WAF - Configuring your Application for SSL

Document created by Steve McBride on Mar 27, 2015. Last modified by Steve McBride on Oct 6, 2015.

Qualys WAF includes comprehensive support for encrypted web applications and, while configuration is very simple, there are a few key concepts to keep in mind to properly configure a web application for SSL support.

While we refer to SSL as the industry term for an encrypted web application, Qualys WAF does not support SSL v2 or SSL v3. Rather, encrypted application support on Qualys WAF is TLS 1.2, 1.1, or 1.0 only. This means that if a customer requires SSLv3, they must offload SSL to an exterior load balancer (this should only occur if they need to support very old versions of Internet Explorer, as all modern browsers include TLS support). The decision to remove support for SSLv3 was made due to the inherent insecurity of the protocol, as evidenced by the series of SSL breaches in the middle of 2014.

To configure Qualys WAF to support encryption is quite simple.  First, modify the application definition under "Assets" -> "Web Application", and ensure that https is enabled by either adding "https://" at the beginning of the Web Application URL, or by ticking the button represented by the green lock icon below:

waf_initial_application_setup.PNG

Then, move to the "SSL Support" tab, which will initially be blank when unconfigured, as:

waf_applicaton_ssl_unconfigured.PNG

Now, configure the application by pulling the certificate into the top area (self-signed certificates are supported, even though they're likely to cause an error in the browser unless you've configured the browser properly for the certificate in use), and the private key into the center area. If the private key has a passphrase, tick the appropriate box and enter the passphrase of the key itself. The final configuration step is to set another passphrase, as seen here:

waf_applicaton_ssl_configured.PNG

The "WAF SSL Passphrase" will be applied to the key as it is placed on the WAF appliance, and will supersede the original key's passphrase. This is done to help limit the risk of compromise of customer private keys and passphrases. Now, make a note of the WAF SSL Passphrase, as it will be required in the next configuration step.

Now, SSH into the WAF appliance itself (or appliances, if multiple are deployed to protect this application). The default SSH user is 'waf-user', and authentication will vary based on the virtualization platform. In EC2, use SSH key authentication as you would with any other EC2 instance. In another virtualization environment, there is no default password; it will need to be set on first login.

waf_appliance_configured.PNG

In the screenshot, three commands have been issued. The 'show' command simply lists the tokens currently defined on the appliance. As we can see here, the "waf_ssl_passphrase" token is not currently set, and it must be set for the appliance to use the private key that was deployed in the Portal steps above. Issuing a 'set waf_ssl_passphrase' command and assigning the WAF SSL Passphrase from the Portal completes the final configuration step. Critically, issue a 'save' command so that the setting persists across restarts. The WAF services then need to be restarted. In the current version of the appliance, services cannot be restarted manually, so the last step is to reboot the device with the 'reboot' command.

The application and WAF appliances have now been configured properly to support SSL, so once the device restarts, the application should be accessible on "https://www.example.com" as defined above.
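The checks a practitioner would run around the procedure above, as an added example that is not part of this document and not Qualys WAF tooling: before the Portal upload, confirm that the certificate and private key actually form a pair and find out whether the key is passphrase-protected (which decides the checkbox in the "SSL Support" tab); after the reboot, confirm that the appliance serves the uploaded certificate and enforces the protocol policy stated above (SSLv3 refused, TLS 1.2 accepted). It relies only on the openssl command-line tool. The file names site.crt and site.key, the KEY_PASSPHRASE variable and the host www.example.com are placeholders.

```shell
#!/usr/bin/env bash
# Added example (not Qualys code): checks around the WAF SSL setup.
# Requires the openssl CLI. Host, port and file names are placeholders.
set -u

# 0 if the PEM key is encrypted (tick "private key has a passphrase" in the
# Portal and enter the key's own passphrase), 1 if it is stored in the clear.
key_is_encrypted() {
  grep -qE '^-----BEGIN ENCRYPTED PRIVATE KEY-----|^Proc-Type: 4,ENCRYPTED' "$1"
}

# SHA-256 over the PEM public key embedded in a certificate.
cert_pubkey_hash() {
  local pub
  pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
  printf '%s\n' "$pub" | openssl sha256 | awk '{print $NF}'
}

# SHA-256 over the PEM public key derived from a private key.
# $2 is the key's passphrase (empty for an unencrypted key); a wrong passphrase
# makes openssl fail, so the function fails instead of returning a bogus hash.
key_pubkey_hash() {
  local pub
  pub=$(openssl pkey -in "$1" -passin "pass:${2:-}" -pubout 2>/dev/null) || return 1
  printf '%s\n' "$pub" | openssl sha256 | awk '{print $NF}'
}

# 0 when certificate and key carry the same public key, 1 otherwise.
# A mismatched pair is a common reason for an application that looks
# "configured" in the Portal but still fails the TLS handshake after reboot.
cert_matches_key() {
  local c k
  c=$(cert_pubkey_hash "$1") || return 1
  k=$(key_pubkey_hash "$2" "${3:-}") || return 1
  [ "$c" = "$k" ]
}

# SHA-256 fingerprint ("AB:CD:...") of a local certificate file.
local_cert_fingerprint() {
  openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# SHA-256 fingerprint of the certificate served on host:port (SNI is sent).
served_cert_fingerprint() {
  echo | openssl s_client -connect "$1:${2:-443}" -servername "$1" 2>/dev/null \
    | openssl x509 -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# 0 when the endpoint serves the certificate we uploaded, 1 otherwise.
served_cert_matches() {
  [ "$(served_cert_fingerprint "$2" "${3:-443}")" = "$(local_cert_fingerprint "$1")" ]
}

# 0 when the endpoint refuses SSLv3 and completes a TLS 1.2 handshake.
# Caveat: most current openssl builds ship without an SSLv3 client; the -ssl3
# attempt then fails for that reason, which still counts as "refused" here.
tls_policy_ok() {
  local host="$1" port="${2:-443}"
  if echo | openssl s_client -connect "$host:$port" -ssl3 >/dev/null 2>&1; then
    echo "SSLv3 accepted by $host:$port" >&2
    return 1
  fi
  echo | openssl s_client -connect "$host:$port" -servername "$host" -tls1_2 >/dev/null 2>&1 \
    || { echo "TLS 1.2 handshake failed for $host:$port" >&2; return 1; }
}

# Usage: "./wafcheck.sh pre" before the Portal upload, "./wafcheck.sh post"
# once the appliance has rebooted. File names and host are placeholders.
if [ "${1:-}" = "pre" ]; then
  cert_matches_key site.crt site.key "${KEY_PASSPHRASE:-}" && echo "certificate and key form a pair"
  key_is_encrypted site.key && echo "key is passphrase-protected: tick the Portal box"
elif [ "${1:-}" = "post" ]; then
  served_cert_matches site.crt www.example.com && tls_policy_ok www.example.com && echo "deployment OK"
fi
```

The pre-upload functions compare hashes of the public key rather than the RSA modulus, so the same check works for EC keys. Because the uploaded key is re-wrapped with the "WAF SSL Passphrase" on the appliance, the original passphrase is only needed for this local check, never on the appliance.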
