Manual Chapter: Creating a Security Policy for Web Services

This implementation describes how to automatically create a security policy to protect Web services traffic. Web services, also known as application services, allow different web-based applications from different sources to communicate with each other, because all communication is in XML and over the Internet protocol. Web services allow organizations to communicate data without intimate knowledge of each other's IT systems behind the firewall.
You create this security policy by using the Deployment Wizard. The Deployment Wizard guides you through the following tasks:
Verifying that the application servers are receiving traffic and that Application Security Manager is logging the traffic
Once you have completed the network configuration and updated the system-supplied attack signatures, you are ready to start the Deployment Wizard. The Deployment Wizard automates several essential configuration tasks, to expedite the initial configuration of a security policy.
When you start the Deployment Wizard, you select a deployment scenario. Each deployment scenario includes preset configuration options. The configuration options are tailored to address the needs of the environment or application for which you are creating a security policy. For this implementation, which uses the web services/XML deployment scenario, the default security policy uses these settings:
Important: You can run the Deployment Wizard only for new, unconfigured web applications, so do not set the language encoding for a new web application if you want to use the Deployment Wizard.
Note: If you have not yet configured the basic local traffic settings, refer to Chapter 2, Reviewing Network Configuration Tasks, and perform those tasks. Once you have completed the tasks outlined in that chapter, you can proceed with this implementation.
1. On the Main tab of the navigation pane, expand Application Security and click Web Applications.
   The Web Applications screen opens.
2. Click the Set Language link.
   The Web Application Properties screen opens.
3. In the Deployment Wizard area, click the Run Deployment Wizard button.
   The ASM Deployment Wizard starts.
5. Click the Next button.
   The Web Application Properties screen opens.
The web application properties include selecting the web application language and, optionally, configuring a URL for dynamic session IDs. For additional information on web application configuration, see the Working with Web Applications chapter in the Configuration Guide for BIG-IP® Application Security Management.
1. On the Web Application Properties screen, for the Application Language setting, select a language encoding from the list.
2. If the web application includes session information in its URLs, then you can enable the Dynamic Sessions in URL setting. See Chapter 6, Extracting Dynamic Session Information from URLs, for more information.
3. Click Next.
   The screen refreshes, and displays the Create New XML Profile screen.
The next task in this implementation is to create and configure an XML profile. You can create an XML profile that uploads a WSDL document or a schema file, or one that uses an application template. Note that the steps in this part of the Deployment Wizard are different depending on which type of XML profile you are creating. If you want to create an XML profile based on a WSDL document or a schema file, see Validating a WSDL document or schema file, next. If you want to create an XML profile based on an application template, see Creating an XML profile based on an application template.
Note: For detailed information on working with XML profiles, refer to the Protecting XML-Based Applications chapter of the Configuration Guide for BIG-IP® Application Security Management.
When you create an XML profile that validates the configuration based on a WSDL document or a schema file (*.xsd), the system populates the security policy with the objects in the WSDL document or schema file. You first upload the WSDL document or schema file, and then you update the configuration with the URLs within the WSDL document or schema file. Application Security Manager adds the URLs as objects within the security policy.
1. In the Create Profile area, in the Profile Name box, type a unique name for the XML profile.
2. Optionally, in the Description box, type any relevant information about the new profile. Note that the text description box has a 255-character limit.
3. In the Validation Configuration area, in the File Type list, select the file type that matches the XML format that is appropriate for your application.
4. For the File setting, either type the path to the file to upload, or click the Browse button, and navigate to the file.
   Note: If your machine has Internet connectivity and a DNS entry, select User-defined WSDL Document even if you have an import reference inside the WSDL document. If your machine does not have Internet connectivity, then search for the word import in the main WSDL document, and download the referenced document.
5. If, for the File Type setting, you selected a referenced file type, in the Import URL, type one of the following URLs:
   - The URL that is defined in the location directive for a WSDL document
   - The URL that is defined in the schemaLocation directive in a schema (*.xsd) file
   Important: When a schema file or WSDL document references another validation file, you first import the referenced file, and then upload the schema file or WSDL document. This allows the system to create a mapping between the files.
6. Click Upload.
   The screen refreshes, and for the Configuration Files setting, you see the uploaded files listed.
7. To permit SOAP messages to contain attachments, check the Allow Attachments in SOAP Messages box.
8. To have the system verify the value of the SOAPAction header, check the Validate SOAPAction Header box. Note that the system automatically enables this setting when you upload a SOAP schema.
9. Click Update to add the URLs from the uploaded WSDL file as objects in the security policy.
   The screen refreshes, and displays the new XML profile on the XML Profiles screen.
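The import-first rule in step 5 can be checked before you upload anything. The following added example (not F5 code and not part of the original manual) lists the location and schemaLocation references in a WSDL document or schema file and returns an upload order in which every referenced file comes first. The file names and contents are constructed, and treating xsd:include like import is a generalization beyond what the manual names.

```python
import xml.etree.ElementTree as ET

WSDL = "{http://schemas.xmlsoap.org/wsdl/}"
XSD = "{http://www.w3.org/2001/XMLSchema}"
# Elements that point at another validation file, and the attribute holding the URL.
REFERENCE_ATTRS = {WSDL + "import": "location",
                   XSD + "import": "schemaLocation",
                   XSD + "include": "schemaLocation"}

def find_references(xml_text):
    """Return the location/schemaLocation values found in one WSDL or XSD document."""
    refs = []
    for elem in ET.fromstring(xml_text).iter():
        url = elem.get(REFERENCE_ATTRS.get(elem.tag, ""))
        if url and url not in refs:
            refs.append(url)
    return refs

def upload_order(documents, main):
    """List files so that each referenced file comes before the file that references it."""
    order, in_progress = [], set()
    def visit(name):
        if name in order:
            return
        if name in in_progress:
            raise ValueError(f"circular reference involving {name}")
        if name not in documents:
            raise KeyError(f"{name} is referenced but has not been downloaded")
        in_progress.add(name)
        for ref in find_references(documents[name]):
            visit(ref)
        in_progress.discard(name)
        order.append(name)
    visit(main)
    return order

# Constructed sample files, keyed by the URL other files use to reference them.
SAMPLE = {
    "orders.wsdl": """<definitions xmlns="http://schemas.xmlsoap.org/wsdl/"
        xmlns:xsd="http://www.w3.org/2001/XMLSchema">
      <import namespace="urn:example:bindings" location="bindings.wsdl"/>
      <types><xsd:schema>
        <xsd:import namespace="urn:example:types" schemaLocation="types.xsd"/>
      </xsd:schema></types></definitions>""",
    "bindings.wsdl": '<definitions xmlns="http://schemas.xmlsoap.org/wsdl/"/>',
    "types.xsd": """<xsd:schema xmlns:xsd="http://www.w3.org/2001/XMLSchema">
      <xsd:import namespace="urn:example:common" schemaLocation="common.xsd"/></xsd:schema>""",
    "common.xsd": '<xsd:schema xmlns:xsd="http://www.w3.org/2001/XMLSchema"/>',
}
```

Calling `upload_order(SAMPLE, "orders.wsdl")` returns the referenced files first and the main WSDL document last; a reference that has not been downloaded raises `KeyError` naming the missing file.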
In the Deployment Wizard, when you create an XML profile based on an application template, you associate the profile with either an object, a global parameter, or an object parameter.
1. In the Create Profile area, in the Profile Name box, type a unique name for the XML profile.
2. Optionally, in the Description box, type any relevant information about the new profile. Note that the text description box has a 255-character limit.
4. In the Defense Configuration area, for the Applications setting, in the Available Applications list, select, by clicking, the application for which you are configuring the XML profile, and then click the Move (<<) button. To select more than one application at the same time, hold down the Ctrl button on the keyboard when you select the applications.
5. If the application template has known attack patterns associated with it, the system automatically populates the Enabled Patterns setting.
7. Click the Create button.
   The Associate XML Profile screen opens.
8. For the Associate XML Profile setting, select either Object or Parameter. If you select Parameter, then you also select the Parameter Level from the list.
9. Click Next.
   If you selected Object in step 8, the New Object screen opens. Refer to To create a new object, next, to continue with the wizard.
   If you selected Global Parameter in step 8, the New Parameter screen opens. Refer to To create a new global parameter, following, to continue with the wizard.
   If you selected Object Parameter in step 8, the New Object screen opens. Refer to To create a new object parameter, following, to continue with the wizard.

1. On the New Object screen, for the Object Name setting, type a name for the object.
   Tip: For detailed information on creating objects in the Application Security Manager configuration, refer to the Configuring web objects section of the Working with the Security Policy chapter, in the Configuration Guide for BIG-IP® Application Security Management.
2. Click Next.
   The Objects List screen opens. Refer to Verifying that the application servers are receiving traffic, to continue with the Deployment Wizard.

1. On the New Parameter screen, for the Parameter Name setting, type a name for the object.
   Tip: For detailed information on creating parameters in the Application Security Manager configuration, refer to the Working with Parameters chapter in the Configuration Guide for BIG-IP® Application Security Management.
2. Click Create.
   The Parameters List screen opens. Refer to Verifying that the application servers are receiving traffic, to continue with the Deployment Wizard.

1. On the Create New Object screen, for the Object Name setting, type a name for the object.
   Tip: For detailed information on creating objects in the Application Security Manager configuration, refer to the Configuring web objects section of the Working with the Security Policy chapter, in the Configuration Guide for BIG-IP® Application Security Management.
2. Click Next.
   The New Parameter screen opens.
3. On the New Parameter screen, for the Parameter Name setting, type a name for the object.
   Tip: For detailed information on creating parameters in the Application Security Manager configuration, refer to the Working with Parameters chapter in the Configuration Guide for BIG-IP® Application Security Management.
4. Click Create.
   The Object Parameters screen opens. Refer to Verifying that the application servers are receiving traffic, to continue with the Deployment Wizard.

Before the Deployment Wizard starts updating the web services security policy, the wizard verifies that the application servers are receiving traffic. In the messages and information area of the screen (near the top), you see a notification that the system is checking to see if Application Security Manager is logging requests. The Deployment Wizard moves to the next phase only after it has successfully logged one request.
The ASM logging failed.
If you see this message, then you need to review the networking configuration.
ASM logging started successfully.
If you see this message, then the Deployment Wizard starts the Policy Builder.
Once the Deployment Wizard starts applying the new security policy to the web services traffic, the wizard may start generating learning suggestions for the XML violations as described in Starting the Deployment Wizard. The system logs traffic for at least an hour before it starts generating the learning suggestions.
Important: For detailed information about the learning process, and working with learning suggestions, refer to the Refining the Security Policy Using Learning chapter in the Configuration Guide for BIG-IP® Application Security Management.
1. On the Main tab of the Application Security navigation pane, expand Application Security, and then click Violations.
   The Traffic Learning screen opens.
2. Click a violation type hyperlink.
   The learning suggestions properties screen opens. Note that the screens vary depending on the violation.
Once you have processed any learning suggestions generated by the Deployment Wizard, and the system has not generated new learning suggestions for a period of time, you can finalize the security policy, and finish the deployment process.
2. Click Finish.
   The Deployment Wizard performs the action you specified, and exits. The wizard also takes the following actions:
   - Performs the Apply Policy action.
The Application Security Manager provides several blocking response pages. For this deployment, you may want to use the SOAP Fault blocking response page, which is formatted using XML. For more information on the blocking response pages, refer to the Configuring the response pages section of the Working with the Security Policy chapter, in the Configuration Guide for BIG-IP® Application Security Management.
1. On the Main tab of the Application Security navigation pane, click Policy.
   The Security Policy Properties screen opens.
3. From the Blocking menu, choose Response Page.
   The Blocking Response Page opens.
4. In the Blocking Response Page area, click Edit.
   The Blocking Response Page Properties screen opens.
5. For the Response Type setting, select SOAP Fault.
6. Click the Save button.
   The system saves the changes, and opens the Blocking Response Page screen.
7. In the editing context area, click the Apply Policy button to put the changes you have made into effect.
