Manual Chapter 13: Protecting XML Applications
Because XML is used as a data exchange mechanism, it is important to inspect, validate, and protect XML transactions. With XML security, you can protect the following applications:
You implement XML security by creating an XML profile for a security policy. The XML profile can protect XML applications in the following ways:
Does the application use validation files, for example, schemas or WSDL documents?
If yes, you need to know which files and know where they are.
For web services, do the clients support secure web services with encryption and decryption capabilities?
If so, you can configure web services security to handle the decryption and encryption of XML data.
What applications are on the back end?
There can be more than one, for example, an Expat XML parser and an Oracle® database server.
You need to have already created a security policy for a web application. The easiest way to do this is to use the Deployment wizard by following the steps in Creating a Security Policy for XML Transactions in BIG-IP® Application Security Manager: Getting Started Guide.
Figure 13.1 shows an overview of the tasks for configuring XML security.
To configure security for SOAP web services, you begin by creating an XML profile. An XML profile defines the XML properties that a security policy enforces for XML applications. You need to associate the XML profile with a URL or with a parameter.
Some web services have a WSDL or schema document to describe the language that the application uses to communicate with its remote users and systems. The XML profile can validate whether the incoming traffic complies with the WSDL or schema document. However, neither a WSDL nor a schema file is required for configuring security for web services.
Note: Creating an XML profile requires external network access to verify the schema link. The time needed to create an XML profile varies, depending on the size of the WSDL document or schema file, and your connection speed.
1.
On the Application Security navigation pane, expand Application Security and click the create icon () next to XML Profiles.
The Create New XML Profile screen opens.
2.
In the Profile Name box, type a name for the XML profile.
3.
If you plan to implement web services encryption, check the Enable Web Services Security box, and refer to Implementing web services security for details about additional tasks that you need to perform.
4.
If your web service uses a WSDL or schema file, for the File setting, click Browse and navigate to the .wsdl or .xsd file. Otherwise, skip to step 8.
Note: The file you upload must use UTF-8 character encoding.
6.
Click Upload.
The system uploads the file and lists it on the screen.
Important: When a WSDL or schema document refers to another WSDL or schema document, the system gives you the option of importing it. If circular dependencies exist in the files (for example, schema 1 references schema 2, which contains a reference back to schema 1), import schema 1, then schema 2, then schema 1 again. This creates a mapping between the files.
7.
To attempt to locate and use files referenced in the WSDL or schema document, ensure that the Follow Schema Links box is checked.
To use this setting, make sure the DNS server is on the DNS lookup server list (System>>Configuration>>Device>>DNS).
Tip: If you disable this setting and the uploaded file refers to other schemas, the system lists the referenced files in an error message at the top of the screen.
8.
To permit SOAP messages to contain attachments, check the Allow Attachments in SOAP Messages box.
a)
For the system to verify the SOAPAction header, check the Validate SOAPAction Header box. The system automatically enables this setting when you upload a WSDL file.
b)
Review the Valid SOAP Methods; to disable any of them, clear the Enabled check box. For details, see Managing SOAP methods.
10.
In the Defense Configuration area, for Defense Level, select High, Medium, or Low.
To customize defense settings, see Fine-tuning XML defense configuration.
11.
To mask sensitive XML data, click Sensitive Data Configuration and then add namespaces. For details on this task, see Masking sensitive XML data.
12.
Click Create.
The system adds the XML profile to the security policy.
13.
In the editing context area, click the Apply Policy button to activate the updated security policy.
A confirmation popup screen opens.
14.
Click OK.
The system applies the updated security policy.
You can configure web services security to handle decryption and encryption for the web services that Application Security Manager protects. You need to complete the following tasks to configure web services security.
To use web services security for encryption and decryption, you need to upload client and server certificates onto the Application Security Manager. On the XML profile properties screen, you can configure the system to use these certificates to decrypt requests from clients and encrypt responses from web services.
1.
On the Application Security navigation pane, expand Application Security, point to Options, then click Certificates Pool.
The Certificates Pool screen opens.
Note: The server and client certificates must be .pem files in X.509v3 format. Also, the server certificate file must contain the server's private key, because the system uses that key to decrypt requests and sign responses.
a)
Click Add.
The Add Certificate screen opens.
b)
For Name, type a name for the certificate.
c)
For Type, select Client or Server.
d)
For .PEM File, select Upload to copy a certificate, or select Paste text to paste a copy of the certificate in the text box.
e)
Click Add.
The system's Web Services Security feature can both decrypt requests from a web client to a web service, and encrypt responses, if all of the following are true:
Note: The prerequisite for this procedure is that you have already created an XML profile, and now you want to add web services security to it. Making changes to the XML profile requires external network access to verify the schema link. The time needed to complete an XML profile update varies, depending on the size of the WSDL document or schema file, and your connection speed.
1.
In the Application Security navigation pane, click XML Profiles.
The XML Profiles screen opens.
3.
In the XML Profiles list, click the name of the XML profile for which you want to configure web services security.
The XML Profile Properties screen opens.
4.
Verify that the Enable Web Services Security check box is selected.
5.
Click Web Services Security Configuration.
The screen displays Web Services Security Configuration settings.
6.
For Server Certificate, if you want the system to decrypt SOAP messages from a web client to a web service, or to sign SOAP messages from a web service back to a web client, select a server certificate from the drop-down list. (The server certificates listed are those you uploaded previously.)
7.
For Client Certificates, if you want the system to encrypt SOAP messages from a web service to a web client, or if you want to verify SOAP messages from a web client to a web service, select names from the Available list and then move them into the Members list.
8.
For Encryption Algorithm, select the type of encryption you want to use. (Be sure your clients support this type of encryption.)
9.
For Key Transport Algorithm, select the algorithm the system uses to unwrap the symmetric key that encrypts the message content; the symmetric key is transported under the server certificate's key pair, so the client must support the same algorithm.
10.
Select the Encrypt Entire Body Value check box if you want to encrypt the entire content of the SOAP Body (/soapenv:Envelope/soapenv:Body) rather than individual elements selected by XPath.
11.
For Namespace Mappings, add the prefixes (found in the XML document) and namespaces (URLs that the prefix is mapped to).
12.
For Elements That Should Be Encrypted, configure which part of the XML document to encrypt:
For Encryption Method, select whether to encrypt the markup and the text (With markup) or the text only (Value only).
For XPath, type an XPath expression to specify which parts of the XML document to encrypt. For details, see Writing XPath queries.
13.
Click Update to update the XML profile.
14.
In the editing context area, click the Apply Policy button to activate the updated security policy.
A confirmation popup screen opens.
15.
Click OK.
The system applies the updated security policy.
If you want to encrypt specific elements in the XML document, you need to write an XPath expression that indicates which parts to encrypt. You specify the XPath in the Web Services Security Configuration area of the XML profile.
When writing XPath queries, you use a subset of the XPath syntax described in the XML Path Language (XPath) standard at http://www.w3.org/TR/xpath. Application Security Manager's XPath allows only expressions that select elements (element values); predicates, functions, and attribute selection are not supported.
Use wildcards as needed (use * for elements and namespaces); for example, //emp:employee/*.
Table 13.1 summarizes the syntax for XPath expressions; for example, the // step selects nodes in the document from the current node that match the selection, no matter where they are.
Table 13.2 shows examples of XPath queries:
Selects all b elements, no matter where they are in the document.
Selects any element in the namespace bound to prefix b that is a child of the root element a.
Selects c elements in the namespace bound to prefix b that are children of the root element a.
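The following Python script is an added example and is not part of this manual or of the BIG-IP system. It evaluates XPath expressions of the kind used in Table 13.2 against a constructed employee document, using the profile's Namespace Mappings (prefix to namespace URI), and then applies the two Encryption Method choices from the Web Services Security Configuration: With markup replaces the selected element (XML Encryption Type http://www.w3.org/2001/04/xmlenc#Element) and Value only replaces only its content (Type http://www.w3.org/2001/04/xmlenc#Content). The sample document, the emp prefix, and the XOR stand-in cipher are assumptions made for illustration; a deployment uses the profile's Encryption Algorithm and Key Transport Algorithm, not the stand-in.

```python
"""Select elements by XPath and replace them with xenc:EncryptedData.

Added example, not F5 code. "With markup" replaces the selected element itself
(XML Encryption Type ...#Element); "Value only" replaces only its content
(Type ...#Content). The sample document, the prefix mapping and the XOR
stand-in cipher are constructed assumptions, not product behaviour.
"""
import base64
import itertools
import xml.etree.ElementTree as ET

XENC_NS = "http://www.w3.org/2001/04/xmlenc#"
TYPE_ELEMENT = XENC_NS + "Element"   # "With markup"
TYPE_CONTENT = XENC_NS + "Content"   # "Value only"
ET.register_namespace("xenc", XENC_NS)

NSMAP = {"emp": "urn:example:employee"}   # Namespace Mappings: prefix -> namespace
ET.register_namespace("emp", NSMAP["emp"])

# Constructed sample document.
SAMPLE = """<emp:employees xmlns:emp="urn:example:employee">
  <emp:employee id="1"><emp:name>Ada</emp:name><emp:ssn>123-45-6789</emp:ssn></emp:employee>
  <emp:employee id="2"><emp:name>Linus</emp:name><emp:ssn>987-65-4321</emp:ssn></emp:employee>
</emp:employees>"""

STANDIN_KEY = b"not-a-real-key"


def standin_cipher(data):
    """Symmetric XOR placeholder so the example round-trips offline; NOT encryption."""
    return bytes(b ^ k for b, k in zip(data, itertools.cycle(STANDIN_KEY)))


def _clark(step, nsmap):
    """'prefix:local' -> '{uri}local' using the profile's namespace mappings."""
    prefix, sep, local = step.partition(":")
    return f"{{{nsmap[prefix]}}}{local}" if sep else step


def select(root, xpath, nsmap):
    """Evaluate the profile's XPath subset with ElementTree: '//x' matches anywhere,
    '/a/b' is an absolute path whose first step must be the document element."""
    if xpath.startswith("//"):
        return root.findall("." + xpath, nsmap)
    if xpath.startswith("/"):
        first, _, rest = xpath[1:].partition("/")
        if _clark(first, nsmap) != root.tag:
            return []
        return root.findall("./" + rest, nsmap) if rest else [root]
    raise ValueError("XPath must start with / or //")


def encrypted_data(ciphertext, type_uri):
    """Build an xenc:EncryptedData element carrying the base64 CipherValue."""
    ed = ET.Element(f"{{{XENC_NS}}}EncryptedData", {"Type": type_uri})
    cipher_data = ET.SubElement(ed, f"{{{XENC_NS}}}CipherData")
    ET.SubElement(cipher_data, f"{{{XENC_NS}}}CipherValue").text = (
        base64.b64encode(ciphertext).decode("ascii"))
    return ed


def encrypt_selected(root, xpath, nsmap, with_markup, cipher=standin_cipher):
    """Encrypt every element the XPath selects; returns how many were replaced."""
    parents = {child: parent for parent in root.iter() for child in parent}
    targets = select(root, xpath, nsmap)
    for elem in targets:
        if with_markup:                       # replace the element and its markup
            if elem not in parents:
                raise ValueError("cannot replace the document element itself")
            tail, elem.tail = elem.tail, None
            enc = encrypted_data(cipher(ET.tostring(elem, encoding="utf-8")), TYPE_ELEMENT)
            enc.tail = tail
            parent = parents[elem]
            parent[list(parent).index(elem)] = enc
        else:                                 # keep the element, replace its content
            inner = (elem.text or "").encode("utf-8") + b"".join(
                ET.tostring(c, encoding="utf-8") for c in elem)
            elem.text = None
            for child in list(elem):
                elem.remove(child)
            elem.append(encrypted_data(cipher(inner), TYPE_CONTENT))
    return len(targets)


def recovered_plaintexts(root):
    """Run every CipherValue back through the stand-in cipher (for verification)."""
    return [standin_cipher(base64.b64decode(cv.text))
            for cv in root.iter(f"{{{XENC_NS}}}CipherValue")]


if __name__ == "__main__":
    doc = ET.fromstring(SAMPLE)
    encrypt_selected(doc, "//emp:ssn", NSMAP, with_markup=False)
    print(ET.tostring(doc, encoding="unicode"))
```

Running the script encrypts only the text of each emp:ssn element, so the element names stay visible in the message while the values do not; with with_markup=True the emp:ssn elements themselves disappear from the body and only xenc:EncryptedData remains, which is the choice to make when the element name itself is sensitive.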
When you upload a WSDL document, the system automatically populates a list of SOAP (Simple Object Access Protocol) methods in the validation configuration of the XML profile. Additionally, the system adds the SOAP methods as URLs in the security policy, and automatically associates the XML profile with the URLs.
The system configures into the policy all relevant URLs that it finds in the WSDL and designates them as valid SOAP methods. By default, all methods are enabled, which means that the security policy allows those methods. If you disable a SOAP method, and a request contains that method, then the system issues the SOAP method not allowed violation, and blocks the request if the enforcement mode is blocking.
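The following Python script is an added example and is not part of this manual or of the BIG-IP system. It derives the list of valid SOAP methods from a constructed WSDL (each binding operation and its soapAction), lets you disable a method the way you clear its Enabled check box, and checks sample SOAP 1.1 requests for both the SOAP method not allowed condition and a SOAPAction header that does not match the invoked method. The WSDL, the urn:example:payroll namespace, the request builder, and the violation strings are assumptions made for illustration.

```python
"""Derive the valid SOAP methods from a WSDL and check requests against them.

Added example, not F5 code. It models the two checks an XML profile applies
after a WSDL upload: the Valid SOAP Methods list (each enabled or disabled)
and the SOAPAction header validation. The WSDL, request and violation strings
are constructed for illustration; the product's own violation names may differ.
"""
import xml.etree.ElementTree as ET

WSDL_NS = "http://schemas.xmlsoap.org/wsdl/"
WSDL_SOAP_NS = "http://schemas.xmlsoap.org/wsdl/soap/"
SOAP11_ENV_NS = "http://schemas.xmlsoap.org/soap/envelope/"

# Constructed sample WSDL with one SOAP binding exposing two operations.
SAMPLE_WSDL = f"""<definitions xmlns="{WSDL_NS}" xmlns:soap="{WSDL_SOAP_NS}"
  xmlns:tns="urn:example:payroll" targetNamespace="urn:example:payroll">
  <binding name="PayrollBinding" type="tns:PayrollPortType">
    <soap:binding style="document" transport="http://schemas.xmlsoap.org/soap/http"/>
    <operation name="GetEmployee">
      <soap:operation soapAction="urn:example:payroll:GetEmployee"/>
    </operation>
    <operation name="UpdateSalary">
      <soap:operation soapAction="urn:example:payroll:UpdateSalary"/>
    </operation>
  </binding>
</definitions>"""


def soap_methods_from_wsdl(wsdl_text):
    """Map each bound operation name to its soapAction (binding operations only)."""
    root = ET.fromstring(wsdl_text)
    methods = {}
    for binding in root.iter(f"{{{WSDL_NS}}}binding"):
        for op in binding.findall(f"{{{WSDL_NS}}}operation"):
            soap_op = op.find(f"{{{WSDL_SOAP_NS}}}operation")
            if soap_op is not None:
                methods[op.get("name")] = soap_op.get("soapAction", "")
    return methods


class SoapMethodProfile:
    """The SOAP-method part of an XML profile: allowed methods plus SOAPAction check."""

    def __init__(self, methods, validate_soapaction=True):
        self.methods = dict(methods)                     # name -> expected soapAction
        self.enabled = {name: True for name in methods}  # all enabled by default
        self.validate_soapaction = validate_soapaction

    def disable(self, name):
        """Equivalent of clearing the method's Enabled check box."""
        self.enabled[name] = False

    def check(self, headers, body):
        """Return the violations raised by one request; an empty list means allowed."""
        violations = []
        try:
            env = ET.fromstring(body)
        except ET.ParseError as exc:
            return [f"malformed XML: {exc}"]
        soap_body = env.find(f"{{{SOAP11_ENV_NS}}}Body")
        if soap_body is None or len(soap_body) == 0:
            return ["SOAP Body missing or empty"]
        # Document-style SOAP: the method is the local name of Body's first child.
        method = soap_body[0].tag.rsplit("}", 1)[-1]
        if not self.enabled.get(method, False):
            violations.append("SOAP method not allowed")
        if self.validate_soapaction:
            lowered = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
            action = lowered.get("soapaction", "").strip().strip('"')
            if action != self.methods.get(method):
                violations.append("SOAPAction header does not match the invoked method")
        return violations


def soap_request(method):
    """Constructed SOAP 1.1 request invoking `method` in the payroll namespace."""
    return (f'<soapenv:Envelope xmlns:soapenv="{SOAP11_ENV_NS}" '
            f'xmlns:p="urn:example:payroll"><soapenv:Body>'
            f'<p:{method}><p:employeeId>42</p:employeeId></p:{method}>'
            f'</soapenv:Body></soapenv:Envelope>')


if __name__ == "__main__":
    profile = SoapMethodProfile(soap_methods_from_wsdl(SAMPLE_WSDL))
    profile.disable("UpdateSalary")   # the operator cleared its Enabled box
    for name in ("GetEmployee", "UpdateSalary"):
        hdrs = {"SOAPAction": f'"urn:example:payroll:{name}"'}
        print(name, profile.check(hdrs, soap_request(name)) or "allowed")
```

Note that the method is taken from the body, not from the SOAPAction header: a request can carry an allowed SOAPAction while invoking a different operation, which is why the header is validated against the body rather than used on its own.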
Note: Before you can start this task, you must have already uploaded a WSDL document in the XML profile. Refer to To configure security for web services, if you have not performed this task.
1.
In the Application Security navigation pane, click XML Profiles.
The XML Profiles screen opens.
3.
In the XML Profiles area, in the Profile Name column, click the name of the profile for which you want to disable one or more SOAP methods.
The XML Profile Properties screen opens.
4.
In the Validation Configuration area, for the Valid SOAP Methods setting, select or clear the Enabled check box for each method that you want to enable or disable.
5.
Below the Defense Configuration area, click the Update button.
The screen refreshes, and displays the XML Profiles screen.
6.
To put the changes into effect immediately, click Apply Policy.
A confirmation popup screen opens.
7.
Click OK.
The system applies the updated security policy.
Some XML applications include a schema that describes the structure of the XML content. The XML profile can validate whether the incoming traffic complies with that schema.
If schemas refer to each other, you must upload the main schema twice: first as the main schema, and second as the referenced schema.
1.
In the Application Security navigation pane, click XML Profiles.
The XML Profiles screen opens.
3.
Click the Create button.
The Create XML Profile screen opens.
4.
In the Profile Name box, type a name for the XML profile.
5.
If the application uses a schema, for the File setting, click Browse and navigate to the .xsd file. Otherwise, skip to step 7.
Note: The file you upload must be encoded with UTF-8 character encoding.
If you selected a referenced file type, in the Import URL box, type the URL defined in the schemaLocation directive.
6.
Click Upload.
The screen lists the uploaded file.
Important: When a schema refers to another schema, the system gives you the option of importing it. If circular dependencies exist in the files (for example, schema 1 references schema 2, which contains a reference back to schema 1), import schema 1, then schema 2, then schema 1 again. This creates a mapping between the files.
7.
To attempt to locate and use files referenced in the schema document, ensure that the Follow Schema Links box is checked. To use this setting, make sure the DNS server is on the DNS lookup server list (System>>Configuration>>Device>>DNS).
Tip: If you disable this setting and the uploaded file refers to other schemas, the system lists the referenced files in an error message at the top of the screen.
8.
To permit SOAP messages to contain attachments, check the Allow Attachments in SOAP Messages box.
9.
Click the Create button.
The system adds the new XML profile to the configuration, and the screen refreshes to display the new profile on the XML Profiles list screen.
10.
In the editing context area, click the Apply Policy button to activate the updated security policy.
A confirmation popup screen opens.
11.
Click OK.
The system applies the updated security policy.
The defense configuration provides formatting and attack pattern checks for the XML data. The defense configuration complements the validation configuration to provide comprehensive security for XML data and web services applications.
In the defense configuration, the defense level determines the granularity of the security inspection for the XML application. You can choose High, Medium, or Low and let the system determine the defense level settings. Or you can set the level, then adjust any of the settings to create a Custom defense level. The defense level settings specify the valid properties of the actual XML data or the web services application.
A trade-off occurs between ease of configuration and defense level. The higher the defense level, the more you may need to refine the security policy. For example, if you accept the default defense level of High, the XML security is strictest; however, when you initially apply the security policy, the system may generate false positives for some XML violations until you tune the settings to the application's actual traffic.
1.
In the Application Security navigation pane, click XML Profiles.
The XML Profiles screen opens.
2.
In the XML Profiles list, click the name of the XML profile for which you want to modify the advanced defense configuration settings.
The XML Profile Properties screen opens.
3.
Above the Defense Configuration area, select Advanced.
The screen refreshes to display additional defense configuration settings.
4.
In the Defense Configuration area, for the Overridden Security Policy Settings, select attack signatures from the Global Security Policy Settings list and then click the Move (<<) button. To select more than one attack signature at the same time, hold down the Ctrl key on the keyboard while you select the attack signatures.
5.
In the Overridden Security Policy Settings list, enable or disable each attack signature as you want.
6.
For the Defense Level setting, select the protection level you want for the application. The default setting is High.
7.
Adjust the defense configuration settings as required by your application and traffic. For details, see Table 13.3.
8.
Click Update.
The system commits any changes you may have made.
9.
To put the changes into effect immediately, click the Apply Policy button in the editing context area.
A confirmation popup screen opens.
10.
Click OK.
The system applies the updated security policy.
Table 13.3 describes the defense configuration settings. The Defense Level setting (step 6 in the previous procedure) determines the default value of each setting for the High and Low levels. A value of 0 in the table indicates unlimited; that is, up to the boundary of the integer type.
Specifies the level of protection that the system applies to XML documents, applications, and services. If you change any of the default settings, the system automatically changes the defense level to Custom.
Specifies, in bytes, the largest acceptable document size.
Specifies the maximum number of elements that can be in a single document.
Specifies, in bytes, the maximum acceptable length for entity and attribute names.
Specifies, in bytes, the maximum acceptable length for attribute values.
Specifies the maximum acceptable number of child elements for each parent element.
Specifies the maximum number of attributes for each element.
Specifies the maximum number of namespace declarations for a single document.
Specifies, when enabled, that the XML document can contain or refer to DOCTYPE declarations (DTDs).
Specifies, when enabled, that references to external DOCTYPE declarations are acceptable.
Specifies the maximum amount of memory a single, expanded entity definition may consume.
Specifies the maximum number of times that a DTD entity can call itself.
Specifies, when enabled, that references to external DOCTYPE declarations are acceptable.
Specifies, when enabled, that leading white space at the beginning of an XML document is acceptable.
Specifies, when enabled, that the close tag format </>, which is used in the XML encoding for Microsoft® Office Outlook® Web Access, is acceptable.
Specifies, when enabled, that the entity and namespace names can start with an integer (0-9). Note that this is a compatibility option for use with Microsoft® Office Outlook® Web Access.
Specifies the largest allowed size for a namespace in the XML part of a request.
Allow Processing Instructions: Specifies, when enabled, that the system allows processing instructions in the XML request. If you upload a WSDL file that references valid SOAP methods, this setting is inactive.
Specifies, when enabled, that the system permits the existence of character data (CDATA) sections in the XML document part of a request.
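The following Python script is an added example and is not part of this manual or of the BIG-IP system. It enforces the kinds of limits Table 13.3 describes (document size, element count, attributes and children per element, attribute value length, expanded entity size, DOCTYPE and external reference handling, processing instructions, CDATA) on a document using the standard library's Expat parser, and reports each violation found. The DefenseConfig field names, the limits in STRICT, the violation strings, and the sample documents are assumptions made for illustration and are not the product's High or Low default values. Because Expat rejects the Outlook Web Access shorthand (</> close tags, names that start with a digit) as malformed XML, leaving those two tolerance options disabled corresponds to the strict parse shown here.

```python
"""Enforce defense-configuration limits on an XML document with Expat (stdlib).

Added example, not F5 code. Each DefenseConfig field mirrors one kind of setting
from Table 13.3; the limits in STRICT and the violation strings are this
example's own, not the product's High or Low defaults. Samples are constructed.
"""
import re
import xml.parsers.expat as expat
from dataclasses import dataclass


@dataclass
class DefenseConfig:
    max_document_size: int = 0         # bytes; 0 means unlimited, as in the table
    max_elements: int = 0
    max_attr_value_length: int = 0     # bytes
    max_children_per_element: int = 0
    max_attrs_per_element: int = 0
    max_entity_size: int = 0           # characters one fully expanded entity may produce
    allow_dtds: bool = False
    allow_external_references: bool = False
    allow_processing_instructions: bool = False
    allow_cdata: bool = False


class XmlDefenseChecker:
    def __init__(self, cfg):
        self.cfg, self.violations, self.entities = cfg, [], {}
        self.elements = 0
        self.children = []             # stack of child counts for open elements

    def _limit(self, what, count, limit):
        if limit and count > limit:
            self.violations.append(f"{what} exceeds {limit}")

    def _deny(self, allowed, what):
        if not allowed:
            self.violations.append(f"{what} not allowed")

    def start_element(self, name, attrs):
        self.elements += 1
        self._limit("element count", self.elements, self.cfg.max_elements)
        self._limit("attributes per element", len(attrs), self.cfg.max_attrs_per_element)
        for value in attrs.values():
            self._limit("attribute value length", len(value.encode()), self.cfg.max_attr_value_length)
        if self.children:
            self.children[-1] += 1
            self._limit("children per element", self.children[-1], self.cfg.max_children_per_element)
        self.children.append(0)

    def end_element(self, name):
        self.children.pop()

    def start_doctype(self, name, system_id, public_id, has_internal_subset):
        self._deny(self.cfg.allow_dtds, "DOCTYPE declaration")
        if system_id is not None:      # DOCTYPE ... SYSTEM "uri": external DTD subset
            self._deny(self.cfg.allow_external_references, "external DTD reference")

    def _expanded_size(self, name, seen=()):
        """Characters an entity yields once nested references expand (billion-laughs check)."""
        text = self.entities.get(name)
        if name in seen or text is None:   # recursion (Expat rejects it) or predefined entity
            return 1
        size, pos = 0, 0
        for m in re.finditer(r"&([^;&\s]+);", text):
            size += m.start() - pos + self._expanded_size(m.group(1), seen + (name,))
            pos = m.end()
        return size + len(text) - pos

    def entity_decl(self, name, is_param, value, base, system_id, public_id, notation):
        if value is None:              # external entity: no inline replacement text
            self._deny(self.cfg.allow_external_references, f"external entity {name}")
        else:
            self.entities[name] = value
            self._limit("entity expansion size", self._expanded_size(name), self.cfg.max_entity_size)

    def check(self, data):
        """Parse `data` (bytes) and return the violations found; an empty list means clean."""
        if self.cfg.max_document_size and len(data) > self.cfg.max_document_size:
            return [f"document size exceeds {self.cfg.max_document_size}"]
        p = expat.ParserCreate()
        p.StartElementHandler = self.start_element
        p.EndElementHandler = self.end_element
        p.StartDoctypeDeclHandler = self.start_doctype
        p.EntityDeclHandler = self.entity_decl
        p.ProcessingInstructionHandler = lambda target, d: self._deny(
            self.cfg.allow_processing_instructions, "processing instruction")
        p.StartCdataSectionHandler = lambda: self._deny(self.cfg.allow_cdata, "CDATA section")
        # No ExternalEntityRefHandler is installed, so Expat never fetches anything.
        try:
            p.Parse(data, True)
        except expat.ExpatError as exc:
            self.violations.append(f"malformed XML: {exc}")
        return self.violations


STRICT = DefenseConfig(max_document_size=4096, max_elements=50, max_attr_value_length=64,
                       max_children_per_element=3, max_attrs_per_element=4, max_entity_size=64)

# Constructed samples: a small SOAP-style request and an entity-expansion attempt.
CLEAN = b'<e:Envelope xmlns:e="urn:x"><e:Body><Get id="1"/></e:Body></e:Envelope>'
LAUGHS = (b'<!DOCTYPE x [<!ENTITY a "aaaaaaaaaa"><!ENTITY b "&a;&a;&a;&a;&a;&a;&a;&a;">]>'
          b"<x>&b;&b;</x>")
```

To try it, call XmlDefenseChecker(STRICT).check(CLEAN), which returns an empty list, and XmlDefenseChecker(STRICT).check(LAUGHS), which reports both the DOCTYPE and the oversized expansion of entity b (8 references to a 10-character entity, 80 characters against a limit of 64). The document size check runs before parsing so that an oversized request is rejected without spending parser time on it, which is the order you want for a denial-of-service control.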
You can mask sensitive XML data so that it does not appear in the interface or logs. You set this up in the XML profile of any XML application.
1.
In the Application Security navigation pane, click XML Profiles.
The XML Profiles screen opens.
2.
In the XML Profiles list, click the name of the XML profile for which you want to mask sensitive XML data.
The XML Profile Properties screen opens.
3.
Click Sensitive Data Configuration.
The screen displays Sensitive Data Configuration settings.
4.
For Namespace, select one of the options:
Any Namespace, if sensitive data can appear in any namespace
No Namespace, if the sensitive data appears in elements or attributes that do not belong to any namespace
Custom, and type the namespace, if sensitive data appears in a specific namespace
5.
For Name,
a)
Select Element or Attribute to indicate whether the sensitive data appears as a value of an XML element or attribute.
b)
In the box, type the XML element or attribute whose value contains the sensitive data. Entries in this box are case-sensitive.
6.
Click Add to add the information you entered in the Namespace and Name fields to the Sensitive Data table and to the XML profile's configuration.
7.
Click Update.
The system adds the sensitive data information to the XML profile.
8.
To put the changes into effect immediately, click the Apply Policy button in the editing context area.
A confirmation popup screen opens.
9.
Click OK.
The system applies the updated security policy.
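The following Python script is an added example and is not part of this manual or of the BIG-IP system. It applies masking rules of the shape configured on the Sensitive Data Configuration screen (a namespace choice of any, none or a specific namespace; element or attribute; a case-sensitive name) to a constructed request before it is written to a log, and reports how many values it masked. The rule tuple layout, the ***** mask string, the urn:example:employee namespace, and the sample request are assumptions made for illustration.

```python
"""Mask sensitive XML values before they reach logs or a user interface.

Added example, not F5 code. A rule is (namespace, kind, name): namespace is ANY,
NONE (the element or attribute is in no namespace) or a namespace URI; kind is
"element" or "attribute"; the name is case-sensitive, as on the screen. The
mask string and the sample request are this example's own assumptions.
"""
import xml.etree.ElementTree as ET

ANY, NONE = "any", "none"
MASK = "*****"

# Constructed sample request.
ET.register_namespace("emp", "urn:example:employee")
SAMPLE = """<emp:Request xmlns:emp="urn:example:employee">
  <emp:employee id="7" ssn="111-22-3333">
    <emp:name>Ada</emp:name>
    <emp:SSN>123-45-6789</emp:SSN>
    <password>hunter2</password>
  </emp:employee>
</emp:Request>"""

RULES = [
    ("urn:example:employee", "element", "SSN"),   # Custom namespace, element
    (NONE, "element", "password"),                # element in no namespace
    (ANY, "attribute", "ssn"),                    # attribute, any namespace
]


def _split(tag):
    """'{uri}local' -> (uri, local); 'local' -> (None, local)."""
    if tag.startswith("{"):
        uri, _, local = tag[1:].partition("}")
        return uri, local
    return None, tag


def _ns_matches(rule_ns, uri):
    return rule_ns == ANY or (rule_ns == NONE and uri is None) or rule_ns == uri


def mask_sensitive(xml_text, rules):
    """Return (masked XML string, number of values masked)."""
    root = ET.fromstring(xml_text)
    masked = 0
    for elem in root.iter():
        uri, local = _split(elem.tag)
        for rule_ns, kind, name in rules:
            if kind == "element":
                if name == local and _ns_matches(rule_ns, uri) and elem.text:
                    elem.text = MASK
                    masked += 1
            elif kind == "attribute":
                for aname in list(elem.attrib):
                    # Unprefixed attributes are in no namespace, even under a default xmlns.
                    a_uri, a_local = _split(aname)
                    if name == a_local and _ns_matches(rule_ns, a_uri):
                        elem.set(aname, MASK)
                        masked += 1
    return ET.tostring(root, encoding="unicode"), masked


if __name__ == "__main__":
    text, count = mask_sensitive(SAMPLE, RULES)
    print(count, "values masked")
    print(text)
```

Because names are case-sensitive, the element rule for SSN does not touch the ssn attribute and the attribute rule for ssn does not touch the SSN element; configure one entry per spelling the application actually uses.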
You can associate XML profiles with explicit URLs and wildcard URLs. The URL (or parameter) that receives the XML payload is usually defined in the WSDL or the schema. When the system receives a request for that URL, it applies the associated XML profile and, if applicable, generates an XML violation. You can configure the system to verify all requests, or only those requests whose Content-Type header contains a configurable string, for example, text/xml.
The Security Enforcer applies the XML profile to the entire POST data component of a request. If the Content-Type header check does not match, the Security Enforcer applies only the default HTTP validations for POST data, so a request that declares a non-XML Content-Type bypasses XML inspection for that URL. If you configure the XML profile to validate requests based on Content-Type header values, F5 Networks recommends that you ensure that the security policy also validates POST data.
Tip: You can associate one XML profile with several URLs. You do not need to create a separate XML profile for each URL that you want the system to protect. If you associate an XML profile with a wildcard URL, you can use one XML profile to protect an entire web services application. For more information on wildcard URLs, see Configuring wildcard URLs.
1.
On the Application Security navigation pane, expand Application Security and click URLs.
The Allowed URLs List screen opens.
3.
In the Allowed URLs List area, click the name of the URL to which you want to assign an XML profile.
The Allowed URL Properties screen opens.
4.
Click the Apply XML Profile box to cause the system to validate XML data in requests to the URL.
The screen refreshes and provides more settings.
5.
For XML Profile, select the profile you want to associate with the URL.
Note: If you have not created the XML profile, you can click the Create button (+) to create one. The system redirects you back to the URL Properties screen when you are done.
6.
For the Check XML Content-Type Headers setting, specify how the system applies the XML profile to requests for this URL.
Select All if you want the system to inspect all requests.
Select User-defined and type a string, if you want the system to inspect only those requests whose Content-Type header value contains the string you specified. Note that this option has a default setting of *xml*.
7.
Click Update to save your changes.
8.
To put the changes into effect immediately, click the Apply Policy button in the editing context area.
A confirmation popup screen opens.
9.
Click OK.
The system applies the updated security policy.
You can associate an XML profile with a parameter whose value is XML-encoded. When the system receives a request that contains the parameter, the system applies the XML profile to the parameter value, and if applicable, generates one or more XML violations.
1.
In the Application Security navigation pane, click Parameters.
The Parameters List screen opens.
3.
In the Parameters List area, click the name of the parameter to which you want to assign an XML profile.
The Parameter Properties screen opens.
4.
In the Edit Parameters area, for the Parameter Value Type, select XML value.
The screen refreshes, and displays XML profile settings.
5.
In the XML Profile area, for the XML Profile setting, specify a profile to use; either:
Note: When you navigate to the Create New XML Profile screen using the Create button (+), the system redirects you to the Parameter Properties screen when you finish creating the new XML profile.
6.
Click Update to save any changes you may have made.
7.
To put the changes into effect immediately, click the Apply Policy button in the editing context area.
A confirmation popup screen opens.
8.
Click OK.
The system applies the updated security policy.
You can easily make any necessary changes to the profile, and then apply the updated security policy so that the changes take effect immediately.
Note: Making changes to an XML profile requires external network access to verify the schema link. The time needed to complete an XML profile update varies, depending on the size of the WSDL document or schema file, and your connection speed.
1.
In the Application Security navigation pane, click XML Profiles.
The XML Profiles screen opens.
3.
In the XML Profiles list, in the Profile Name column, click the name of the XML profile that you want to update.
The XML Profile Properties screen opens.
4.
Make any necessary changes to the profile properties, and then click Update.
The system saves any changes you may have made.
5.
To put the changes into effect immediately, click the Apply Policy button in the editing context area.
A confirmation popup screen opens.
6.
Click OK.
The system applies the updated security policy.
If you no longer need a specific XML profile, you can remove it entirely from the configuration. F5 Networks recommends that before you delete an XML profile, you remove the profile from any URLs or parameters with which the profile is associated.
1.
On the navigation pane, click XML Profiles.
The XML Profiles screen opens.
3.
In the XML Profiles area, in the Select column (far left), check the box next to the profile that you want to remove, and then click the Delete button.
The system displays a popup confirmation screen.
4.
Click OK.
The system permanently removes the XML profile from the configuration.
5.
To put the changes into effect immediately, click the Apply Policy button in the editing context area.