Configure secure communication with Security Proxy
The Security Proxy supports a secure listener. To secure all traffic between Security Proxy and the mobile application you need to configure TLS/SSL by:
- enabling TLS/SSL
- providing the certificate that will be used to generate the session key
- providing the certificate key, which will be used by Security Proxy to decrypt the session key and establish a secure session
Additionally, though not recommended, you can override properties that have default values:
- specify the protocol versions
- specify the group of ciphers that will be used to encrypt/decrypt the communication
The following table presents all properties described in this section:
Property | Required | Description |
---|---|---|
SECURITY_PROXY_SSL_ENABLED | yes | Enable/disable TLS/SSL support |
SECURITY_PROXY_SSL_DEFAULT_CERTIFICATE | yes if SSL enabled | The SSL certificate of the server in PEM format |
SECURITY_PROXY_SSL_DEFAULT_KEY | yes if SSL enabled | The SSL private key of the server in PEM format |
SECURITY_PROXY_SSL_PROTOCOLS | no | TLS/SSL protocol versions |
SECURITY_PROXY_SSL_CIPHERS | no | TLS/SSL cipher suites |
Enable SSL
To enable TLS/SSL, add SECURITY_PROXY_SSL_ENABLED=true to the docker-compose.yml file.
Provide certificate
This property specifies the certificate of the server (and possibly also the chain certificate). Please see the Nginx documentation on how to prepare the certificate and optionally certificate chain.
The certificates must be provided in the PEM format like in the example below:
SECURITY_PROXY_SSL_CERTIFICATE=-----BEGIN CERTIFICATE-----\nMIIDSjCCAjKgAwIBAgIQRK+wgNajJ7qJMDmGLvhAazANBgkqhkiG9w0BAQUFADA/\nMSQwIgYDVQQKExtEaWdpdGFsIFNpZ25hdHVyZSBUcnVzdCBDby4xFzAVBgNVBAMT\nDkRTVCBSb290IENBIFgzMB4XDTAwMDkzMDIxMTIxOVoXDTIxMDkzMDE0MDExNVow\nPzEkMCIGA1UEChMbRGlnaXRhbCBTaWduYXR1cmUgVHJ1c3QgQ28uMRcwFQYDVQQD\nEw5EU1QgUm9vdCBDQSBYMzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB\nAN+v6ZdQCINXtMxiZfaQguzH0yxrMMpb7NnDfcdAwRgUi+DoM3ZJKuM/IUmTrE4O\nrz5Iy2Xu/NMhD2XSKtkyj4zl93ewEnu1lcCJo6m67XMuegwGMoOifooUMM0RoOEq\nOLl5CjH9UL2AZd+3UWODyOKIYepLYYHsUmu5ouJLGiifSKOeDNoJjj4XLh7dIN9b\nxiqKqy69cK3FCxolkHRyxXtqqzTWMIn/5WgTe1QLyNau7Fqckh49ZLOMxt+/yUFw\n7BZy1SbsOFU5Q9D8/RhcQPGX69Wam40dutolucbY38EVAjqr2m7xPi71XAicPNaD\naeQQmxkqtilX4+U9m5/wAl0CAwEAAaNCMEAwDwYDVR0TAQH/BAUwAwEB/zAOBgNV\nHQ8BAf8EBAMCAQYwHQYDVR0OBBYEFMSnsaR7LHH62+FLkHX/xBVghYkQMA0GCSqG\nSIb3DQEBBQUAA4IBAQCjGiybFwBcqR7uKGY3Or+Dxz9LwwmglSBd49lZRNI+DT69\nikugdB/OEIKcdBodfpga3csTS7MgROSR6cz8faXbauX+5v3gTt23ADq1cEmv8uXr\nAvHRAosZy5Q6XkjEGB5YGV8eAlrwDPGxrancWYaLbumR9YbK+rlmM6pZW87ipxZz\nR8srzJmwN0jP41ZL9c8PDHIyh8bwRLtTcm1D9SZImlJnt1ir/md2cXjbDaJWFBM5\nJDGFoqgCWjBH4d1QB7wCCZAA62RjYJsWvIjJEubSfZGL+T0yjWW06XyxV3bqxbYo\nOb8VZRzI9neWagqNdwvYkQsEjgfbKbYK7p2CNTUQ\n-----END CERTIFICATE-----\n
Note: The certificate needs to be provided on one line, so you need to replace all end-of-line characters with '\n', as was done in the example above.
Provide certificate key
The private key of the server certificate must be provided in the PEM format like in the example below:
SECURITY_PROXY_SSL_CERTIFICATE_KEY=-----BEGIN ENCRYPTED PRIVATE KEY-----\nMIIFDjBABgkqhkiG9w0BBQ0wMzAbBgkqhkiG9w0BBQwwDg\nMBQGCCqGSIb3DQMHBAgD1kGN4ZslJgSCBMi1xk9jhlPxPc\n9g73NQbtqZwI+9X5OhpSg/2ALxlCCjbqvzgSu8gfFZ4yo+\nX0R+meOaudPTBxoSgCCM51poFgaqt4l6VlTN4FRpj+c/Wc\nblK948UAda/bWVmZjXfY4Tztah0CuqlAldOQBzu8TwE7WD\nH0ga/iLNvWYexG7FHLRiq5hTj0g9mUPEbeTXuPtOkTEb/0\nGEs=\n-----END ENCRYPTED PRIVATE KEY-----\n
Note: The certificate key needs to be provided on one line, so you need to replace all end-of-line characters with '\n', as was done in the example above.
Specify protocol versions
You can specify the versions of the SSL/TLS protocols by setting the SECURITY_PROXY_SSL_PROTOCOLS property.
Note: It is highly recommended to use the default TLS/SSL protocols.
The default protocol versions used by Security Proxy are:
TLSv1 TLSv1.1 TLSv1.2
Specify the cipher suite
You can specify the group of ciphers that will be used to encrypt and decrypt the communication between Security Proxy and the mobile application by setting the SECURITY_PROXY_SSL_CIPHERS property.
Note: It is highly recommended to use the default cipher suites and TLS/SSL protocols.
The default cipher suites used by Security Proxy are:
ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4
Adding additional certificates
Additional certificates can be defined in the same way as the default certificate. These certificates can be used for the resource gateways and transparent proxies with a server name. The following is an example of specifying two additional certificates:
- SECURITY_PROXY_SSL_CIM_CERTIFICATE=
- SECURITY_PROXY_SSL_CIM_KEY=
- SECURITY_PROXY_SSL_RESOURCE_CERTIFICATE=
- SECURITY_PROXY_SSL_RESOURCE_KEY=
In this example we have specified 2 additional certificates with the names CIM and RESOURCE. When configuring the transparent proxy or resource gateway, they can be referred to by these names using the SECURITY_PROXY_BACK_END_TRANSPARENT_PROXIES_<PROXYID>_SSL_CERTIFICATE_NAME or SECURITY_PROXY_BACK_END_RESOURCE_GATEWAYS_<RESOURCEID>_SSL_CERTIFICATE_NAME property. Example:
- SECURITY_PROXY_BACK_END_TRANSPARENT_PROXIES_CIM_SSL_CERTIFICATE_NAME=CIM
- SECURITY_PROXY_BACK_END_RESOURCE_GATEWAYS_RESOURCE_SSL_CERTIFICATE_NAME=RESOURCE
Note: The certificate and certificate key need to be provided on one line.
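As an added example (not part of this documentation or of the Security Proxy itself), the following Python converts PEM files into the one-line '\n'-escaped values required for the default certificate and key above and for the additional named certificates in this section, validating the BEGIN/END markers and block type before emitting the docker-compose environment entries. It assumes the SECURITY_PROXY_SSL_<NAME>_CERTIFICATE / _KEY naming shown for DEFAULT, CIM and RESOURCE; the sample PEM bodies are constructed placeholders, not real credentials.

```python
import re

# Constructed sample PEM blocks (placeholder base64 bodies, not real credentials).
SAMPLE_CERT_PEM = ("-----BEGIN CERTIFICATE-----\nMIIBsampleCERTIFICATEbody0001\n"
                   "MIIBsampleCERTIFICATEbody0002\n-----END CERTIFICATE-----\n")
# CRLF line endings, as in a file copied from a Windows machine.
SAMPLE_KEY_PEM = ("-----BEGIN ENCRYPTED PRIVATE KEY-----\r\nMIIFsampleKEYbody\r\n"
                  "-----END ENCRYPTED PRIVATE KEY-----\r\n")

# PEM labels accepted for each kind of property value.
ALLOWED_LABELS = {
    "CERTIFICATE": {"CERTIFICATE"},
    "KEY": {"PRIVATE KEY", "ENCRYPTED PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY"},
}

def pem_to_env_value(pem_text, kind):
    """Convert a PEM block to the one-line form the proxy expects: every line
    break becomes the two characters backslash and 'n'."""
    lines = [ln.strip() for ln in pem_text.replace("\r\n", "\n").split("\n")]
    lines = [ln for ln in lines if ln]  # blank lines would become empty '\n\n' entries
    if len(lines) < 3:
        raise ValueError("PEM input is too short to be a certificate or key")
    begin = re.fullmatch(r"-----BEGIN ([A-Z ]+)-----", lines[0])
    end = re.fullmatch(r"-----END ([A-Z ]+)-----", lines[-1])
    if not (begin and end and begin.group(1) == end.group(1)):
        raise ValueError("PEM BEGIN/END markers are missing or do not match")
    if begin.group(1) not in ALLOWED_LABELS[kind]:
        raise ValueError(f"expected a {kind} block, found '{begin.group(1)}'")
    for body in lines[1:-1]:  # body lines must be base64 only, as in the page's examples
        if not re.fullmatch(r"[A-Za-z0-9+/]+=*", body):
            raise ValueError("PEM body contains non-base64 text")
    return "\\n".join(lines) + "\\n"  # trailing '\n' after END, as in the page's examples

def env_value_to_pem(value):
    """Inverse of pem_to_env_value, to check what was pasted into docker-compose.yml."""
    return value.replace("\\n", "\n")

def compose_env_lines(cert_pem, key_pem, name="DEFAULT"):
    """docker-compose environment entries for one named certificate: DEFAULT, or an
    additional name such as CIM or RESOURCE (SECURITY_PROXY_SSL_<NAME>_CERTIFICATE/_KEY)."""
    return [
        f"- SECURITY_PROXY_SSL_{name}_CERTIFICATE={pem_to_env_value(cert_pem, 'CERTIFICATE')}",
        f"- SECURITY_PROXY_SSL_{name}_KEY={pem_to_env_value(key_pem, 'KEY')}",
    ]
```

Running env_value_to_pem on a value copied back out of docker-compose.yml is a quick way to confirm that the pasted line still parses as the original PEM block.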