
  18. In the Expected cookie name field, type a cookie name that the successful response to the login URL must include.
  19. Click Save & Close.
    The Login Page and Parameter settings are saved.
If the form action in the HTTP request from the login page does not refer to the login page URL, you need to also configure a post-login URL.

Configure a post-login URL

You need to configure a post-login URL only if the login page sends the login request to a URL that is different from the login URL. (For example, the login page URL is /login.jsp, but it sends the user name and password to /validate.jsp).
Configure a post-login URL to ensure that the BIG-IP system can retrieve the user name and decrypt the password.
  1. At the top of the screen, click Configuration.
  2. On the left, click SECURITY > Fraud Protection Services > DataSafe Profiles .
    The DataSafe Profiles list screen opens.
  3. In the list of profiles, click the relevant profile.
    The DataSafe Profile Properties screen opens.
  4. On the left, click URLS.
    The URLs list appears.
  5. Select the check box next to the login URL.
  6. Click Actions > Clone .
    The Clone URL screen opens.
  7. In the URL Path field, type the URL that is referred to in the form action of the HTTP request.
  8. Optional: In the Description field, type a description for the URL.
  9. Ensure that Inject JavaScript is disabled.
  10. If the login URL contains SPA views and you want the post-login URL to inherit those views, select the Enabled check box by Clone Views.
  11. Select the Enabled check box by Clone Parameters.
  12. Click the Clone button in the Clone URL popup screen.
    Note:
    • The new URL inherits the configuration settings of the source URL
    • Once the new URL is created, there is no further dependency on the source URL and any future changes made to the source URL are not inherited by the new URL.
The BIG-IQ® system creates the new URL and it appears in the URLs list.

Associate an F5 DataSafe profile with a virtual server

In order to complete the process of applying F5 DataSafe protection to your web site, you need to associate the F5 DataSafe profile that you created with the virtual server that you created.
  1. At the top of the screen, click Configuration.
  2. On the left, click SECURITY > Fraud Protection Services > Virtual Servers .
    The Virtual Servers list appears.
  3. Click the name of the virtual server on which you want to associate the F5 DataSafe profile.
    The virtual server properties screen opens.
  4. From the Attached Profile list, select the DataSafe profile that you want to associate with this virtual server.
  5. Click Save & Close.
    The Virtual Server list appears, and the DataSafe profile that you chose in the previous step is now listed as being associated with the virtual server.

General Configuration Options for F5 DataSafe Profiles and URLs

Configure advanced general settings on an F5 DataSafe profile

Configure advanced general settings on an F5 DataSafe profile if you want to change the default settings that the BIG-IQ system assigns to profiles.
  1. At the top of the screen, click Configuration.
  2. On the left, click SECURITY > Fraud Protection Services > DataSafe Profiles .
    The DataSafe Profiles list screen opens.
  3. In the list of profiles, click the relevant profile.
    The DataSafe Profile Properties screen opens.
  4. In the Alert Path field, use the automatically generated path, or define your own path.
    Note: If you define your own path, ensure that the path is not used by any other field in any profile that is deployed on the same BIG-IP device as the current profile, and that it is not an already existing URL.
  5. In the Suggested Username Header field, use the default header or type a header that will be added to AJAX requests when the BIG-IP system detects an AJAX login attempt, which is common for Single Page Applications.
    With this header, the BIG-IP system can detect the username that was used for the login. The client sends this header only for URLs in the profile that have a parameter set as Identify as Username.
  6. For the JavaScript Directory field, use the automatically generated path, or define your own.
    This path specifies the location of the main F5 DataSafe JavaScript. This path does not include the actual file name of the JavaScript.
    Note:
    • This path should be changed only if your application is already using a directory with the same path as the automatically assigned default path.
    • If you define your own path, ensure that the path is not used by any other field in any profile that is deployed on the same BIG-IP device as the current profile, and that it is not an already existing URL.
  7. For the JavaScript Configuration Directory field, use the automatically generated path, or define your own path that specifies the location of the F5 DataSafe JavaScript containing profile configuration settings.
    This path specifies the location of the configuration JavaScript. This path does not include the actual file name of the JavaScript.
    Note:
    • This path should be changed only if your application is already using a directory with the same path as the automatically assigned default path.
    • If you define your own path, ensure that the path is not used by any other field in any profile that is deployed on the same BIG-IP device as the current profile, and that it is not an already existing URL.
  8. For the JavaScript Removal Location field, use the automatically generated path, or define your own path that specifies the location of the image file name that the system uses for detecting a JavaScript removal attack.
    Note:
    • This path should be changed only if your application is already using a directory with the same path as the automatically assigned default path.
    • If you define your own path, ensure that the path is not used by any other field in any profile that is deployed on the same BIG-IP device as the current profile, and that it is not an already existing URL.
  9. If your profile includes one or more URLs that contain SPA views, for Referrer Info Header use the default header value or assign your own header value that the BIG-IP system uses to identify SPA views.
  10. For JavaScript Grace Threshold, change the default value if you want to raise or lower the maximum amount of time (in seconds) permitted between when a protected web page is loaded and its injected JavaScript activates.
  11. Leave the Additional function to be run before JavaScript load field blank unless instructed otherwise by F5.
  12. For the Prevent duplicate alerts from Client Side setting, select the Enabled check box to prevent the client from sending an alert with information that is identical to an alert previously sent by the client during the past 24 hours.
  13. Click Save & Close.
    The BIG-IQ system saves the changes that you made to the advanced settings.

Enable an iRule to handle logins and alerts

Enabling iRules® to handle logins and alerts is only relevant if you have written an iRule to handle the ANTIFRAUD_ALERT event, or the ANTIFRAUD_LOGIN event and the iRule is associated with the same virtual server as your profile.
Enable an iRule to handle logins and alerts if you want to use an iRule to disable alerts or record login events.
  1. At the top of the screen, click Configuration.
  2. On the left, click SECURITY > Fraud Protection Services > DataSafe Profiles .
    The DataSafe Profiles list screen opens.
  3. In the list of profiles, click the relevant profile.
    The DataSafe Profile Properties screen opens.
  4. Scroll to the bottom of the screen, and for the Trigger iRule Events setting, select the Enabled check box.
  5. Click Save.
    iRules are now enabled to handle logins and alerts.

iRule events

iRules® can subscribe to the ANTIFRAUD_ALERT event and the ANTIFRAUD_LOGIN event in F5® DataSafe™.

iRule event Description
ANTIFRAUD_ALERT Occurs when alerts are sent to the BIG-IP® system.
ANTIFRAUD_LOGIN Occurs when a user successfully logs in to the profile. Or if login validation is not configured, this event can occur if just the user name is identified.
iRule Examples

The following example shows how an iRule uses the ANTIFRAUD_ALERT event to log all available information about an alert that was sent by the BIG-IP system to the location /var/log/ltm.

when ANTIFRAUD_ALERT{  
  log local0. "=========Anti-Fraud Alert========="
  log local0. "Alert Identifier: [ANTIFRAUD::alert_id]"
  log local0. "Alert Type: [ANTIFRAUD::alert_type]"
  log local0. "Alert Component: [ANTIFRAUD::alert_component]"
  log local0. "Alert Details: [ANTIFRAUD::alert_details]"
  log local0. "Alert GUID: [ANTIFRAUD::alert_guid]"
  log local0. "Alert Device ID: [ANTIFRAUD::alert_device_id]"
  log local0. "Alert License ID: [ANTIFRAUD::alert_license_id]"
  log local0. "Alert Score: [ANTIFRAUD::alert_score]"
  log local0. "Alert Username: [ANTIFRAUD::alert_username]"
  log local0. "Alert HTTP Referrer: [ANTIFRAUD::alert_http_referrer]"
  log local0. "Alert Additional Info: [ANTIFRAUD::alert_additional_info]"
}

The following example shows how an iRule uses the ANTIFRAUD_ALERT event to disable a specific alert according to its type.

when ANTIFRAUD_ALERT{
if {[ANTIFRAUD::alert_type] eq "components_validation"}{
  log local0. "Alert Type is components validation"
  ANTIFRAUD::disable_alert
  log local0. "Disabled Alert"
  }
}

The following example shows how an iRule uses the ANTIFRAUD_LOGIN event with its commands.

when ANTIFRAUD_LOGIN{
  log local0. "=========Anti-Fraud Login========="
  # read mode
  log local0. "Username: [ANTIFRAUD::username]"
  log local0. "GUID: [ANTIFRAUD::guid]"

  # write mode
  ANTIFRAUD::username "other_user"
}
Values for iRule commands
The following values can be used in iRule commands:
Value Description
alert_id For example, d4.
alert_type The type of alert.
alert_component An error type that is determined according to the alert_type.
alert_details Additional information regarding the alert.
alert_device_id Persistent browser identifier.
alert_license_id crc32 of the license id in hex.
alert_transaction_data Key-value list of all parameters marked to be attached.
alert_username When this command is used without any additional arguments, this is the name of the user who triggered the alert.

It is possible to use additional arguments to override the current user name (write mode), as shown in the ANTIFRAUD_LOGIN example above.

alert_http_referrer The URL of the site that was visited just before the Alert URL was visited.
alert_additional_info Shows additional information about the alert, such as the parameter values too long error message.
disable_alert Disables the current alert.
For more information about iRules, go to F5 Networks DevCentral™ (https://devcentral.f5.com/irules).

Configuring SPA views

Configuring SPA views on a URL is relevant only if your web site is single-page application (SPA).
Configure SPA views to provide F5 DataSafe protection to the SPA views on a URL.
Note: SPA views are supported only in BIG-IP versions 14.0 and later.
  1. At the top of the screen, click Configuration.
  2. On the left, click SECURITY > Fraud Protection Services > DataSafe Profiles .
    The DataSafe Profiles list screen opens.
  3. In the list of profiles, click the relevant profile.
    The DataSafe Profile Properties screen opens.
  4. On the left, click URLS.
    The URLs list screen opens.
  5. In the URL List, select the check box next to the URL where you want to add the view and then click Add View.
    The Add View screen opens.
  6. In the View Name field, type a name for the view.
  7. Leave the Additional function to be run before JavaScript load field blank unless instructed otherwise by F5.
  8. For Destination URLs, add URLs that you want to receive protected data from this view.
    Adding URLs here allows you to use the parameters that are configured on this view on the destination URL as well, without having to re-configure them on the destination URL. This setting is relevant only when sending data by Ajax and in a form format (not JSON format).
  9. Click Save & Close.
    The BIG-IQ system creates the view and the profile properties screen opens.

Enhancing data encryption on a URL with SPA views

This task is relevant only if your URL contains SPA views.
If your URL contains SPA views, F5 DataSafe provides some additional settings for enhancing data encryption.
  1. At the top of the screen, click Configuration.
  2. On the left, click SECURITY > Fraud Protection Services > DataSafe Profiles .
    The DataSafe Profiles list screen opens.
  3. In the list of profiles, click the relevant profile.
    The DataSafe Profile Properties screen opens.
  4. On the left, click URLS.
    The URLs list screen opens.
  5. In the URL List, click the relevant URL.
    The URL Properties screen opens.
  6. If this URL has SPA views that are not configured in the profile and you want the F5 DataSafe Main JavaScript to run on those views, for Fallback to Base URL select the Enabled check box (selected by default).
  7. At Destination URLs, add URLs that should receive encrypted data from this URL.
    Adding URLs here allows you to use the parameters that are configured on this URL on the destination URL as well, without having to re-configure them on the destination URL.
    Note:
    • This setting appears only for URLs that have SPA views configured in the profile.
    • This setting is relevant only when sending data by Ajax and in a form format (not JSON format).
  8. Click Save & Close.
    The URL configuration settings are saved.

Clone a profile

If you want to create a new profile with settings identical to an existing profile, you can clone the profile. Unlike parent-child profiles, the cloned profile is not dependent on the original one, and any changes made to the original profile after cloning are not inherited by the previously cloned profile.
Note: A cloned profile inherits all properties from the original profile including all URL properties and SPA views, with the exception of system-generated random values. Once the cloned profile is created, there is no further dependency on the original profile and any changes made in the original profile are not received by the cloned profile, with the following exception:
  • In the General Properties screen of a cloned profile, some of the settings have an override check box. If this check box is not checked, then any changes made in the original profile will be copied to the cloned profile. If it is checked, then changes in the original profile are not copied to the cloned profile.
  1. At the top of the screen, click Configuration.
  2. On the left, click SECURITY > Fraud Protection Services > DataSafe Profiles .
    The DataSafe Profiles list screen opens.
  3. Select the check box next to the profile that you want clone.
  4. Click the Clone button.
    The Clone Profile pop-up screen opens.
  5. In the Clone Profile pop-up screen, assign a new profile name.
  6. Click Clone.
    The new profile is created and appears in the list of profiles in the DataSafe Profiles screen.

Clone a URL or SPA view

You can clone a URL or SPA view if you want to create a new URL or view that inherits the settings on an existing URL or view.
Note:
  • When cloning a URL, the new URL inherits the configured settings of the source URL. You can choose whether to copy SPA views, parameters, and the DataSafe Main JavaScript injection to the new URL.
  • When cloning an SPA view, the new view inherits the configured settings of the source view. You can choose whether to copy parameters to the new URL.
  • Once the new URL or view is created, there is no further dependency on the source URL or view and any future changes made to the source URL or view are not inherited by the new URL or view.
  1. At the top of the screen, click Configuration.
  2. On the left, click SECURITY > Fraud Protection Services > DataSafe Profiles .
    The DataSafe Profiles list screen opens.
  3. From the list of profiles, select the profile with the URL or view that you want to clone.
    The DataSafe profile properties screen opens.
  4. On the left, click URLS.
    The URLs list screen opens.
  5. Select the check box next to the URL or view that you want clone.
  6. Click Actions > Clone .
    The Clone URL (or Clone View) screen appears.
  7. In the pop-up screen, assign a URL path or view name and (optionally) a description.
  8. If you are cloning a URL and you want to encrypt data on the web page of the new URL, enable the Inject JavaScript setting.
  9. Click the Clone button in the pop-up screen.
The BIG-IQ® system creates the new URL or view and it appears in the URLs list.

Encrypting Data on the Application Level

Overview: Encrypting data on the application level

Application Layer Encryption protects against credential theft from man-in-the-middle (MITM) and MITM browser attacks, verifies whether a user is trying to use a fabricated password, validates the client-side password, and encrypts credentials in real-time upon submission. F5® DataSafe™ allows you to configure data encryption on the application level, so that sensitive data entered by a user on the client-side is protected against attempted fraud attacks that occur in the web application.

Encrypt data as it leaves the web browser

Encrypt data as it leaves the web browser if you want to protect data that was entered by the user as it leaves the web browser.
  1. At the top of the screen, click Configuration.
  2. On the left, click SECURITY > Fraud Protection Services > DataSafe Profiles .
    The DataSafe Profiles list screen opens.
  3. In the list of profiles, click the relevant profile.
    The DataSafe Profile Properties screen opens.
  4. On the left, click URLS.
    The URLs list screen opens.
  5. Select the URL or SPA view on which you want to encrypt data.
    The URL properties (or View Properties) screen opens.
  6. On the left, click APPLICATION LAYER ENCRYPTION.
    The Application Layer Encryption settings are displayed.
  7. Ensure that the Enabled check box for Application Layer Encryption is selected.
  8. If you want to use a custom encryption algorithm on parameters (instead of the BIG-IP® default encryption function), in the Custom Encryption Function field, type your custom encryption function.
    The custom encryption function encrypts all parameters where Encrypt is disabled and Substitute Value is enabled on the parameter.
    Note: If you use a custom encryption function, you can not enable Real-Time Encryption on this URLor view. Real-Time Encryption encrypts passwords as the user types them.
  9. On the left, click PARAMETERS.
  10. Click the Add button.
    The Add Parameter popup screen opens.
  11. In the Type field, choose one of the following parameter types:
    • Explicit: Choose this if you want to assign a specific parameter name.
    • Wildcard: Choose this if you want to assign a wildcard expression for the parameter name. Any parameter name that matches the wildcard expression is considered legal and receives protection. For example, typing the wildcard expression * specifies that any parameter name is allowed.
    Note: Wildcard parameters are supported in BIG-IP versions 14.0 and later. If you are using a BIG-IP version 13.x or earlier, use only explicit parameters.
  12. In the Name field, type a name for the parameter as follows:
    1. For an Explicit parameter type, type the exact name.
    2. For a Wildcard parameter type, type the wildcard expression.
      The syntax for wildcard entities is based on shell-style wildcard characters. This table lists the wildcard characters that you can use so that the entity name matches multiple objects.
      Wildcard character Matches
      * All characters
      ? Any single character
      [abcde] Exactly one of the characters listed
      [!abcde] Any character not listed
      [a-e] Exactly one character in the range
      [!a-e] Any character not in the range

      If a wildcard character is actually used a part of a real parameter name and you don't want it to be treated a wildcard character, use \ and then the character to indicate that it should not be used as a wildcard character.

      Note: Regular expressions should not be used as wildcards.
  13. Select the Encrypt check box.
  14. If the parameter is for a password field and you want to use substitute values when the user inputs the password, select the Substitute Value check box.
    Note:
    • This attribute should be applied only on parameters with the input type password.
    • If you assign Substitute Value to a password parameter, the web browser’s auto-complete feature for passwords does not work on this parameter.
    Important: If you want a custom encryption function to be applied to this parameter, do not select the check boxes for both Encrypt and Substitute Value on the parameter. If you do this, the custom encryption function will not be applied to this parameter.
  15. Click Add.
    The parameter settings are saved.
  16. Repeat steps 10-14 for every parameter you want the system to encrypt.
  17. Click Save & Close.
    The URL (or view) configuration settings are saved.
If the form action in the HTTP request from the web page you created above does not refer to the URL of the web page, you need to also configure a URL for decrypted data.

Configure a URL for decrypting data

You need to configure a separate URL for decrypting data only if the form action in the HTTP request from the client does not refer to the URL from which the request is being sent.
Configure a URL for decrypting data to ensure that your server can read and verify encrypted data that was sent from the client.
  1. At the top of the screen, click Configuration.
  2. On the left, click SECURITY > Fraud Protection Services > DataSafe Profiles .
    The DataSafe Profiles list screen opens.
  3. On the left, click SECURITY > Fraud Protection Services > DataSafe Profiles .
    The DataSafe Profiles list screen opens.
  4. In the list of profiles, click the relevant profile.
    The DataSafe Profile Properties screen opens.
  5. On the left, click URLS.
    The URLs list screen opens.
  6. Select the check box next to the URL where the client sends encrypted data.
  7. Click Actions > Clone .
    The Clone URL screen opens.
  8. In the URL Path field, type the URL that is referred to in the form action of the HTTP request.
  9. Optional: In the Description field, type a description for the URL.
  10. Ensure that the Inject JavaScript setting is disabled.
  11. Click the Clone button in the Clone URL popup screen.
    Note:
    • The new URL inherits the configuration settings of the source URL
    • Once the new URL is created, there is no further dependency on the source URL and any future changes made to the source URL are not inherited by the new URL.

Apply AJAX encryption on a URL or SPA view

Apply Ajax encryption on your web page if the web page sends data using AJAX and you want the data to be encrypted.
  1. At the top of the screen, click Configuration.
  2. On the left, click SECURITY > Fraud Protection Services > DataSafe Profiles .
    The DataSafe Profiles list screen opens.
  3. In the list of profiles, click the relevant profile.
    The DataSafe Profile Properties screen opens.
  4. On the left, click URLS.
    The URLs list screen opens.
  5. Select the URL or view on which you want to apply AJAX encryption.
    The URL Properties (or View Properties) screen appears.
  6. On the left, click APPLICATION LAYER ENCRYPTION.
    The Application Layer Encryption settings are displayed.
  7. Select the Enabled check box for Full AJAX Encryption.
  8. If your web page uses JSON format for submitting data, do the following for every parameter that you want to have AJAX encryption:
    1. Click PARAMETERS tab.
    2. Click the Add button.
      The Add Parameter popup screen opens.
    3. In the Type field, choose one of the following parameter types:
      • Explicit: Choose this if you want to assign a specific parameter name.
      • Wildcard: Choose this if you want to assign a wildcard expression for the parameter name. Any parameter name that matches the wildcard expression is considered legal and receives protection. For example, typing the wildcard expression * specifies that any parameter name is allowed.
    4. In the Name field, type a name for the parameter as follows:
      • For an Explicit parameter type, type the exact name.
      • For a Wildcard parameter type, type the wildcard expression.

        The syntax for wildcard entities is based on shell-style wildcard characters. This following table lists the wildcard characters that you can use so that the entity name matches multiple objects.

        Wildcard character Matches
        * All characters
        ? Any single character
        [abcde] Exactly one of the characters listed
        [!abcde] Any character not listed
        [a-e] Exactly one character in the range
        [!a-e] Any character not in the range
        If a wildcard character is actually used a part of a real parameter name and you don't want it to be treated a wildcard character, use \ and then the character to indicate that it should not be used as a wildcard character.
        Note: Regular expressions should not be used as wildcards.
    5. Select both the Encrypt check box and the Substitute Value check box.
    6. In the AJAX Mapping field, type a mapping key for the parameter that is sent from the client to the server.
      For example, if you have a single page application form with an input field name or ID called A and you want to send it in the B key in the JSON file, type B in this text box.
      Note: If the input field name or ID in the HTML of your web page has the same name or ID as the key of the JSON file, you do not need to type a mapping key in this text box.
    7. Click Add.
      The parameter settings are saved and the URL Properties (or View Properties) screen appears.
  9. Click Save & Close in the URL/View properties screen.
    The configuration settings for the URL/View are saved.

Configure HTML field obfuscation

Before you can configure HTML field obfuscation, Application Layer Encryption must be enabled on the URL or SPA view.
Configure HTML field obfuscation if you want the BIG-IP® system to encrypt the name attribute of all defined HTML <input> fields, and then decrypt them back to the original name on the BIG-IP system.
  1. At the top of the screen, click Configuration.
  2. On the left, click SECURITY > Fraud Protection Services > DataSafe Profiles .
    The DataSafe Profiles list screen opens.
  3. In the list of profiles, click the relevant profile.
    The DataSafe Profile Properties screen opens.
  4. On the left, click URLS.
    The URLs list screen opens.
  5. Select the URL on which you want to configure HTML field obfuscation.
    The URL properties screen opens.
  6. On the left, click APPLICATION LAYER ENCRYPTION.
    The Application Layer Encryption settings are displayed.
  7. Select the Enabled check box for the HTML Field Obfuscation setting.
    The Add Decoy Inputs and Remove Element IDs fields are displayed.
  8. Select the Enabled check box for the Add Decoy Inputs setting if you want the system to randomly, and continuously, generate and remove decoy <input> fields that are added to the web page.
    Enabling Add Decoy Inputs makes it harder for an attacker to identify sensitive information with either JavaScript or a proxy.
  9. Select the Enabled check box for the Remove Element IDs setting if you want the system to remove the ID attribute from URL parameters that have the Obfuscate property.
  10. On the left, click PARAMETERS.
  11. Click the Add button.
    The Add Parameter popup screen opens.
  12. In the Type field, choose one of the following parameter types:
    • Explicit: Choose this if you want to assign a specific parameter name.
    • Wildcard: Choose this if you want to assign a wildcard expression for the parameter name. Any parameter name that matches the wildcard expression is considered legal and receives protection. For example, typing the wildcard expression * specifies that any parameter name is allowed.
    Note: Wildcard parameters are supported in BIG-IP versions 14.0 and later. If you are using a BIG-IP version 13.x or earlier, use only explicit parameters.
  13. In the Name field, type a name for the parameter as follows:
    1. For an Explicit parameter type, type the exact name.
    2. For a Wildcard parameter type, type the wildcard expression.
      The syntax for wildcard entities is based on shell-style wildcard characters. This table lists the wildcard characters that you can use so that the entity name matches multiple objects.
      Wildcard character Matches
      * All characters
      ? Any single character
      [abcde] Exactly one of the characters listed
      [!abcde] Any character not listed
      [a-e] Exactly one character in the range
      [!a-e] Any character not in the range

      If a wildcard character is actually used a part of a real parameter name and you don't want it to be treated a wildcard character, use \ and then the character to indicate that it should not be used as a wildcard character.

      Note: Regular expressions should not be used as wildcards.
  14. Select the Obfuscate check box.
  15. Click Add.
    The parameter settings are saved.
  16. Repeat steps 11-14 for every parameter you want the system to obfuscate.
  17. Click Save & Close in the URL/View Properties screen.
    The configuration settings for the URL or view are saved.

Remove JavaScript event listeners from parameters

Before you can remove JavaScript event listeners from parameters, Application Layer Encryption must be enabled on the URL or SPA view.
You can remove JavaScript event listeners from parameters to protect sensitive data in parameters from being obtained by potential attackers.
Note: Some web applications add non-malicious event listeners that improve functionality. If you choose to activate removal of event listeners on parameters, this will remove all event listeners, including non-malicious ones added by the web application. Take this into account before deciding to activate removal of event listeners.
  1. At the top of the screen, click Configuration.
  2. On the left, click SECURITY > Fraud Protection Services > DataSafe Profiles .
    The DataSafe Profiles list screen opens.
  3. In the list of profiles, click the relevant profile.
    The DataSafe Profile Properties screen opens.
  4. On the left, click URLS.
    The URLs list screen opens.
  5. Select the URL or view on which you want to remove JavaScript event listeners.
    The URL Properties (or View Properties) screen opens.
  6. On the left, click APPLICATION LAYER ENCRYPTION.
    The Application Layer Encryption settings are displayed.
  7. Select the Enabled check box for the Remove Event Listeners setting.
  8. On the left, click PARAMETERS.
  9. Click the Add button.
    The Add Parameter popup screen opens.
  10. In the Type field, choose one of the following parameter types:
    • Explicit: Choose this if you want to assign a specific parameter name.
    • Wildcard: Choose this if you want to assign a wildcard expression for the parameter name. Any parameter name that matches the wildcard expression is considered legal and receives protection. For example, typing the wildcard expression * specifies that any parameter name is allowed.
    Note: Wildcard parameters are supported in BIG-IP versions 14.0 and later. If you are using a BIG-IP version 13.x or earlier, use only explicit parameters.
  11. In the Name field, type a name for the parameter as follows:
    1. For an Explicit parameter type, type the exact name.
    2. For a Wildcard parameter type, type the wildcard expression.
      The syntax for wildcard entities is based on shell-style wildcard characters. This table lists the wildcard characters that you can use so that the entity name matches multiple objects.
      Wildcard character Matches
      * All characters
      ? Any single character
      [abcde] Exactly one of the characters listed
      [!abcde] Any character not listed
      [a-e] Exactly one character in the range
      [!a-e] Any character not in the range

      If a wildcard character is actually used a part of a real parameter name and you don't want it to be treated a wildcard character, use \ and then the character to indicate that it should not be used as a wildcard character.

      Note: Regular expressions should not be used as wildcards.
  12. Select the Obfuscate check box or the Substitute Value check box.
    Note: If you assign the Substitute Value attribute to a password parameter, the web browser’s auto-complete feature for passwords does not work on this parameter.
  13. Click Add.
    The parameter settings are saved.
  14. Repeat steps 9-12 for every parameter on which you want to remove JavaScript event listeners.
  15. Click Save & Close in the URL/View Properties screen.
    The configuration settings for the URL/view are saved.

Configure advanced encryption on a URL or SPA view

Before configuring advanced encryption on a URL or SPA view, Application Layer Encryption must be enabled on the URL or view.
Configure advanced encryption on a URL or SPA view if you want to apply F5 DataSafe advanced encryption methods on your web page.
  1. At the top of the screen, click Configuration.
  2. On the left, click SECURITY > Fraud Protection Services > DataSafe Profiles .
    The DataSafe Profiles list screen opens.
  3. In the list of profiles, click the relevant profile.
    The DataSafe Profile Properties screen opens.
  4. On the left, click URLS.
    The URLs list screen opens.
  5. Select the URL or view on which you want to apply advanced encryption methods.
    The URL/View Properties screen appears.
  6. On the left, click APPLICATION LAYER ENCRYPTION.
    The Application Layer Encryption settings are displayed.
  7. Select the Enabled check box for the Identify Stolen Credentials setting.
    When this setting is enabled, the system examines whether the user is trying to use a password that was stolen from a parameter where Substitute Value is enabled.
  8. Select the Enabled check box for the Hide Password Revealer Icon setting.
    When this setting is enabled, the system hides the password revealer icon on a web page, for browsers that use a password revealer icon (for example, Internet Explorer versions 10 and later).
    Note: If you are using JavaScript Function for Substitute Values or Custom Encryption Function, you must enable Hide Password Revealer Icon. Otherwise, the user will see the actual substitute value if the user clicks the Password Revealer icon in the browser.
  9. Select the Enabled check box for the Keylogger Protection setting.
    When this setting is enabled, the system protects against in-browser key loggers.
  10. Select the Enabled check box for the Real-Time Encryption setting.
    Real-Time Encryption encrypts input field parameters as the user types them.
    Note:
    • The Real-Time Encryption setting does not appear if you don't have at least one parameter with the Encrypt attribute.
    • Real-Time Encryption cannot be enabled if you are also using a custom encryption function on the URL or view.
  11. If you do not want to use the default F5 DataSafe JavaScript function for assigning substitute values for HTML password input fields and prefer to use your own JavaScript function, in the JavaScript Function for Substitute Values field, type your JavaScript function.
    The JavaScript function you type here must return substitute values for all passwords input field parameters where Substitute Value is enabled on the parameter. If you leave this field blank, the default F5 DataSafe JavaScript function is used.
  12. Click Save & Close in the URL/View Properties screen.
    The configuration settings for the URL/view are saved.