Copyright
Copyright © 2019 Balasys IT Ltd.. All rights reserved. This document is protected by copyright and is distributed under licenses restricting its use, copying, distribution, and decompilation. No part of this document may be reproduced in any form by any means without prior written authorization of Balasys.
This documentation and the product it describes are considered protected by copyright according to the applicable laws.
This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit (http://www.openssl.org/). This product includes cryptographic software written by Eric Young (eay@cryptsoft.com)
Linux™ is a registered trademark of Linus Torvalds.
Windows™ 10 is registered trademarks of Microsoft Corporation.
The Balasys™ name and the Balasys™ logo are registered trademarks of Balasys IT Ltd.
The Zorp™ name and the Zorp™ logo are registered trademarks of Balasys IT Ltd.
The Proxedo™ name and the Proxedo™ logo are registered trademarks of Balasys IT Ltd.
AMD Ryzen™ and AMD EPYC™ are registered trademarks of Advanced Micro Devices, Inc.
Intel® Core™ and Intel® Xeon™ are trademarks of Intel Corporation or its subsidiaries in the U.S. and/or other countries.
All other product names mentioned herein are the trademarks of their respective owners.
DISCLAIMER
Balasys is not responsible for any third-party websites mentioned in this document. Balasys does not endorse and is not responsible or liable for any content, advertising, products, or other material on or available from such sites or resources. Balasys will not be responsible or liable for any damage or loss caused or alleged to be caused by or in connection with use of or reliance on any such content, goods, or services that are available on or through any such sites or resources.
2021-05-12 .Copyright
Preface
Typographical conventions
Before you start using this guide, it is important to understand the terms and typographical conventions used in the documentation. For more information on specialized terms and abbreviations used in the documentation, see the Glossary at the end of this document.
The following text formatting principles and icons identify special information in the document.
| Tips provide best practices and recommendations. |
| Notes provide additional information on a topic, and emphasize important facts and considerations. |
| Warnings mark situations where loss of data or misconfiguration of the device is possible if the instructions are not obeyed. |
Command-
Commands you have to execute.
- Emphasis
-
Reference items, additional readings.
- /path/to/file
-
File names.
- Parameters
-
Parameter and attribute names.
In the parameter listing tables the required parameters are also emphasized with bold text:
| Key | Description |
|---|---|
param1 |
This is a required parameter. |
param2 |
This is an optional parameter. |
Additional marks used specifically in the Web User Interface (UI):
| Key | Description |
|---|---|
* |
The elements marked with * in the configuration reference tables are mandatory to be configured. |
(Default) |
For some of the configuration elements there are recommended default values, marked as (Default). In case the value is not defined during the configuration, the default value will be considered for the actual element. |
+ |
By clicking this sign you can add the actual element to the configuration. |
Contact and support information
This product is developed and maintained by Balasys IT Ltd..
Contact:
Balasys IT Ltd. 4 Alíz Street H-1117 Budapest, Hungary Tel: +36 1 646 4740 E-mail: <info@balasys.hu> Web: http://balasys.hu/
Sales contact
You can directly contact us with sales-related topics at the e-mail address <sales@balasys.hu>, or leave us your contact information and we call you back.
Support contact
To access the Balasys Support System, sign up for an account at the Balasys Support System page. Online support is available 24 hours a day.
Balasys Support System is available only for registered users with a valid support package.
Support e-mail address: <support@balasys.hu>.
Training
Balasys IT Ltd. holds courses on using its products for new and experienced users. For dates, details, and application forms, visit the https://www.balasys.hu/hu/support/trainings webpage.
1. Scope of this document
This document describes the Web User Interface for the Proxedo API Security. The purpose of this document is to present the designed approach and the usage for the configuration of Proxedo API Security via Web User Interface (UI). The Web UI allows easy configuration for Proxedo API Security. All the functionalities are grouped visually and logically into thematic units which follow the logical built up of Proxedo API Security’s configuration. The primary intended audience of this document are system engineers and system designers for configuring Proxedo API Security systems.
2. Introduction to Proxedo API Security
2.1. What is Proxedo API Security
The Proxedo API Security (PAS) is a security solution that protects API serving endpoints. It is positioned in the network flow between consumers of the APIs (clients) and backend solutions serving the API (servers) as a transparent HTTP proxy.
Proxedo API Security can:
-
handle incoming Transport Layer Security v1 (TLS) connections from clients & outgoing TLS connections to servers separately and selectively
-
verify that the communication conforms to HTTP specifications
-
verify that the content of the messages conform to their specified content type
-
verify that the content of messages conform to API specification(s) as described in schemas
-
extract parts of the content of the messages and relay them to external data stores such as log servers, SIEM systems or other data warehouses
2.2. Where to start
Depending on what you need to do the following starting points are suggested:
-
To understand what the product does and how, see Overview of Proxedo API Security.
-
If you are familiar with API terminology jump right to Architecture for Proxedo API Security.
-
-
See Installation of Proxedo API Security if you need to set up a new PAS.
-
The Operations chapter is about how to manage a working system on the level of the operating system.
-
Configuration of Proxedo API Security on the Web User Interface contains in-depth information about everything that can be configured with the help of the Web User Interface.
-
If you are already familiar with the system and need to find a component that suits your needs consult the Matcher types and their settings - Table 1, Comparators, Extractor types or Target.
3. Overview of Proxedo API Security
3.1. Main features
3.1.1. TLS
Transport Layer Security v1 (TLS) (successor of the now obsoleted Secure Socket Layer v3 (SSL)) is a widely used crypto protocol, guaranteeing data integrity and confidentiality in many PKI and e-commerce systems.
The TLS framework inspects TLS connections, and also any other connections embedded into the encrypted TLS channel. TLS connections initiated from the client are terminated on the Proxedo API Security, and two separate TLS connections are built: one between the client and the firewall, and one between the firewall and the server. If both connections match the configuration settings of PAS (for example, the certificates are valid, and only the allowed encryption algorithms are used), PAS inspects the protocol embedded into the secure channel as well. Note that the configuration settings can be different for the two connections, for example, it is possible to permit different protocol versions and encryption settings.
3.1.2. Enforcement
Proxedo API Security acts as an HTTP proxy and verifies that the traffic passing through conforms to HTTP’s specifications. By using OpenAPI schemas, as defined in OpenAPI specifications (also known as Swagger), it also verifies that the traffic passing through conforms to the API enpoint’s specification and can log or deny non-conforming traffic.
PAS also provides its own versatile filtering system to control passing traffic.
3.1.3. Insights
With Proxedo API Security it is possible to extract business-relevant information with extremely high resolution from the traffic and relay it to external data stores where further analysis can be implemented.
Thus, it is possible to feed Log Management solutions, Monitoring and SIEM systems, Data visualization tools with data extracted from the traffic, even to the level of specific fields deep inside API calls or URI parameters.
3.2. Main Concepts in Proxedo API Security
This chapter provides an overview of the Proxedo API Security solution, introduces its main concepts, and explains the relationship of the various components.
- API Endpoint
-
Proxedo API Security protects API endpoints. An API endpoint is the serving part of the communication channel and is the collection of all functions of a service. It resides at a list of well-known top URIs under which all the functions are accessible. APIs have well-defined HTTP Endpoints for all exposed calls, resources etc., usually through providing a schema that describes all parameters of these URI paths, including possible HTTP response codes, the format and fields of the data structure in the request’s and response’s body.
- Client
-
It is a consumer of API endpoints. It is the source of the requests.
- Backend
-
The backend constitutes of one or more servers that serve the API endpoint. It receives the requests of the client and sends the responses.
- HTTP message
-
It can be an HTTP request coming from the client or an HTTP response coming from the backend.
- Call
-
An HTTP conversation constitutes of a request — response interchange of HTTP messages between the client and the backend. Whenever the direction is irrelevant in the context — it applies to both requests and responses — the message is named Call.
- Listener
-
It is the part of PAS that listens to incoming traffic for given API Endpoints. It is bound to a network port. Clients address this port when accessing API Endpoints through the gateway.
- TLS
-
Transport Layer Security is the cryptographic protocol that secures HTTPS communications. PAS can apply TLS encryption both when communicating with Clients and Backends.
- Security flow
-
It provides a collection of security rules that PAS applies to a Call. It is two series of Plugins: one for requests and one for responses.
- Plugin
-
It is an element of the security flow that applies a specific security function. It has different types based on the role they do.
- Decompressor
-
It is a Plugin responsible for decompressing compressed content in the HTTP message’s body. This ensures that the original content of the message is available for processing.
- Compressor
-
It is a Plugin responsible for compressing the result of a flow and forwarding the compressed content.
- Deserializer
-
It is a Plugin responsible for parsing the HTTP message’s body to structured data. This ensures that a message is well-formed. The structured data will also be consumed by other Plugins that operate on the body of the message.
- Serializer
-
It is a Plugin responsible for serializing the structured data to the format of the HTTP message’s body.
- Filter
-
It is a Plugin that rejects calls when they match defined rules.
- Enforcer
-
It is a Plugin that validates calls against externally defined schemas.
- Insight
-
It is a Plugin that extracts various data from the call and sends it to external systems (log servers, SIEMs, and other data analysis tools).
- Brick
-
They are reusable components of Plugins. They can be defined on their own and then shared by multiple Plugins.
- Error policy
-
It is a brick that defines what happens if the Plugin has found an error. It decides if calls are rejected or merely logged, and defines the details of the HTTP error response sent to the client if a call is rejected.
- Matcher
-
It is a brick that decides if the Plugin should be executed for a given call by checking various data in the HTTP message.
- Selector
-
Selector is a brick that can extract a piece of information from a call. It is used by Insight plugins.
- Target
-
It is a brick that defines an external system to send extracted data to. It is used by Insight plugins.
3.3. Architecture for Proxedo API Security
Proxedo API Security is based on a micro-services architecture.
The components of the architecture are each responsible for well-defined subset of handling traffic between the client and the backend. Proxedo API Security is built up of three components:
- Transport Director
-
It manages the transport layer of API connections:
-
handles network connections from the client
-
handles network connections towards the backends
-
handles TLS on these connections
-
load-balances between multiple backend servers
-
load-balances between multiple Flow Directors
-
enforces HTTP protocol validity in calls
-
- Flow Director
-
It is responsible for the execution of the Plugins in the Endpoint’s flow and for applying Error Policies as necessary.
- Insight Director
-
It manages the connections to Targets. It is responsible for sending the data collected by Insight plugins to Target systems.
The handling of a connection with the help of components is shown in this figure:
-
Incoming connections are accepted by the Transport Director.
-
It handles TLS with the client if necessary.
-
-
It hands over the connection to the Flow Director.
-
The Flow Director chooses the Endpoint based on the URL.
-
The Flow Director applies the Endpoint specific Request Security Flow.
-
-
If an Insight plugin needs to send data to an external Target it sends the collected data to the Insight Director.
-
The Insight Director sends the data further to the Target with the appropriate protocol.
-
The Flow Director hands the connection back to the Transport Director.
-
The Transport Director then sends the data to the Backend.
-
It handles TLS with the backends if necessary.
-
It performs load balancing among Backend servers if necessary.
-
The same procedure is executed with the response coming from the Backend.
3.3.1. Understanding processing flow
The figure on Proxedo API Security architecture and the steps following that describe how client connection is handled. The following figure explains how calls are processed in more details:
-
As shown in the figure above, the incoming connection from the client is handled by the Transport Director, applying TLS if needed.
-
The Transport Director hands over the connection to the Flow Director, indicating which Listener the connection belongs to.
-
The Flow Director then chooses the Endpoint based on the URL in the request. First endpoint has matching URL is chosen.
-
The Flow Director then starts applying the request part of the Security Flow definition.
-
For each Plugin the Flow Director:
-
Checks if the Plugin's matcher matches the request.
-
If so, it executes the Plugin, if not, it executes the next Plugin.
-
If the Plugin indicates success it executes the next Plugin.
-
If the Plugin indicates an error it applies the Plugin's error policy. If the policy dictates to abort the connection:
-
It fills error details and hands back the connection to the Transport Director, aborting the execution of the flow.
-
The Transport Director closes the connection, sending error details to the client if allowed by the policy.
-
-
-
Once, the last Plugin has been executed the connection is handed back to the Transport Director.
-
The Transport Director initiates the connection towards the Backend:
-
It handles load balancing if necessary.
-
It handles TLS if necessary.
-
It sends the request itself to the Backend server.
-
-
The Backend server sends its response to the Transport Director.
-
Once, the response has been received the Transport Director again hands over the connection to the Flow Director.
-
The Flow Director then starts applying the response part of the Security Flow definition, executing the Plugins as above.
-
Once, the last Plugin has been executed the connection is handed back to the Transport Director.
-
Finally, the Transport Director sends the response to the client.
Usually, Plugins are organized in the following manner:
-
A Decompressor Plugin extracts the compressed body.
-
A Deserializer Plugin processes the decompressed request to understand the details in the body.
-
Filters are applied to filter unnecessary traffic.
-
Enforcers are applied for detailed validation of calls.
-
Insights are applied to collect data from the call.
-
Serializer Plugin serializes the body
-
Compressor Plugin compresses the serialized body
Though the order of the plugins can be changed based on the needs, note the followings:
-
When a Plugin needs access to the request body it requires Deserialized data. It is therefore strongly recommended that the first plugin is a Decompressor followed by a Deserializer.
-
At the end of the flow it is strongly recommended to place a Serializer plugin followed by a Compressor.
-
Generally Insights are applied after Filters and Enforcers so that they are not executed on possibly invalid calls.
-
Anything that operates on the HTTP headers or the body of the message will be aware of the call direction: The same Plugin in the request and response flow will act on the request or response data.
-
However, the Flow Director handles a request-response exchange together, so you can still use details from the request in Plugins of the response flow. The most notable example of this is using URI or method matchers in the response flow.
-
Plugins in the request flow, however, cannot access details of the response flow (since they are not available yet.)
It is also worth noting that Insight Plugins instantly hand over data to the Insight Director, and let the execution continue.
4. Installation of Proxedo API Security
The installation of Proxedo API Security is relatively straightforward. PAS is mainly distributed as Docker images, and is also completed with a .deb package that sets up the operational environment. You need to install both the core and the management components on the same machine.
4.1. Prerequisites
The followings are needed prior to the installation of Proxedo API Security:
-
the licence for PAS
-
a technical user for accessing Balasys' download site and docker registry
-
the PAS core and management .deb packages
You can download the .deb packages from the Balasys Download website. -
a server with Ubuntu 18.04 Operating System installed
4.2. Installation steps for the management component
-
Log in as root.
-
Update the OS' package list:
apt update. -
Install the PAS management .deb package:
apt install <path/to/deb>/proxedo-api-security-mgmt_<version>.deb.
This will:
-
Create a user named pas for running and configuring PAS.
pas user must not be created manually beforehand. -
Install the necessary configuration files and helper scripts under /opt/balasys.
-
Create systemd services for managing the PAS management component.
You need to use apt to locally install the .deb package as it installs its dependencies as well. dpkg will not resolve dependencies, and apt-getcannot install from a local file. Also note that to install PAS from the current directory, you must use the path ./ before the .deb package, or apt will try to download the package from a repository.
-
Change to the PAS user:
su - pas. -
Set up
MINIO_*andCONSUL_*parameters in /opt/balasys/etc/infrastructure/mgmt/docker-compose.conf. You can also modify other parameters if necessary, including port numbers and the version. For details, see docker-compose.conf.For HOSTNAMEparameters, use the fully qualified domain name or the IP address of the machine. For keys and tokens, you should define the values you want to use. Pick strong and preferably random-generated values. -
Run
pas-mgmt-registry-loginto set up authentication with the docker registry. Provide login credentials on the prompt. Contact support if you need assistance with your credentials.Docker will, by default, save your credentials unencrypted in the home directory of the pasuser. Using a password-management tool likepassis not enforced, but it is recommended. -
Run
pas-mgmt-updateto download the docker images. -
Set up startup configuration in /opt/balasys/etc/mgmt/config.yml.
-
Run
pas-mgmt-checkconfigto validate the configuration. -
Start PAS management:
systemctl start proxedo-api-security-mgmt.This service is enabled by default, so the service starts on system restart.
4.3. Installation steps for the core component
-
Log in as root.
-
Update the OS' package list:
apt update. -
Install the PAS .deb package:
apt install <path/to/deb>/proxedo-api-security_<version>.deb.
This will:
-
create a user named pas for running and configuring PAS.
pas user must not be created manually beforehand. -
Install the necessary configuration files and helper scripts under /opt/balasys.
-
Create systemd services for managing PAS.
You need to use apt to locally install the .deb package as it installs its dependencies as well. dpkg will not resolve dependencies, and apt-getcannot install from a local file. Also note that to install PAS from the current directory, you must use the path ./ before the .deb package, or apt will try to download the package from a repository.
-
Change to the PAS user:
su - pas. -
Set up
MINIO_*andCONSUL_*parameters and the number of Flow Director instances to run in /opt/balasys/etc/infrastructure/pas/docker-compose.conf. If necessary, also change the version you want to follow.For MinIO- and Consul-related parameters, you must use the same values as you did in /opt/balasys/etc/infrastructure/mgmt/docker-compose.conf. For details, see docker-compose.conf. -
Copy license.txt to /opt/balasys/etc/pas.
-
Run
pas-registry-loginto set up authentication with the docker registry. Provide login credentials on the prompt. Contact support if you need assistance with your credentials.Docker will, by default, save your credentials unencrypted in the home directory of the pasuser. Using a password-management tool likepassis not enforced, but it is recommended. -
Run
pas-updateto download the docker images. -
Start PAS:
systemctl start proxedo-api-security.Starting PAS core will only succeed once you have a functional configuration set up in the management component. To do it, please refer to Configuration of Proxedo API Security on the Web User Interface. This service is enabled by default, so the service starts on system restart. -
If you configured Certificate Revocation List (CRL) verification in any of your Backends or Listeners you need to enable CRL updates:
sytemctl enable proxedo-api-security-crl-update.service sytemctl enable proxedo-api-security-crl-update.timer sytemctl start proxedo-api-security-crl-update.timer
5. Base system configuration
This chapter explains configuration details for setting up a working PAS. Configuration settings are detailed here, provided by the .deb packages installed on an Ubuntu 18.04 LTS server.
The .deb packages carry convenience tools for managing the Proxedo API Security core and the management component, the actual installation and execution is done by Docker and docker-compose.
5.1. docker-compose.yml
The main configuration of the running environment is the defined in /opt/balasys/etc/infrastructure/pas/docker-compose.yml and /opt/balasys/etc/infrastructure/mgmt/docker-compose.yml files. They describe the containers running PAS.
The format of the files must adhere to the YAML 1.1 specification. For a brief overview of the YAML format look at the example here. For an in-depth reference of docker-compose configuration see its documentation.
This file controls:
-
the images to run the container from
-
the persistent data storage (docker volumes) to attach to the containers
-
the ports propagated to the containers
-
the environment variables available inside the containers
-
intra container communication channels (links)
-
log target configuration
Unless inevitable, you should not modify these files. There are two cases when you might need to.
-
If you need to modify the provided environment to debug your setup.
-
If you need to change the default behavior of logging into the system’s journal you must change the logging parameters under all the services. See more details in docker-compose’s documentation.
| If you modify these files, they will not be overwritten on package upgrade. Only interactive installs will notify you. |
| Do not use docker-compose directly to manage the installation. Always use systemctl as it handles dependencies and scaling. |
5.2. docker-compose.conf
Some aspects of how the services are run by docker-compose are configured through /opt/balasys/etc/infrastructure/pas/docker-compose.conf and /opt/balasys/etc/infrastructure/mgmt/docker-compose.conf.
The format of this file is a shell environment file format: a key-value pair in each line, separated by an equal sign ("=").
| There must not be spaces around the equal sign. |
The configuration files of different components have a common portion along with other parameters that are only valid in one of them. For details, see the following tables.
| Key | Default | Description |
|---|---|---|
PAS_IMAGE_TAG |
3.0.latest |
The release track of Proxedo API Security to use. See Tracking version. |
COMPOSE_FILE |
/opt/balasys/etc/infrastructure/pas/docker-compose.yml or /opt/balasys/etc/infrastructure/mgmt/docker-compose.yml |
Path to the compose file. You must not modify the default value. |
COMPOSE_PROJECT_NAME |
pas |
Name used for the compose project. They must be kept synchronized over different files. |
PAS_DOCKER_REGISTRY |
docker.balasys.hu |
It is the domain name of the docker registry to download images from. |
MINIO_ACCESS_KEY |
It is the access key to use for MinIO authentication. It is an arbitrary string preferably generated randomly. It must be the same in different files. |
|
MINIO_SECRET_KEY |
It is the secret key to use for MinIO authentication. It is an arbitrary string preferably generated randomly. It must be the same in different files. |
|
CONSUL_HOSTNAME |
It is the hostname or the IP address where Consul is accessible. Generally it should be the domain name or the IP address of the computer running PAS. The same value must be provided for this field in different files. |
|
CONSUL_PORT |
8080 |
It is the port to use for connecting to Consul. The same value must be provided for this field in different files. |
CONSUL_TOKEN |
The token to use for Consul authentication. The same value must be provided for this field in different files. It must also be the same as the value of |
| Key | Default | Description |
|---|---|---|
PAS_MGMT_WEBUI_HTTP_PORT |
80 |
It is the port to expose for HTTP access of the management web user interface. |
PAS_MGMT_WEBUI_HTTPS_PORT |
443 |
It is the port to expose for HTTPS access of the management web user interface. |
MINIO_HOSTNAME |
It is the hostname or IP address where MinIO is accessible. Generally it should be the domain name or IP address of the computer running PAS. |
|
MINIO_PORT |
9000 |
It is the port to use for connecting to MinIO. |
| Key | Default | Description |
|---|---|---|
PAS_FLOW_DIRECTOR_SCALE |
1 |
It defines the number of Flow Director instances to run. For details, see Scaling Flow Director. |
PAS_TRANSPORT_DIRECTOR_PORT_RANGE1 |
49000-49100 |
It is a port range to expose to Transport Director. Listeners will work in this port range. |
PAS_TRANSPORT_DIRECTOR_PORT_RANGE2 |
49101-49200 |
It is an additional port range to expose to Transport Director. Listeners will work in this port range. |
MINIO_ENDPOINT |
It is the host name (or IP address) and port pair to access MinIO. It must be defined in the |
Management example:
PAS_IMAGE_TAG=3.0.latest
COMPOSE_FILE=/opt/balasys/etc/infrastructure/mgmt/docker-compose.yml
COMPOSE_PROJECT_NAME=pas
PAS_DOCKER_REGISTRY=docker.balasys.hu
PAS_MGMT_WEBUI_HTTP_PORT=80
PAS_MGMT_WEBUI_HTTPS_PORT=443
MINIO_HOSTNAME=your.hostname.tld
MINIO_PORT=9000
MINIO_ACCESS_KEY=your_minio_access_key
MINIO_SECRET_KEY=your_minio_secret_key
CONSUL_HOSTNAME=your.hostname.tld
CONSUL_PORT=8080
CONSUL_TOKEN=your_consul_tokenCore example:
PAS_IMAGE_TAG=3.0.latest
COMPOSE_FILE=/opt/balasys/etc/infrastructure/mgmt/docker-compose.yml
COMPOSE_PROJECT_NAME=pas
PAS_DOCKER_REGISTRY=docker.balasys.hu
PAS_FLOW_DIRECTOR_SCALE=1
PAS_TRANSPORT_DIRECTOR_PORT_RANGE1=49000-49100
PAS_TRANSPORT_DIRECTOR_PORT_RANGE2=49101-49200
MINIO_ENDPOINT=your.hostname.tld:9000
MINIO_ACCESS_KEY=your_minio_access_key
MINIO_SECRET_KEY=your_minio_secret_key
CONSUL_HOSTNAME=your.hostname.tld
CONSUL_PORT=8080
CONSUL_TOKEN=your_consul_token| Changing any of the values requires the restart of all services. |
5.3. PAS restart policy
PAS service lifecycle is managed by systemd and is by default set to restart if any of the components fails at any point. To avoid infinite restarting, the number of restarts within a short period of time is also limited. As a result, if PAS core or management stops with a non-zero exit code 3 times within 100 seconds, the corresponding systemd unit will enter failed state.
| The default restart policy and the options are identical for both core and management components. |
The relevant part of the service file looks as follows:
[Unit]
StartLimitIntervalSec=100
StartLimitBurst=3
[Service]
Restart=on-failureModifying the restart policy is possible by editing the service file in
override mode. To do so, run systemctl edit proxedo-api-security or
systemctl edit proxedo-api-security-mgmt. This will open a text editor and
will let you define the parameters you wish to override. For example, if you
want to switch off all default restart settings, enter the following text in
the override editing window:
[Unit]
StartLimitIntervalSec=
StartLimitBurst=
[Service]
Restart=noPossible values for Restart= are documented by systemd. We recommend using no
to avoid automatic restarting by systemd or on-failure to make the service
restart on non-zero exit codes. If you want a more fine-tuned restart policy,
please consult the systemd.service(5) man page and configure the desired
options.
To discard your overrides, run systemctl revert proxedo-api-security or systemctl revert proxedo-api-security-mgmt.
| You only need to enter the parameters you want to change. |
Overriding systemd units is only possible as root user.
|
5.4. Tracking version
Proxedo API Security has a version number in the form of major.minor.patch. The docker image labels control how the automatic update of the services are handled. Each image has 3 possible tags:
-
MAJOR.latest (for eg.
1.latest): These tags point to the latest release in the major release. That is, for the release of bothx.y.z+1andx.y+1.0, this tag will be updated, and the services will be upgraded at the restarts. There will not be upgrades forx+1.0.0. -
MAJOR.MINOR.latest (for eg.
1.3.latest): These tags point to the latest release in the minor release. That is, for the releasex.y.z+1, this tag will be updated, and the services will be upgraded at restarts, however not for the releasex.y+1.0. -
MAJOR.MINOR.PATCH (for e.g.
1.4.7): These tags point to a specific release and will never be changed once released.
5.5. Scaling Flow Director
A single instance of Flow Director uses a single processor core. It is necessary to adjust the number of instances to use all the available cores. This is controlled by the PAS_FLOW_DIRECTOR_SCALE variable. As the Flow Director handles the most demanding duties among the components, it must be assigned most of the cores. If there are up to four cores available, assign three cores to the Flow Director, and the remaining one core will be suitable for the Transport and Insight Director. If there are more than four cores, assign two cores for the Transport and Insight Director and assign the rest to the Flow Director.
5.6. Configuration of dockerd
The docker daemon is configured through /etc/docker/daemon.json. The full documentation can be found in the official docker documentation.
Balasys recommends the use of the default configuration.
| Do not use /etc/default/docker as it is ignored when systemd is used. |
5.7. Setting up time synchronization
To ensure time synchronization on different nodes you need to configure NTP on them. The ntp package is already installed as a dependency, but it must be configured We recommend adding the following configuration to /etc/ntp.conf.
driftfile /var/lib/ntp/ntp.drift
restrict -4 default kod notrap nomodify nopeer noquery limited
restrict -6 default kod notrap nomodify nopeer noquery limited
restrict 127.0.0.1
restrict ::1
server time.nist.gov prefer
server ip-time-1.cern.ch
Use your own NTP servers in the server directives if you have any, or adjust the given values to ones that are allowed by your policies.
|
After creating the configuration, run the following commands.
# Disable systemd-timesyncd
timedatectl set-ntp false
# Restart ntp
systemctl restart ntp
# Enable ntp so that it starts on system startup
systemctl enable ntp6. Configuration of Proxedo API Security on the Web User Interface
This chapter explains configuration details for setting up a working Proxedo API Security (PAS) with the help of the Web User Interface.
The Proxedo API Security Web User Interface (UI) is installed together with the installation of Proxedo API Security. The URL for Proxedo API Security Web UI and the necessary credentials are defined by the administrator during the initial configuration of Proxedo API Security.
6.1. Minimum configuration
It is possible to run PAS with a minimum, basic configuration. For a minimum configuration the following items need to be configured in the Web UI:
-
-
Port
-
Endpoint
For more details on the Listener's parameters, see Listeners’ configuration options.
-
-
-
Name
-
Url
For more details on the Endpoint's parameters, see Endpoint configuration.
-
-
-
Request
-
Response
-
Backend
-
This basic configuration can be further improved with the completion of more configuration units later. The minimum configuration can also be used to test the installation settings.
6.2. Login Page
The main component of the Login page is the login form where the user needs to provide the credentials in order to be authorized to use the Web UI of Proxedo API Security.
The necessary credentials have been defined during the initial configuration of Proxedo API Security.
For accessing the Web User Interface:
-
Enter the valid user credentials.
-
Click the Log In button.
After a successful login, the user has access to the Proxedo API Security Web UI.
6.3. Proxedo API Security Web User Interface main page
The configuration elements are organized into a logical order for easier usage.
6.3.1. Navigation
The PAS Web UI has the following navigation areas:
The navigation areas identified in Figure Navigation areas in the Proxedo API Security Web User Interface are described here in more details:
- Left navigation area (1)
-
This navigation area (1) presents the navigation units available for configuration.
When opening up the Proxedo API Security Web UI, three main navigation units are available, that is, BRICKS, PLUGINS, and SERVICES.
These three main navigation units can be opened for further sub-navigation units by clicking on either the navigation item itself or on the
arrow icon next to it. Alternatively, when the sub-navigation units are not in use, they can be hidden by clicking the arrow navigation icons next to the main navigation items, or similarly by clicking on the navigation item itself. - Top navigation area (2)
-
This Top navigation area (2) presents the Apply Config and the Logout options in the top right corner. For information on when and how to use the Apply Config button, see section Applying and validating Proxedo API Security configuration.
The Main configuration area (3) provides the following navigation and activity options. Note that some of these activities are also available when the configuration parameters are presented in list view:
| Navigation option | Description |
|---|---|
|
By selecting the New navigation button, you can define a new configuration key, previously selected from the Left navigation panel (1) for configuration. |
|
By selecting the Pen navigation button, the Web UI navigates back to the configuration page of the selected element. You can change the so far configured details or add new configuration details. If you change the value of an already configured parameter, a Warning appears requesting confirmation on the change being implemented. |
|
By selecting the Bin button, you can delete the configuration element active in the window. If you select an element for deletion, a Warning appears, requesting confirmation on the deletion of the element. |
|
By selecting the Next page button you can navigate to the next page of the parameter keys listed. |
6.4. BRICKS - Configuration units
Bricks are reusable components. They do not provide a complete security function themselves, instead, they are used as building blocks elsewhere (hence the name). They can be used by Plugins (like Selectors), or utilized by other bricks (like Extractors).
Certain Bricks are so called default objects, which are in 'read-only' state and cannot be configured or modified. Such default objects are listed in the following table:
| Default object name | Class |
|---|---|
Always |
Matcher |
Never |
Matcher |
content_type_json |
Matcher |
content_type_json_regexp |
Matcher |
json_content |
Matcher |
content_type_xml_base |
Matcher |
content_type_xml_dtd |
Matcher |
content_type_xml_ext_parsed |
Matcher |
content_type_xml_regexp |
Matcher |
content_type_xml_text |
Matcher |
content_type_xml_text_ext_parsed |
Matcher |
xml_content |
Matcher |
error_policy |
Error policy |
enforcer_default |
Error policy |
insight_default |
Error policy |
These default objects are listed under the actual classes in the Web UI.
The BRICKS main page in the Web UI is as follows:
-
Click on BRICKS main configuration item in the Left navigation area. Alternatively you can also click on the
sign to open up the sub-navigation items of BRICKS. -
Click on the sub-navigation unit you would like to configure. The details of the sub-navigation menu open up in the Main configuration area.
6.4.1. Error Policy
Error Policies define how to proceed if a Plugin decides to have found an error. For example, when an Enforcer plugin decides that the call is invalid.
It is the error policy that enables the user to act differently in case the error appears in a request or a response.
6.4.1.1. Error policy hierarchy
Error policy values are applied in a hierarchical manner. There are three layers of definition:
-
the hard-coded default error policy (see the default values in Configuring Error policies)
-
the default error policy of the different Plugin types
These are needed because the expected default behavior depends on what a Plugin does. -
a custom error policy applied on a Plugin instance that represents user policy
| Error policies can behave differently when applied on different Plugins. This is because each Plugin has a default policy which can overwrite the settings defined in the applied error policy. Also, the plugin’s default policy is applied if there is no error policy configured. The effective error policy of each Plugin instance is logged when the Flow Director starts. |
An error policy value is searched for in a bottom-to-top manner: if it is present in a custom error policy, it will be applied, if not, it will be looked for in the layer above.
This lookup works on a configuration item basis, therefore one can only override a single configuration in case of a custom error policy.
6.4.1.2. Configuring Error policies
Error policies can be configured from the BRICKS main menu item.
-
Click on BRICKS main configuration item in the Left navigation area. Alternatively you can also click on the
sign to open up the sub-navigation items of BRICKS. -
Select Error Policy.
The configuration window that appears presents the default error policies, as listed in Default objects - BRICKS and the configuration values already set by the user:
-
Click on the New navigation button to create an error policy.
An Error Policy contains the following settings:
The following table provides details on what values can be figured for an Error policy and what these values define for an Error policy. Configure the following options:
| Key | Values | Default value | Description |
|---|---|---|---|
Name* |
It is a mandatory value. It can be defined in free text. |
It is the name identifying the error policy. This name of the error policy can be referenced from other parts of the configuration, that is, the error policy is reusable. |
|
Request |
The available values are:
|
Abort |
It defines what action shall take place if there is an error on the request side:
|
Request code |
The values are available from a drop-down list. If the elements of the drop-down list are selected, it will make the list of the actual request codes visible. The applicable request code can be selected. |
422 |
It provides the HTTP status code to be used when denying invalid requests. |
Request message |
The message can be provided in free text. |
Request error |
The reason is provided here in the HTTP response line when denying invalid requests. |
Request silent |
The parameter can be configured by switching it on or off. When it is switched on, the Plugins do not report on the denial of the invalid request. When it is turned off, the Plugins have the ability to report the error in detail in the body of the HTTP error request. |
true |
Do not report validation errors of the request to the client. |
Response |
Response error mode:
|
Abort |
It defines what action shall take place if there is an error on the request side:
|
Response code |
The values are available from a drop-down list. Note that the response codes are grouped, so that if the elements of the drop-down list are selected, further groups of response codes will be made visible in a tree structure. The applicable request code can be selected. |
502 |
It provides the HTTP status code to be used when denying invalid requests. |
Response message |
The message can be provided in free text. |
Response error |
The reason is provided here that can be used in the HTTP response line when denying invalid requests. |
Response silent |
The parameter can be configured by switching it on or off. When it is switched on, the Plugins do not report on the denial of the invalid response. When it is turned off, the Plugins have the ability to report the error in detail in the body of the HTTP error response. |
true |
Do not report validation errors of the response to the client. |
The default values in the above table represent the hard coded default values. They form a strict security policy: all errors are fatal, and only mistakes made by the client are reported in detail.
For configuring error policies, continue with completing the following steps:
-
Configure the necessary parameters for the error policy based on the details provided in the table Error policy configuration options.
-
Click the Validate button to check if the defined parameters are suitable and adequate for configuring the component. If the configuration of the component is erroneous or not adequate, the Web UI provides a warning that the 'Component validation failed'. Also a warning with information on the missing details appears at the problematic field for the user. If the configuration of the component is satisfactory, after clicking the Validate button, the user receives the 'Component Validation successful' notification.
-
Click the Save button.
The default values in the above table represent the hard coded default values. They form a strict security policy: all errors are fatal, and only mistakes made by the client are reported in detail.
The error policies configured here can be used in the Plugin’s configuration, by referencing their name.
6.4.2. Matcher
Matchers decide if the Plugin should be executed for a given call by checking various data in the HTTP message. They provide an extremely versatile way of defining the circumstances that must be met for the Plugin to execute.
Matchers need three pieces of information:
-
Name: The name of the matcher defines what part of the call needs to be checked.
-
Pattern: The pattern defines what it needs to be compared with.
-
Comparator: The Comparator shows by what means the collected value of the call is compared with the provided pattern. (Some comparators also take flags or arguments.)
To ease configuration, a matcher in its simplest form is defined as a key: a value pair where the key contains the Name and the Comparator and the value is the pattern, as in the following example:
"name[.comparator[.comparator_flag][.comparator_flag]..]: pattern"The matchers can be used in Plugin configurations' match option by referencing their name.
|
There are some named Matchers available without explicit configuration:
Also note that no other matchers can be defined with these names. |
Matchers internally utilize Extractors to fetch the information from the call to compare with. The Name of the matcher resembles the name of the extractor that will be used.
All matchers have a default comparator that is applied implicitly.
| If you want to use comparator parameters, the comparator name should be given even if the default comparator is used. |
6.4.2.1. Configuring Matchers
Matchers can be configured from the BRICKS main navigation item.
-
Click on BRICKS main configuration item in the Left navigation area. Alternatively you can also click on the
sign to open up the sub-navigation items of BRICKS. -
Select Matcher.
The configuration window that appears presents the default matchers, as listed in Default objects - BRICKS and the configuration values already set by the user:
-
Click on the New navigation button to configure a matcher.
The generic configuration page for matchers provides the following settings:
The configuration parameters for matchers are described in details in the following table:
| Key | Values | Default value | Description |
|---|---|---|---|
Name* |
It is a mandatory value. It can be defined in free text. |
The name of the matcher defines what part of the call needs to be checked. Matchers internally utilize Extractors to fetch the information from the call to compare with. The Name of the matcher resembles the name of the extractor that will be used. |
|
Type* |
It is a mandatory value. For the available values, see Matcher types and their settings - Table 1, Matcher types and their settings - URI matchers - Table 2, Matcher types and their settings - Table 3 and Matcher types and their settings - Soap matchers - Table 4. |
The preferred matcher type has to be selected from the drop-down list. |
-
Provide the name of the matcher.
-
Choose the type of the matcher from the drop-down list.
Depending on the choice of the matcher type, some more required configuration fields might appear on this page. The following tables describe the matcher types in details and provide the necessary information for the additional configuration fields, required for setting the matcher types:
| Matcher type | Description |
|---|---|
Always |
This matcher always matches. |
Never |
This matcher never matches. It can be used to turn off a Plugin. |
Method |
It matches the HTTP method of the request. Note that the method is case insensitive by definition, therefore the case will always be ignored. When choosing the Method matcher from the drop-down list, additional parameters appear. For more information on the configuration of these parameters, see Matcher types' additional configuration options. |
JMESPath |
It matches the data from the body of a JSON call with the help of the JMESPath expression. JMESPath is a query language for JSON. It is a very versatile tool for extracting the needed information from the body of the call, and for organizing it according to needs. A complete explanation on how to write JMESPath expressions is not in the scope of this document. To learn more about it visit the: main website:
When choosing the JMESPath matcher from the drop-down list, additional parameters appear. For more information on the configuration of these parameters, see Matcher types' additional configuration options. |
Raw content |
It matches the original content of the message. If the content type is JSON, the body will be decompressed but not parsed. When choosing the Raw content matcher from the drop-down list, additional parameters appear. For more information on the configuration of these parameters, see Matcher types' additional configuration options. |
| Matcher type | Description | ||
|---|---|---|---|
URI matchers |
A range of matchers is available to match different parts of the URI. The structure of an URI looks as follows: scheme://[username[:password]@]host[:port][/path][?query][#fragment] That is, for example: https://john.doe:secret123@example.com:8443/some/resource?foo=bar&baz=qux#some-anchor
These matchers use the URI extractors. It has an extensive list of examples of what each extractor extracts from the URI. |
||
URI |
It matches against the whole request URI as received from the client. When choosing the URI matcher from the drop-down list, additional parameters appear. For more information on the configuration of these parameters, see Matcher types' additional configuration options. |
||
URI netloc |
It matches the network location in the URI. It includes:
When choosing the URI netloc matcher from the drop-down list, additional parameters appear. For more information on the configuration of these parameters, see Matcher types' additional configuration options. |
||
URI origin |
It matches the origin part of the URI. It includes:
When choosing the URI origin matcher from the drop-down list, additional parameters appear. For more information on the configuration of these parameters, see Matcher types' additional configuration options. |
||
URI scheme |
It matches the scheme of request (http or https). Note that the scheme is case insensitive by definition, therefore the case will always be ignored. When choosing the URI scheme matcher from the drop-down list, additional parameters appear. For more information on the configuration of these parameters, see Matcher types' additional configuration options. |
||
URI username |
It matches the username in the request if present. When choosing the URI username matcher from the drop-down list, additional parameters appear. For more information on the configuration of these parameters, see Matcher types' additional configuration options. |
||
URI password |
It matches the password in the request if present. When choosing the URI password matcher from the drop-down list, additional parameters appear. For more information on the configuration of these parameters, see Matcher types' additional configuration options. |
||
URI host |
It matches the host in the request. When choosing the URI host matcher from the drop-down list, additional parameters appear. For more information on the configuration of these parameters, see Matcher types' additional configuration options. |
||
URI port |
It matches the port of the request. Note that this matches the default port — that is 80 and 443 for HTTP and HTTPS, respectively — even if it is not explicitly in the request. When choosing the URI port matcher from the drop-down list, additional parameters appear. For more information on the configuration of these parameters, see Matcher types' additional configuration options. |
||
URI path |
It matches the path part of the URI. It includes:
If you need to match the _path_ exactly as received, use URI raw path matcher. When choosing the URI path matcher from the drop-down list, additional parameters appear. For more information on the configuration of these parameters, see Matcher types' additional configuration options. |
||
URI raw path |
It matches the path part of the URI, without the normalization of URI path matcher carried out.
It is recommended to use URI path matcher unless there is an explicit need for matching the raw path. One such example would be logging or filtering out badly formed requests. When choosing the URI raw path matcher from the drop-down list, additional parameters appear. For more information on the configuration of these parameters, see Matcher types' additional configuration options. |
||
URI raw query |
It matches the query part of the URI as a string.
It is recommended to use URI query parameter matcher unless there is an explicit need for matching the raw string.
An example on this might be if there is a match on When choosing the URI raw query matcher from the drop-down list, additional parameters appear. For more information on the configuration of these parameters, see Matcher types' additional configuration options. |
||
URI query parameter |
It matches the value of a query parameter. It is also valid for URIs to include a query parameter more than once. That is, it could be foo=bar&qux=quz&foo=baz. To accommodate this, matching is done against the value of each occurrence of the parameter. Matching occurs if any value is matched. When choosing the URI query parameter matcher from the drop-down list, additional parameters appear. For more information on the configuration of these parameters, see Matcher types' additional configuration options. When choosing the URI query parameter matcher from the drop-down list, additional parameters appear. For more information on the configuration of these parameters, see Matcher types' additional configuration options. |
| Matcher type | Description | ||||
|---|---|---|---|---|---|
Header |
It matches the value of an HTTP header. Some HTTP headers can be present more than once in a call. To accommodate this, matching is completed against the value of each occurrence of the header. Matching occurs if there is any match. For example, if the Accept header was repeated as follows: Consequently, in this example above both The syntax of this matcher differs from the others because the name of the Header name must be added: "header.<header_name>[.comparator[.comparator_flag][.comparator_flag]..]" Therefore to match against the header named Server the key will be
The syntax of this matcher differs from the others because the name of the Header name must be added.
When choosing the Header matcher from the drop-down list, additional parameters appear. For more information on the configuration of these parameters, see Matcher types' additional configuration options. |
||||
Content type |
It matches the content type of the message. It is a more robust solution than using the Header matcher on the Content-Type header because that can contain parameters as well. When choosing the Content type matcher from the drop-down list, additional parameters appear. For more information on the configuration of these parameters, see Matcher types' additional configuration options. |
||||
Status |
It matches the status code of the response.
The available values for the Expression parameter are: Informational response, Successful response, Redirects, Client errors, Server Errors. When choosing the Status matcher from the drop-down list, additional parameters appear. For more information on the configuration of these parameters, see Matcher types' additional configuration options. |
||||
Call direction |
Matches the direction of the message (request or response). |
||||
Any |
Any is a Compound matcher that matches if any of its sub-matchers matches. The sub-matcher can also be a compound matcher. |
||||
All |
All is a Compound matcher that matches if all of its sub-matchers match. The sub-matcher can also be a compound matcher. |
||||
None |
None is a Compound matcher that matches if none of its sub-matchers match. The sub-matcher can also be a compound matcher. |
||||
One |
One is a Compound matcher that matches if exactly one of its sub-matchers matches. The sub-matcher can also be a compound matcher. |
||||
xpath |
It matches the data from the body of an XML call with the help of the Xpath expression. Xpath is a query language for XML. It is a very versatile tool for extracting the needed information from the body of the call, and organizing it according to needs. A complete explanation on how to write Xpath expressions is not in the scope of this document. To learn more about it visit the main website. For more details on xpath configuration options, see Xpath extractor configuration options. When choosing the Call direction matcher from the drop-down list, additional parameters appear. For more information on the configuration of these parameters, see Matcher types' additional configuration options. |
| Matcher type | Description |
|---|---|
Soap Matchers |
A range of matchers is available to match different parts of the SOAP message. These matchers extend the [xpath-matcher] matcher with predefined expressions. They use the [soap-extractors]. It has an extensive list of examples of what each extractor extracts from the SOAP message. When choosing the SOAP Matchers matcher from the drop-down list, additional parameters appear. For more information on the configuration of these parameters, see Matcher types' additional configuration options. |
Soap version |
Soap version matches the soap message version. It identifies with the soap namespace. The possible values are:
When choosing the SOAP version matcher from the drop-down list, additional parameters appear. For more information on the configuration of these parameters, see Matcher types' additional configuration options. |
Soap envelope |
It matches the soap envelope. When choosing the SOAP envelope matcher from the drop-down list, additional parameters appear. For more information on the configuration of these parameters, see Matcher types' additional configuration options. |
Soap header |
It matches the soap header. When choosing the SOAP header matcher from the drop-down list, additional parameters appear. For more information on the configuration of these parameters, see Matcher types' additional configuration options. |
Soap body |
It matches the soap body. When choosing the SOAP body matcher from the drop-down list, additional parameters appear. For more information on the configuration of these parameters, see Matcher types' additional configuration options. |
Soap fault |
It matches the soap fault. When choosing the SOAP fault matcher from the drop-down list, additional parameters appear. For more information on the configuration of these parameters, see Matcher types' additional configuration options. |
Soap fault code |
Soap matchers extend the xpath matcher with predefined expressions. They use the SOAP extractors. It has an extensive list of examples of what each extractor extracts from the SOAP message. It matches the soap fault 'code'. The expression depends on the soap version.
When choosing the SOAP fault code matcher from the drop-down list, additional parameters appear. For more information on the configuration of these parameters, see Matcher types' additional configuration options. |
Soap fault detail |
It matches the soap fault 'detail'. The expression depends on the soap version.
When choosing the SOAP fault details matcher from the drop-down list, additional parameters appear. For more information on the configuration of these parameters, see Matcher types' additional configuration options. |
Soap 11 fault faultstring |
It matches the soap fault 'faultstring'. This matcher only works with soap version 1.1. When choosing the Soap 11 fault faultstring matcher from the drop-down list, additional parameters appear. For more information on the configuration of these parameters, see Matcher types' additional configuration options. |
Soap 11 fault faultactor |
It matches the soap fault 'faultactor'. This matcher only works with soap version 1.1. When choosing the Soap 11 fault faultactor matcher from the drop-down list, additional parameters appear. For more information on the configuration of these parameters, see Matcher types' additional configuration options. |
Soap 12 fault reason |
It matches the soap fault 'Reason'. This matcher only works with soap version 1.2. When choosing the Soap 12 fault reason matcher from the drop-down list, additional parameters appear. For more information on the configuration of these parameters, see Matcher types' additional configuration options. |
Soap 12 fault node |
It matches the soap fault 'Node'. This matcher only works with soap version 1.2. When choosing the Soap 12 fault node matcher from the drop-down list, additional parameters appear. For more information on the configuration of these parameters, see Matcher types' additional configuration options. |
Soap 12 fault role |
It matches the soap fault 'Role'. This matcher only works with soap version 1.2. When choosing the Soap 12 fault role matcher from the drop-down list, additional parameters appear. For more information on the configuration of these parameters, see Matcher types' additional configuration options. |
For details on comparator types, see Types of comparators.
Depending on the matcher type selected, the administrator might need to fill in further parameters. These parameters are described in the following table.
| Key | Values | Default value | Description |
|---|---|---|---|
Comparator |
The matchers need the information on the Comparator, which shows by what means the collected value of the call is compared with the provided pattern. |
||
Type |
The available comparator types can be checked from the drop-down list. |
For details on the comparator types, see Types of comparators. |
|
Ignorecase |
Off (False) |
It sets the IGNORECASE flag for the selected comparator type. |
|
Expression* |
A regular expression specifies a set of strings that match it. |
||
JmesPath Expression |
A complete explanation on how to write JMESPath expressions is not in the scope of this document. To learn more about it visit the: main website:
|
||
Query Parameter |
It is also valid for URIs to include a query parameter more than once. That is, it could be foo=bar&qux=quz&foo=baz. To accommodate this, matching is done against the value of each occurrence of the parameter. Matching occurs if any value is matched. |
||
Header |
It extracts the value of an HTTP header. It is valid for some HTTP headers to be present more than once in a call. In this case, all the values are extracted as a list. It provides the name of the header in the configuration. |
||
Namespaces |
It defines the XML namespaces. |
||
Xpath Expression* |
The expression to extract the node from the call to match against. |
||
Multiline |
It sets the Multiline flag for the Regex comparator. |
||
Minimum* |
It matches if the pattern is larger or equal to the value. |
||
Maximum* |
It matches if the pattern is smaller or equal to the value. |
-
Configure the necessary parameters with the help of the above tables.
-
Click the Validate button to check if the defined parameters are suitable and adequate for configuring the component. If the configuration of the component is erroneous or not adequate, the Web UI provides a warning that the 'Component validation failed'. Also a warning with information on the missing details appears at the problematic field for the user. If the configuration of the component is satisfactory, after clicking the Validate button, the user receives the 'Component Validation successful' notification.
-
Click the Save button to save the configured matcher.
6.4.3. Selector
Selectors are responsible for collecting information from the call. They utilize Extractor bricks for this purpose.
Most extractors return simple string values. However, some (might) return dictionaries. For example, you can get all the HTTP headers, or all the URI query parameters.
They are used by Insight.
6.4.3.1. Configuring Selectors
The selector can be configured from the BRICKS main navigation item.
-
Click on BRICKS main configuration item in the left navigation area. Alternatively you can also click on the
sign to open up the sub-navigation items of BRICKS. -
Select Selectors.
The configuration window that appears either presents the configuration values already set by the user or shows the configuration values ready to be configured:
-
Click on the New navigation button to configure the Selector.
The following configuration options appear for Selector:
The selector accepts the following configuration options:
| Key | Values | Default value | Description |
|---|---|---|---|
Name* |
It is a mandatory value. It can be defined in free text. |
The name of the parameter can be referenced. |
|
Type* |
Choose the selector type from the drop-down list. For more details on the values, see Extractor types. |
Extractors are used to extract data from the call. They are utilized by Selector (and Matcher as well). Extractors are included by their type in Selectors, and are used by a special syntax in matchers. For details, see Extractors and Extractor types. |
|
Save as |
The key under which the results of a selector are saved in the Insight plugin’s dictionary. |
Top |
If it is omitted, the result will be directly merged as top level keys. |
Depending on what value is selected for the Type parameter, additional parameters might appear for configuration. The following table provides details on these additional parameters.
| Key | Values | Default value | Description |
|---|---|---|---|
Clear text |
It can be switched On or Off. |
||
Namespaces |
It defines the XML namespaces. |
||
Xpath Expression |
The expression to extract the node from the call to match against. |
||
JmesPath Expression |
A complete explanation on how to write JMESPath expressions is not in the scope of this document. To learn more about it visit the: main website:
|
||
Expression* |
A regular expression specifies a set of strings that match it. |
||
Time format* |
'YYYY-MM-DDTHH:mm:ss.SSSSSSZZ' |
Set the format. See: Timestamp format options |
|
Time zone* |
It is the name of the time zone, or the time zone offset. |
-
Name the Selector key.
-
Fill in any more desired parameters.
-
Click the Validate button to check if the defined parameters are suitable and adequate for configuring the component. If the configuration of the component is erroneous or not adequate, the Web UI provides a warning that the 'Component validation failed'. Also a warning with information on the missing details appears at the problematic field for the user. If the configuration of the component is satisfactory, after clicking the Validate button, the user receives the 'Component Validation successful' notification.
-
Click the Save button if you have configured all the required parameters.
6.4.4. Target
Target bricks define where the data collected by the Insight will be sent to.
The Target configuration tree contains named Targets with their respective configuration.
| Unlike other bricks, target configurations cannot be put inline into a Plugin’s configuration, they must always be configured here. |
See the Target configuration options for the available target types and their configuration options.
6.4.4.1. Data flattening
To ensure compatibility with a wide range of target types, the results collected by the Insight plugin are flattened. The path inside the complex data structure is encoded into the key for each value:
-
The merged key describes the path to the value in the data structure as a string.
-
The parts of the path will be separated by a forward slash character ("/").
-
Keys in nested dictionaries are added to the path by name.
-
List items are added to the path by their index.
| You can control the separator with the Flatten separator configuration key that every target accepts. |
6.4.4.2. Configuring Targets
The Target can be configured from the BRICKS main navigation item.
-
Click on BRICKS main configuration item in the Left navigation area. Alternatively you can also click on the
sign to open up the sub-navigation items of BRICKS. -
Select Target.
The configuration window that appears either presents the configuration values already set by the user or shows the configuration values ready to be configured:
-
Click on the New navigation button to configure the Target.
The Target accepts the following configuration options:
| Key | Values | Default value | Description |
|---|---|---|---|
Name* |
It is a mandatory value. It can be defined in free text. |
It is the name identifying the Target. This name of the Target can be referenced from other parts of the configuration. |
|
Type* |
It is a mandatory value. The values can be selected from the drop-down list. The available values are:
|
|
|
Flatten |
This parameter can be switched 'on' or 'off'. |
On (True) |
Flatten the target message. |
Flatten separator |
/ |
It is the separator in the flattened message. |
|
Level |
3 |
It is the log level for the logged message. |
|
Message |
It is the message of the insight if present, otherwise it is empty. |
It is the message part of the log message. |
|
Tag |
The value can be selected from a drop-down list. |
info |
It is the log tag for the logged message. |
-
Provide the name for your Target configuration.
-
Select the Target type.
-
Continue with the Syslog, Elastic and Local log configurations with the help of the following tables: Syslog Target configuration parameters, Elastic Target configuration parameters and Local log Target configuration parameters.
The following table presents the configuration parameters for the Local log Target type:
| Key | Values | Default value | Description |
|---|---|---|---|
Flatten separator |
/ |
It is the separator in the flattened message. |
|
Level |
3 |
It provides the log level for the logged message. |
|
Message |
The message of the insight if present, otherwise it is empty. |
It is the message part of the log message. |
|
Tag |
info |
It is the log tag for the logged message. |
The following table presents the configuration parameters for the syslog Target type:
| Key | Values | Default value | Description |
|---|---|---|---|
Data format |
The possible values are: sdata, json. |
sdata |
This is the data format of the insight. |
Enable heartbeat |
False |
It enables sending heartbeat (-- MARK --) messages to the target. |
|
Flatten |
True |
It flattens the target message. |
|
Flatten Separator |
/ |
It is the separator in the flattened message. |
|
Flush lines |
It specifies how many lines are flushed to a destination at a time. The Insights Director waits for this number of lines to accumulate and sends them off in a single batch. Increasing this number increases the throughput, as more messages are sent in a single batch, but also increases the message latency. |
||
Heartbeat |
|
|
|
Host* |
It is the hostname of the syslog search instance. |
||
IP protocol |
The possible values are 4 and 6, corresponding to IPv4 and IPv6. |
This determines the internet protocol version of the given driver. |
|
Mask credit card numbers |
False |
It masks the middle section of recognised credit card numbers in any fields of the log message. Recognised credit cards are from one of the following issuers: American Express, Discover Card, Mastercard, VISA. |
|
Remote Connection |
|
|
|
Report config load |
False |
It reports the event of a configuration being loaded with a cryptographic hash of the loaded configuration. This ingorms the target about changes in the configuration. |
|
Second fraction digits |
Integer between 0 and 6 inclusive |
3 |
The number of digits representing the fractions of seconds in the Syslog timestamp. |
Time Zone |
See table Time zones for time zone names. |
GMT |
The name of the time zone (for example, "Europe/Budapest") or the time zone offset in +/-HH:MM format (for example, +01:00). |
The following table presents the configuration parameters for the elastic Target type:
| Key | Values | Default value | Description |
|---|---|---|---|
Doc type |
_doc |
The doc type is used when sending the data. |
|
Flatten |
True |
It flattens the target message. |
|
Flatten Separator |
/ |
It is the separator in the flattened message. |
|
Host* |
It is the hostname of the Elastic search instance. |
||
Index |
It is the name of the index in the Elastic search instance. |
||
Mask credit card numbers |
False |
It masks the middle section of recognised credit card numbers in any fields of the log message. Recognised credit cards are from one of the following issuers: American Express, Discover Card, Mastercard, VISA. |
|
Port |
|
Add the port number here to connect to the remote system. |
-
Configure any more desired parameter details.
-
Click the Validate button to check if the defined parameters are suitable and adequate for configuring the component. If the configuration of the component is erroneous or not adequate, the Web UI provides a warning that the 'Component validation failed'. Also a warning with information on the missing details appears at the problematic field for the user. If the configuration of the component is satisfactory, after clicking the Validate button, the user receives the 'Component Validation successful' notification.
-
Click Save to save your configuration settings for the Target.
6.4.5. TLS
Transport Layer Security (TLS) is the cryptographic protocol that secures HTTPS communications. PAS can apply TLS encryption both when communicating with Clients and Backends.
When HTTPS is used the TLS settings must be configured.
| These parameters are used by the Transport director. For options that reference a file the path is relative to /opt/balasys/var/persistent/ inside the Transport Director container. This directory is a docker volume and by default mounted from the /opt/balasys/var/persistent/transport-director directory in the host system. |
6.4.5.1. Configuring the TLS
TLS can be configured from the BRICKS main navigation item.
-
Click on BRICKS main configuration item in the Left navigation area. Alternatively you can also click on the
sign to open up the sub-navigation items of BRICKS. -
Select TLS.
The configuration window that appears either presents the configuration values already set by the user or shows the configuration values ready to be configured:
-
Click on the New navigation button to configure TLS.
TLS contains the following settings:
The configuration of the first two parameters determines the TLS type and from these two steps on, it is either a Client TLS configuration or a Backend TLS configuration.
6.4.5.1.1. Configuring the Client TLS
The following parameters need to be configured for Client TLS:
-
Name the Client TLS configuration.
-
Select the Type of the TLS, Client TLS in this case, from the drop-down list to configure TLS.
For details on these parameters, see the following table:
| Key | Values | Default value | Description |
|---|---|---|---|
Name* |
It is a mandatory value. It can be defined in free text. |
The name of the parameter can be referenced. |
|
Type* |
It is a mandatory value. Choose the required value from the drop-down list. |
Client TLS, Backend TLS and Syslog TLS configurations can be defined here. |
-
Configure the mandatory parameters for Client TLS, based on the information provided in Table Client TLS configuration.
| Key | Values | Default value | Description |
|---|---|---|---|
Certificate* |
Configuration for the X.509 certificate used for TLS connections on the listener. |
||
Certificate File* |
It is a mandatory value. You can upload the certificate file. |
Provide the path and filename for the certificate file. The certificate must be in PEM format. |
|
Key file* |
It is a mandatory value. You can upload the key file. |
Provide the path and filename to the private key file. The private key must be in PEM format. |
|
Key passphrase |
You can upload the file. |
Provide the passphrase used to access the private key specified in the Key file. |
|
Enable Verification* |
Off (False) |
It is an option for verifying client side X.509 certificates. By default no client verification takes place. |
|
Client verification* |
Client verification options |
||
Trusted Certs |
You can upload trusted certificates in a ZIP file. |
A directory where trusted IP addresses, certificate assignments are stored. When a peer from a specific IP address shows the certificate stored in this directory, it is accepted regardless of its expiration or issuer CA. Each file in the directory should contain a certificate in PEM format. The filename must be the IP address. |
|
Required |
The parameter can be switched on or off. |
On (true) |
If it is set to True, PAS requires a certificate from the peer. |
Trust Level |
The values can be selected from the drop-down list. The available values are:
|
full |
It defines the trust level for certificate verification:
|
Verify Depth |
4 |
It defines the length of the longest accepted CA verification chain. PAS will automatically reject longer CA chains. |
|
Ca Dir |
You can upload the trusted CAs in a ZIP file |
It is a Directory where where the trusted CA certificates are stored. CA certificates are loaded on-demand from this directory when PAS verifies the certificate of the peer. |
|
Verify Crl |
The parameter can be switched on or off. |
Off (false) |
If it is set to True, PAS checks the CRLs (Certificate Revocation Lists) associated with trusted CAs. CRLs will load automatically if PAS verifies the certificate of the peer. |
Intermediate Revocation Check Type |
The values can be selected from the drop-down list. The available values are:
|
hard_fail |
The revocation check type for all certificates in the chain, except the Leaf Certificate:
|
Leaf Revocation Check Type |
The values can be selected from the drop-down list. The available values are:
|
hard_fail |
The revocation check types for the Leaf certificate are as follows:
|
Options* |
TLS protocol options used on the listener. |
||
Disable TLS v1 |
The parameter can be switched on or off. If it is set ON it does not allow using TLSv1 in the connection. |
On (true) |
Transport Layer Security v1 (TLS) (successor of the now obsoleted Secure Socket Layer v3 (SSL)) is a widely used crypto protocol, guaranteeing data integrity and confidentiality in many PKI and e-commerce systems. |
Disable TLS v1.1 |
The parameter can be switched on or off. If it is set ON it does not allow using TLSv1.1 in the connection. |
On (true) |
It does not allow the usage of TLSv1.1 in the connection. |
Disable TLS v1.2 |
The parameter can be switched on or off. If it is set ON it does not allow using TLSv1.2 in the connection. |
Off (false) |
It does not allow the usage of TLSv1.2 in the connection. |
Disable TLS v1.3 |
The parameter can be switched on or off. If it is set ON it does not allow using TLSv1.3 in the connection. |
false |
It does not allow the usage of TLSv1.3 in the connection. |
Cipher |
ECDHE-ECDSA-AES128-GCM-SHA256: ECDHE-RSA-AES128-GCM-SHA256: ECDHE-ECDSA-AES256-GCM-SHA384: ECDHE-RSA-AES256-GCM-SHA384: ECDHE-ECDSA-CHACHA20-POLY1305: ECDHE-RSA-CHACHA20-POLY1305: DHE-RSA-AES128-GCM-SHA256: DHE-RSA-AES256-GCM-SHA384 |
Specifies the allowed ciphers. Can be set to all, high, medium, low, or a string representation of the selected ciphers. |
|
Timeout |
The parameter can be switched on or off. If it is set ON it does not allow using TLSv1 in the connection. |
300 |
It drops idle connection if the timeout value (in seconds) expires. |
Session Cache Size |
The parameter can be switched on or off. If it is set ON it does not allow using TLSv1 in the connection. |
20480 |
It defines the number of sessions stored in the session cache for SSL session reuse |
Disable Session Cache |
The parameter can be switched on or off. |
Off (false) |
Do not store session information in the session cache. Set this option to 'on' to disable SSL session reuse. |
Disable Ticket |
The parameter can be switched on or off. |
Off (false) |
Do not store session information in the session cache. Set this option to 'on' to disable SSL session reuse. |
Disable Compression |
The parameter can be switched on or off. |
Off (false) |
Set the parameter On to disable support for SSL/TLS compression. Set the parameter Off to enable support for SSL/TLA compression. |
Cipher Server Preference |
The parameter can be switched on or switched off. |
On (true) |
Use server and not client preference order when determining which cipher suite, signature algorithm or elliptic curve to use for an incoming connection. |
Disable Renegotiation |
The parameter can be switched on or off. |
On (true) |
Set this parameter On to disable client-initiated renegotiation. |
Dh Parameter File |
You can upload the DH parameter file. The DH parameter file must be in PEM format. |
-
Click the Validate button to check if the defined parameters are suitable and adequate for configuring the component. If the configuration of the component is erroneous or not adequate, the Web UI provides a warning that the 'Component validation failed'. Also a warning with information on the missing details appears at the problematic field for the user. If the configuration of the component is satisfactory, after clicking the Validate button, the user receives the 'Component Validation successful' notification.
-
Save the Client TLS configuration by clicking Save.
6.4.5.1.2. Configuring Backend TLS
The following parameters need to be configured for Backend TLS:
-
Name the Backend TLS configuration.
-
Select Backend TLS from the drop-down list to configure Backend TLS.
For details on these parameters, see the following table:
| Key | Values | Default value | Description |
|---|---|---|---|
Name* |
It is a mandatory value. It can be defined in free text. |
The name of the parameter can be referenced. |
|
Type* |
It is a mandatory value. Choose the required value from the drop-down list. |
Client TLS, Backend TLS and Syslog TLS configurations can be defined here. |
-
Configure the mandatory parameters for Backend TLS, based on the information provided in Table Backend TLS configuration.
The configuration parameters are described in details in the following table:
| Key | Values | Default value | Description |
|---|---|---|---|
Enable Certificate* |
Off/False |
It is an option for enabling backend side X.509 certificates. By default no backend verification takes place. |
|
Enable Verification* |
Off/False |
It is an option for verifying Backend side X.509 certificates. By default no backend verification takes place. |
|
Backend verification* |
Backend verification options |
||
Trusted Certs |
You can upload trusted certificates in a ZIP file. |
A directory where trusted IP addresses-certificate assignments are stored. When a peer from a specific IP address shows the certificate stored in this directory, it is accepted regardless of its expiration or issuer CA. Each file in the directory should contain a certificate in PEM format. The filename must be the IP address. |
|
Trust Level |
The values can be selected from the drop-down list. The available values are:
|
full |
It defines the trust level for certificate verification:
|
Verify Depth |
4 |
It defines the length of the longest accepted CA verification chain. PAS will automatically reject longer CA chains. |
|
Ca Dir |
You can upload the trusted CAs in a ZIP file. |
It is a directory where the trusted CA certificates are stored. CA certificates are loaded on-demand from this directory when PAS verifies the certificate of the peer. |
|
Verify Crl |
The parameter can be switched on or off. |
Off (false) |
If it is set to True PAS checks the CRLs (Certificate Revocation Lists) associated with trusted CAs. CRLs will load automatically if PAS verifies the certificate of the peer. |
Intermediate Revocation Check Type |
The values can be selected from the drop-down list. The available values are:
|
soft_fail |
The revocation check types for all certificates in the chain, except for the Leaf Certificate are as follows:
|
Leaf Revocation Check Type |
The values can be selected from the drop-down list. The available values are:
|
soft_fail |
The revocation check type for the Leaf Certificate.
|
Check Subject |
The parameter can be switched on or off. |
Off (false) |
If it is set to, PAS compares the subject of the server-side certificate with application-layer information (for example, it checks whether the Subject matches the hostname in the URL). |
Options* |
TLS protocol options used on the listener. |
||
Disable TLS v1 |
The parameter can be switched on or off. If it is set ON it does not allow using TLSv1 in the connection. |
On (true) |
Transport Layer Security v1 (TLS) (successor of the now obsoleted Secure Socket Layer v3 (SSL)) is a widely used crypto protocol, guaranteeing data integrity and confidentiality in many PKI and e-commerce systems. |
Disable TLS v1.1 |
The parameter can be switched on or off. If it is set ON it does not allow using TLS v. 1.1 in the connection. |
On (true) |
It does not allow the usage of TLS v. 1.1 in the connection. |
Disable TLS v1.2 |
The parameter can be switched on or off. If it is set ON it does not allow using TLS v. 1.2 in the connection. |
false |
It does not allow the usage of TLS v. 1.2 in the connection. |
Disable TLS v1.3 |
The parameter can be switched on or off. If it is set to ON it does not allow using TLS v. 1.3 in the connection. |
false |
It does not allow the usage of TLS v. 1.3 in the connection. |
Cipher |
ECDHE-ECDSA-AES128-GCM-SHA256: ECDHE-RSA-AES128-GCM-SHA256: ECDHE-ECDSA-AES256-GCM-SHA384: ECDHE-RSA-AES256-GCM-SHA384: ECDHE-ECDSA-CHACHA20-POLY1305: ECDHE-RSA-CHACHA20-POLY1305: DHE-RSA-AES128-GCM-SHA256: DHE-RSA-AES256-GCM-SHA384 |
Specifies the allowed ciphers. Can be set to all, high, medium, low, or a string representation of the selected ciphers. |
|
Timeout |
The parameter can be switched on or off. If it is set ON it does not allow using TLSv1 in the connection. |
300 |
It drops idle connection if the timeout value (in seconds) expires. |
Session cache size |
The parameter can be switched on or off. If it is set ON it does not allow using TLSv1 in the connection. |
20480 |
It defines the number of sessions stored in the session cache for SSL session reuse |
Disable session cache |
The parameter can be switched on or off. |
Off (false) |
Do not store session information in the session cache. Set this option to 'On' to disable SSL session reuse. |
Disable ticket |
The parameter can be switched on or off. |
Off (false) |
Do not store session information in the session cache. Set this option to 'On' to disable SSL session reuse. |
Disable compression |
The parameter can be switched on or off. |
Off (false) |
Set the parameter On to disable support for SSL/TLS compression. Set the parameter Off to enable support for SSL/TLA compression. |
-
Click the Validate button to check if the defined parameters are suitable and adequate for configuring the component. If the configuration of the component is erroneous or not adequate, the Web UI provides a warning that the 'Component validation failed'. Also a warning with information on the missing details appears at the problematic field for the user. If the configuration of the component is satisfactory, after clicking the Validate button, the user receives the 'Component Validation successful' notification.
-
Click the Save button if you have configured all the required parameters.
6.4.5.1.3. Revocation checks for certificates
The PAS tries both CRL and OCSP-stapling checks for certificates.
The result for a certificate according to the revocation check types:
| CRL check | OCSP stapling check | Soft fail result | Hard fail result |
|---|---|---|---|
PASS |
PASS |
PASS |
PASS |
PASS |
unsuccessful |
PASS |
PASS |
unsuccessful |
PASS |
PASS |
PASS |
unsuccessful |
unsuccessful |
PASS |
FAIL |
PASS |
FAIL |
FAIL |
FAIL |
FAIL |
PASS |
FAIL |
FAIL |
unsuccessful |
FAIL |
FAIL |
FAIL |
FAIL |
unsuccessful |
FAIL |
FAIL |
FAIL |
FAIL |
FAIL |
FAIL |
6.4.5.1.4. Configuring Syslog TLS
The following parameters need to be configured for Syslog TLS:
-
Name the Syslog TLS configuration.
-
Select the Type of the TLS, Syslog TLS in this case, from the drop-down list to configure TLS.
For details on these parameters, see the following table:
| Key | Values | Default value | Description |
|---|---|---|---|
Name* |
It is a mandatory value. It can be defined in free text. |
The name of the parameter can be referenced. |
|
Type* |
It is a mandatory value. Choose the required value from the drop-down list. |
Client TLS, Backend TLS and Syslog TLS configurations can be defined here. |
-
Configure the mandatory parameters for Syslog TLS, based on the information provided in Table Syslog TLS configuration.
| Key | Values | Default value | Description |
|---|---|---|---|
Certificate* |
It is the configuration for the X.509 certificate used for TLS connections on the target. |
||
Certificate File* |
It is a mandatory value. You must select a File brick of type generic that represents the uploaded certificate. |
Provide the name of the selected File brick. The certificate must be in PEM format. |
|
Key file* |
It is a mandatory value. You can select a File brick of type generic that represents the uploaded private key. |
Provide the name of the selected File brick. The private key must be in PEM format. |
|
Enable Verification* |
Off (false) |
It is an option for enabling the verification of server side X.509 certificates. |
|
Options* |
TLS protocol options used on the Syslog target. |
||
Disable SSL v2 |
The parameter can be switched on or off. |
On (true) |
Session tickets are a method for SSL session reuse, described in RFC 5077. Set this option to ON to disable SSL session reuse using session tickets. |
Disable SSL v3 |
The parameter can be switched on or off. |
On (true) |
Session tickets are a method for SSL session reuse, described in RFC 5077. Set this option to ON to disable SSL session reuse using session tickets. |
Disable TLS v1 |
The parameter can be switched on or off. If it is set ON it does not allow using TLSv1 in the connection. |
On (true) |
Transport Layer Security v1 (TLS) (successor of the now obsoleted Secure Socket Layer v3 (SSL)) is a widely used crypto protocol, guaranteeing data integrity and confidentiality in many PKI and e-commerce systems. |
Disable TLS v1.1 |
The parameter can be switched on or off. If it is set ON it does not allow using TLSv1.1 in the connection. |
On (true) |
It does not allow the usage of TLSv1.1 in the connection. |
Disable TLS v1.2 |
The parameter can be switched on or off. If it is set ON it does not allow using TLSv1.2 in the connection. |
Off (false) |
It does not allow the usage of TLSv1.2 in the connection. |
ECDH curve list |
Add one or more names of ECDH curves. The possible values are the ones supported by OpenSSL 1.1.1. |
Off (false) |
This is a list of curves permitted in the connection when using Elliptic Curve Cryptography (ECC). |
Peer verify |
Select one of the following options in the drop-down menu: optional-trusted, optional-untrusted, required-trusted, required-untrusted |
required-trusted |
It defines the verification method of the peer. The four possible values are a combination of two properties of validation: whether the peer is required to provide a certificate (required or optional prefix), and whether the certificate provided needs to be valid (trusted or untrusted suffix). |
Cipher |
It is the colon-separated list of ciphers from the list supported by OpenSSL 1.1.1. |
ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:!aNULL:!MD5:!DSS!aNULL: !MD5: !DSS |
It specifies the allowed ciphers. |
DH Parameter File |
Select a File brick of type generic from the drop-down menu. |
It specifies the file containing the Diffie-Hellman parameters, generated using the |
|
Server verification* |
Server verification options are mandatory if Enable Verification is set to True. |
||
Trusted DN |
It is a list of the distinguished names of the accepted certificates. |
You can list the distinguished names of the accepted certificates in this parameter to accept connections only from hosts using certain certificates signed by the trusted CAs. For example, when using "*, O=Example Inc, ST=Some-State, C=*", it will accept only certificates issued for the Example Inc organization in Some-State state. |
|
CA dir |
Select the CA File brick representing your CA directory. |
CA directory containing the trusted CA and CRL files. |
|
Verify CRL |
Off (false) |
It verifies that certificates used in the connection are not revoked by any CRLs in the CA directory. |
-
Click the Validate button to check if the defined parameters are suitable and adequate for configuring the component. If the configuration of the component is erroneous or not adequate, the Web UI provides a warning that the 'Component validation failed'. Also a warning with information on the missing details appears at the problematic field for the user. If the configuration of the component is satisfactory, after clicking the Validate button, the user receives the 'Component Validation successful' notification.
-
Save the Syslog TLS configuration by clicking Save.
6.4.6. Files
The Files configuration element enables the administrator to upload any Generic, Swagger, XSD, WSDL, CA and CRL certificate files.
6.4.6.1. Configuring Files
Files can be configured from the BRICKS main navigation item.
-
Click on BRICKS main configuration item in the Left navigation area. Alternatively you can also click on the
sign to open up the sub-navigation items of BRICKS. -
Select Files.
The configuration window that appears either presents the configuration values already set by the user or shows the configuration values ready to be configured:
-
Click on the New navigation button to configure Files.
Files contains the following settings:
Files has the following configuration parameters:
| Key | Values | Default | Description |
|---|---|---|---|
Name* |
It is a mandatory value. The name can be provided in free text. |
It defines the file-related configuration. |
|
Type* |
It is a mandatory value. The available values are:
See table Requirements for specific file types for specific requirements for each type. |
The type selected here defines by which BRICK it can be used. The file uploaded here with the Type Swagger, for example, can be used by Swagger bricks. |
|
File* |
It is a mandatory value. The required file can be uploaded here. |
-
Click the Validate button to check if the defined parameters are suitable and adequate for configuring the component. If the configuration of the component is erroneous or not adequate, the Web UI provides a warning that the 'Component validation failed'. Also a warning with information on the missing details appears at the problematic field for the user. If the configuration of the component is satisfactory, after clicking the Validate button, the user receives the 'Component Validation successful' notification.
-
Save the configuration by clicking the Save button.
| File type | Requirements |
|---|---|
CA |
|
6.4.7. Common configuration elements for BRICKS
6.4.7.1. Extractors
Extractors are used to extract data from the call.
They are utilized by Matcher and Selector. Extractors are configured as part of matchers and selectors, there are no named extractors.
Extractors are included by their type in Selectors, and are configured within matchers.
Most extractors return simple string values. However, some (might) return dictionaries. For example, you can get all the HTTP headers, or all the URI query parameters.
See the Extractor types for more details on extractors and their configuration options.
The following table provides details on extractor types:
| Key | Description | ||
|---|---|---|---|
Method |
It extracts the HTTP method of the request. It does not require configuration. |
||
Status |
It extracts the status code of the response. It does not require configuration. |
||
JMESPath |
It extracts data from the body of a JSON call with the help of a JMESPath expression. JMESPath is a query language for JSON. It is a very versatile tool for extracting the needed information from the body of the call, and organizing it according to requirements. A complete explanation on how to write JMESPath expressions is not in the scope of this document. To learn more about it visit the: main website:
|
||
Header |
It extracts the value of an HTTP header. It is valid for some HTTP headers to be present more than once in a call. In this case, all the values are extracted as a list. It provides the name of the header in the configuration. |
||
Header force list |
It works like the Header extractor but it returns a list even if there is only a single extracted value. |
||
Header first |
It works like header extractor but it only returns the first extracted value even if there is a list of extracted values. |
||
Headers |
It extracts all the headers from the call. The results are stored as a dictionary, therefore it is recommended to omit the 'save as' key if you use this from a selector. It is valid for some HTTP headers to be present more than once in a call. In such cases all the values are stored under the header’s key as a list. It does not require configuration. |
||
URI |
It matches against the whole request URI as received from the client. It does not require configuration. |
||
URI netloc |
It extracts the network location in the URI. It does not require configuration. It includes:
|
||
URI origin |
It extracts the origin part of the URI. It does not require configuration. It includes:
|
||
URI scheme |
It extracts the scheme of the request (http or https). It does not require configuration. |
||
URI username |
It extracts the username in the request if present. It does not require configuration. |
||
URI password |
It extracts the password in the request if present. It does not require configuration. |
||
URI host |
It extracts the host in the request. It does not require configuration. |
||
URI port |
It extracts the port of the request, the default port — that is 80 and 443 for HTTP and HTTPS, respectively — even if it is not not displayed explicitly in the request. It does not require configuration. |
||
URI path |
It extracts the path part of the URI. It does not require configuration. It includes:
If you need to extract the path exactly as received, use URI raw path parameter. |
||
URI raw path |
It extracts the path part of the URI, without the normalization of URI path carried out. NOTE: If the path is missing a single forward slash ("/") is extracted. It does not require configuration. |
||
URI raw query |
It extracts the query part of the URI as a string. It does not require configuration. It does not require configuration. |
||
URI query |
It extracts the query part of the URI. It does not require configuration. It does not require configuration. |
||
URI query parameter |
It extracts the value of a query parameter. It is also valid for URIs to include a query parameter more than once. That is, it could be 'foo=bar&qux=quz&foo=baz'. In this case both values are extracted as a list. Provide the name of the parameter in the configuration. |
||
URI query parameter force list |
It works like Uri query parameter but it returns a list even if there is only a single extracted value. |
||
URI query parameter first |
It works like Uri query parameter but it only returns the first extracted value even if there is a list of extracted values. |
||
Content |
It extracts the content. It does not require configuration. |
||
Raw content |
It extracts the content as a string. It does not require configuration. |
||
Content type |
It extracts the content type from the HTTP header. It does not require configuration. |
||
Content type charset |
It extracts the charset from the content type HTTP header. It does not require configuration. |
||
Call direction |
It extracts the call direction (request, response). It does not require configuration. |
||
Session ID |
It extracts the internal identifier of the HTTP session in keep-alive HTTP connections. Its 'Include request counter' option enables adding a request counter representing the number of requests in the session. |
||
Static |
It extracts a string, integer, number, object, array, boolean as string from the configuration. |
||
Timestamp |
It extracts the current time. Also see the tables on Configuring timestamps and Timestamp format options. |
||
Xpath |
It extracts data from the body of an XML call with the help of a Xpath expression. Xpath is a query language for XML. It is a very versatile tool for extracting the needed information from the body of the call, and organizing it according to needs. A complete explanation on how to write Xpath expressions is not in the scope of this document. To learn more about it visit the main website. Also see table Xpath extractor configuration options. Provide the Xpath expression in the configuration. Depending on the expression, the return value is a single node or a list of nodes. If you want a single value or a list independent from the expression, use xpath first or xpath force list. |
||
Xpath force list |
It works like xpath but it returns a list even if there is only a single extracted value. |
||
Xpath first |
It works like xpath but it only returns the first extracted value even if there is a list of extracted values. |
||
Soap version |
This extractor extends the xpath extractor with predefined expressions. It extracts the soap message version. It identify with the soap namespace. Possible values:
|
||
Soap envelope |
This extractor extends the xpath extractor with predefined expressions. It extracts the soap envelope. |
||
Soap header |
It extracts the soap header. This extractor extends the xpath extractor with predefined expressions. |
||
Soap body |
It extracts the soap body. This extractor extends the xpath extractor with predefined expressions. |
||
Soap fault |
It extracts the soap fault. This extractor extends the xpath extractor with predefined expressions. |
||
Soap fault code |
It extracts the soap fault 'code'. This extractor extends the xpath extractor with predefined expressions. This extractor expression depends on the soap version.
|
||
Soap fault detail |
This extractor extends the xpath extractor with predefined expressions. It extracts the soap fault 'detail'. This matcher expression depends on the soap version.
|
||
Soap 1.1 fault faultstring |
This extractor extends the xpath extractor with predefined expressions. It extracts the soap fault 'faultstring'. This extractor only works with soap version 1.1. |
||
Soap 1.1 fault faultactor |
This extractor extends the xpath extractor with predefined expressions. It extracts the soap fault 'faultactor'. This extractor only works with soap version 1.1. |
||
Soap 1.2 fault reason |
This extractor extends the xpath extractor with predefined expressions. It extracts the soap fault 'Reason'. This extractor only works with soap version 1.2. |
||
Soap 1.2 fault node |
This extractor extends the xpath extractor with predefined expressions. It extracts the soap fault 'Node'. This extractor only works with soap version 1.2. |
||
Soap 1.2 fault role |
This extractor extends the xpath extractor with predefined expressions. It extracts the soap fault 'Role'. This extractor only works with soap version 1.2. |
You can still use Save as for extractors returning dictionaries. For example, you can save all the headers under the headers' key and the URI query parameters under the parameters' key.
|
Timestamp extractors can be configured as follows:
| Name | Default | Description |
|---|---|---|
Time zone |
'UTC' |
Set the time zone.
|
format |
'YYYY-MM-DDTHH:mm:ss.SSSSSSZZ' |
Set the format. See: Timestamp format options |
| Token | Output | |
|---|---|---|
Year |
YYYY |
2000, 2001, 2002 … 2012, 2013 |
Month |
MMMM |
January, February, March |
Day of Year |
DDDD |
001, 002, 003 … 364, 365 |
Day of Month |
DD |
01, 02, 03 … 30, 31 |
Day of Week |
dddd |
Monday, Tuesday, Wednesday |
Hour |
HH |
00, 01, 02 … 23, 24 |
AM / PM |
A |
AM, PM, am, pm |
Minute |
mm |
00, 01, 02 … 58, 59 |
Second |
ss |
00, 01, 02 … 58, 59 |
Sub-second |
S… |
0, 02, 003, 000006, 123123123123 |
Time zone |
ZZZ |
Asia/Baku, Europe/Warsaw, GMT |
Seconds Timestamp |
X |
1381685817, 1381685817.915482 |
ms or µs Timestamp |
x |
1569980330813, 1569980330813221 |
| Key | Default | Description |
|---|---|---|
xpath_expression |
It is the expression to extract the node from the call to match against. |
|
namespaces |
Defines the XML namespaces. |
|
clear_text |
False |
It removes white spaces at the beginning and at the end of the string. |
6.4.7.2. Comparators
Comparators are used for comparing the pattern with the result of the xpath expression.
| Key | Description | Parameters | ||
|---|---|---|---|---|
Equals |
It matches if the parameter is exactly the same as the value matched. |
Ignore case: Case differences (lower case, upper case) are ignored. When the present VaLuE would match value. |
||
Not equals |
It matches if the parameter is not exactly the same as the value matched. |
Ignore case: Case differences are ignored. When the present VaLuE would not match vAlUe. |
||
Starts with |
It matches if the value starts exactly with the pattern. |
Ignore case: Case differences are ignored. When the present VaLuE would match value_given. |
||
Ends with |
It matches if the value ends exactly with the pattern. |
Ignore case: Case differences are ignored. When the present VaLuE would match given_value. |
||
Substring |
It matches if the exact pattern is found somewhere in the value. |
Ignore case: Case differences are ignored. When the present VaLuE would match some-value-given. |
||
Pattern |
The Pattern treats the input as Unix shell-style wildcards. There are special characters used in shell-style wildcards:
|
Ignore case: Case differences are ignored. When the present VaLuE would match some-value-given. |
||
Regex |
Regex treats input as a regular expression for matching. Consult Python’s regular expression documentation and their Regular Expression HOWTO. |
|
||
Minimum |
It matches if the pattern is larger or equal to the value. |
|||
Maximum |
It matches if the pattern is smaller or equal to the value. |
|||
Range |
It matches if the value is between the limits in the pattern, including boundaries. The format of the pattern must be minimum..maximum. |
|||
Status class |
Status class is a special matcher for conveniently matching HTTP status code classes. It takes the name of the class and checks if the status code is in the given range as stated in Checking status code range. |
| Pattern | Status code range | Description |
|---|---|---|
info |
1xx |
Informational response |
success |
2xx |
Successful response |
redirect |
3xx |
Redirects |
client_error |
4xx |
Client Errors |
server_error |
5xx |
Server Errors |
6.5. PLUGINS - Configuration units
A plugin is an element of the security flow that applies a specific security function. Plugins have different types based on the role they do:
Plugins are named, so that they can be referenced in other parts of the configuration.
| This means that Plugin configurations are reusable. |
Certain Plugins are so called default objects, which are in 'read-only' state and cannot be configured or modified. Such default objects are listed in the following table:
| Default object name | Key |
|---|---|
default_json |
Serializer |
default_xml |
Serializer |
default_json |
Deserializer |
default_xml |
Deserializer |
Default |
Compressor |
default |
Decompressor |
6.5.1. Common Plugin parameters
Regardless of what plugins do, all plugins share some common parameters.
| Key | Values | Default value | Description |
|---|---|---|---|
Matcher |
The Matchers configured under BRICKS main configuration unit are listed here and can be selected from the drop-down list. |
Always: If the value is not defined, the plugin is always executed. |
It decides if the Plugin should be executed based on the call’s details. For details see Matcher. If no matcher is configured the Plugin is always executed. |
Error policy |
The Error Policy configured under BRICKS are listed here can be selected from the drop-down list. |
It defines a custom error policy to be applied if the Plugin reports an error. The settings of the Error policy here override the Security Flow’s default error policy. If no error policy is configured, the plugin type’s default error policy is applied. For details see Error Policy. |
Both parameters are optional:
-
If no matcher is configured, the Plugin is always executed.
-
If no error policy is configured, the plugin type’s default error policy is applied.
| Only values defined in the custom error policy are overridden, the rest is inherited from the Plugin type’s default error policy, not from the Security Flow’s default error policy. See Error Policy for details on how the error policy hierarchy is applied. |
Plugins' are always named so that their names refer to a Plugin that represents a certain configuration. The names themselves are referenced from the Security Flow.
6.5.2. Enforcer
An Enforcer Plugin validates calls against externally defined schemas.
The Plugin supports validation against OpenAPI2.0 (Swagger) schemas, XSD schemas or WSDL schema.
Understanding the format of these schemas is not in the scope of this document. Further information is available at:
The Plugin overrides the following fields of the default error policy:
| Policy Setting | Default |
|---|---|
request_code |
422 |
request_message |
Validation Error |
Problems are considered errors that lead to the termination of the call. Problems in the request are reported back to the client, while errors in the response are suppressed to avoid information leak.
See Error Policy to understand how defaults are applied.
6.5.2.1. Configuring Enforcer Plugins
Enforcer plugins can be configured from the PLUGINS main navigation item.
-
Click on PLUGINS main configuration item in the Left navigation area. Alternatively you can also click on the
sign to open up the sub-navigation items of PLUGINS. -
Select Enforcer plugin.
The configuration window that appears either presents the configuration values already set by the user or shows the configuration values ready to be configured:
The following values can be configured for the Filter Plugin:
The Enforcer Plugin accepts the following configuration options:
| Key | Values | Default value | Description |
|---|---|---|---|
Name* |
It is a mandatory value. It can be defined in free text. |
This name identifies the Enforcer Plugin. The name of the plugin can be referenced from other parts of the configuration. |
|
Type* |
It is a mandatory value. It can be selected from the drop-down list. The available values are:
The Swagger, XSD, and WSDL keys configured under BRICKS can be selected here. |
This identifies the type of the Enforcer plugin. |
|
Error policy |
The error policies configured under BRICKS - Configuration units are listed here and can be selected from the drop-down list. |
enforcer_default |
It defines a custom error policy to be applied if the Plugin reports an error. The settings of the Error policy here override the Security Flow’s default error policy. For details see [errorpolicies]. |
Matcher |
The matchers configured under BRICKS - Configuration units are listed here and can be selected from the drop-down list. |
Always: If the value is not defined the plugin is always executed. |
It decides if the Plugin should be executed based on the call’s details. For details see Matcher. If omitted the Plugin is always executed. |
Swagger/WSDL/Operations* |
Depending on which file type was selected above, the following values are available:
|
The Swagger enforcer Plugin validates against OpenApi2.0 schemas. WSDL enforcer Plugin validates against WSDL 1.0-1.1 schemas. XSD enforcer Plugin validates against XSD schemas. |
XSD has the following configuration options for the Operations parameters:
| Key | Default | Description |
|---|---|---|
uri_path |
* |
It defines the pattern for uri_path. |
Choose Method |
It defines the method of the HTTP message. The following values are available for Method:
|
|
Status |
It defines the status of the HTTP message. |
|
Choose Call direction |
It defines the direction of the message, which must be either request or response. |
|
Choose files |
It defines the XSD schema. |
-
Name the Enforcer Plugin.
-
Choose the type of the Enforcer plugin.
-
Choose an Error policy from the drop-down list. The drop-down list will offer the error policy options configured under Bricks.
-
Choose a Matcher from the drop-down list. The drop-down list will offer the matcher options configured under Bricks.
-
Choose a Swagger from the drop-down list. The drop-down list will offer the Swagger options configured under Bricks.
-
Click the Validate button to check if the defined parameters are suitable and adequate for configuring the component. If the configuration of the component is erroneous or not adequate, the Web UI provides a warning that the 'Component validation failed'. Also a warning with information on the missing details appears at the problematic field for the user. If the configuration of the component is satisfactory, after clicking the Validate button, the user receives the 'Component Validation successful' notification.
-
Click the Save button, when all required configuration fields have been defined.
6.5.2.2. Swagger
The Swagger enforcer Plugin validates against OpenApi2.0 schemas.
The Plugin overrides the following fields of the default error policy:
| Policy Setting | Default |
|---|---|
request_code |
422 |
request_message |
Validation Error |
Problems are considered errors that lead to the termination of the call. Problems in the request are reported back to the client, while errors in the response are suppressed to avoid information leak.
See Error Policy to understand how defaults are applied.
The Plugin needs the schema definition file of the API Endpoint. This file must be in JSON or YML format.
6.5.2.3. XSD
XSD enforcer Plugin validates against XSD schemas. Both XSD 1.0 and 1.1 are supported.
| As XSD enforcer requires parsed XML content an xml deserializer plugin needs to be included before XSD enforcer. |
In the XSD enforcer you can define operations. Each operation contains criteria for identifying the call, and path of an XSD schema. If the HTTP message meets all criteria, its content will be validated using the schema.
XSD enforcer schema must contain at least one operation.
6.5.2.4. WSDL
WSDL enforcer Plugin validates against WSDL 1.0-1.1 schemas.
| As WSDL enforcer requires parsed XML content, an xml deserializer plugin needs to be included before WSDL enforcer. |
The Plugin overrides the following fields of the default error policy:
| Policy Setting | Default |
|---|---|
request_code |
422 |
request_message |
Validation Error |
Problems are considered errors that lead to the termination of the call. Problems in the request are reported back to the client, while errors in the response are suppressed to avoid information leak.
See Error Policy to understand how defaults are applied.
The plugin needs the schema definition file. This file must be in XML format.
| WSDL schema validates request and response as well. Make sure that wsdl enforcer included in request and response flow as well. |
| In simple cases — when the listener/endpoint is serving a single version of a single API endpoint — a matcher is usually not needed as the schemas define all known URLs in the API. If however multiple API endpoints are consolidated under a single endpoint definition, you can define multiple enforcers each matching on a sub-path by using an URI path matcher and putting them all in the Security Flow. |
6.5.3. Filter
Filter Plugins are lightweight alternatives of Enforcer Plugins for filtering unwanted traffic. They only consist of a matcher and an error policy. If the matcher matches, the error policy is applied. This way you can use matchers inline, instead of creating a whole schema-based Enforcer Plugin for the simple use cases.
6.5.3.1. Configuring Filter Plugins
The Filter Plugin can be configured under the PLUGINS main navigation unit.
-
Click on PLUGINS main configuration item in the Left navigation area. Alternatively you can also click on the
sign to open up the sub-navigation items of PLUGINS. -
Select Filter plugin.
The configuration window that appears either presents the configuration values already set by the user or shows the configuration values ready to be configured:
The following values can be configured for the Filter Plugin:
The Filter Plugin accepts the following configuration options:
| Key | Values | Default value | Description |
|---|---|---|---|
Name* |
It is a mandatory value. It can be defined in free text. |
The name identifying the Filter Plugin. This name of the plugin can be referenced from other parts of the configuration. |
|
Body |
It can be defined in free text. |
"" |
It is the body of the message sent in case an error policy is applied. |
Content Type |
"" |
A list of Selector that collect information from the call. They can be referenced by their name. |
|
Error policy |
The error policies configured under BRICKS - Configuration units are listed here and can be selected from the drop-down list. |
error_policy |
It defines a custom error policy to be applied if the Plugin reports an error. The settings of the Error policy here override the Security Flow’s default error policy. For details see Error Policy. |
Matcher |
The matchers configured under BRICKS - Configuration units are listed here and can be selected from the drop-down list. |
Always: If the value is not defined the plugin is always executed. |
It decides if the Plugin should be executed based on the call’s details. For details see Matcher. If omitted the Plugin is always executed. |
| Make sure that any component referenced in the configuration of this component, for example an Error policy or a Matcher selected from the drop-down lists, must remain part of the configuration later as well. Removing any of the referenced components might lead to invalid configuration. |
-
Add the name of the Filter Plugin.
-
Add the Body content for the error policy. (Optional)
-
Define the Content type.
-
Choose an error policy from the drop-down list. (Optional)
-
Choose a matcher from the drop-down list. (Optional)
-
Click the Validate button to check if the defined parameters are suitable and adequate for configuring the component. If the configuration of the component is erroneous or not adequate, the Web UI provides a warning that the 'Component validation failed'. Also a warning with information on the missing details appears at the problematic field for the user. If the configuration of the component is satisfactory, after clicking the Validate button, the user receives the 'Component Validation successful' notification.
-
Click the Save button, when all required configuration fields have been defined.
The Plugin does not override any of the default error policy options.
Problems are considered errors that lead to the termination of the call. Problems in the request are reported back to the client, while errors in the response are suppressed to avoid information leak.
See Error Policy to understand how defaults are applied.
| If you omit the matcher, the Plugin will always be executed. For Filter plugins this means aborting all calls. |
6.5.4. Insight
It is a Plugin that extracts various data from the call and sends it to external systems (log servers, SIEMs, and other data analysis tools).
6.5.4.1. Configuring Insight Plugins
The Insight Plugin can be configured under the PLUGINS main navigation unit.
-
Click on PLUGINS main configuration item in the Left navigation area. Alternatively you can also click on the
sign to open up the sub-navigation items of PLUGINS. -
Select Insight plugin.
The configuration window that appears either presents the configuration values already set by the user or shows the configuration values ready to be configured:
-
Click the New button to create an Insight Plugin configuration. The following values can be configured for the Insight Plugin:
| Key | Values | Default value | Description |
|---|---|---|---|
Name* |
It is a mandatory value. It can be defined in free text. |
The name identifying the insight. This name of the insight can be referenced from other parts of the configuration. |
|
Error policy |
The error policies configured under BRICKS - Configuration units are listed here and can be selected from the drop-down list. |
insight_default |
It defines a custom error policy to be applied if the Plugin reports an error. The settings of the Error policy here override the Security Flow’s default error policy. For details see Error Policy. |
Matcher |
The matchers configured under BRICKS - Configuration units are listed here and can be selected from the drop-down list. |
Always: If the value is not defined the plugin is always executed. |
It decides if the Plugin should be executed based on the call’s details. For details see Matcher. If omitted the Plugin is always executed. |
Message |
It is a mandatory value. It can be defined in free text. |
"" |
It is the message part of the log message. |
Selectors* |
A list of Selector that collect information from the call. They can be referenced by their name or can be defined inline. |
||
Targets* |
A list of Insight where the collected information will be sent to. |
The Plugin overrides the following fields of the default error policy:
| Policy Setting | Default |
|---|---|
request |
log |
response |
log |
Problems are considered errors that only need to be logged. If that is overridden then problems in the request are reported back to the client, while errors in the response are suppressed to avoid information leak.
See Error Policy to understand how defaults are applied.
The Plugin collects the information from all the selectors and sends them to all the targets.
The collected information from all the selectors is arranged into a dictionary: a list of key — value pairs. The key can be configured in each selector. Certain selectors might return complex data structures, that are made up of other dictionaries and/or lists. To ensure compatibility with a wide range of target types, such results are flattened. The path inside the complex data structure is encoded into the key for each value. More details are available on this in Data flattening.
-
Add the name of the Insight Plugin.
-
Choose an error policy from the drop-down list. (optional)
-
Choose a matcher from the drop-down list. (optional)
-
Add the message content for the error policy. (optional)
-
Choose a selector from the drop-down list.
-
Define the target.
-
Click the Validate button to check if the defined parameters are suitable and adequate for configuring the component. If the configuration of the component is erroneous or not adequate, the Web UI provides a warning that the 'Component validation failed'. Also a warning with information on the missing details appears at the problematic field for the user. If the configuration of the component is satisfactory, after clicking the Validate button, the user receives the 'Component Validation successful' notification.
-
Click the Save button, when all required configuration fields have been defined.
6.5.5. Serializer
The Serializer Plugin is responsible for serializing the structured data to the format of the HTTP message’s body.
Serialization needs to be done before compression. A typical Security Flow configuration starts with a Decompressor followed by a Deserializer and finishes with a Serializer followed by a Compressor. This ensures that transferred HTTP bodies are syntactically correct and that they are reconstructed to avoid transferring potentially crafted content.
The Serializer Plugin understands the Content-Type HTTP header and can work with JSON and XML content.
6.5.5.1. Configuring Serializer Plugins
The Serializer can be configured under the PLUGINS main navigation unit.
-
Click on PLUGINS main configuration item in the Left navigation area. Alternatively you can also click on the
sign to open up the sub-navigation items of PLUGINS. -
Select Serializer.
The configuration window that appears presents the default Serializers, as listed in Default objects - PLUGINS and the configuration values already set by the user:
-
Click the New button to create a serializer configuration. The following values can be configured for the Serializer Plugin:
The table describes some more details on the serializer configuration parameters.
| Key | Values | Default value | Description |
|---|---|---|---|
Name* |
It is a mandatory value. It can be defined in free text. |
It is the name identifying the serializer. This name of the serializer can be referenced from other parts of the configuration, that is, the Plugin is reusable. |
|
Type* |
It is a mandatory value. The value can be selected from a drop-down list. The value can be:
|
There are two types of predefined (de)serializer plugins. |
|
Error policy |
The Error Policy configured under BRICKS are listed here can be selected from the drop-down list. |
error_policy |
It defines a custom error policy to be applied if the Plugin reports an error. The settings of the Error policy here override the Security Flow’s default error policy. If no error policy is configured, the plugin type’s default error policy is applied. For details see Error Policy. |
Matcher |
The Matchers configured under BRICKS main configuration unit are listed here and can be selected from the drop-down list. |
json_content |
It decides if the Plugin should be executed based on the call’s details. For details see Matcher. If no matcher is configured the Plugin is always executed. |
The Plugin does not override any of the default error policy options.
Problems are considered errors that lead to the termination of the call. Problems in the request are reported back to the client, while errors in the response are suppressed to avoid information leak.
See Error Policy to understand how defaults are applied.
Continue configuring the serializer with the following steps:
-
Add the name of the serializer.
-
Select the type of the Serializer.
-
Choose an Error policy from the drop-down list.
-
Choose a Matcher from the drop-down list.
-
Click the Validate button to check if the defined parameters are suitable and adequate for configuring the component. If the configuration of the component is erroneous or not adequate, the Web UI provides a warning that the 'Component validation failed'. Also a warning with information on the missing details appears at the problematic field for the user. If the configuration of the component is satisfactory, after clicking the Validate button, the user receives the 'Component Validation successful' notification.
-
Click the Save button, when all required configuration fields have been defined.
6.5.6. Deserializer
It is a Plugin responsible for parsing the HTTP message’s body to structured data. This ensures that a message is well-formed. The structured data will also be consumed by other Plugins that operate on the body of the message.
A typical Security Flow configuration starts with a Decompressor followed by a Deserializer and finishes with a Serializer followed by a Compressor. This ensures that transferred HTTP bodies are syntactically correct and that they are reconstructed to avoid transferring potentially crafted content.
6.5.6.1. Configuring Deserializer Plugins
The Deserializer can be configured under the PLUGINS main navigation unit.
-
Click on PLUGINS main configuration item in the Left navigation area. Alternatively you can also click on the
sign to open up the sub-navigation items of PLUGINS. -
Select Deserializer plugin.
The configuration window that appears presents the default Deserializers, as listed in Default objects - PLUGINS and the configuration values already set by the user:
-
Click the New navigation button to create a deserializer configuration.
The following values can be configured for the Deserializer Plugin:
The following table describes the deserializer configuration parameters in details:
| Key | Values | Default value | Description |
|---|---|---|---|
Name* |
It is a mandatory value. It can be defined in free text. |
The name identifying the deserializer. This name of the deserializer can be referenced from other parts of the configuration. |
|
Type* |
It is a mandatory value. The value can be selected from a drop-down list. The value can be:
|
There are two types of predefined (de)serializer plugins. |
|
Error policy |
The error policies configured under BRICKS - Configuration units are listed here can be selected from the drop-down list. |
error_policy |
It defines a custom error policy to be applied if the Plugin reports an error. The settings of the Error policy here override the Security Flow’s default error policy. For details see Error Policy. |
Matcher |
The matchers configured under BRICKS - Configuration units are listed here can be selected from the drop-down list. |
json_content |
It decides if the Plugin should be executed based on the call’s details. For details see Matcher. If omitted the Plugin is always executed. |
The Plugin does not override any of the default error policy options.
Problems are considered errors that lead to the termination of the call. Problems in the request are reported back to the client, while errors in the response are suppressed to avoid information leak.
See Error Policy to understand how defaults are applied.
-
Add the name of the deserializer.
-
Select the Type of the Deserializer.
-
Choose an Error policy from the drop-down list.
-
Choose a Matcher from the drop-down list.
-
Click the Validate button to check if the defined parameters are suitable and adequate for configuring the component. If the configuration of the component is erroneous or not adequate, the Web UI provides a warning that the 'Component validation failed'. Also a warning with information on the missing details appears at the problematic field for the user. If the configuration of the component is satisfactory, after clicking the Validate button, the user receives the 'Component Validation successful' notification.
-
Click the Save button, when all required configuration fields have been defined.
6.5.7. Compressor
The Compressor Plugin compresses the body of the HTTP message.
Compressors understand the Transfer-Encoding HTTP header and can work with content optionally compressed by the gzip, deflate and brotli algorithms.
6.5.7.1. Configuring Compressors
The Compressor can be configured under the PLUGINS main navigation unit.
-
Click on PLUGINS main configuration item in the Left navigation area. Alternatively you can also click on the
sign to open up the sub-navigation items of PLUGINS. -
Select Compressor.
The configuration window that appears presents the default Compressor, as listed in Default objects - PLUGINS and the configuration values already set by the user:
-
Click the New button to create a Compressor configuration. The following values can be configured for the Compressor Plugin:
The table describes some more details on the Compressor’s configuration parameters.
| Key | Values | Default value | Description |
|---|---|---|---|
Name* |
It is a mandatory value. It can be defined in free text. |
It is the name identifying the compressor. This name of the compressor can be referenced from other parts of the configuration, that is, the Plugin is reusable. |
|
Error policy |
The Error Policy configured under BRICKS are listed here can be selected from the drop-down list. |
The Plugin has a default error policy. |
It defines a custom error policy to be applied if the Plugin reports an error. The settings of the Error policy here override the Security Flow’s default error policy. If no error policy is configured, the plugin type’s default error policy is applied. For details see Error Policy. |
Matcher |
The Matchers configured under BRICKS main configuration unit are listed here and can be selected from the drop-down list. |
Always: If the value is not defined the plugin is always executed. |
It decides if the Plugin should be executed based on the call’s details. For details see Matcher. If no matcher is configured the Plugin is always executed. |
Continue configuring the compressor with the following steps:
-
Add the name of the compressor.
-
Choose an Error policy from the drop-down list.
-
Choose a Matcher from the drop-down list.
-
Click the Validate button to check if the defined parameters are suitable and adequate for configuring the component. If the configuration of the component is erroneous or not adequate, the Web UI provides a warning that the 'Component validation failed'. Also a warning with information on the missing details appears at the problematic field for the user. If the configuration of the component is satisfactory, after clicking the Validate button, the user receives the 'Component Validation successful' notification.
-
Click the Save button, when all required configuration fields have been defined.
6.5.8. Decompressor
The Decompressor Plugin decompresses the body of the HTTP message.
They understand the Transfer-Encoding HTTP header and can work with content optionally compressed by the gzip, deflate and brotli algorithms.
6.5.8.1. Configuring Decompressors
The Decompressor can be configured under the PLUGINS main navigation unit.
-
Click on PLUGINS main configuration item in the Left navigation area. Alternatively you can also click on the
sign to open up the sub-navigation items of PLUGINS. -
Select Decompressor.
The configuration window that appears presents the default Decompressor, as listed in Default objects - PLUGINS and the configuration values already set by the user:
-
Click the New button to create a Decompressor configuration. The following values can be configured for the Decompressor Plugin:
The table describes some more details on the Decompressor’s configuration parameters.
| Key | Values | Default value | Description |
|---|---|---|---|
Name* |
It is a mandatory value. It can be defined in free text. |
It is the name identifying the decompressor. This name of the decompressor can be referenced from other parts of the configuration, that is, the Plugin is reusable. |
|
Error policy |
The Error Policy configured under BRICKS are listed here can be selected from the drop-down list. |
The Plugin has a default error policy. |
It defines a custom error policy to be applied if the Plugin reports an error. The settings of the Error policy here override the Security Flow’s default error policy. If no error policy is configured, the plugin type’s default error policy is applied. For details see Error Policy. |
Matcher |
The Matchers configured under BRICKS main configuration unit are listed here and can be selected from the drop-down list. |
Always: If the value is not defined the plugin is always executed. |
It decides if the Plugin should be executed based on the call’s details. For details see Matcher. If no matcher is configured the Plugin is always executed. |
Continue configuring the decompressor with the following steps:
-
Add the name of the decompressor.
-
Choose an Error policy from the drop-down list.
-
Choose a Matcher from the drop-down list.
-
Click the Validate button to check if the defined parameters are suitable and adequate for configuring the component. If the configuration of the component is erroneous or not adequate, the Web UI provides a warning that the 'Component validation failed'. Also a warning with information on the missing details appears at the problematic field for the user. If the configuration of the component is satisfactory, after clicking the Validate button, the user receives the 'Component Validation successful' notification.
-
Click the Save button, when all required configuration fields have been defined.
6.6. SERVICE - Configuration units
Proxedo API Security is based on a micro-services architecture.
6.6.1. Backend
Backends are a set of servers for a given API endpoint.
Their configuration is made up of two main parts:
-
a list of servers: port pairs and how to route traffic to them
-
TLS configuration for talking to the servers
6.6.1.1. Configuring the Backend
Backend can be configured under the SERVICE main navigation item.
-
Click on the_SERVICE_ main configuration item in the Left navigation area. Alternatively you can also click on the
sign to open up the sub-navigation items of SERVICE. -
Select Backend.
The configuration window that appears either presents the configuration values already set by the user or shows the configuration values ready to be configured:
-
Click the New navigation button to create a Backend configuration.
The following keys are available for Backend configuration:
Backends take the following configuration options:
| Key | Values | Default value | Description |
|---|---|---|---|
Name |
It is a mandatory value. It can be defined in free text. |
The name identifying the backend. This name of the backend can be referenced from other parts of the configuration. |
|
Backend retry in |
If the value is not configured the default value will be added. |
600000 |
It is the timeout in milliseconds before a server -that was down- is restarted again. |
Backend timeout |
If the value is not configured the default value will be added. |
30000 |
It is the connection timeout in milliseconds of a server that is down. |
Backend TLS |
The value can be selected from a drop-down list. The drop-down list presents the Backend TLS configurations defined under BRICKS/TLS. If the value is not configured the default value will be added. |
none |
You can define the TLS configuration towards the backend servers. See [backend-side-tls] for details. |
Backend use client address |
If this parameter is switched on, PAS uses the client’s source address as the source of the server-side connection. Otherwise it uses the IP address of the interface connected to the server. If the value is not configured the default value will be added. |
false |
The URL by which the backend servers understand incoming requests. When set, two transformations take place:
|
Forge Port |
The source port can can take on the following values:
If the value is not configured the default value will be added. |
Any |
This parameter defines the source port that PAS uses in the server-side connection. The values in details are as follows:
|
LB method |
One of the following methods can be used:
If the value is not configured the default value will be added. |
Direct |
Load balancing method to use. |
Servers* |
It is a mandatory value. There are two values to be configured:
|
The list of servers that serve API endpoint(s). See Backend servers' configuration for details. |
-
Name the Backend configuration.
-
Provide the values for the Servers parameter:_Host_ and Port.
-
Click the Validate button to check if the defined parameters are suitable and adequate for configuring the component. If the configuration of the component is erroneous or not adequate, the Web UI provides a warning that the 'Component validation failed'. Also a warning with information on the missing details appears at the problematic field for the user. If the configuration of the component is satisfactory, after clicking the Validate button, the user receives the 'Component Validation successful' notification.
-
Click the Save button, when all required configuration fields have been defined.
6.6.2. Endpoint
An endpoint holds together all the policies that apply to a certain API endpoint:
-
List of URLs
-
The default error policy for the endpoint
-
The backend to which requests will be forwarded
-
The security flow that will be applied to the traffic
| Note that Endpoints are named. This is because they need to be referenced from other parts of the configuration. This is true for most top level configuration objects (but not true for _Listeners, for example). |
6.6.2.1. Security Flow
The Security Flow definition in an endpoint lists what happens to the traffic on a given endpoint.
To understand how requests flow through PAS, see Understanding processing flow. The Security Flow starts when the Transport Director has already set up client connection and routed the request to the Flow Director. At this point the TLS and HTTP layers are already processed, but the content in the body of the request is available only in raw format and has not been parsed yet.
At this stage, the configuration security flow decides on what happens to the traffic by applying a list of Plugins one by one. Plugin is a collective name for Enforcers, Insights, Filters, etc. Once, all the plugins have processed the request, the control is handed back to the Transport Director which routes the request to a backend server, and comes back with the response after handling TLS and HTTP. At this point, the Flow Director applies another list of Plugins to response, and once done, it hands back the response to the Transport Director which in turn returns that to the client.
If at any point an error occurs, the error policy is applied — which might either mean to lead to logging the error or to terminating processing and returning an error indication to the client.
Plugins can override the endpoint’s error policy.
Also note that different Plugins need different data. An Insight that applies a JMESPath query needs parsed JSON, while one that extracts value from an HTTP header field does not. Other Plugins provide these required values, like a JSON deserializer Plugin. It is important that the Plugins are configured in such an order that the required data is made available beforehand.
6.6.2.2. Configuring the Endpoint
Endpoints can be configured under the SERVICE navigation item.
-
Click on the SERVICE main configuration item in the Left navigation area. Alternatively you can also click on the
sign to open up the sub-navigation items of SERVICE. -
Select Endpoint.
The configuration window that appears either presents the configuration values already set by the user or shows the configuration values ready to be configured:
-
Click the New navigation button to create an Endpoint configuration.
The following keys are available for endpoint configuration on the main page of endpoint:
Each endpoint has the following configuration options. The elements marked with * are mandatory to be configured.
| Key | Values | Default value | Description |
|---|---|---|---|
Name* |
It is a mandatory value. It can be defined in free text. |
The name identifying the endpoint. This name of the endpoint can be referenced from other parts of the configuration. |
|
Backend* |
It is a mandatory value. Backends are a set of servers for a given API endpoint. For more details, see Security Flow. |
The Security Flow definition in an endpoint lists what happens to the traffic on a given endpoint. For more details, see Security Flow. |
|
Backend URL |
The URL by which the backend servers understand incoming requests. When set, two transformations take place:
|
||
Failure policy |
Two values have to be configured:
|
Silent: True; Code: 500 |
With the help of the Failure policy, it can be configured whether the use shall receive notification or not, and whether the notification shall contain the code on the type of the failure. The values in details are as follows:
|
Security flow* |
The security flow process requires the configuration of three values, each containing a list of Plugins. All three values are mandatory values.
|
The values in details are as follows:
|
-
Name the Endpoint Service.
-
Provide the Backend.
-
Choose the Request plugin from the drop-down list. The Plugin options available from the drop-down list have been configured under PLUGINS main navigation item.
-
Choose the Response plugin from the drop-down list. The Plugin options available from the drop-down list have been configured under PLUGINS main navigation item.
-
Select the Backend parameter from the drop-down list. Backend servers are configured under the SERVICE main navigation item.
-
Click the Validate button to check if the defined parameters are suitable and adequate for configuring the component. If the configuration of the component is erroneous or not adequate, the Web UI provides a warning that the 'Component validation failed'. Also a warning with information on the missing details appears at the problematic field for the user. If the configuration of the component is satisfactory, after clicking the Validate button, the user receives the 'Component Validation successful' notification.
-
Click the Save button, when all required configuration fields have been defined.
| Backend and Backend url needs to be the same as for all endpoints configured to the same listener. |
| All endpoints in the list must have the same backend and backend URL configured. |
| While ports must be unique, as only one listener can bind to a specific port, it is perfectly valid to route incoming traffic from multiple listeners to the same endpoint. |
A typical security flow is configured with the plugins in the following order:
-
a Decompressor Plugin that decompresses the content of the request
-
a Deserializer Plugin that parses the content of the request
-
an Enforcer Plugins that ensure the call is valid
-
Insight Plugins that extract important data from certain calls
-
a Serializer Plugin that rebuilds the contents of the request
-
a Compressor Plugin that compresses the content of the request
| The Plugin configurations are reusable. |
| The (De)compressor Plugin requires no configuration. default must be used as plugin_name. |
6.6.3. Listeners
Listeners are network endpoints where services are exposed to the network. They consist of:
-
a listening port
-
an optional client-side TLS configuration if HTTPS is used
-
a list of endpoints that handle the traffic.
Since these are the entry points for client traffic it must be routed here on the network.
6.6.3.1. Configuring Listeners
Listeners can be configured under the SERVICE navigation unit.
-
Click on the SERVICE main configuration item in the Left navigation area. Alternatively you can also click on the
sign to open up the sub-navigation items of SERVICE. -
Select Listener.
The configuration window that appears either presents the configuration values already set by the user or shows the configuration values ready to be configured:
-
Click the New button to create a Listener configuration.
At least one listener must always be configured in the Proxedo API Security configuration.
The following keys are available for listener configuration on the main page of the listener:
The listener’s key elements are described in the following table. The elements marked with * are mandatory to be configured.
| Key | Values | Default value | Description |
|---|---|---|---|
Name* |
It is a mandatory value. It can be defined in free text. |
The name identifying the listener. This name of the listener can be referenced from other parts of the configuration. |
|
Client TLS |
The default value is ‘none’, which means TLS is not used (and therefore HTTPS). You can alternatively set it to ‘first client tls’ or to ‘second client tls’, which values have to be defined first under Bricks/Client TLS. |
None |
TLS configuration towards the clients. See TLS for details. |
Endpoints* |
It is a mandatory value. You can choose the first, the second or the third endpoint values from a drop-down list. The endpoint values have to be defined previously under SERVICE/Endpoint. |
The list of endpoint(s), as defined under [endpoints] that serve traffic coming in on the listener. |
|
Port |
It is a mandatory value. Any port value can be defined. |
443 |
The number of the port(s) the listener binds to. |
Also consider the followings:
| All endpoints in the list must have the same backend and backend URL configured. |
| Ports must be unique, only one listener can bind to a specific port. It is however perfectly valid to route incoming traffic from multiple listeners to the same endpoint. |
-
Name the Listener Service.
-
Select the Client TLS parameter from the drop-down list. The client side TLS parameter values have to be defined previously under BRICKS.
-
Select the Endpoint from the drop-down list. The endpoint values have to be defined previously under SERVICE/Endpoint.
-
Fill in the Port information. If it is not configured, the default value will be applied.
-
Click the Validate button to check if the defined parameters are suitable and adequate for configuring the component. If the configuration of the component is erroneous or not adequate, the Web UI provides a warning that the 'Component validation failed'. Also a warning with information on the missing details appears at the problematic field for the user. If the configuration of the component is satisfactory, after clicking the Validate button, the user receives the 'Component Validation successful' notification.
-
Click the Save button, when all required configuration fields have been defined.
6.6.4. Log
If at any point an error occurs during the Security Flow, the error policy is applied and logging takes place if configured so.
6.6.4.1. Configuring Logs
Logging can be configured under the SERVICE main navigation item.
-
Click on SERVICES main configuration item in the Left navigation area. Alternatively you can also click on the
sign to open up the sub-navigation items of SERVICE. -
Select Log.
The following keys are available for configuration on the main page of Log:
| Key | Values | Default value | Description |
|---|---|---|---|
Name* |
It is a mandatory value. It can be defined in free text. |
The name identifying the log configuration. |
|
Log level |
The value can take number format. |
3 |
It configures the log level to logging. It must be between 1-9. |
Log specification |
A single log specification consists of a wildcard matching log category, a colon, and a number specifying the verbosity level of that given category. Categories match from left to right. For example: |
*.accounting:4,core.summary:4 |
Set verbosity mask on a per category basis. Each log message has an assigned multi-level category, where levels are separated by a dot. |
-
Click the Validate button to check if the defined parameters are suitable and adequate for configuring the component. If the configuration of the component is erroneous or not adequate, the Web UI provides a warning that the 'Component validation failed'. Also a warning with information on the missing details appears at the problematic field for the user. If the configuration of the component is satisfactory, after clicking the Validate button, the user receives the 'Component Validation successful' notification.
-
Click the Save button, when all required configuration fields have been defined.
6.6.5. Transport director
The Transport Director manages the transport layer of API connections:
-
handles network connections from the client
-
handles network connections towards the backends
-
handles TLS on these connections
-
load-balances between multiple backend servers
-
load-balances between multiple Flow Directors
-
enforces HTTP protocol validity in calls
6.6.5.1. Configuring the Transport Director
The Transport Director can be configured under the SERVICE main navigation item.
-
Click on the SERVICE main configuration item in the Left navigation area. Alternatively you can also click on the
sign to open up the sub-navigation items of SERVICE. -
Select Transport Director.
The following main window appears for the Transport Director:
The following settings control the Transport Director container’s startup.
| Key | Values | Default value | Description |
|---|---|---|---|
Name* |
It is a mandatory value. It can be defined in free text. |
The name identifying the Transport Director configuration. This name of the deserializer can be referenced from other parts of the configuration. |
|
Enable core |
It can be configured active or inactive. |
false |
It enables core dumps on failures. |
Threads |
0 |
Set the maximum number of threads that can be used in parallel. |
-
Click the Validate button to check if the defined parameters are suitable and adequate for configuring the component. If the configuration of the component is erroneous or not adequate, the Web UI provides a warning that the 'Component validation failed'. Also a warning with information on the missing details appears at the problematic field for the user. If the configuration of the component is satisfactory, after clicking the Validate button, the user receives the 'Component Validation successful' notification.
-
Click the Save button, when all required configuration fields have been defined.
6.7. Applying and validating Proxedo API Security configuration
PAS configuration can be checked and validated on two levels:
-
component-level validation
-
validating the whole configuration by using the Apply Config button
Component-level validation
Component-level validation takes place while configuring the actual elements of the configuration and by using the ‘Validate’ button on the Web UI page of the specific component.
If the configuration of the component is erroneous or not adequate, the Web UI provides a warning that the Component validation failed. Also a warning with information on the missing details appears at the problematic field for the user.
If the configuration of the component is satisfactory, after clicking the Validate button, the user receives the Component Validation successful notification. For related errors see, section Validation errors.
Validating the whole configuration
When applying the configuration by using the Apply Config button, the Web Ui provides either of the following messages:
-
Configuration applied successfully.
-
The configuration failed.
Note, that in case the configuration could not be applied, the Web Ui also provides an additional pop-up window with the description of the problem.
6.7.1. Validation errors
In case the configuration could not be applied, the following result messages help the user to correct the configuration and achieve a valid configuration.
6.7.1.1. Component-related errors
These errors are the results of the validation of the actual components. By correcting these the user can achieve a functioning configuration.
6.7.1.1.1. Missing data for required fields
Each component has compulsory configuration fields that must be filled in. In case any of those fields are left empty, the Web UI provides a 'Missing data for required field' notification when the component is validated, that is, the Validate button is used. Each compulsory field is highlighted with a * sign.
Example
The Target component requires the 'Host' field to be filled in, otherwise the component’s configuration is not valid.
Error message: Missing data for required field.
6.7.1.1.2. Missing reference
This error indicates that the component references a non-existing component.
Example
The user creates an error policy, 'Error Policy A' which error policy is referenced in a Filter. Following that, this specific error policy, 'Error Policy A' is deleted from the configuration. This results in a missing reference in the Filter.
Error message: Reference to a non-existing component: Error Policy A.
6.7.1.2. Integrity errors
6.7.1.2.1. Cycle detection
This error indicates that there is a cycle of references between the instances. The cycle of references can only be configured in between compound matchers.
Example
If the compound matcher 'Matcher A' is configured to reference the compound matcher 'Matcher B' and the compound matcher 'Matcher B' is also referencing the compound matcher 'Matcher A', there will be a cycle of references between these two compound matchers.
Error message: Cyle detected in configuration: BRICK/Matcher/Matcher A→BRICK/Matcher/Matcher B→BRICK/Matcher/Matcher A.
6.7.1.2.2. Required Instance is missing
This error indicates that a required instance is not configured. It is required that at least one Listener service must be configured.
Error message: At least one service/listener must be configured.
6.7.1.2.3. Endpoints of a listener must use the same backend
All endpoints added to a listener must use the same backend with the same backend URL.
Example
Configure two endpoints using different backends and create a listener. Add both endpoints to the same listener.
Error message: All endpoints configured to a listener must use the same backend.
7. Operations
7.1. Operation of dockerd
Dockerd is managed through 'systemd', so common administration tasks are carried out through its interfaces.
- Checking the status of docker
-
systemctl status docker
docker.service - Docker Application Container Engine
Loaded: loaded (/usr/lib/systemd/system/docker.service; enabled; vendor preset: disabled)
Active: active (running) since Mon 2017-07-10 08:25:38 CEST; 4h 1min ago
Docs: https://docs.docker.com
Main PID: 2148 (dockerd)
Tasks: 177 (limit: 4915)
Memory: 119.1M
CPU: 1min 36.272s
CGroup: /system.slice/docker.service
├─2148 /usr/bin/dockerd
├─2185 docker-containerd -l unix:///var/run/docker/libcontainerd/docker-containerd.sock --metrics-interval=0 --start-timeout 2m --state-dir /var/run/docker/libcon
├─2542 docker-containerd-shim fef20e5205c47b5cc18e612903a33e749ebd89a4bf30fd5bb8fb4a801450c84f /var/run/docker/libcontainerd/fef20e5205c47b5cc18e612903a33e749ebd8
├─2582 docker-containerd-shim 410f0bc67c731635a7d60e9f259d2f62ef8a845e09595254217decd3b3885473 /var/run/docker/libcontainerd/410f0bc67c731635a7d60e9f259d2f62ef8a8
├─2704 /usr/bin/docker-proxy -proto tcp -host-ip 0.0.0.0 -host-port 5000 -container-ip 172.18.0.2 -container-port 5000
├─2732 docker-containerd-shim 3853efde62d1767e70372584812df07968a647f40039691d82ccd5cbc66ee32d /var/run/docker/libcontainerd/3853efde62d1767e70372584812df07968a64
├─2770 /usr/bin/docker-proxy -proto tcp -host-ip 0.0.0.0 -host-port 8484 -container-ip 172.18.0.2 -container-port 443
├─2806 /usr/bin/docker-proxy -proto tcp -host-ip 0.0.0.0 -host-port 8181 -container-ip 172.18.0.2 -container-port 80
├─2832 /usr/bin/docker-proxy -proto tcp -host-ip 0.0.0.0 -host-port 2222 -container-ip 172.18.0.2 -container-port 22
├─2837 docker-containerd-shim e24a8f2f189467601edb6bee0e63451e7230726feab50d43556e6c66a8f9fc56 /var/run/docker/libcontainerd/e24a8f2f189467601edb6bee0e63451e72307
├─2921 docker-containerd-shim 8ac62e1eee0d162e632eab95b08ea36aff69abd5d1eeac475bfee3f393cba179 /var/run/docker/libcontainerd/8ac62e1eee0d162e632eab95b08ea36aff69a
├─2974 docker-containerd-shim 6df61a17c29a132cb5886a494fc34e38ff38f2cf470919289c783fada579a70c /var/run/docker/libcontainerd/6df61a17c29a132cb5886a494fc34e38ff38f
├─3043 docker-containerd-shim d00a1de3994e2b11ecd93d938dc94702f4f6d0364d2f3c1c423ab2a1ec5c843a /var/run/docker/libcontainerd/d00a1de3994e2b11ecd93d938dc94702f4f6d
├─3123 docker-containerd-shim b9e93059835c2d343c912c7f7154b14625dcd2e8d242fd67328e9532e5829d64 /var/run/docker/libcontainerd/b9e93059835c2d343c912c7f7154b14625dcd
├─3187 docker-containerd-shim 2d058ab3987f2461c5f0029505eca264f94d34ed23c8464bfd83362ad9bcd142 /var/run/docker/libcontainerd/2d058ab3987f2461c5f0029505eca264f94d3
└─3258 docker-containerd-shim 882c51a1a693230ea2d84f2f1a422655f9051d3a21a5f916a03e62614b17ed4a /var/run/docker/libcontainerd/882c51a1a693230ea2d84f2f1a422655f9051- Starting docker
-
systemctl start docker - Stopping docker
-
systemctl stop docker - Configuring docker to start automatically
-
systemctl enable docker - Configuring docker not to start automatically
-
systemctl disable docker
7.2. Operation of services
The services of PAS are consolidated under the user pas who has privileges for common administration tasks.
| Unless otherwise noted administrative commands should therefore be run as pas and not as root. This is especially true for docker-compose commands. |
7.2.1. Checking configuration with pas-mgmt-checkconfig
pas-mgmt-checkconfig can check the validity of PAS management configuration. Namely:
-
it makes sure that the mandatory containers are defined in docker-compose.yml.
-
it checks config.yml against the defined containers one by one.
| docker-compose.yml is only checked for making sure that services have a proper image tag. |
| Currently, there is no configuration checker script for the core component. |
7.2.2. Checking services
7.2.2.1. Management service
- Checking the status of PAS management
-
systemctl status proxedo-api-security-mgmt - List the status of the services
-
docker-compose -f /opt/balasys/etc/infrastructure/mgmt/docker-compose.yml ps
Name Command State Ports ------------------------------------------------------------------------------------------------------- pas_blob-store_1 /usr/bin/dumb-init /opt/ba ... Up 0.0.0.0:9000->9000/tcp pas_config-api_1 /usr/bin/dumb-init /usr/lo ... Up 8080/tcp pas_consul_1 /usr/bin/dumb-init /usr/lo ... Up 0.0.0.0:8080->8080/tcp pas_frontend_1 /usr/bin/dumb-init /usr/lo ... Up 0.0.0.0:80->8080/tcp, 0.0.0.0:443->8443/tcp
- Check which images are used by the services
-
docker-compose -f /opt/balasys/etc/infrastructure/mgmt/docker-compose.yml images
Container Repository Tag Image Id Size ------------------------------------------------------------------------------------------------ pas_blob-store_1 docker.balasys.hu/api-security/blob-store 3.0.3 40bdc2d7665e 654.5 MB pas_config-api_1 docker.balasys.hu/api-security/config-api 3.0.3 025bf7529113 596.2 MB pas_consul_1 docker.balasys.hu/api-security/consul 3.0.3 afd247e1e8c4 817 MB pas_frontend_1 docker.balasys.hu/api-security/config-webui 3.0.3 1f2536bf1cf2 583.5 MB
7.2.2.2. Core service
- Checking the status of PAS
-
systemctl status proxedo-api-security - List the status of the services
-
docker-compose -f /opt/balasys/etc/infrastructure/pas/docker-compose.yml ps
Name Command State Ports ---------------------------------------------------------------------------------------------------------------------- pas_flow-director_1 /usr/bin/dumb-init /usr/lo ... Up pas_flow-director_2 /usr/bin/dumb-init /usr/lo ... Up pas_insight-director_1 /usr/bin/dumb-init /usr/lo ... Up pas_transport-director_1 /usr/bin/dumb-init /usr/lo ... Up 0.0.0.0:49000->49000/tcp, 0.0.0.0:49001->49001/tcp
- Check which images are used by the services
-
docker-compose -f /opt/balasys/etc/infrastructure/pas/docker-compose.yml images
Container Repository Tag Image Id Size -------------------------------------------------------------------------------------------------------------- pas_flow-director_1 docker.balasys.hu/api-security/flow-director 3.0.3 a2b7ccc88823 626.3 MB pas_flow-director_2 docker.balasys.hu/api-security/flow-director 3.0.3 a2b7ccc88823 626.3 MB pas_insight-director_1 docker.balasys.hu/api-security/insight-director 3.0.3 db005e0fa5b6 573.6 MB pas_transport-director_1 docker.balasys.hu/api-security/transport-director 3.0.3 c53bfaed2db0 653.1 MB
7.2.3. Starting and stopping services
7.2.3.1. Management service
- Starting PAS management
-
systemctl start proxedo-api-security-mgmt - Stopping PAS management
-
systemctl stop proxedo-api-security-mgmt - Restarting PAS management
-
systemctl restart proxedo-api-security-mgmt
pas-mgmt-checkconfig is invoked prior to (re)starting and
reloading the service. The requested operation is interrupted if
pas-mgmt-checkconfig fails.
|
- Configuring PAS management to start automatically
-
systemctl enable proxedo-api-security-mgmt - Configuring PAS management not to start automatically
-
systemctl disable proxedo-api-security-mgmt
7.2.3.2. Core service
- Starting PAS
-
systemctl start proxedo-api-security - Stopping PAS
-
systemctl stop proxedo-api-security - Restarting PAS
-
systemctl restart proxedo-api-security - Reloading PAS
-
systemctl reload proxedo-api-security - Configuring PAS to start automatically
-
systemctl enable proxedo-api-security - Configuring PAS not to start automatically
-
systemctl disable proxedo-api-security
7.3. Checking Logs
All the container logs are collected in the system journal. Container logs are identified with the name of the container such as pas-[transport|insight|flow|ha]-director. Management container identifiers are pas-[frontend|config-api|consul|blob-store]
You can check the system journal with the journalctl command.
It accepts various possibilities for filtering, consult its manual page for details.
When using the --unit option of journalctl, note that the services are docker containers and their logs show up under the docker service, and not under proxedo-api-security.
|
One option for checking a specific container’s logs is to use the
--identifier option for journalctl and specify the identifier of the component.
|
7.3.1. Understanding logs
As multiple pieces of software run in each container, there are two layers of logs in each containers' output.
The first field is always an ISO formatted date. Then the name of the process inside the container follows. The remaining fields are the output of the process itself.
In the below example, we see logs from the flow-director container. It prints output for processes called pre, pas-event-handler, flow-director and service-adaptor.
2021-04-20T09:15:30 pre Container starts
2021-04-20T09:15:33 pre INFO:confgen: Generating configuration files
2021-04-20T09:15:34 pas-event-handler INFO:SupervisordEventDispatcher:Dispatching event; processname='pre', eventname='PROCESS
2021-04-20T09:15:34 pas-event-handler INFO:SupervisordEventDispatcher:Process exited; processname=pre, success=True
2021-04-20T09:15:34 pas-event-handler INFO:SupervisordEventDispatcher:Starting main processes.
2021-04-20T09:15:34 pas-event-handler INFO:SupervisordEventDispatcher:Starting process; process='flow-director'
[...]
2021-04-20T09:15:37 flow-director 2021-04-20T09:15:37+0200: flow_builder.info(3) (nosession): Loaded plugin; [...]
2021-04-20T09:15:37 flow-director 2021-04-20T09:15:37+0200: flow_builder.info(3) (nosession): Loaded plugin; [...]
2021-04-20T09:15:37 flow-director 2021-04-20T09:15:37+0200: flow_builder.info(3) (nosession): Loaded plugin; [...]
2021-04-20T09:15:37 flow-director 2021-04-20T09:15:37+0200: flow_builder.info(3) (nosession): Loaded plugin; [...]
2021-04-20T09:15:37 flow-director 2021-04-20T09:15:37+0200: flow_builder.info(3) (nosession): Loaded plugin; [...]
2021-04-20T09:15:37 flow-director 2021-04-20T09:15:37+0200: flow_builder.info(3) (nosession): Loaded plugin; [...]
2021-04-20T09:15:37 flow-director 2021-04-20T09:15:37+0200: flow_builder.info(3) (nosession): Loaded plugin; [...]
2021-04-20T09:15:37 flow-director 2021-04-20T09:15:37+0200: flow_set.info(3) (nosession): Start building flows
[...]
2021-04-20T09:15:39 pas-event-handler INFO:SupervisordEventDispatcher:Starting process; process='service-adaptor'
[...]
2021-05-07T14:23:55 service-adaptor INFO:PASHealthCheck:All services are healthy.
2021-05-07T14:23:55 service-adaptor [pid: 47|app: 0|req: 223/223] 172.19.0.3 () {28 vars in 350 bytes} [Fri May 7 14:23:55 2021] [...]
7.3.1.1. Flow Director and Transport Director logs
As from the API security perspective, the most important components are Flow Director and Transport Director, we discuss their logs more in detail. There are two important concepts related to these logs: categories and Session IDs.
-
Categories help filtering logs based on their relevance. They are composed of a component, a tag, and a severity, for example: http.info(3).
-
The component helps to identify the part of the solution. For the Transport Director this is usually core or http, for the Flow Director it is either core, or the Plugin’s type, such as serializer or enforcer.
-
The tag helps to define the type of the message. Usually one of info, error, debug, policy or accounting.
-
The severity defines how important the message is. It is a number between 1-9 where 1 is the highest.
-
-
Session ID helps identifying log lines that belong to the same session. This is especially important as the calls travel between the Transport Director and the Flow Director.
It is usually in the form of svc/default/<listener>:<transport-director-session>/default/http#<http-request-count>/flow:<flow-director-id>/ch:<flow-director-channel>/<plugin_type>/<plugin_name>, for example: svc/default/httpbin:14/default/http#0/flow:1/ch:28/enforcer/manualtest.
Information that is not available at the time, will be missing from the Session ID. Generally, the part until /flow: belongs to the Transport Director. Consequently, the Transport Director will never see that part. The Flow Director however will fetch and include that information. Nevertheless, in early phases it might not be available, and the Session ID will start with flow.
Despite some parts not being always available, the ID is constructed in such a manner that grepping on any part will find other messages with extra information as well.
7.4. Backup and restore
- Configuration
-
The following files and folders need to be backed up or restored:
-
/opt/balasys/etc
-
/opt/docker
-
- Data
-
The following files or folders need to be backed up or restored:
-
/opt/balasys/var/persistent
-
- Process to backup files or folders
-
-
Pack files or folders mentioned earlier (optional).
-
Copy (packed) configuration and data to the backup server.
-
- Process to restore files or folders
-
-
Stop all PAS services.
-
Copy (packed) configuration and data from the remote server.
-
Unpack files or folders mentioned earlier (optional).
-
Start all PAS services.
-
7.5. Recreating services
| Recreating services will cause a service disruption. |
- Factory reset for PAS services
-
Remove all persistent data from the host.
| This operation must be run as root. |
-
/opt/balasys/bin/pas-factory-reset -
/opt/balasys/bin/pas-mgmt-factory-reset- Resetting an individual service without removing persistent data
-
Use
docker psto find the container name of the service, the container of which you want to reset. -
Stop the services by
systemctl stop proxedo-api-securityorsystemctl stop proxedo-api-security-mgmt. -
Remove the containers by
docker rm <name-of-container>. -
Start the services by
systemctl start proxedo-api-securityorsystemctl start proxedo-api-security-mgmt.
7.6. Troubleshooting services
- Inspect running processes inside services
-
-
docker-compose -f /opt/balasys/etc/infrastructure/pas/docker-compose.yml top [SERVICE] -
docker-compose -f /opt/balasys/etc/infrastructure/mgmt/docker-compose.yml top [SERVICE]
-
You can list available services by running docker-compose -f <docker-compose-file> ps --services.
|
pas_flow-director_1 UID PID PPID C STIME TTY TIME CMD -------------------------------------------------------------------------------------------------------------------------------------- root 26109 26052 0 13:46 ? 00:00:00 /usr/bin/dumb-init /usr/local/bin/supervisord -c /opt/balasys/etc/supervisord.conf [...] root 26529 26252 0 13:46 ? 00:00:01 /usr/bin/python3 /usr/local/bin/twistd -ny /opt/balasys/etc/twisted.tac [...] pas_flow-director_2 UID PID PPID C STIME TTY TIME CMD -------------------------------------------------------------------------------------------------------------------------------------- root 26350 26314 0 13:46 ? 00:00:00 /usr/bin/dumb-init /usr/local/bin/supervisord -c /opt/balasys/etc/supervisord.conf [...] root 26545 26434 0 13:46 ? 00:00:01 /usr/bin/python3 /usr/local/bin/twistd -ny /opt/balasys/etc/twisted.tac [...]
- Gain a shell to a running service
-
-
pas-login SERVICE -
pas-mgmt-login SERVICE
-
| Run these commands without parameters to get the list of available service names. |
Appendix A: Time zones
Time zones
| Country Code | Time zone Name |
|---|---|
AD |
Europe/Andorra |
AE |
Asia/Dubai |
AF |
Asia/Kabul |
AG |
America/Antigua |
AI |
America/Anguilla |
AL |
Europe/Tirane |
AM |
Asia/Yerevan |
AO |
Africa/Luanda |
AQ |
Antarctica/McMurdo |
AQ |
Antarctica/Casey |
AQ |
Antarctica/Davis |
AQ |
Antarctica/DumontDUrville |
AQ |
Antarctica/Mawson |
AQ |
Antarctica/Palmer |
AQ |
Antarctica/Rothera |
AQ |
Antarctica/Syowa |
AQ |
Antarctica/Troll |
AQ |
Antarctica/Vostok |
AR |
America/Argentina/Buenos_Aires |
AR |
America/Argentina/Cordoba |
AR |
America/Argentina/Salta |
AR |
America/Argentina/Jujuy |
AR |
America/Argentina/Tucuman |
AR |
America/Argentina/Catamarca |
AR |
America/Argentina/La_Rioja |
AR |
America/Argentina/San_Juan |
AR |
America/Argentina/Mendoza |
AR |
America/Argentina/San_Luis |
AR |
America/Argentina/Rio_Gallegos |
AR |
America/Argentina/Ushuaia |
AS |
Pacific/Pago_Pago |
AT |
Europe/Vienna |
AU |
Australia/Lord_Howe |
AU |
Antarctica/Macquarie |
AU |
Australia/Hobart |
AU |
Australia/Currie |
AU |
Australia/Melbourne |
AU |
Australia/Sydney |
AU |
Australia/Broken_Hill |
AU |
Australia/Brisbane |
AU |
Australia/Lindeman |
AU |
Australia/Adelaide |
AU |
Australia/Darwin |
AU |
Australia/Perth |
AU |
Australia/Eucla |
AW |
America/Aruba |
AX |
Europe/Mariehamn |
AZ |
Asia/Baku |
BA |
Europe/Sarajevo |
BB |
America/Barbados |
BD |
Asia/Dhaka |
BE |
Europe/Brussels |
BF |
Africa/Ouagadougou |
BG |
Europe/Sofia |
BH |
Asia/Bahrain |
BI |
Africa/Bujumbura |
BJ |
Africa/Porto-Novo |
BL |
America/St_Barthelemy |
BM |
Atlantic/Bermuda |
BN |
Asia/Brunei |
BO |
America/La_Paz |
BQ |
America/Kralendijk |
BR |
America/Noronha |
BR |
America/Belem |
BR |
America/Fortaleza |
BR |
America/Recife |
BR |
America/Araguaina |
BR |
America/Maceio |
BR |
America/Bahia |
BR |
America/Sao_Paulo |
BR |
America/Campo_Grande |
BR |
America/Cuiaba |
BR |
America/Santarem |
BR |
America/Porto_Velho |
BR |
America/Boa_Vista |
BR |
America/Manaus |
BR |
America/Eirunepe |
BR |
America/Rio_Branco |
BS |
America/Nassau |
BT |
Asia/Thimphu |
BW |
Africa/Gaborone |
BY |
Europe/Minsk |
BZ |
America/Belize |
CA |
America/St_Johns |
CA |
America/Halifax |
CA |
America/Glace_Bay |
CA |
America/Moncton |
CA |
America/Goose_Bay |
CA |
America/Blanc-Sablon |
CA |
America/Toronto |
CA |
America/Nipigon |
CA |
America/Thunder_Bay |
CA |
America/Iqaluit |
CA |
America/Pangnirtung |
CA |
America/Atikokan |
CA |
America/Winnipeg |
CA |
America/Rainy_River |
CA |
America/Resolute |
CA |
America/Rankin_Inlet |
CA |
America/Regina |
CA |
America/Swift_Current |
CA |
America/Edmonton |
CA |
America/Cambridge_Bay |
CA |
America/Yellowknife |
CA |
America/Inuvik |
CA |
America/Creston |
CA |
America/Dawson_Creek |
CA |
America/Fort_Nelson |
CA |
America/Vancouver |
CA |
America/Whitehorse |
CA |
America/Dawson |
CC |
Indian/Cocos |
CD |
Africa/Kinshasa |
CD |
Africa/Lubumbashi |
CF |
Africa/Bangui |
CG |
Africa/Brazzaville |
CH |
Europe/Zurich |
CI |
Africa/Abidjan |
CK |
Pacific/Rarotonga |
CL |
America/Santiago |
CL |
America/Punta_Arenas |
CL |
Pacific/Easter |
CM |
Africa/Douala |
CN |
Asia/Shanghai |
CN |
Asia/Urumqi |
CO |
America/Bogota |
CR |
America/Costa_Rica |
CU |
America/Havana |
CV |
Atlantic/Cape_Verde |
CW |
America/Curacao |
CX |
Indian/Christmas |
CY |
Asia/Nicosia |
CY |
Asia/Famagusta |
CZ |
Europe/Prague |
DE |
Europe/Berlin |
DE |
Europe/Busingen |
DJ |
Africa/Djibouti |
DK |
Europe/Copenhagen |
DM |
America/Dominica |
DO |
America/Santo_Domingo |
DZ |
Africa/Algiers |
EC |
America/Guayaquil |
EC |
Pacific/Galapagos |
EE |
Europe/Tallinn |
EG |
Africa/Cairo |
EH |
Africa/El_Aaiun |
ER |
Africa/Asmara |
ES |
Europe/Madrid |
ES |
Africa/Ceuta |
ES |
Atlantic/Canary |
ET |
Africa/Addis_Ababa |
FI |
Europe/Helsinki |
FJ |
Pacific/Fiji |
FK |
Atlantic/Stanley |
FM |
Pacific/Chuuk |
FM |
Pacific/Pohnpei |
FM |
Pacific/Kosrae |
FO |
Atlantic/Faroe |
FR |
Europe/Paris |
GA |
Africa/Libreville |
GB |
Europe/London |
GD |
America/Grenada |
GE |
Asia/Tbilisi |
GF |
America/Cayenne |
GG |
Europe/Guernsey |
GH |
Africa/Accra |
GI |
Europe/Gibraltar |
GL |
America/Godthab |
GL |
America/Danmarkshavn |
GL |
America/Scoresbysund |
GL |
America/Thule |
GM |
Africa/Banjul |
GN |
Africa/Conakry |
GP |
America/Guadeloupe |
GQ |
Africa/Malabo |
GR |
Europe/Athens |
GS |
Atlantic/South_Georgia |
GT |
America/Guatemala |
GU |
Pacific/Guam |
GW |
Africa/Bissau |
GY |
America/Guyana |
HK |
Asia/Hong_Kong |
HN |
America/Tegucigalpa |
HR |
Europe/Zagreb |
HT |
America/Port-au-Prince |
HU |
Europe/Budapest |
ID |
Asia/Jakarta |
ID |
Asia/Pontianak |
ID |
Asia/Makassar |
ID |
Asia/Jayapura |
IE |
Europe/Dublin |
IL |
Asia/Jerusalem |
IM |
Europe/Isle_of_Man |
IN |
Asia/Kolkata |
IO |
Indian/Chagos |
IQ |
Asia/Baghdad |
IR |
Asia/Tehran |
IS |
Atlantic/Reykjavik |
IT |
Europe/Rome |
JE |
Europe/Jersey |
JM |
America/Jamaica |
JO |
Asia/Amman |
JP |
Asia/Tokyo |
KE |
Africa/Nairobi |
KG |
Asia/Bishkek |
KH |
Asia/Phnom_Penh |
KI |
Pacific/Tarawa |
KI |
Pacific/Enderbury |
KI |
Pacific/Kiritimati |
KM |
Indian/Comoro |
KN |
America/St_Kitts |
KP |
Asia/Pyongyang |
KR |
Asia/Seoul |
KW |
Asia/Kuwait |
KY |
America/Cayman |
KZ |
Asia/Almaty |
KZ |
Asia/Qyzylorda |
KZ |
Asia/Qostanay |
KZ |
Asia/Aqtobe |
KZ |
Asia/Aqtau |
KZ |
Asia/Atyrau |
KZ |
Asia/Oral |
LA |
Asia/Vientiane |
LB |
Asia/Beirut |
LC |
America/St_Lucia |
LI |
Europe/Vaduz |
LK |
Asia/Colombo |
LR |
Africa/Monrovia |
LS |
Africa/Maseru |
LT |
Europe/Vilnius |
LU |
Europe/Luxembourg |
LV |
Europe/Riga |
LY |
Africa/Tripoli |
MA |
Africa/Casablanca |
MC |
Europe/Monaco |
MD |
Europe/Chisinau |
ME |
Europe/Podgorica |
MF |
America/Marigot |
MG |
Indian/Antananarivo |
MH |
Pacific/Majuro |
MH |
Pacific/Kwajalein |
MK |
Europe/Skopje |
ML |
Africa/Bamako |
MM |
Asia/Yangon |
MN |
Asia/Ulaanbaatar |
MN |
Asia/Hovd |
MN |
Asia/Choibalsan |
MO |
Asia/Macau |
MP |
Pacific/Saipan |
MQ |
America/Martinique |
MR |
Africa/Nouakchott |
MS |
America/Montserrat |
MT |
Europe/Malta |
MU |
Indian/Mauritius |
MV |
Indian/Maldives |
MW |
Africa/Blantyre |
MX |
America/Mexico_City |
MX |
America/Cancun |
MX |
America/Merida |
MX |
America/Monterrey |
MX |
America/Matamoros |
MX |
America/Mazatlan |
MX |
America/Chihuahua |
MX |
America/Ojinaga |
MX |
America/Hermosillo |
MX |
America/Tijuana |
MX |
America/Bahia_Banderas |
MY |
Asia/Kuala_Lumpur |
MY |
Asia/Kuching |
MZ |
Africa/Maputo |
NA |
Africa/Windhoek |
NC |
Pacific/Noumea |
NE |
Africa/Niamey |
NF |
Pacific/Norfolk |
NG |
Africa/Lagos |
NI |
America/Managua |
NL |
Europe/Amsterdam |
NO |
Europe/Oslo |
NP |
Asia/Kathmandu |
NR |
Pacific/Nauru |
NU |
Pacific/Niue |
NZ |
Pacific/Auckland |
NZ |
Pacific/Chatham |
OM |
Asia/Muscat |
PA |
America/Panama |
PE |
America/Lima |
PF |
Pacific/Tahiti |
PF |
Pacific/Marquesas |
PF |
Pacific/Gambier |
PG |
Pacific/Port_Moresby |
PG |
Pacific/Bougainville |
PH |
Asia/Manila |
PK |
Asia/Karachi |
PL |
Europe/Warsaw |
PM |
America/Miquelon |
PN |
Pacific/Pitcairn |
PR |
America/Puerto_Rico |
PS |
Asia/Gaza |
PS |
Asia/Hebron |
PT |
Europe/Lisbon |
PT |
Atlantic/Madeira |
PT |
Atlantic/Azores |
PW |
Pacific/Palau |
PY |
America/Asuncion |
QA |
Asia/Qatar |
RE |
Indian/Reunion |
RO |
Europe/Bucharest |
RS |
Europe/Belgrade |
RU |
Europe/Kaliningrad |
RU |
Europe/Moscow |
UA |
Europe/Simferopol |
RU |
Europe/Kirov |
RU |
Europe/Astrakhan |
RU |
Europe/Volgograd |
RU |
Europe/Saratov |
RU |
Europe/Ulyanovsk |
RU |
Europe/Samara |
RU |
Asia/Yekaterinburg |
RU |
Asia/Omsk |
RU |
Asia/Novosibirsk |
RU |
Asia/Barnaul |
RU |
Asia/Tomsk |
RU |
Asia/Novokuznetsk |
RU |
Asia/Krasnoyarsk |
RU |
Asia/Irkutsk |
RU |
Asia/Chita |
RU |
Asia/Yakutsk |
RU |
Asia/Khandyga |
RU |
Asia/Vladivostok |
RU |
Asia/Ust-Nera |
RU |
Asia/Magadan |
RU |
Asia/Sakhalin |
RU |
Asia/Srednekolymsk |
RU |
Asia/Kamchatka |
RU |
Asia/Anadyr |
RW |
Africa/Kigali |
SA |
Asia/Riyadh |
SB |
Pacific/Guadalcanal |
SC |
Indian/Mahe |
SD |
Africa/Khartoum |
SE |
Europe/Stockholm |
SG |
Asia/Singapore |
SH |
Atlantic/St_Helena |
SI |
Europe/Ljubljana |
SJ |
Arctic/Longyearbyen |
SK |
Europe/Bratislava |
SL |
Africa/Freetown |
SM |
Europe/San_Marino |
SN |
Africa/Dakar |
SO |
Africa/Mogadishu |
SR |
America/Paramaribo |
SS |
Africa/Juba |
ST |
Africa/Sao_Tome |
SV |
America/El_Salvador |
SX |
America/Lower_Princes |
SY |
Asia/Damascus |
SZ |
Africa/Mbabane |
TC |
America/Grand_Turk |
TD |
Africa/Ndjamena |
TF |
Indian/Kerguelen |
TG |
Africa/Lome |
TH |
Asia/Bangkok |
TJ |
Asia/Dushanbe |
TK |
Pacific/Fakaofo |
TL |
Asia/Dili |
TM |
Asia/Ashgabat |
TN |
Africa/Tunis |
TO |
Pacific/Tongatapu |
TR |
Europe/Istanbul |
TT |
America/Port_of_Spain |
TV |
Pacific/Funafuti |
TW |
Asia/Taipei |
TZ |
Africa/Dar_es_Salaam |
UA |
Europe/Kiev |
UA |
Europe/Uzhgorod |
UA |
Europe/Zaporozhye |
UG |
Africa/Kampala |
UM |
Pacific/Midway |
UM |
Pacific/Wake |
US |
America/New_York |
US |
America/Detroit |
US |
America/Kentucky/Louisville |
US |
America/Kentucky/Monticello |
US |
America/Indiana/Indianapolis |
US |
America/Indiana/Vincennes |
US |
America/Indiana/Winamac |
US |
America/Indiana/Marengo |
US |
America/Indiana/Petersburg |
US |
America/Indiana/Vevay |
US |
America/Chicago |
US |
America/Indiana/Tell_City |
US |
America/Indiana/Knox |
US |
America/Menominee |
US |
America/North_Dakota/Center |
US |
America/North_Dakota/New_Salem |
US |
America/North_Dakota/Beulah |
US |
America/Denver |
US |
America/Boise |
US |
America/Phoenix |
US |
America/Los_Angeles |
US |
America/Anchorage |
US |
America/Juneau |
US |
America/Sitka |
US |
America/Metlakatla |
US |
America/Yakutat |
US |
America/Nome |
US |
America/Adak |
US |
Pacific/Honolulu |
UY |
America/Montevideo |
UZ |
Asia/Samarkand |
UZ |
Asia/Tashkent |
VA |
Europe/Vatican |
VC |
America/St_Vincent |
VE |
America/Caracas |
VG |
America/Tortola |
VI |
America/St_Thomas |
VN |
Asia/Ho_Chi_Minh |
VU |
Pacific/Efate |
WF |
Pacific/Wallis |
WS |
Pacific/Apia |
YE |
Asia/Aden |
YT |
Indian/Mayotte |
ZA |
Africa/Johannesburg |
ZM |
Africa/Lusaka |
ZW |
Africa/Harare |