Proxedo API Security based on VM environment: Administration Guide

Copyright © 2019 Balasys IT Ltd.. All rights reserved. This document is protected by copyright and is distributed under licenses restricting its use, copying, distribution, and decompilation. No part of this document may be reproduced in any form by any means without prior written authorization of Balasys.

This documentation and the product it describes are considered protected by copyright according to the applicable laws.

This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit (http://www.openssl.org/). This product includes cryptographic software written by Eric Young (eay@cryptsoft.com)

Linux™ is a registered trademark of Linus Torvalds.

Windows™ 10 is registered trademarks of Microsoft Corporation.

The Balasys™ name and the Balasys™ logo are registered trademarks of Balasys IT Ltd.

The Proxedo™ name and the Proxedo™ logo are registered trademarks of Balasys IT Ltd.

AMD Ryzen™ and AMD EPYC™ are registered trademarks of Advanced Micro Devices, Inc.

Intel® Core™ and Intel® Xeon™ are trademarks of Intel Corporation or its subsidiaries in the U.S. and/or other countries.

All other product names mentioned herein are the trademarks of their respective owners.

DISCLAIMER

Balasys is not responsible for any third-party websites mentioned in this document. Balasys does not endorse and is not responsible or liable for any content, advertising, products, or other material on or available from such sites or resources. Balasys will not be responsible or liable for any damage or loss caused or alleged to be caused by or in connection with use of or reliance on any such content, goods, or services that are available on or through any such sites or resources.

2023-12-07 .Copyright

Preface

Typographical conventions

Before you start using this guide, it is important to understand the terms and typographical conventions used in the documentation. For more information on specialized terms and abbreviations used in the documentation, see the Glossary at the end of this document.

The following text formatting principles and icons identify special information in the document.

Tips provide best practices and recommendations.

Notes provide additional information on a topic, and emphasize important facts and considerations.

Warnings mark situations where loss of data or misconfiguration of the device is possible if the instructions are not obeyed.

Command: Commands you have to execute.
Emphasis: Reference items, additional readings.
/path/to/file: File names.
Parameters: Parameter and attribute names.

In the parameter listing tables the required parameters are also emphasized with bold text:

Key	Description
param1	This is a required parameter.
param2	This is an optional parameter.

Key

Description

param1

This is a required parameter.

param2

This is an optional parameter.

Additional marks used specifically in the Web User Interface (UI):

Key	Description
*	The elements marked with * in the configuration reference tables are mandatory to be configured.
(Default)	For some of the configuration elements there are recommended default values, marked as (Default). In case the value is not defined during the configuration, the default value will be considered for the actual element.
+	By clicking this sign you can add the actual element to the list of configuration elements.

Key

Description

The elements marked with * in the configuration reference tables are mandatory to be configured.

(Default)

For some of the configuration elements there are recommended default values, marked as (Default). In case the value is not defined during the configuration, the default value will be considered for the actual element.

By clicking this sign you can add the actual element to the list of configuration elements.

Contact and support information

This product is developed and maintained by Balasys IT Ltd..

Contact:

Balasys IT Ltd.
4 Alíz Street
H-1117 Budapest, Hungary
Tel: +36 1 646 4740
E-mail: <info@balasys.hu>
Web: http://balasys.hu/

Sales contact

You can directly contact us with sales-related topics at the e-mail address <sales@balasys.hu>, or leave us your contact information and we call you back.

Support contact

To access the Balasys Support System, sign up for an account at the Balasys Support System page. Online support is available 24 hours a day.

Balasys Support System is available only for registered users with a valid support package.

Support e-mail address: <support@balasys.hu>.

Training

Balasys IT Ltd. holds courses on using its products for new and experienced users. For dates, details, and application forms, visit the https://www.balasys.hu/en/services#training webpage.

1. Scope of this document

This document describes the Web User Interface for the Proxedo API Security in VM. The purpose of this document is to present the designed approach and the usage for the configuration of Proxedo API Security via Web User Interface (UI). The Web UI allows easy configuration for Proxedo API Security. All the functionalities are grouped visually and logically into thematic units which follow the logical built up of Proxedo API Security’s configuration. The primary intended audience of this document are system engineers and system designers for configuring Proxedo API Security systems.

2. Introduction to Proxedo API Security

2.1. What is Proxedo API Security

The Proxedo API Security (PAS) is a security solution that protects API serving endpoints. It is positioned in the network flow between consumers of the APIs (clients) and backend solutions serving the API (servers) as a transparent HTTP proxy.

Proxedo API Security can:

handle incoming Transport Layer Security v1 (TLS) connections from clients & outgoing TLS connections to servers separately and selectively
verify that the communication conforms to HTTP specifications
verify that the content of the messages conform to their specified content type
verify that the content of messages conform to API specification(s) as described in schemas
evaluate the level of risk with regards to the API call using the data collected from call data
provide rule-based protection against a variety of web-based application layer attacks
extract parts of the content of the messages and relay them to external data stores such as log servers, SIEM systems or other data warehouses

2.2. Where to start

Depending on what you need to do the following starting points are suggested:

To understand what the product does and how, see Overview of Proxedo API Security.
- If you are familiar with API terminology jump right to Architecture for Proxedo API Security.
See Installation of Proxedo API Security based on VMs if you need to set up a new PAS.
The Operation of Proxedo API Security based on VMs chapter is about how to manage a working system on the level of the operating system.
Configuration of Proxedo API Security on the Web User Interface contains in-depth information about everything that can be configured with the help of the Web User Interface.
If you are already familiar with the system and need to find a component that suits your needs consult the Matcher types, Comparators, Extractor types or Insight Target.

3. Overview of Proxedo API Security

3.1. Main features

3.1.1. TLS

Transport Layer Security v1 (TLS) (successor of the now obsoleted Secure Socket Layer v3 (SSL)) is a widely used crypto protocol, guaranteeing data integrity and confidentiality in many PKI and e-commerce systems.

The TLS framework inspects TLS connections, and also any other connections embedded into the encrypted TLS channel. TLS connections initiated from the client are terminated on the Proxedo API Security, and two separate TLS connections are built: one between the client and the firewall, and one between the firewall and the server. If both connections match the configuration settings of PAS (for example, the certificates are valid, and only the allowed encryption algorithms are used), PAS inspects the protocol embedded into the secure channel as well. Note that the configuration settings can be different for the two connections, for example, it is possible to permit different protocol versions and encryption settings.

3.1.2. Enforcement

Proxedo API Security acts as an HTTP proxy and verifies that the traffic passing through conforms to HTTP’s specifications. By using OpenAPI schemas, as defined in OpenAPI specifications (also known as Swagger), it also verifies that the traffic passing through conforms to the API endpoint’s specification and can log or deny non-conforming traffic.

PAS also provides its own versatile filtering system to control passing traffic.

3.1.3. Fraud Detection

The Fraud Detection module of Proxedo API Security reduces the number of fraudulent transactions by harnessing device fingerprinting and enriching incoming data with alternate sources to provide the best accuracy and details about transactions.

3.1.4. Rule-based Enforcement

Besides its positive security model approach, Proxedo API Security also has a web application firewall module. The WAF Enforcer protects against a variety of application layer attacks including credential theft, code injection, cross-site scripting (XSS), cookie poisoning, CSRF, SQL injection, DoS, ransomware, and more.

3.1.5. Insights

With Proxedo API Security it is possible to extract business-relevant information with extremely high resolution from the traffic and relay it to external data stores where further analysis can be implemented.

Thus, it is possible to feed Log Management solutions, Monitoring and SIEM systems, Data visualization tools with data extracted from the traffic, even to the level of specific fields deep inside API calls or URI parameters.

3.1.6. Security flow

The security flow binds most of PAS’s features together. It allows flexible configuration for handling the traffic. Multiple Enforcement, Filter and Insight plugins can be mix-and-matched with control over error policies.

3.1.7. High Availability

Proxedo API Security offers the high availability (HA) feature optionally. With the help of this feature, two identical PAS servers provide redundancy so that the network traffic is not disturbed in case any of the nodes fails. Support for synchronizing configuration and setting remote services' state is also implemented.

3.1.8. Monitoring

The Monitoring system of Proxedo API Security core leverages the widely accepted Simple Network Management Protocol (SNMP) to monitor its network components and to collect data on the components systematically. The monitoring capability of PAS core relies on the SNMP daemon. The collected data, organized into an information database and shared between the SNMP daemon and the Monitoring Manager is called Management Information Base (MIB). For the analysis of the collected data, the BALASYS-SNMP-MIB and the PAS-SNMP-MIB Management Information Base (MIB) documents can be downloaded from Balasys customer documentation. Further recommended MIB files are, SNMPv2-MIB, IF-MIB and UCD-SNMP-MIB.

For the monitoring implementation, PAS depends on the snmpd service on the underlying host operating system. Therefore if snmpd fails or is stopped, PAS also stops.

3.2. Main Concepts in Proxedo API Security

This chapter provides an overview of the Proxedo API Security solution, introduces its main concepts, and explains the relationship of the various components.

API Endpoint

Proxedo API Security protects API endpoints. An API endpoint is the serving part of the communication channel and is the collection of all functions of a service. It resides at a list of well-known top URIs under which all the functions are accessible. APIs have well-defined HTTP Endpoints for all exposed calls, resources etc., usually through providing a schema that describes all parameters of these URI paths, including possible HTTP response codes, the format and fields of the data structure in the request’s and response’s body.

Client

It is a consumer of API endpoints. It is the source of the requests.

Backend

The backend constitutes of one or more servers that serve the API endpoint. It receives the requests of the client and sends the responses.

HTTP message

It can be an HTTP request coming from the client or an HTTP response coming from the backend.

Call

An HTTP conversation constitutes of a request — response interchange of HTTP messages between the client and the backend. Whenever the direction is irrelevant in the context — it applies to both requests and responses — the message is named Call.

Listener

It is the part of PAS that listens to incoming traffic for given API Endpoints. It is bound to a network port. Clients address this port when accessing API Endpoints through the gateway.

TLS

Transport Layer Security is the cryptographic protocol that secures HTTPS communications. PAS can apply TLS encryption both when communicating with Clients and Backends. TLS encryption can also be used with Syslog Insight Target and Elastic Insight Target.

Security flow

It provides a collection of security rules that PAS applies to a Call. It is two series of Plugins: one for requests and one for responses.

Plugin

It is an element of the security flow that applies a specific security function. It has different types based on the role they do.

Decompressor: A Plugin responsible for decompressing compressed content in the HTTP message’s body. This ensures that the original content of the message is available for processing.
Compressor: A Plugin responsible for compressing the result of a flow and forwarding the compressed content.
Deserializer: A Plugin responsible for parsing the HTTP message’s body to structured data. This ensures that a message is well-formed. The structured data will also be consumed by other Plugins that operate on the body of the message.
Serializer: A Plugin responsible for serializing the structured data to the format of the HTTP message’s body.
Filter: A Plugin that rejects calls when they match defined rules.
Enforcer: A Plugin that validates calls against externally defined schemas.
Insight: A Plugin that extracts various data from the call and sends it to external systems (log servers, SIEMs, and other data analysis tools).

Brick

They are reusable components of Plugins. They can be defined on their own and then shared by multiple Plugins.

Error policy: It is a brick that defines what happens if the Plugin has found an error. It decides if calls are rejected or merely logged, and defines the details of the HTTP error response sent to the client if a call is rejected.
Matcher: It is a brick that decides if the Plugin should be executed for a given call by checking various data in the HTTP message.
Selector: Selector is a brick that can extract a piece of information from a call. It is used by Insight plugins.
Insight Target: It is a brick that defines an external system to send extracted data to. It is used by Insight plugins.

High Availability

This feature enables two nodes serving as redundant PAS endpoints. It helps ensure service continuity in case of a node failure while being transparent to clients.

3.3. Architecture for Proxedo API Security

Proxedo API Security is based on a micro-services architecture.

The components of the architecture are each responsible for well-defined subset of handling traffic between the client and the backend. Proxedo API Security is built up of three components:

Transport Director

It manages the transport layer of API connections:

handles network connections from the client
handles network connections towards the backends
handles TLS on these connections
load-balances between multiple backend servers
load-balances between multiple Flow Directors
enforces HTTP protocol validity in calls

Flow Director

It is responsible for the execution of the Plugins in the Endpoint’s flow and for applying Error Policies as necessary.

Insight Director

It manages the connections to Insight Targets. It is responsible for sending the data collected by Insight plugins to Insight Target systems.

The handling of a connection with the help of components is shown in this figure:

Figure 1. PAS Architecture

Incoming connections are accepted by the Transport Director.
- It handles TLS with the client if necessary.
It hands over the connection to the Flow Director.
- The Flow Director chooses the Endpoint based on the URL.
- The Flow Director applies the Endpoint specific Request Security Flow.
If an Insight plugin needs to send data to an external Insight Target it sends the collected data to the Insight Director.
The Insight Director sends the data further to the Insight Target with the appropriate protocol.
The Flow Director hands the connection back to the Transport Director.
The Transport Director then sends the data to the Backend.
- It handles TLS with the backends if necessary.
- It performs load balancing among Backend servers if necessary.

The same procedure is executed with the response coming from the Backend.

3.3.1. Understanding processing flow

The figure on Proxedo API Security architecture and the steps following that describe how client connection is handled. The following figure explains how calls are processed in more details:

Figure 2. PAS processing flow

As shown in the figure above, the incoming connection from the client is handled by the Transport Director, applying TLS if needed.
The Transport Director hands over the connection to the Flow Director, indicating which Listener the connection belongs to.
The Flow Director then chooses the Endpoint based on the URL in the request. First endpoint has matching URL is chosen.
The Flow Director then starts applying the request part of the Security Flow definition.
For each Plugin the Flow Director:
- Checks if the Plugin's matcher matches the request.
- If so, it executes the Plugin, if not, it executes the next Plugin.
- If the Plugin indicates success it executes the next Plugin.
- If the Plugin indicates an error it applies the Plugin's error policy. If the policy dictates to abort the connection:
  - It fills error details and hands back the connection to the Transport Director, aborting the execution of the flow.
  - The Transport Director closes the connection, sending error details to the client if allowed by the policy.
Once, the last Plugin has been executed the connection is handed back to the Transport Director.
The Transport Director initiates the connection towards the Backend:
- It handles load balancing if necessary.
- It handles TLS if necessary.
- It sends the request itself to the Backend server.
The Backend server sends its response to the Transport Director.
Once, the response has been received the Transport Director again hands over the connection to the Flow Director.
The Flow Director then starts applying the response part of the Security Flow definition, executing the Plugins as above.
Once, the last Plugin has been executed the connection is handed back to the Transport Director.
Finally, the Transport Director sends the response to the client.

Usually, Plugins are organized in the following manner:

A Decompressor Plugin extracts the compressed body.
A Deserializer Plugin processes the decompressed request to understand the details in the body.
Filters are applied to filter unnecessary traffic.
Enforcers are applied for detailed validation of calls.
Insights are applied to collect data from the call.
Serializer Plugin serializes the body
Compressor Plugin compresses the serialized body

Though the order of the plugins can be changed based on the needs, note the followings:

When a Plugin needs access to the request body it requires Deserialized data. It is therefore strongly recommended that the first plugin is a Decompressor followed by a Deserializer.
At the end of the flow it is strongly recommended to place a Serializer plugin followed by a Compressor.
Generally Insights are applied after Filters and Enforcers so that they are not executed on possibly invalid calls.
Anything that operates on the HTTP headers or the body of the message will be aware of the call direction: The same Plugin in the request and response flow will act on the request or response data.
However, the Flow Director handles a request-response exchange together, so you can still use details from the request in Plugins of the response flow. The most notable example of this is using URI or method matchers in the response flow.
Plugins in the request flow, however, cannot access details of the response flow (since they are not available yet.)

It is also worth noting that Insight Plugins instantly hand over data to the Insight Director, and let the execution continue.

3.3.2. Architecture with High Availability

In case of HA operation, the core component is configured on both nodes participating in the HA operation. The architecture and the process are identical on both nodes, but they are set up to work redundantly. Only one node (the master) of the cluster is receiving traffic actively.

This operation uses the following additional resources:

two nodes with PAS core installed

At the moment, only clusters of two are supported. It also means, that you will need to have a node with both management and core components installed, and a node with only core installed.
a virtual IP address through which the service is supposed to be accessible

The technical foundation of our HA solution is the Virtual Router Redundancy Protocol (VRRP). Once the requirements are properly set up, it operates as follows:

At startup, the nodes send keepalive messages to each other to see if the other node is available. Both of them consider themselves to be in BACKUP state until they make sure the other node is not in MASTER state. If both nodes are newly connected to the cluster, they participate in an election and the one with the higher priority becomes the MASTER.
After one of the nodes has become the MASTER, both of them keep sending keepalive messages so that they notice when the other node disappears.
A node (re)connecting to the cluster does not result in the reelection of the MASTER.

4. Installation of Proxedo API Security based on VMs

PAS is mainly distributed as Docker images, and is also completed with a .deb package that sets up the operational environment.

You can install the management and the core components either on one single node in Standalone setup or on two separate ones in Multi node setup using the automated deployment tool. The synchronization of the core configuration is provided by the storage component.

The specific sections on the installation of the different components provide details on how to install them on a node. The installation order of the components is described in section Installation scenarios.

For the multi node setup, we provide a core deployment tool along with the management component. Using that, you can deploy and configure the core and the storage components on the remote node. The main starting points of its usage are described in section Multi node setup using the automated deployment tool.

4.1. Prerequisites for installing PAS

The followings are needed prior to the installation of Proxedo API Security:

the licence for PAS
a technical user for accessing Balasys' download site and docker registry
the PAS storage, core and management .deb packages

You can download the .deb packages from the Balasys Download website.
one or two servers with Ubuntu 22.04 Operating System installed. See Installation scenarios.

Make sure, that there is no user or group named "pas" in the environment where Proxedo API Security is planned to be installed.

4.1.1. Minimum system requirements

Each server of the PAS installation must meet the following minimum system requirements:

Table 1. Minimum system requirements
Operating system	Ubuntu 22.04 LTS
CPU cores	4
Memory	4 GB
Disk	40 GB
Network	1 interface, 1 Gbps

This minimum configuration can run a maximum of two Flow Director instances on servers with the core component installed.

4.2. Installation scenarios

4.2.1. Standalone setup

For a standalone setup one server is needed.

There are two major installation methods available for the standalone setup:

Simplified installation - This simplified installation method directs the user with prompt windows throughout the installation process, offers default values.

Follow the instructions for simplified installation for standalone setup:

Simplified installation for the storage component
Simplified installation for the management component
Simplified installation for the core component

The simplified installation method is only available for the standalone setup.

Manual installation - For manual installation in a standalone setup, all of the components must be installed on the same node in the following order:

4.2.2. Multi node setup

For a multi node setup two servers are needed, one server for the PAS core and another server for the management component.

In a multi node setup there will be a management node and another node with the core component. The storage component must be installed and configured on both nodes. The installation must be done in the following order:

Management node
1. Storage component
2. Management component
Core node

The core node can be set up with the automation tool or manually installing the components in the following order:
1. Storage component
2. Core component

4.2.3. Multi node HA setup

Multi node HA setup is similar to the standard multi node setup, but in this scenario the management node will run the core component, as well. The installation order is the following:

Management node
Core node

Core node can be set up with the automation tool or manually installing the components in the following order:
1. Storage component
2. Core component

The HA component is included in the core component, and it must be configured after the installation. See High availability configuration.

4.3. Simplified installation method for the standalone setup

This simplified installation method is only available for the standalone setup. By choosing this installation method, the user is directed through the installation with the help of prompt windows and suggested default values.

4.3.1. Simplified installation for the storage component

Log in as root.
Update the OS' package list: apt update.

Install the PAS storage .deb package: apt install <path/to/deb>/proxedo-api-security-storage_<version>.deb.

This will:

Create a user named pas for running and configuring PAS, if it has not been created yet by the installation of other components previously.

pas user must not be created manually beforehand.
Install the necessary configuration files and helper scripts under /opt/balasys.

Create systemd services for managing the PAS storage component.

You need to use apt to install the .deb package locally as it installs its dependencies as well. dpkg will not resolve dependencies, and apt-get cannot install from a local file. Also note that to install PAS from the current directory, you must use the path ./ before the .deb package, or apt will try to download the package from a repository.

Define the registry you want to download the docker images from. Define it in the following format: example.com.

Figure 3. Registry to download the docker image from

Provide your user name for this registry.

Figure 4. User name for the docker registry

Define the password for the docker registry.

Figure 5. Password for the docker registry

Name the node.

This name will appear in the Service status dashboard. As this value is optional, you can leave it blank to skip naming the node.

Figure 6. Naming the node

Generate a TLS certificate to secure the storage access. Define the identifier to be used in the storage TLS certificate.

Figure 7. Identifier for TLS certificate

Provide a valid DNS name for the storage’s TLS certificate.

Figure 8. DNS name of the storage’s TLS certificate

Define if the existing configuration files need to be overwritten or not.

Figure 9. Confirming the need of existing configuration details

If the login to the docker registry is not successful, the following warnings are displayed:

Figure 11. Automatic generation of storage component failed

Change to the PAS user: su - pas.
1. Run pas-storage-update to download the docker images.
2. Start PAS storage: systemctl start proxedo-api-security-storage.
  
  This service is enabled by default, so the service starts on system restart.

4.3.2. Simplified installation for the management component

Log in as root.
Update the OS' package list: apt update.

Install the PAS storage .deb package: apt install <path/to/deb>/proxedo-api-security-mgmt_<version>.deb.

This will:

Create a user named pas for running and configuring PAS, if it has not been created yet by the installation of other components previously.

pas user must not be created manually beforehand.
Install the necessary configuration files and helper scripts under /opt/balasys.

Create systemd services for managing the PAS storage component.

Provide the number of the port where you want the PAS Web UI to be available at, over HTTP:

Figure 12. Defining port number for PAS Web UI over HTTP

Provide the number of the port where you want the PAS Web UI to be available at, over HTTPS:

Figure 13. Defining port number for PAS Web UI over HTTPS

Define if the existing configuration files shall be overwritten by this generated configuration.

Defining if existing configuration file shall be overwritten

Figure 14. Defining if the existing configuration file shall be overwritten

Confirm if you want to manually specify an administrator password.

Figure 15. Confirming if manual administrator password is to be set

If the administrator selects 'No', that is, the administrator does not want to manually define the administrator password, there are no further configuration windows.

Define the administrator password for the management component.

Figure 16. Defining password for the administrator

The following requirements must be met when defining the administrator’s password. The password must contain:

at least 12 characters
only alphanumeric characters
at least one lowercase character
at least one uppercase character
at least one number

Confirm your administrator password by reentering it.

Figure 17. Confirming the administrator password

If the administrator password does not meet the requirements, an error window appears with the information that the password verification failed.

Figure 18. Password verification failed

Change to the PAS user: su - pas.
1. Run pas-mgmt-update to download the docker images.
2. Run systemctl start proxedo-api-security-mgmt.

4.3.3. Simplified installation for the core component

Log in as root.
Update the OS' package list: apt update.

Install the PAS storage .deb package: apt install <path/to/deb>/proxedo-api-security_<version>.deb.

This will:

Create a user named pas for running and configuring PAS, if it has not been created yet by the installation of other components previously.

pas user must not be created manually beforehand.
Install the necessary configuration files and helper scripts under /opt/balasys.

Create systemd services for managing the PAS storage component.

Provide the number of Flow Director instances to run:

Figure 19. Defining the number of Flow Director instances

Provide the lower bound for the Transport Director’s first port range:

Figure 20. Defining the lower bound for the Transport Director’s first port range

Provide the upper bound for the Transport Director’s first port range:

Figure 21. Defining the upper bound for the Transport Director’s first port range

Provide the lower bound for the Transport Director’s second port range:

Figure 22. Defining the lower bound for the Transport Director’s second port range

Provide the upper bound for the Transport Director’s second port range:

Figure 23. Defining the upper bound for the Transport Director’s second port range

Define if the existing configuration files need to be overwritten or not.

Figure 24. Confirming the need of existing configuration details

Change to the PAS user: su - pas.
1. Run pas-update to download the docker images.
2. Run systemctl start proxedo-api-security.

Note that as a registry login takes place during the installation of the core storage component, if the registry login fails, pas-update will also fail.

4.4. Installation steps for the storage component

Log in as root.
Update the OS' package list: apt update.

Install the PAS storage .deb package: apt install <path/to/deb>/proxedo-api-security-storage_4.8.0_all.deb.

This will:

Create a user named pas for running and configuring PAS, if it has not been created yet by the installation of other components previously.

pas user must not be created manually beforehand.
Install the necessary configuration files and helper scripts under /opt/balasys.

Create systemd services for managing the PAS storage component.

Change to the PAS user: su - pas.
Set up parameters in /opt/balasys/etc/infrastructure/storage/docker-compose.conf. For details, see docker-compose.conf.
Run pas-storage-registry-login to set up authentication with the docker registry. Provide login credentials on the prompt. Contact support if you need assistance with your credentials.

Docker will, by default, save your credentials unencrypted in the home directory of the pas user. Using a password-management tool like pass is not enforced, but it is recommended.
Run pas-storage-update to download the docker images.
Run pas-storage-consul-gossip-keygen to generate gossip encryption key, and note it down. This key will be needed for the startup configuration. See Configuration options for the storage component.

This must be run only once, and the generated key must be used in the configuration of all storage components.
Run pas-storage-consul-bootstrap-ca to generate CA certificate for storage-storage communication.

This must be run only once on the management node. Do not execute it during the manual installation of the core node.

Run pas-storage-consul-gen-server-cert with --dns-name FQDN or with --ip-address IP parameter to generate the TLS certificate for storage-storage communication.

FQDN is the domain name, IP is the IP address of the managament or the core node.

There is no difference between using DNS or IP in the certificate, choose the one you prefer. Note, that in multi node setup the same DNS or IP address must be used in join_hosts parameter of the storage component’s configuration, according to your choice.

This must be run on the management node, even in the case of installing the core node in a multi node setup.

Set up startup configuration in /opt/balasys/etc/storage/config.yml.

For details, see Configuration options for the storage component.
Run pas-storage-checkconfig to validate the configuration.
Start PAS storage: systemctl start proxedo-api-security-storage.

This service is enabled by default, so the service starts on system restart.

4.5. Installation steps for the management component

Log in as root.
Update the OS' package list: apt update.

Install the PAS management .deb package: apt install <path/to/deb>/proxedo-api-security-mgmt_4.8.0_all.deb.

This will:

Create a user named pas for running and configuring PAS, if it has not been created yet by the installation of other components previously.

pas user must not be created manually beforehand.
Install the necessary configuration files and helper scripts under /opt/balasys.

Create systemd services for managing the PAS management component.

You need to use apt to locally install the .deb package as it installs its dependencies as well. dpkg will not resolve dependencies, and apt-get cannot install from a local file. Also note that to install PAS from the current directory, you must use the path ./ before the .deb package, or apt will try to download the package from a repository.

Change to the PAS user: su - pas.
Set up MINIO_* parameters in /opt/balasys/etc/infrastructure/mgmt/docker-compose.conf. You can also modify other parameters if necessary, including port numbers and the version. For details, see docker-compose.conf.

MINIO_* parameters must be the same as defined in the config.yml of the storage component.
Run pas-mgmt-registry-login to set up authentication with the docker registry. Provide login credentials on the prompt. Contact support if you need assistance with your credentials.

Docker will, by default, save your credentials unencrypted in the home directory of the pas user. Using a password-management tool like pass is not enforced, but it is recommended.

The following requirements must be met when defining the administrator’s password. The password must contain:

at least 12 characters
only alphanumeric characters
at least one lowercase character
at least one uppercase character
at least one number

Run pas-mgmt-update to download the docker images.
Set up startup configuration in /opt/balasys/etc/mgmt/config.yml.

For details, see Configuration options for the management component
Run pas-mgmt-checkconfig to validate the configuration.
Start PAS management: systemctl start proxedo-api-security-mgmt.

This service is enabled by default, so the service starts on system restart.

4.6. Installation steps for the core component

Log in as root.
Update the OS' package list: apt update.

Install the PAS .deb package: apt install <path/to/deb>/proxedo-api-security_4.8.0_all.deb.

This will:

Create a user named pas for running and configuring PAS, if it has not been created yet by the installation of other components previously.

pas user must not be created manually beforehand.
Install the necessary configuration files and helper scripts under /opt/balasys.

Create systemd services for managing PAS.

Change to the PAS user: su - pas.
Set up MINIO_* parameters and the number of Flow Director instances to run in /opt/balasys/etc/infrastructure/pas/docker-compose.conf. If necessary, also change the version you want to follow. For details, see docker-compose.conf.
Copy license.txt to /opt/balasys/etc/pas.
Run pas-registry-login to set up authentication with the docker registry. Provide login credentials on the prompt. Contact support if you need assistance with your credentials.

Docker will, by default, save your credentials unencrypted in the home directory of the pas user. Using a password-management tool like pass is not enforced, but it is recommended.
Run pas-update to download the docker images.
Start PAS: systemctl start proxedo-api-security.

The core component will wait for a running config before starting. To create a running config, please refer to Configuration of Proxedo API Security on the Web User Interface.

This service is enabled by default, so the service starts on system restart.

If you configured Certificate Revocation List (CRL) verification in any of your Backends or Listeners you need to enable CRL updates:

systemctl enable proxedo-api-security-crl-update.service
systemctl enable proxedo-api-security-crl-update.timer
systemctl start proxedo-api-security-crl-update.timer

4.7. Multi node setup using the automated deployment tool

For a multi node setup, you first need to have a functional management component installed on a node. Its storage needs to be set up to work in cluster with the node the core component is going to be deployed to. Along with the management component, you get the automated deployment tool that helps you manage your remote node and the core component on it.

4.7.1. Configuring multi-node setup

To deploy a core component on a remote node, the following prerequisites need to be met:

the core and the storage .deb packages are available on the management node
the license file is downloaded on the management node
a node with an Ubuntu is installed
a TLS certificate for the storage-storage communication is generated, see step 10 in Installation steps for the storage component
a user on the remote node is configured who can run sudo without providing password

As running sudo without a password grants virtually limitless privileges over the machine, it is strongly advised that SSH is only allowed using SSH keys.

To configure the automation and the remote nodes, you need to fill out three types of configuration files. However, before filling out the /opt/balasys/etc/automation/common_vars.yml file, make sure that the password to the docker registry is encrypted using Ansible Vault.

Example output for encryption

$ ansible-vault encrypt_string
New Vault password:
Confirm New Vault password:
Reading plaintext input from stdin. (ctrl-d to end input)
my_docker_password!vault |
          $ANSIBLE_VAULT;1.1;AES256
62623166386564303866653766656133616463633035643134313062383634336363633836336661
6566323331306635613034653062396166316262383535660a323433663261663435323962633430
32636236393966643636636534626466626166366337303936386339663335653739306661303731
6162633732366234630a373364343536376336383035666165383533313530653463653162316461
65323731633135613330343334663231316135343464373738383962303165393236
Encryption successful

The part displayed in the following example can be used as the encrypted docker registry password in the /opt/balasys/etc/automation/common_vars.yml file.

Example output for encrypted password

!vault |
          $ANSIBLE_VAULT;1.1;AES256
62623166386564303866653766656133616463633035643134313062383634336363633836336661
6566323331306635613034653062396166316262383535660a323433663261663435323962633430
32636236393966643636636534626466626166366337303936386339663335653739306661303731
6162633732366234630a373364343536376336383035666165383533313530653463653162316461
65323731633135613330343334663231316135343464373738383962303165393236

pas-mgmt-deploy-core will request the Ansible Vault password that was used to encrypt the password for the docker registry. For more details, see Deployment and remote management commands.

Fill out the following three types of configuration files to configure the automation and the remote nodes:

/opt/balasys/etc/automation/inventory.yml: It provides the details of the nodes to deploy the core component to.
/opt/balasys/etc/automation/common_vars.yml: It defines the variables that are common among all nodes.
/opt/balasys/etc/automation/host_vars: It defines the directory holding variables for host-specific values. For each entry in inventory.yml, there must be a file in this directory. For example, if you have an entry named pas-node-1 in your inventory, you need to have a file named pas-node-1.yml in the host_vars directory.

The last step to do before deploying the core component on a remote node is to implement login. Complete the following steps:

Generate an SSH key.

pas@pas-node-mgmt:~$ ssh-keygen -t rsa -b 4096 -C "pas-node-1"

Add the SSH key to the user on the remote node which can run sudo without password.

deployment@pas-node-1:~$ mkdir -p ~/.ssh
deployment@pas-node-1:~$ cat <<generated_public_key_here>> >> ~/.ssh/authorized_keys
deployment@pas-node-1:~$ chmod 700 ~/.ssh/
deployment@pas-node-1:~$ chmod 600 ~/.ssh/authorized_keys

4.7.2. Deployment and remote management commands

To deploy core and manage it on the remote node, you need to run the pas-mgmt-deploy-core command. Running this command with different command line flags, you can execute different operations. See the list and explanation of possible operations as follows, or run pas-mgmt-deploy-core --help.

--deploy-core     Deploy the core component to all nodes. It will also be
                  started if not already running.
--restart-core    Restart the core component on all nodes. It will restart
                  ha-director as well.
--stop-core       Stop the core component on all nodes. It will stop
                  ha-director as well.
--deploy-ha       Deploy the HA component to all nodes. It will also be
                  started if not already running.
--restart-ha      Restart ha-director on all nodes.
--stop-ha         Stop ha-director on all nodes.
--sync-ntp        Copy NTP configuration to all nodes and restart the ntp
                  service.

5. Base system configuration for PAS based on VMs

This chapter explains configuration details for setting up a working PAS. Configuration settings are detailed here, provided by the .deb packages installed on an Ubuntu 22.04 LTS server.

The .deb packages carry convenience tools for managing the Proxedo API Security core and the management component, the actual installation and execution is done by Docker and docker-compose.

5.1. Overview of configuration directories

PAS consists of multiple components and each may have multiple configuration files for both infrastructure definition and bootstrapping. In this section, a general overview is provided about how the corresponding configuration directories are structured.

As a rule of thumb, every configuration file for PAS is available under /opt/balasys/etc, and right after installation of all the components, the directory tree looks like the following.

Tree of initial configuration files

/opt/balasys/etc/
├── automation
│   ├── common_vars.yml -> ../../usr/share/automation/roles/deploy-core/vars/main.yml
│   ├── host_vars -> ../../usr/share/automation/host_vars
│   └── inventory.yml -> ../../usr/share/automation/inventory.yml
├── ha
│   └── config.yml
├── infrastructure
│   ├── ha
│   │   └── docker-compose.yml
│   ├── mgmt
│   │   ├── docker-compose.conf
│   │   └── docker-compose.yml
│   ├── pas
│   │   ├── docker-compose.conf
│   │   └── docker-compose.yml
│   └── storage
│       ├── docker-compose.conf
│       └── docker-compose.yml
├── mgmt
│   └── config.yml
├── pas
└── storage
    └── config.yml

In general, the following rules apply:

/opt/balasys/etc/infrastructure holds the files to describe the infrastructure, the component will run in. Exposed ports and used images are the two most important parameters set up in the files in this directory.
/opt/balasys/etc/{ha,mgmt,pas,storage} hold the bootstrap configuration of the respective components. By default, only configuration files are created, but certificates, the license file, etc. also reside in these directories. They will be mounted to the containers so that the processes can use these files as well.
/opt/balasys/etc/automation makes necessary configuration available for remote core deployment. As seen in the directory tree, files in this directory are symbolic links to ease access to the actual files. During debugging, or after installation, their original directories may also be useful to look at.

As there are more directories and subdirectories linked to each package, the following table defines the corresponding directories for each package.

Table 2. Directories grouped by package ownership
Package	Directories
proxedo-api-security	/opt/balasys/etc/ha /opt/balasys/etc/pas /opt/balasys/etc/infrastructure/ha /opt/balasys/etc/infrastructure/pas
proxedo-api-security-mgmt	/opt/balasys/etc/mgmt /opt/balasys/etc/automation /opt/balasys/etc/infrastructure/mgmt
proxedo-api-security-storage	/opt/balasys/etc/storage /opt/balasys/etc/infrastructure/storage

5.2. config.yml

The main configuration of the storage, management and HA components is defined in the following files:

/opt/balasys/etc/storage/config.yml
/opt/balasys/etc/mgmt/config.yml
/opt/balasys/etc/ha/config.yml

The format of the files must adhere to the YAML 1.1 specification.

There are different sections in these configuration files, some of which, as for example, the 'common' section, might not need specific configuration. However, the default values of these sections must be set by {}.

See configuration examples in Appendix B.

5.2.1. Configuration options for the storage component

The file /opt/balasys/etc/storage/config.yml controls:

Standalone or Multi node setup
Storage intercommunication
Node name visible on Dashboard
MinIO keys

The configuration file has three main sections, namely common, consul and blob-store.

The 'common' section has no required parameters, the defaults can be set by {}.

Table 3. Storage configuration **common** options
Key	Default	Description
standalone_mode	true	This parameter must be set to true. It denotes whether the storage is run in standalone or in cluster mode. The non-standalone mode is not relevant in Kubernetes environment, therefore it is not supported.

Table 4. Storage configuration **consul** options
Key	Default	Description
bind_cluster_addr		The address to bind on as a cluster member. This will be used to communicate with other members. This is a required parameter.
gossip_encryption_key		The encryption key to use for the gossip protocol. It is a 32-byte shared key encoded into base64 format. Use `pas-storage-consul-gossip-keygen` to generate it. The same value must be used on different nodes in a multi node setup. This is a required parameter.
node_name		The name of the consul node. It must be unique in the cluster. This parameter sets the visible node name on the Status Dashboard. This is a recommended parameter.
log_level	INFO	The log level of consul. The possible values are: TRACE, DEBUG, INFO, WARN, ERR
server_tls	N/A	TLS settings for storage-storage communication. The certificates must be created using the `pas-storage-consul-bootstrap-ca` and `pas-storage-consul-gen-server-cert` scripts.
ca_path	consul-agent-ca.pem	The path of the CA file relative to /opt/balasys/etc/storage/.
cert_path	dc1-server-consul-0.pem	The path of the server cert file relative to /opt/balasys/etc/storage/.
key_path	dc1-server-consul-0-key.pem	The path of the server key file relative to /opt/balasys/etc/storage/.
join_hosts	N/A	The list of hosts to try for joining the cluster. Either the hostname or the IP address can be specified, and a port number is also necessary. Specify it on all nodes of the cluster.
hostname		The hostname of the storage node to join.
ip_address		The IP address of the storage node to join.
port	8301	The port used for the storage cluster. Do not modify it unless the port is changed in /opt/balasys/etc/infrastructure/storage/docker-compose.yml.

The options with ’N/A’ default value are such sections that cannot have exact values, only the values described afterwards in the table.

Table 5. Storage configuration **blob-store** options
Key	Default	Description
access_key		The access key used for connecting to MinIO. A preferably random generated string must be provided. Min length: 3 This is a required parameter.
secret_key		The secret key used for connecting to MinIO. A preferably random generated string must be provided. Min length: 8. This is a required parameter.
join_hosts	N/A	A list of hosts to try for joining the cluster. Either of the hostname or the ip_address can be specified, and a port number is also necessary.
hostname		The hostname of the storage node to join.
ip_address		The IP address of storage nodes to join.
port	9000	The port used for the storage cluster. Do not modify unless the port is changed in /opt/balasys/etc/infrastructure/storage/docker-compose.yml.

The options with ’N/A’ default value are such sections that cannot have exact values, only the values described afterwards in the table.

For configuration examples, see section Minimal storage configuration.

5.2.2. Configuration options for the management component

The /opt/balasys/etc/mgmt/config.yml file controls:

Web service parameters
Authentication
TLS settings

The configuration file has two main sections, namely frontend and configapi.

The default values for both frontend and configapi sections are automatically effective. If the attributes have to be configured with specific values, other than the default values, the {} curly braces have to be deleted and the new values have to be added.

Table 6. Management configuration **frontend** options
Key	Default	Description
server_name	`_`	The hostname the web server should serve the requests on. The default value means that the management interface will be served regardless of the provided hostname.
tls	N/A	This section configures TLS settings.
certificate_path	/tmp/tls/default.crt	The path to the server certificate. It most likely resides somewhere under /opt/balasys/etc/mgmt. The default path refers to an automatically generated certificate. It must not be trusted.
key_path	/tmp/tls/default.key	The path to the server private key. It most likely resides somewhere under /opt/balasys/etc/mgmt. The default path refers to an automatically generated key. It must not be trusted.
hsts_max_age	63072000	The maximum age attribute of the strict transport security header.
cors_api	N/A	This section configures cross origin request sharing options for API access.
allow_origin*		The value of the Access-Control-Allow-Origin header. This is a required parameter in case of enabled CORS API.

The options with ’N/A’ default value are such sections that cannot have exact values, only the values described afterwards in the table.

Table 7. Management configuration log level setting options - **configapi** section
Key	Default	Description
log_level	INFO	The log level can be set to DEBUG, INFO, WARNING, ERROR, CRITICAL.

Table 8. Management configuration user session options - **configapi** section
Key	Default	Description
session	N/A	This section configures the options for session lifetimes.
session_validity	600	The allowed lifetime of a login session token in seconds. It determines the time period between group membership and user existence checks. This DOES NOT control the length of a user session.
renew_validity	36000	The validity of the renew token. It determines for how long session tokens can be renewed. Therefore the maximum length of a user session is the sum of the two parameters.

The options with ’N/A’ default value are such sections that cannot have exact values, only the values described afterwards in the table.

For further details on configapi section parameters related to LDAP authentication, see Management configuration LDAP authentication options - configapi section.

For configuration examples on the management component, see section Minimal management configuration and section Management configuration with HTTPS (TLS) and LDAP authentication.

5.2.2.1. Configuring authentication and local users in PAS

There are two methods available to configure authentication in PAS:

htpasswd authentication
Lightweight Directory Access Protocol (LDAP) authentication

If there are no authentication rules configured for PAS, a file with an administrator user is automatically generated. The password of the automatically generated administrator user can be found in the journal under the pas-config-api identifier. Run journalctl --identifier pas-config-api | grep admin after the first start of the management component to get the password from the journal.

Using htpasswd for authentication and for the configuration of local users

By using htpasswd authentication, the administrator can define individual user credentials directly in the htpasswd file. This file is stored at /opt/balasys/etc/mgmt/users.htpass and its location cannot be configured. As local users are stored in an htpasswd file, the standard htpasswd tool needs to be used.

It is not possible to configure user groups, or to define different access levels for the users with htpasswd authentication, yet it is possible to define as many user credentials as necessary one by one. The user credentials are encrypted in the configuration file. If you want to add new users to the htpasswd file, run the htpasswd /opt/balasys/etc/mgmt/users.htpass username command and provide the password.

Example command and output

$ htpasswd /opt/balasys/etc/mgmt/users.htpass new-user
New password:
Re-type new password:
Adding password for user new-user

Consider the followings related to the command and the example output:

/opt/balasys/etc/mgmt/users.htpass denotes the path of the htpasswd file.
new-user is the name of the new user.

As a result, similar content is expected to appear in the referred file: new-user:$apr1$GDRF00xV$DmqFFfl.O5GWFpDjQl6tJ.

LDAP authentication

LDAP authentication is a more elaborate way to configure authentication for PAS. With LDAP authentication it is possible to define user groups and attach different levels of access to these users, however, PAS does not support different levels of authorization based on these attributes yet at the moment.

If LDAP authentication is used, only the administrator user - and no other user - can authenticate with the htpasswd file.

The following configapi parameters, which are part of the configuration file’s configapi section, take part in LDAP authentication:

Table 9. Management configuration LDAP authentication options - **configapi** section
Key	Default	Description
ldap	N/A	This section configures the options for LDAP authentication. LDAP authentication is disabled by default.
ldap_url*		The URL of the LDAP server. It must start with `ldap[s]://`. This is a required parameter in case of LDAP authentication.
bind_user*		The service user to use for searching the LDAP server. If the `use_ntlm` parameter is OFF, this must be the whole DN. If it is ON, it must be the Active Directory domain and the username concatenated by a backslash (eg. `AD_domain\administrator`). This is a required parameter in case of LDAP authentication.
bind_password*		The password of the service user. This is a required parameter in case of LDAP authentication.
use_ntlm	OFF	Set this parameter to ON to use NTLM authentication. This is only available when the LDAP server is Microsoft Active Directory.
tls_version	TLSv1_2	The TLS version for the LDAPS connection. It must be one of the following: SSLv23, TLS, TLS_CLIENT, TLS_SERVER, TLSv1, TLSv1_1, TLSv1_2.
validate_cert	no	Set it to yes to validate certificates.
ca_certs_file		This file contains the certificate files of the certificate authorities. Provide the path and filename for the certificate file. The certificate file must be in PEM format. See a single CA file configuration example in Single CA file example. In case a self-signed certificate is used, the server certificate must also be included in this file. In case a chain of certificates is used, the certificate of each level must be included in this file, beginning with the certificate of the signer of the server certificate, followed by the signer of that certificate up to the root certificate. For example on a Certificate chain with multiple CA, see Example on certificate chain with multiple CAs. In case multiple chains of certificates are used, the chains must be concatenated in the same file. The first matching chain will be used for verification. The above details are based on the Python SSL library documentation, available at https://docs.python.org/3.10/library/ssl.html#certificates.
user_base_dn*		The base DN under which users reside. This is a required parameter in case of LDAP authentication.
username_attribute	sAMAccountName	The attribute that contains the name of the user.
user_object_class	user	The object class of the users.
memberof_attribute	memberof	The attribute that contains membership information (groups) on user objects.
group_base_dn*		The base DN under which groups reside. This is a required parameter in case of LDAP authentication.
groupname_attribute	name	The attribute that contains the name of the group.
member_attribute	member	The attribute that contains membership information (users) on group objects.
group_object_class	group	The object class for groups.
allowed_groups*		A list of group names (as contained by 'groupname_attribute') allowed to log in. This is a required parameter in case of LDAP authentication.

5.2.3. Configuration options for the HA component

The file /opt/balasys/etc/ha/config.yml controls:

HA settings

The configuration file has a single section called ha, which does not have default values.

Table 10. HA configuration ha options
Key	Default	Description
interface		The network interface to use for VRRP communication.
virtual_router_id	1	The router ID to use in VRRP messages. Min: 1; Max: 255
priority		The VRRP priority of the node in the virtual router instance. Min: 1; Max: 254. One node needs to have a priority higher by 50 compared to all other nodes. For example: If the highest priority node has a priority of 150, all other nodes must have a priority of 100 or lower.
auth_pass		The authentication password to use in the VRRP protocol. It is an alphanumerical string of up to 8 characters.
virtual_ip		The virtual IP address to use for HA.

For a configuration example on HA, see section Minimal HA configuration.

5.3. docker-compose.yml

The main configuration of the running environment is defined in the following files:

/opt/balasys/etc/infrastructure/storage/docker-compose.yml
/opt/balasys/etc/infrastructure/pas/docker-compose.yml
/opt/balasys/etc/infrastructure/mgmt/docker-compose.yml
/opt/balasys/etc/infrastructure/ha/docker-compose.yml

They describe the containers running PAS.

The format of the files must adhere to the YAML 1.1 specification. For a brief overview of the YAML format look at the example here. For an in-depth reference of docker-compose configuration see its documentation.

This file controls:

the images to run the container from
the persistent data storage (docker volumes) to attach to the containers
the ports propagated to the containers
the environment variables available inside the containers
intra container communication channels (links)
log Insight Target configuration

Unless inevitable, these files shall not be modified. There are two cases when they might need to be modified:

If the provided environment needs to be modified for the setup to be debugged.
If the default behavior of logging into the system’s journal needs to be changed, change the logging parameters under all the services. See more details in docker-compose’s documentation.

If you modify these files, they will not be overwritten on package upgrade. Only interactive installations will notify on that.

Do not use docker-compose directly to manage the installation. Always use systemctl as it handles dependencies and scaling.

5.4. docker-compose.conf

Some aspects of how the services are run by docker-compose are configured through /opt/balasys/etc/infrastructure/storage/docker-compose.conf, /opt/balasys/etc/infrastructure/pas/docker-compose.conf and /opt/balasys/etc/infrastructure/mgmt/docker-compose.conf.

The format of this file is a shell environment file format: a key-value pair in each line, separated by an equal sign ("=").

There must not be spaces around the equal sign.

The configuration files of different components have a common portion along with other parameters that are only valid in one of them. For details, see the following tables.

There are no storage-specific configuration options.

Table 11. docker-compose.conf configuration common options
Key	Default	Description
PAS_IMAGE_TAG	4.8.0	The release track of Proxedo API Security to use. See Tracking version.
COMPOSE_FILE	/opt/balasys/etc/infrastructure/pas/docker-compose.yml or /opt/balasys/etc/infrastructure/mgmt/docker-compose.yml	The path to the compose file. You must not modify the default value.
COMPOSE_PROJECT_NAME	pas	The name used for the compose project. It must be kept synchronized over different files.
PAS_DOCKER_REGISTRY	docker.balasys.hu	The domain name of the docker registry to download images from.

Table 12. docker-compose.conf configuration management-specific options
Key	Default	Description
PAS_MGMT_WEBUI_HTTP_PORT	80	The port to expose for HTTP access of the management web user interface.
PAS_MGMT_WEBUI_HTTPS_PORT	443	The port to expose for HTTPS access of the management web user interface.
MINIO_ACCESS_KEY		The access key to be used for MinIO authentication. It must be the same as defined in /opt/balasys/etc/storage/config.yml.
MINIO_SECRET_KEY		The secret key to be used for MinIO authentication. It must be the same as defined in /opt/balasys/etc/storage/config.yml.

Table 13. docker-compose.conf configuration core-specific options
Key	Default	Description
PAS_FLOW_DIRECTOR_SCALE	1	The number of Flow Director instances to run. For details, see Scaling Flow Director.
PAS_TRANSPORT_DIRECTOR_PORT_RANGE1	49000-49100	A port range to expose to Transport Director. Listeners will work in this port range.
PAS_TRANSPORT_DIRECTOR_PORT_RANGE2	49101-49200	An additional port range to expose to Transport Director. Listeners will work in this port range.
MINIO_ACCESS_KEY		The access key to be used for MinIO authentication. It must be the same as defined in /opt/balasys/etc/storage/config.yml.
MINIO_SECRET_KEY		The secret key to be used for MinIO authentication. It must be the same as defined in /opt/balasys/etc/storage/config.yml.

Storage example:

PAS_IMAGE_TAG={revnumber}
COMPOSE_FILE=/opt/balasys/etc/infrastructure/storage/docker-compose.yml
COMPOSE_PROJECT_NAME=pas
PAS_DOCKER_REGISTRY=docker.balasys.hu

Management example:

PAS_IMAGE_TAG={revnumber}
COMPOSE_FILE=/opt/balasys/etc/infrastructure/mgmt/docker-compose.yml
COMPOSE_PROJECT_NAME=pas
PAS_DOCKER_REGISTRY=docker.balasys.hu

PAS_MGMT_WEBUI_HTTP_PORT=80
PAS_MGMT_WEBUI_HTTPS_PORT=443

MINIO_ACCESS_KEY=your_minio_access_key
MINIO_SECRET_KEY=your_minio_secret_key

Core example:

PAS_IMAGE_TAG={revnumber}
COMPOSE_FILE=/opt/balasys/etc/infrastructure/pas/docker-compose.yml
COMPOSE_PROJECT_NAME=pas
PAS_DOCKER_REGISTRY=docker.balasys.hu
PAS_FLOW_DIRECTOR_SCALE=1

PAS_TRANSPORT_DIRECTOR_PORT_RANGE1=49000-49100
PAS_TRANSPORT_DIRECTOR_PORT_RANGE2=49101-49200

MINIO_ACCESS_KEY=your_minio_access_key
MINIO_SECRET_KEY=your_minio_secret_key

Changing any of the values requires the restart of the service.

5.5. PAS restart policy

PAS service lifecycle is managed by systemd and is by default set to restart if any of the components fails at any point. To avoid infinite restarting, the number of restarts within a short period of time is also limited. As a result, if PAS core or management stops with a non-zero exit code 3 times within 100 seconds, the corresponding systemd unit will enter failed state.

The default restart policy and the options are identical for the storage, core and management components.

The relevant part of the service file looks as follows:

[Unit]
StartLimitIntervalSec=100
StartLimitBurst=3

[Service]
Restart=on-failure

Modifying the restart policy is possible by editing the service file in override mode. To do so, run systemctl edit proxedo-api-security-storage, systemctl edit proxedo-api-security or systemctl edit proxedo-api-security-mgmt. This will open a text editor and will let you define the parameters you wish to override. For example, if you want to switch off all default restart settings, enter the following text in the override editing window:

[Unit]
StartLimitIntervalSec=
StartLimitBurst=

[Service]
Restart=no

Possible values for Restart= are documented by systemd. We recommend using no to avoid automatic restarting by systemd or on-failure to make the service restart on non-zero exit codes. If you want a more fine-tuned restart policy, please consult the systemd.service(5) man page and configure the desired options.

To discard your overrides, run systemctl revert proxedo-api-security-storage, systemctl revert proxedo-api-security or systemctl revert proxedo-api-security-mgmt.

You only need to enter the parameters you want to change.

Overriding systemd units is only possible as root user.

5.6. Systemd Journal log limit setting

Systemd journal settings, namely the configuration of the RateLimitBurst and the RateLimitIntervalSec parameters limit the number of log messages. An insufficiently low number assigned to the number of RateLimitBurst parameter unnecessarily limits the number of log messages sent. The recommended value is 1 000 000. The interval value configured for RateLimitIntervalSec parameter also affects the rate limiting values for log messages. If in the time interval, specified by the RateLimitIntervalSec parameter, more messages are logged than specified in the RateLimitBurst parameter, than all further messages within that given time interval will be dropped. To turn off rate limiting, either parameter can be set to value '0'.

Even if the Verbosity or the Message Filter Expression parameters are configured to a high value in PAS, the above rate limitation settings still need to be considered.

Update this value in /etc/systemd/journald.conf.

[Journal]
RateLimitBurst=1000000

5.7. Tracking version

Proxedo API Security has a version number in the form of major.minor.patch. The docker image labels control what version the services are running at. The version tags point to a specific release and will never be changed once released. If the label is changed to a new version tag, the services will be upgraded at the restarts.

5.8. Scaling Flow Director

A single instance of Flow Director uses a single processor core. It is necessary to adjust the number of instances to use all the available cores. This is controlled by the PAS_FLOW_DIRECTOR_SCALE variable. As the Flow Director handles the most demanding duties among the components, it must be assigned most of the cores. If there are up to four cores available, assign three cores to the Flow Director, and the remaining one core will be suitable for the Transport and Insight Director. If there are more than four cores, assign two cores for the Transport and Insight Director and assign the rest to the Flow Director.

5.9. Configuration of dockerd

The docker daemon is configured through /etc/docker/daemon.json. The full documentation can be found in the official docker documentation.

Balasys recommends the use of the default configuration.

Do not use /etc/default/docker as it is ignored when systemd is used.

5.10. High availability configuration

5.10.1. HA Director

The HA functionality is implemented by the HA Director included in the core component. It uses keepalived in VRRP mode to provide the service.

It can be configured in two ways:

When installed and configured manually on the host running core, the configuration file /opt/balasys/etc/ha/config.yml should be filled out.
When installed using the automation tool, the following configuration files need to be filled in on the management node:
- /opt/balasys/etc/automation/common_vars.yml: Common HA parameters to be used on remote hosts.
- /opt/balasys/etc/automation/host_vars: Host-specific HA parameters to be used on remote hosts.

As at the moment, only clusters of two are supported, you can only implement HA by installing core alongside the management component as well. That instance you need to configure and set up manually, while you can use the automated deployment tool to deploy core and HA on the remote node.

5.10.2. HA restart policy

The default restart policy and the options are identical for the storage, core and management components.

The relevant part of the service file looks as follows:

[Unit]
StartLimitIntervalSec=100
StartLimitBurst=3

[Service]
Restart=on-failure

[Unit]
StartLimitIntervalSec=
StartLimitBurst=

[Service]
Restart=no

To discard your overrides, run systemctl revert proxedo-api-security-storage, systemctl revert proxedo-api-security or systemctl revert proxedo-api-security-mgmt.

You only need to enter the parameters you want to change.

Overriding systemd units is only possible as root user.

5.11. Setting up time synchronization

To ensure time synchronization on different nodes you need to configure NTP on them. The ntp package is already installed as a dependency, but it must be configured We recommend adding the following configuration to /etc/ntp.conf.

driftfile /var/lib/ntp/ntp.drift

restrict -4 default kod notrap nomodify nopeer noquery limited
restrict -6 default kod notrap nomodify nopeer noquery limited
restrict 127.0.0.1
restrict ::1

server time.nist.gov prefer
server ip-time-1.cern.ch

Use your own NTP servers in the server directives if you have any, or adjust the given values to ones that are allowed by your policies.

After creating the configuration, run the following commands.

# Disable systemd-timesyncd
timedatectl set-ntp false

# Restart ntp
systemctl restart ntp

# Enable ntp so that it starts on system startup
systemctl enable ntp

6. Configuration of Proxedo API Security on the Web User Interface

This chapter explains configuration details for setting up a working Proxedo API Security (PAS) with the help of the Web User Interface.

The Proxedo API Security Web User Interface (UI) is installed together with the installation of Proxedo API Security. The URL for Proxedo API Security Web UI and the necessary credentials are generated when the management component is first started. The password for the administrator can be found in the journal under the pas-config-api identifier.

For information on how to set up more users, see section Configuring authentication and local users in PAS.

By using OpenAPI schemas, as defined in OpenAPI specifications (also known as Swagger), Proxedo API Security verifies that the traffic passing through conforms to the API endpoint’s specification. An OpenAPI Swagger schema detailing the Configuration API is available at: <frontend_url>/api/v1/openapi. <frontend_url> here refers to the URL address of the user’s Proxedo API Security Web User Interface.

6.1. Minimum configuration

It is possible to run PAS with a minimum, basic configuration. For a minimum configuration the following items need to be configured in the Web UI:

Listeners
- Port
- Endpoint
  For more details on the Listener's parameters, see Listeners’ configuration options.
Endpoint
- Name
- Url
  For more details on the Endpoint's parameters, see Endpoint configuration.
Security Flow
- Request
- Response
- Backend

This basic configuration can be further improved with the completion of more configuration units later. The minimum configuration can also be used to test the installation settings.

6.2. Login Page

The main component of the Login page is the login form where the user needs to provide the credentials in order to be authorized to use the Web UI of Proxedo API Security.

As part of the initial configuration of Proxedo API Security, the administrator defines the necessary credentials, which can now be used.

For accessing the Web User Interface:

Enter the valid user credentials.
Click the Log In button.

After a successful login, the user has access to the Proxedo API Security Web UI.

6.3. Proxedo API Security Web User Interface main page

The configuration elements are organized into a logical order for easier usage.

Figure 26. Proxedo API Security Web User Interface main page

The PAS Web UI has the following navigation areas:

The navigation areas are described here in more details:

Left navigation area (1): This navigation area (1) presents the navigation units available for configuration.
When opening up the Proxedo API Security Web UI, three main navigation units are available, that is, BRICKS, PLUGINS, and SERVICES.
These three main navigation units can be opened for further sub-navigation units by clicking on either the navigation item itself or on the arrow icon next to it. Alternatively, when the sub-navigation units are not in use, they can be hidden by clicking the arrow navigation icons next to the main navigation items, or similarly by clicking on the navigation item itself.
Top navigation area (2): This Top navigation area (2) presents the Changes, Status and Configuration Backup buttons in the top left corner. For more information on these services, see Status information on the configuration of Proxedo API Security services, Checking and finalizing changes in Proxedo API Security configuration and Backup and restore running or user configuration for Proxedo API Security. The Help and Logout buttons are presented in the top right corner.

Main configuration area (3): This is the main configuration area of the Web UI. Any navigation unit selected in the Left navigation area (1) presents the configuration details in this Main configuration area (3). The configuration details can be edited in this area.
In case there are already configured parameters, those are displayed in a table in the Main configuration area (3).
In order to add more configuration details, select the New navigation button in the upper right corner.

The Main configuration area (3) provides the following navigation and activity options. Note that some of these activities are also available when the configuration parameters are presented in list view:

Table 14. Navigation and activity options in the Main configuration area (3)
Navigation option	Description
	By selecting the New navigation button on the active window of a component, a new component can be configured.
	By selecting the Pen navigation button next to a component, the Web UI navigates back to the configuration page of the selected element. The so far configured details can be changed or new configuration details can be added.
	By selecting the Copy navigation button next to a component, the Web UI copies all the information of that component into a new instance, which instance can be saved with a new name, inheriting the same, copied parameters.
	By selecting the Bin button next to a component, the configuration element can be deleted. If an element is selected for deletion, a Warning appears, requesting confirmation on the deletion of the element.
	This icon is visible at the right side of every drop-down list during configuration. By selecting this icon it is possible to unselect an item of the drop-down list and to clear the selection field from any data. Clearing the field from data with the help of this icon gains importance when an earlier selected drop-down list item, saved in our configuration, has to be cleared from the configuration data.
	By selecting the Next page button it is possible to navigate to the next page of the parameter keys listed.

6.3.2. Naming Configuration components in the Web UI

When configuring the Proxedo API Security Web UI, name the configuration components with the usage of the English alphabet and numerals. When the name is composed of more than one word, use underscore. It is not allowed to use spacing or any special characters though.

6.4. BRICKS - Configuration units

Bricks are reusable components. They do not provide a complete security function themselves, instead, they are used as building blocks elsewhere (hence the name). They can be used by Plugins (like Selectors), or utilized by other bricks (like Extractors).

Certain bricks are so called default objects, which are in 'read-only' state and cannot be configured or modified. Such default objects are listed in the following table:

Table 15. Default objects - BRICKS
Default object name	Class
Always	Matcher
Never	Matcher
content_type_json	Matcher
content_type_json_regexp	Matcher
json_content	Matcher
content_type_xml_base	Matcher
content_type_xml_dtd	Matcher
content_type_xml_ext_parsed	Matcher
content_type_xml_regexp	Matcher
content_type_xml_text	Matcher
content_type_xml_text_ext_parsed	Matcher
xml_content	Matcher
error_policy	Error policy
enforcer_default	Error policy
insight_default	Error policy

These default objects are listed under the actual classes in the Web UI.

The BRICKS main page in the Web UI is as follows:

Figure 28. The BRICKS main page in the Web User Interface

Click on the BRICKS main configuration item in the Left navigation area. Alternatively you can also click on the sign to open up the sub-navigation items of BRICKS.
Click on the sub-navigation unit you would like to configure. The details of the sub-navigation menu open up in the Main configuration area.

6.4.1. Error Policy

Error Policies define how to proceed if a Plugin decides to have found an error. For example, when an Enforcer plugin decides that the call is invalid.

It is the error policy that enables the user to act differently in case the error appears in a request or a response.

Every Plugin has a default error policy, namely, the 'error_policy', except for the Enforcer and the Insight Plugins, which have their own default error policies already configured for usage, the enforcer_default and the insight_default error policies.

6.4.1.1. Configuring Error policies

Error policies can be configured from the BRICKS main menu item.

Click on the BRICKS main configuration item in the Left navigation area. Alternatively you can also click on the sign to open up the sub-navigation items of BRICKS.
Select Error Policy.

The configuration window that appears presents the default error policies, as listed in Default objects - BRICKS and the configuration values already set by the user:

Figure 29. Error policy’s main page in the Web User Interface

Click on the New navigation button to create an error policy.

Error Policies have default values for each of their fields.

An Error Policy contains the following settings:

Figure 30. Configuring error policies in the Web User Interface

The following table provides details on what values can be figured for an Error policy and what these values define for an Error policy. Configure the following options:

Table 16. Error policy configuration options
Key	Values	Default value	Description
Name*	It is a mandatory value. It can be defined in free text.		It is the name identifying the error policy. This name of the error policy can be referenced from other parts of the configuration, that is, the error policy is reusable.
Request	The available values are: abort log	Abort	It defines what action shall take place if there is an error on the request side: abort: the request is denied if the Plugin fails. Use the other parameters to control the content of the error sent to the client. log: the invalid requests are allowed, but are logged.
Request Silent	The parameter can be configured by switching it on or off. When it is switched on, the Plugins do not report on the denial of the invalid request. When it is turned off, the Plugins have the ability to report the error in detail in the body of the HTTP error request.	true	Do not report validation errors of the request to the client.
Request Code	The values are available from a drop-down list. If the elements of the drop-down list are selected, it will make the list of the actual request codes visible. The applicable request code can be selected.	422	It provides the HTTP status code to be used when denying invalid requests.
Request Message	The message can be provided in free text.	Request error	The reason is provided here in the HTTP response line when denying invalid requests.
Response	Response error mode: abort log	Abort	It defines what action shall take place if there is an error on the request side: abort: the request is denied if the Plugin fails. Use the other parameters to control the content of the error sent to the client. log: the invalid requests are allowed, but are logged.
Response Silent	The parameter can be configured by switching it on or off. When it is switched on, the Plugins do not report on the denial of the invalid response. When it is turned off, the Plugins have the ability to report the error in detail in the body of the HTTP error response.	true	Do not report validation errors of the response to the client.
Response Code	The values are available from a drop-down list. Note that the response codes are grouped, so that if the elements of the drop-down list are selected, further groups of response codes will be made visible in a tree structure. The applicable request code can be selected.	502	It provides the HTTP status code to be used when denying invalid requests.
Response Message	The message can be provided in free text.	Response error	The reason is provided here that can be used in the HTTP response line when denying invalid requests.

The default values in the above table represent the hard coded default values. They form a strict security policy: all errors are fatal, and only mistakes made by the client are reported in detail.

For configuring error policies, continue with completing the following steps:

Configure the necessary parameters for the error policy based on the details provided in the table Error policy configuration options.
Click the Validate button to check if the defined parameters are suitable and adequate for configuring the component. If the configuration of the component is erroneous or not adequate, the Web UI provides a warning that the 'Component validation failed'. Also a warning with information on the missing details appears at the problematic field for the user. If the configuration of the component is satisfactory, after clicking the Validate button, the user receives the 'Component Validation successful' notification.
Click the Save button.

The error policies configured here can be used in the Plugin’s configuration, by referencing their name.

6.4.2. Matcher

Matchers decide if the Plugin should be executed for a given call by checking various data in the HTTP message. They provide an extremely versatile way of defining the circumstances that must be met for the Plugin to execute.

Matchers need four pieces of information:

Name: The Name field can be defined in free text and it is not related to the extractor that will be used. This Name can be referenced in Plugins.
Type: This parameter defines what part of the call needs to be checked.
Comparator: The Comparator shows by what means the collected value of the call is compared with the provided pattern. (Some comparators also take flags or arguments.)
Expression: A regular expression specifies a set of strings that match it. A complete explanation on how to write expressions is not in the scope of this document.

The matchers can be used in Plugin configurations' match option by referencing their name.

There are some named Matchers available without explicit configuration:

always and never are instances of Always matcher and Never matcher.
json_content that matches requests with the Content-Type headers representing JSON.

Also note that no other matchers can be defined with these names.

Matchers internally utilize Extractors to fetch the information from the call to compare with. The Type of the matcher resembles the name of the extractor that will be used.

All matchers have a default comparator that is applied implicitly.

If you want to use comparator parameters, the comparator name should be given even if the default comparator is used.

6.4.2.1. Configuring Matchers

Matchers can be configured from the BRICKS main navigation item.

Click on the BRICKS main configuration item in the Left navigation area. Alternatively you can also click on the sign to open up the sub-navigation items of BRICKS.
Select Matcher.

The configuration window that appears presents the default matchers, as listed in Default objects - BRICKS and the configuration values already set by the user:

Figure 31. Matchers' main page in the Web User Interface

Click on the New navigation button to configure a matcher.

The generic configuration page for matchers provides the following settings:

Figure 32. Configuring matchers in the Web User Interface

The configuration parameters for matchers are described in details in the following table:

Table 17. Matcher configuration options
Key	Values	Default value	Description
Name*	It is a mandatory value. It can be defined in free text.	It can be defined in free text.	The Name of the matcher which can be referenced in Plugins.
Type*	It is a mandatory value. For the available values, see Matcher types.		The preferred matcher type has to be selected from the drop-down list.

Provide the name of the matcher.
Choose the type of the matcher from the drop-down list.

Matcher types

Depending on the choice of the matcher type, some more required configuration fields might appear on this page. The following tables describe the matcher types in details and provide the necessary information for the additional configuration fields, required for setting the matcher types:

Matcher types and their settings - Simple matchers
Matcher types and their settings - Compound matchers
Matcher types and their settings - URI matchers
Matcher types and their settings - SOAP matchers

Matcher type Description

Always

This matcher always matches.

Never

This matcher never matches. It can be used to turn off a Plugin.

Call Direction

It matches the direction of the message (request or response).

Method

It matches the HTTP method of the request. Note that the method is case insensitive by definition, therefore the case will always be ignored.

When choosing the Method matcher from the drop-down list, additional parameters appear. For more information on the configuration of these parameters, see Matcher types' additional configuration options.

Header

It matches the value of an HTTP header. Some HTTP headers can be present more than once in a call. To accommodate this, matching is completed against the value of each occurrence of the header. Matching occurs if there is any match. For example, if the Accept header was repeated as follows:

Accept: application/json
Accept: application/xml

Consequently, in this example above both header.accept: application/json and header.accept: application/xml would match.

To match against the header named server the key will be header.server, possibly completed with comparator specification, like header.server.regex.ignorecase.

While the values are not, the HTTP header names are case insensitive, so you can write them all lowercase in the configuration key.

The syntax of this matcher differs from the others because the name of the Header must be added.

While the values are not, the HTTP header names are case insensitive, so you can write them all lowercase in the configuration key.

Cookie

It matches the value of a key in the Cookie HTTP header. A Cookie header key can be present more than once in a call. To accommodate this, matching is completed against the value of each occurrence of the key. Matching occurs if there is any match.

Content Type

It matches the content type of the message. It is a more robust solution than using the Header matcher on the Content-Type header because that can contain parameters as well.

When choosing the Content type matcher from the drop-down list, additional parameters appear. For more information on the configuration of these parameters, see Matcher types' additional configuration options.

Status

It matches the status code of the response.

See the default Status class comparator which allows convenient matching on HTTP status classes.

The available values for the Expression parameter are: Informational response, Successful response, Redirects, Client errors, Server Errors.

When choosing the Status matcher from the drop-down list, additional parameters appear. For more information on the configuration of these parameters, see Matcher types' additional configuration options.

Raw Content

It matches the raw bytes of the request or response. It requires an expression in the form of a hexadecimal string. For example, for matching a PNG image file, the expression shall be '89504e470d0a1a0a', which is equivalent to '89 50 4e 47 0d 0a 1a 0a', as whitespaces can also be used.

Text Content

It matches the request’s or response’s content as a decoded string.

Client Address

It matches the client’s IP address (both IPv4 and IPv6).

Use the subnet type comparator with that matcher type. The subnet comparator examines if the IP address of the Client is in the specified subnet. The format for the input of the subnet comparator is the CIDR notation for IPv4 (for example, 192.0.2.0/24) and canonical prefix notation for IPv6 (for example, 2001:db8::/32).

Client Port

It matches the client’s port (TCP).

Server Address

It matches the server’s IP address (both IPv4 and IPv6).

Use the subnet type comparator with that matcher type. The subnet comparator examines if the IP address of the Server is in the specified subnet. The format for the input of the subnet comparator is the CIDR notation for IPv4 (for example, 192.0.2.0/24) and canonical prefix notation for IPv6 (for example, 2001:db8::/32).

Server Port

It matches the server’s port (TCP).

XPath

It matches the data from the body of an XML call with the help of the XPath expression.

XPath is a query language for XML. It is a very versatile tool for extracting the needed information from the body of the call, and organizing it according to needs.

A complete explanation on how to write XPath expressions is not in the scope of this document. To learn more about it visit the main website.

For more details on xpath configuration options, see XPath extractor configuration options.

JMESPath

It matches the data from the body of a JSON call with the help of the JMESPath expression. JMESPath is a query language for JSON. It is a very versatile tool for extracting the needed information from the body of the call, and for organizing it according to needs. A complete explanation on how to write JMESPath expressions is not in the scope of this document.

To learn more about it visit the: main website:

There is a tutorial.
There are examples.
There is also a formal specification.

When choosing the JMESPath matcher from the drop-down list, additional parameters appear. For more information on the configuration of these parameters, see Matcher types' additional configuration options.

Fraud Detector Score

It matches the score value provided by the Fraud Detector plugin.

Table 19. Matcher types and their settings - Compound matchers
Any	Any is a Compound matcher that matches if any of its sub-matchers matches. The sub-matcher can also be a compound matcher.
All	All is a Compound matcher that matches if all of its sub-matchers match. The sub-matcher can also be a compound matcher.
None	None is a Compound matcher that matches if none of its sub-matchers match. The sub-matcher can also be a compound matcher.
One	One is a Compound matcher that matches if exactly one of its sub-matchers matches. The sub-matcher can also be a compound matcher.

Matcher type Description

URI matchers

A range of matchers is available to match different parts of the URI.

The structure of an URI looks as follows:

scheme://[username[:password]@]host[:port][/path][?query][#fragment]

That is, for example:

https://john.doe:secret123@example.com:8443/some/resource?foo=bar&baz=qux#some-anchor

The fragment part is used by the client locally, and is never sent in the HTTP requests, therefore PAS cannot do anything with it.

These matchers use the URI extractors. It has an extensive list of examples of what each extractor extracts from the URI.

URI

It matches against the whole request URI as received from the client.

When choosing the URI matcher from the drop-down list, additional parameters appear. For more information on the configuration of these parameters, see Matcher types' additional configuration options.

URI netloc

It matches the network location in the URI.

It includes:

username and password if present
host
port if present unless scheme default

If the port is the default port for the scheme - that is 80 and 443 for HTTP and HTTPS, respectively - the port will not be included even if explicitly sent by the client. Therefore if the client used http://example.com:80/path then the netloc would be http://example.com, not http://example.com:80.

When choosing the URI netloc matcher from the drop-down list, additional parameters appear. For more information on the configuration of these parameters, see Matcher types' additional configuration options.

URI origin

It matches the origin part of the URI.

It includes:

scheme
host
port if present, unless the default port for the scheme is used

If the port is the default port for the scheme - that is 80 and 443 for HTTP and HTTPS, respectively - the port will not be included, even if explicitly sent by the client. Therefore if the client used http://example.com:80/path, then the origin would be http://example.com, not http://example.com:80.

When choosing the URI origin matcher from the drop-down list, additional parameters appear. For more information on the configuration of these parameters, see Matcher types' additional configuration options.

URI scheme

It matches the scheme of request (http or https). Note that the scheme is case insensitive by definition, therefore the case will always be ignored.

When choosing the URI scheme matcher from the drop-down list, additional parameters appear. For more information on the configuration of these parameters, see Matcher types' additional configuration options.

URI username

It matches the username in the request if present.

When choosing the URI username matcher from the drop-down list, additional parameters appear. For more information on the configuration of these parameters, see Matcher types' additional configuration options.

URI password

It matches the password in the request if present.

When choosing the URI password matcher from the drop-down list, additional parameters appear. For more information on the configuration of these parameters, see Matcher types' additional configuration options.

URI host

It matches the host in the request.

When choosing the URI host matcher from the drop-down list, additional parameters appear. For more information on the configuration of these parameters, see Matcher types' additional configuration options.

URI port

It matches the port of the request. Note that this matches the default port — that is 80 and 443 for HTTP and HTTPS, respectively — even if it is not explicitly in the request.

When choosing the URI port matcher from the drop-down list, additional parameters appear. For more information on the configuration of these parameters, see Matcher types' additional configuration options.

URI path

It matches the path part of the URI.

The path is normalized to allow more robust matching and cleaner reporting. This means that:

If the path is missing / it is extracted.
Repeating forward-slash (/) characters are replaced with a single one.
dot (.) and double-dot (..) path segments are resolved.

Consequently, if the path present in the URI was //some/./nothere/../resource///./somewhere the path would be /some/resource/somewhere.

If you need to match the path exactly as received, use URI raw path matcher.

When choosing the URI path matcher from the drop-down list, additional parameters appear. For more information on the configuration of these parameters, see Matcher types' additional configuration options.

URI raw path

It matches the path part of the URI, without the normalization of URI path matcher carried out.

If the path is missing, the match still runs against a single forward slash ("/").

It is recommended to use URI path matcher unless there is an explicit need for matching the raw path. One such example would be logging or filtering out badly formed requests.

When choosing the URI raw path matcher from the drop-down list, additional parameters appear. For more information on the configuration of these parameters, see Matcher types' additional configuration options.

URI raw query

It matches the query part of the URI as a string. It is recommended to use URI query parameter matcher unless there is an explicit need for matching the raw string. An example on this might be if there is a match on foo=barbar or tofoo=bar as well, even though it was not intended.

When choosing the URI raw query matcher from the drop-down list, additional parameters appear. For more information on the configuration of these parameters, see Matcher types' additional configuration options.

URI query parameter

It matches the value of a query parameter.

It is also valid for URIs to include a query parameter more than once. That is, it could be foo=bar&qux=quz&foo=baz. To accommodate this, matching is done against the value of each occurrence of the parameter. Matching occurs if any value is matched.

When choosing the URI query parameter matcher from the drop-down list, additional parameters appear. For more information on the configuration of these parameters, see Matcher types' additional configuration options.

Table 21. Matcher types and their settings - SOAP matchers
Matcher type	Description
SOAP Matchers	A range of matchers is available to match different parts of the SOAP message. These matchers extend the xpath matcher with predefined expressions. They use the soap extractors. It has an extensive list of examples of what each extractor extracts from the SOAP message. When choosing the SOAP Matchers matcher from the drop-down list, additional parameters appear. For more information on the configuration of these parameters, see Matcher types' additional configuration options.
SOAP version	SOAP version matches the soap message version. It identifies with the soap namespace. The possible values are: soapv1_1 - the message version is SOAP v1.1 soapv1_2 - the message version is SOAP v1.2 When choosing the SOAP version matcher from the drop-down list, additional parameters appear. For more information on the configuration of these parameters, see Matcher types' additional configuration options.
SOAP envelope	It matches the soap envelope. When choosing the SOAP envelope matcher from the drop-down list, additional parameters appear. For more information on the configuration of these parameters, see Matcher types' additional configuration options.
SOAP header	It matches the soap header. When choosing the SOAP header matcher from the drop-down list, additional parameters appear. For more information on the configuration of these parameters, see Matcher types' additional configuration options.
SOAP body	It matches the soap body. When choosing the SOAP body matcher from the drop-down list, additional parameters appear. For more information on the configuration of these parameters, see Matcher types' additional configuration options.
SOAP fault	It matches the soap fault. When choosing the SOAP fault matcher from the drop-down list, additional parameters appear. For more information on the configuration of these parameters, see Matcher types' additional configuration options.
SOAP fault code	SOAP matchers extend the xpath matcher with predefined expressions. They use the SOAP extractors. It has an extensive list of examples of what each extractor extracts from the SOAP message. It matches the soap fault 'code'. The expression depends on the soap version. faultcode - it is the SOAP v1.1 node tag. Code - it is the SOAP v1.2 node tag. When choosing the SOAP fault code matcher from the drop-down list, additional parameters appear. For more information on the configuration of these parameters, see Matcher types' additional configuration options.
SOAP fault detail	It matches the soap fault 'detail'. The expression depends on the soap version. Detail - it is the SOAP v1.1 node tag. Detail - it is the SOAP v1.2 node tag. When choosing the SOAP fault details matcher from the drop-down list, additional parameters appear. For more information on the configuration of these parameters, see Matcher types' additional configuration options.
SOAP 1.1 fault faultstring	It matches the soap fault 'faultstring'. This matcher only works with soap version 1.1. When choosing the SOAP 1.1 fault faultstring matcher from the drop-down list, additional parameters appear. For more information on the configuration of these parameters, see Matcher types' additional configuration options.
SOAP 1.1 fault faultactor	It matches the soap fault 'faultactor'. This matcher only works with soap version 1.1. When choosing the SOAP 1.1 fault faultactor matcher from the drop-down list, additional parameters appear. For more information on the configuration of these parameters, see Matcher types' additional configuration options.
SOAP 1.2 fault reason	It matches the soap fault 'Reason'. This matcher only works with soap version 1.2. When choosing the SOAP 1.2 fault reason matcher from the drop-down list, additional parameters appear. For more information on the configuration of these parameters, see Matcher types' additional configuration options.
SOAP 1.2 fault node	It matches the soap fault 'Node'. This matcher only works with soap version 1.2. When choosing the SOAP 1.2 fault node matcher from the drop-down list, additional parameters appear. For more information on the configuration of these parameters, see Matcher types' additional configuration options.
SOAP 1.2 fault role	It matches the soap fault 'Role'. This matcher only works with soap version 1.2. When choosing the SOAP 1.2 fault role matcher from the drop-down list, additional parameters appear. For more information on the configuration of these parameters, see Matcher types' additional configuration options.

For details on comparator types, see Types of comparators.

Depending on the matcher type selected, the administrator might need to fill in further parameters. These parameters are described in the following table.

Table 22. Matcher types' additional configuration options
Key	Values	Default value	Description
Comparator			The matchers need the information on the Comparator, which shows by what means the collected value of the call is compared with the provided pattern.
Type	The available comparator types can be checked from the drop-down list.	Equals	This configuration option has to be defined for the Comparator. For details on the comparator types, see Types of comparators.
Ignorecase		Off (False)	This configuration option has to be defined for the Comparator. It sets the IGNORECASE flag for the selected comparator type. For matcher types that work with numeric data type or with IP addresses, the 'Equals' and 'Not Equals' comparator types do not have ignorecase field.
Expression*			This configuration option has to be defined for the Comparator. A regular expression specifies a set of strings that match it.
JmesPath Expression			A complete explanation on how to write JMESPath expressions is not in the scope of this document. To learn more about it visit the: main website: There is a tutorial. There are examples. There is also a formal specification.
Query Parameter			It is also valid for URIs to include a query parameter more than once. That is, it could be foo=bar&qux=quz&foo=baz. To accommodate this, matching is done against the value of each occurrence of the parameter. Matching occurs if any value is matched.
Header			It extracts the value of an HTTP header. It is valid for some HTTP headers to be present more than once in a call. In this case, all the values are extracted as a list. It provides the name of the header in the configuration.
Namespaces			It defines the XML namespaces.
XPath Expression*			The expression to extract the node from the call to match against.
Multiline			It sets the Multiline flag for the Regex comparator.
Minimum*			It matches if the pattern is larger or equal to the value.
Maximum*			It matches if the pattern is smaller or equal to the value.
Source Plugin	Fraud Detector Plugins can be referenced here by selecting them from the drop-down list.	Last: In case there are more Fraud Detector plugins defined in the Security Flow, by using this default value, the selector will use the score value provided for the last run Fraud Detector plugin.	This parameter defines which Fraud Detector plugin shall be used in case there are more than one defined.

Configure the necessary parameters with the help of the above tables.
Click the Validate button to check if the defined parameters are suitable and adequate for configuring the component. If the configuration of the component is erroneous or not adequate, the Web UI provides a warning that the 'Component validation failed'. Also a warning with information on the missing details appears at the problematic field for the user. If the configuration of the component is satisfactory, after clicking the Validate button, the user receives the 'Component Validation successful' notification.
Click the Save button to save the configured matcher.

6.4.3. Selector

Selectors are responsible for collecting information from the call. They utilize Extractor bricks for this purpose.

Most extractors return simple string values. However, some (might) return dictionaries. For example, you can get all the HTTP headers, or all the URI query parameters.

They are used by Insight.

6.4.3.1. Configuring Selectors

The selector can be configured from the BRICKS main navigation item.

Click on the BRICKS main configuration item in the left navigation area. Alternatively you can also click on the sign to open up the sub-navigation items of BRICKS.
Select Selectors.

In the configuration window that appears, you can either see the empty parameter values that can be configured for the actual component or you can see already configured component(s) and their parameters. The already configured components with defined parameters can be default components available in the system by default, or can be components configured by the administrator:

Figure 33. Selector main page in the Web User Interface

Click on the New navigation button to configure the Selector.

The following configuration options appear for Selector:

Figure 34. Configuring Selector in the Web User Interface

The selector accepts the following configuration options:

Table 23. Selector configuration options
Key	Values	Default value	Description
Name*	It is a mandatory value. It can be defined in free text.		The name of the parameter can be referenced.
Type*	Choose the selector type from the drop-down list. For more details on the values, see Extractor types.		Extractors are used to extract data from the call. They are utilized by Selector (and Matcher as well). Extractors are included by their type in Selectors, and are used by a special syntax in matchers. For details, see Extractors and Extractor types.
Save As	The key under which the results of a selector are saved in the Insight plugin’s dictionary.	Top	If it is omitted, the result will be directly merged as top level keys. Name the configuration components with the usage of the English alphabet and numerals. When the name is composed of more than one word, use underscore. It is not allowed to use spacing or any special characters though.

Depending on what value is selected for the Type parameter, additional parameters might appear for configuration. The following table provides details on these additional parameters.

Table 24. Additional Selector configuration options
Key	Values	Default value	Description
Clear Text	It can be switched On or Off.
Namespaces	It defines the XML namespaces.
XPath Expression			The expression to extract the node from the call to match against.
Jmespath Expression			A complete explanation on how to write JMESPath expressions is not in the scope of this document. To learn more about it visit the: main website: There is a tutorial. There are examples. There is also a formal specification.
Expression*			A regular expression specifies a set of strings that match it.
Time Format	'YYYY-MM-DDTHH:mm:ss.SSSSSSZZ'	Set the format. See: Timestamp format options
Time Zone		UTC	It is the name of the time zone, or the time zone offset. The time zone can be specified by using the name, for example, "Europe/Budapest", or as the time zone offset in +/-HH:MM format, for example, +01:00).
Source Plugin	Fraud Detector Plugins can be referenced here by selecting them from the drop-down list.	Last: In case there are more Fraud Detector plugins defined in the Security Flow, by using this default value, the selector will use the score value provided for the last run Fraud Detector plugin.	This parameter defines which Fraud Detector plugin shall be used in case there are more than one defined.

Name the Selector key.
Fill in any more desired parameters.
Click the Validate button to check if the defined parameters are suitable and adequate for configuring the component. If the configuration of the component is erroneous or not adequate, the Web UI provides a warning that the 'Component validation failed'. Also a warning with information on the missing details appears at the problematic field for the user. If the configuration of the component is satisfactory, after clicking the Validate button, the user receives the 'Component Validation successful' notification.
Click the Save button if you have configured all the required parameters.

6.4.4. Insight Target

Insight Target bricks define where the data collected by the Insight will be sent to.

The Insight Target configuration tree contains named Insight Targets with their respective configuration.

Unlike other bricks, Insight Target configurations cannot be put inline into a Plugin’s configuration, they must always be configured here.

See the Insight Target configuration options for the available Insight Target types and their configuration options.

6.4.4.1. Data flattening

To ensure compatibility with a wide range of Insight Target types, the results collected by the Insight plugin are flattened. The path inside the complex data structure is encoded into the key for each value:

The merged key describes the path to the value in the data structure as a string.
The parts of the path will be separated by a forward slash character ("/").
Keys in nested dictionaries are added to the path by name.
List items are added to the path by their index.

You can control the separator with the Flatten separator configuration key that every Insight Target accepts.

6.4.4.2. Configuring Insight Targets

The Insight Target can be configured from the BRICKS main navigation item.

Click on the BRICKS main configuration item in the Left navigation area. Alternatively you can also click on the sign to open up the sub-navigation items of BRICKS.
Select Insight Target.

Figure 35. Insight Target main page in the Web User Interface

Click on the New navigation button to configure the Insight Target.

Figure 36. Configuring Insight Target in the Web User Interface

The Insight Target accepts the following configuration options:

Table 25. *Insight Target* configuration options
Key	Values	Default value	Description
Name*	It is a mandatory value. It can be defined in free text.		It is the name identifying the Insight Target. This name of the Insight Target can be referenced from other parts of the configuration.
Type*	It is a mandatory value. The values can be selected from the drop-down list. The available values are: Local log Syslog Elastic		Local log: It logs the result of the insight in the local system log. For more details on configuration settings with Local log, see Local log Insight Target configuration parameters. Syslog: It sends the insight to a remote syslog server using the IETF syslog protocol defined in RFC5424. For more details on configuration settings with syslog, see table Syslog Insight Target configuration parameters. Elastic: It sends the insight to an Elasticsearch engine in JSON. For more details on configuration settings with syslog, see Elastic Insight Target configuration parameters.
Flatten	This parameter can be switched 'on' or 'off'.	On (True)	Flatten the Insight Target message.
Flatten Separator		/	It is the separator in the flattened message.
Level		3	It is the log level for the logged message.
Tag	The value can be selected from a drop-down list.	info	It is the log tag for the logged message.
Message		It is the message of the insight if present, otherwise it is empty.	It is the message part of the log message.

Provide the name for your Insight Target configuration.
Select the Insight Target type.
Continue with the Syslog, Elastic and Local log configurations with the help of the following tables: Syslog Insight Target configuration parameters, Elastic Insight Target configuration parameters and Local log Insight Target configuration parameters.

The following table presents the configuration parameters for the Local log Insight Target type:

Table 26. Local log *Insight Target* configuration parameters
Key	Values	Default value	Description
Flatten	This parameter can be switched 'on' or 'off'.	On (True)	Flatten the Insight Target message.
Flatten separator		/	It is the separator in the flattened message.
Level		3	It provides the log level for the logged message.
Tag		info	It is the log tag for the logged message.
Message		The message of the insight if present, otherwise it is empty.	It is the message part of the log message.

The following table presents the configuration parameters for the syslog Insight Target type:

Table 27. Syslog *Insight Target* configuration parameters
Key	Values	Default value	Description
Flatten		True	It flattens the Insight Target message.
Flatten Separator		/	It is the separator in the flattened message.
Remote Connection	Host: Mandatory value. Port: The available values are integers. Protocol: The available values are: TCP and UDP. IP Protocol: The available values are: 4 and 6, corresponding to IPv4 and IPv6. Use TLS: The available values are True or False. Syslog TLS: Select the Syslog TLS* brick you want to use for the Insight Target.	Protocol: TCP, Port: 601 (6514 if Use TLS is True.) Protocol: UDP, Port: 514 IP Protocol: 4 Use TLS: False	Host: The hostname or the IP address of the syslog server. Port: Add the port number here to connect to the remote system. Protocol: Add the transport protocol to send messages over. The available values are: TCP and UDP. IP Protocol: The internet protocol version of the given driver. Use TLS: It enables using TLS for the Syslog communication. Syslog TLS: It is mandatory if the Use TLS* option is set to True.
Flush Lines			It specifies how many lines are flushed to a destination at a time. The Insights Director waits for this number of lines to accumulate and sends them off in a single batch. Increasing this number increases the throughput, as more messages are sent in a single batch, but also increases the message latency.
Data Format	The possible values are: SData, JSON.	SData	This is the data format of the insight.
Second Fraction Digits	Integer between 0 and 6 inclusive	3	The number of digits representing the fractions of seconds in the Syslog timestamp.
Time Zone	See table Time zones for time zone names.	GMT	The name of the time zone (for example, "Europe/Budapest") or the time zone offset in +/-HH:MM format (for example, +01:00).
Report Config Load		False	It reports the event of a configuration being loaded with a cryptographic hash of the loaded configuration. This informs the Insight Target about changes in the configuration.
Mask Credit Card Numbers		False	It masks the middle section of recognised credit card numbers in any fields of the log message. Recognised credit cards are from one of the following issuers: American Express, Discover Card, Mastercard, VISA.
Enable Heartbeat		False	It enables sending heartbeat (-- MARK --) messages to the Insight Target.
Heartbeat	Frequency: A number greater than or equal to 1. Mode: The possible values are: 'idle' (heartbeat messages are only sent when there is no traffic towards the Insight Target) and 'periodical' (heartbeat messages are sent regardless of activity).	Frequency: 30 Mode: 'periodical'	Frequency: The number of seconds between heartbeat messages. Mode: The operation mode of the heartbeat functionality.

The following table presents the configuration parameters for the Elastic Insight Target type:

Table 28. Elastic *Insight Target* configuration parameters
Key	Values	Default value	Description
Flatten		True	It flattens the Insight Target message.
Flatten Separator		/	It is the separator in the flattened message.
Remote Connection			Settings related to the remote connection.
Username*			The username to authenticate with on the servers.
Password*			The password to authenticate with on the servers.
Servers*	It is a mandatory value. There are two values to be configured: Host: The hostname or IP address of the Elasticsearch instance. Port: The port on host* to connect to. Defaults to 9200. (Add the values by clicking the '+' sign.)		The list of Elasticsearch servers. Messages will be load balanced between servers if multiple servers are given.
Index*			It is the name of the index in the Elasticsearch instance.
Use TLS		False	Enables using TLS in the connection towards the Elastic servers.
Elastic TLS*	Reference to a File Brick of type Elastic TLS.		The TLS configuration towards the Elastic servers. Mandatory if Use TLS is set to True.
Workers		4	The number of workers to use for communicating with the Elasticsearch servers. Should at least equal the number of servers.
Mask Credit Card Numbers		False	It masks the middle section of recognised credit card numbers in any fields of the log message. Recognised credit cards are from one of the following issuers: American Express, Discover Card, Mastercard, VISA.

Configure any more desired parameter details.
Click the Validate button to check if the defined parameters are suitable and adequate for configuring the component. If the configuration of the component is erroneous or not adequate, the Web UI provides a warning that the 'Component validation failed'. Also a warning with information on the missing details appears at the problematic field for the user. If the configuration of the component is satisfactory, after clicking the Validate button, the user receives the 'Component Validation successful' notification.
Click Save to save your configuration settings for the Insight Target.

6.4.5. TLS

Transport Layer Security (TLS) is the cryptographic protocol that secures HTTPS communications. PAS can apply TLS encryption both when communicating with Clients and Backends. TLS encryption can also be used with Syslog and Elastic Insight Targets.

When HTTPS is used the TLS settings must be configured.

These parameters are used by the Insight Director and the Transport Director. For options that reference a file the path is relative to /opt/balasys/var/persistent/ inside the Transport Director container. This directory is a docker volume and by default mounted from the /opt/balasys/var/persistent/transport-director directory in the host system.

6.4.5.1. Configuring the TLS

TLS can be configured from the BRICKS main navigation item.

Click on the BRICKS main configuration item in the Left navigation area. Alternatively you can also click on the sign to open up the sub-navigation items of BRICKS.
Select TLS.

Figure 37. TLS main page in the Web User Interface

Click on the New navigation button to configure TLS.

TLS contains the following settings:

Figure 38. Configuring TLS in the Web User Interface

The configuration of the first two parameters determines the TLS type and from these two steps on, it is either a Backend TLS configuration, a Client TLS configuration, a Syslog TLS configuration or an Elastic TLS configuration.

6.4.5.1.1. Configuring the Client TLS

The following parameters need to be configured for Client TLS:

Configuring TLS in the Web User Interface TLS options

Figure 39. Configuring Client TLS in the Web User Interface, TLS options

Configuring TLS in the Web User Interface Certificate options

Figure 40. Configuring Client TLS in the Web User Interface, Certificate options

Name the Client TLS configuration.
Select the Type of the TLS, Client TLS in this case, from the drop-down list to configure TLS.

For details on these parameters, see the following table:

Table 29. TLS configuration
Key	Values	Default value	Description
Name*	Mandatory value. Can be defined in free text.		The name of the parameter can be referenced.
Type*	Mandatory value. Choose the required value from the drop-down list.		Client TLS, Backend TLS, Syslog TLS and Elastic TLS configurations can be defined here.

Configure the mandatory parameters for Client TLS, based on the information provided in Table Client TLS configuration.

Table 30. Client TLS configuration
Key	Values	Default value	Description
Certificate			Configuration for the X.509 certificate used for TLS connections on the listener.
Certificate File*	Reference to a File Brick of type Server Certificate.		The certificate to be presented to clients.
Key File*	Reference to a File Brick of type TLS Key.		The private key corresponding to the certificate file.
Options			TLS protocol options used on the listener.
Ciphers		ECDHE-ECDSA-AES128-GCM-SHA256: ECDHE-RSA-AES128-GCM-SHA256: ECDHE-ECDSA-AES256-GCM-SHA384: ECDHE-RSA-AES256-GCM-SHA384: ECDHE-ECDSA-CHACHA20-POLY1305: ECDHE-RSA-CHACHA20-POLY1305: DHE-RSA-AES128-GCM-SHA256: DHE-RSA-AES256-GCM-SHA384	Specifies the allowed ciphers. Can be set to all, high, medium, low, or a string representation of the selected ciphers.
Minimum TLS Version	Select one of the following options in the drop-down menu: TLS v1.0 TLS v1.1 TLS v1.2 TLS v1.3	TLS v1.2	It defines the minimum version of TLS. Minimum TLS version must be less than or equal to the maximum TLS version.
Maximum TLS Version	Select one of the following options in the drop-down menu: TLS v1.0 TLS v1.1 TLS v1.2 TLS v1.3	TLS v1.3	It defines the maximum version of TLS. Maximum TLS version must be greater than or equal to the minimum TLS version.
Timeout		300	It drops idle connection if the timeout value (in seconds) expires.
Enable Session Cache	The parameter can be switched on or off.	Off (false)	Store session information in the session cache. Set this option to 'On' to enable TLS session reuse.
Session Cache Size		20480	It defines the number of sessions stored in the session cache for TLS session reuse.
Disable Ticket	The parameter can be switched on or off.	Off (false)	Session tickets are a method for TLS session reuse, described in RFC 5077. Set this option to 'On' to disable TLS session reuse using session tickets.
Cipher Server Preference	The parameter can be switched on or switched off.	On (true)	Use server and not client preference order when determining which cipher suite, signature algorithm or elliptic curve to use for an incoming connection.
Disable Renegotiation	The parameter can be switched on or off.	On (true)	Set this parameter On to disable client-initiated renegotiation.
Diffie-Hellman Parameters File	Reference to a File Brick of type Diffie-Hellman Parameters.		Contains the Diffie-Hellman parameters to be used by the TLS connection.
Prioritize ChaCha20-Poly1305	The parameter can be switched on or off.	Off (False)	Set this parameter On to prioritize using the ChaCha20-Poly1305 encryption.
Enable Verification		Off (False)	It is an option for verifying client side X.509 certificates. By default no client verification takes place.
Client Verification			Client verification options
Trusted Certs	You can upload trusted certificates in a ZIP file.		This is a Certificate File element from among the Brick components.
Required	The parameter can be switched on or off.	On (true)	If it is set to True, PAS requires a certificate from the peer.
Trust Level	The values can be selected from the drop-down list. The available values are: none untrusted full	full	It defines the trust level for certificate verification: none: Accept even invalid certificates, for example self-signed certificates. untrusted: Both trusted and untrusted certificates are accepted. full: Only valid certificates signed by a trusted CA are accepted.
Verify Depth		4	It defines the length of the longest accepted CA verification chain. PAS will automatically reject longer CA chains.
CA Directory	You can upload the trusted CAs in a ZIP file.		This is a Certificate File element from among the Brick components.
Verify CRL	The parameter can be switched on or off.	Off (false)	If it is set to True, PAS checks the CRLs (Certificate Revocation Lists) associated with trusted CAs. CRLs will load automatically if PAS verifies the certificate of the peer.
Intermediate Revocation Check Type	The values can be selected from the drop-down list. The available values are: none soft_fail hard_fail	hard_fail	The revocation check type for all certificates in the chain, except the Leaf Certificate: none: Ignore the result certificate revocation status check soft_fail: It fails if the check is successful and the certificate is revoked, it will pass otherwise hard_fail: It passes only if the check is successful and the certificate is not revoked
Leaf Revocation Check Type	The values can be selected from the drop-down list. The available values are: none soft_fail hard_fail	hard_fail	The revocation check types for the Leaf certificate are as follows: none: With this option the result of the certificate revocation status check is ignored soft_fail: It fails if the check is successful and the certificate is revoked, it passes otherwise hard_fail: It passes only if the check is successful and the certificate is not revoked

Click the Validate button to check if the defined parameters are suitable and adequate for configuring the component. If the configuration of the component is erroneous or not adequate, the Web UI provides a warning that the 'Component validation failed'. Also a warning with information on the missing details appears at the problematic field for the user. If the configuration of the component is satisfactory, after clicking the Validate button, the user receives the 'Component Validation successful' notification.
Save the Client TLS configuration by clicking Save.

6.4.5.1.2. Configuring Backend TLS

The following parameters need to be configured for Backend TLS:

Figure 41. Configuring Backend TLS in the Web User Interface, TLS options

Figure 42. Configuring Backend TLS in the Web User Interface, Certificate options

Name the Backend TLS configuration.
Select Backend TLS from the drop-down list to configure Backend TLS.

For details on these parameters, see the following table:

Table 31. TLS configuration
Key	Values	Default value	Description
Name*	Mandatory value. Can be defined in free text.		The name of the parameter can be referenced.
Type*	Mandatory value. Choose the required value from the drop-down list.		Client TLS, Backend TLS, Syslog TLS and Elastic TLS configurations can be defined here.

Configure the mandatory parameters for Backend TLS, based on the information provided in Table Backend TLS configuration.

The configuration parameters are described in details in the following table:

Table 32. Backend TLS configuration
Key	Values	Default value	Description
Enable Certificate		Off/False	It is an option for enabling backend side X.509 certificates. By default no backend verification takes place.
Certificate			Configuration for the X.509 certificate used for TLS connections on the listener.
Certificate File*	Reference to a File Brick of type Client Certificate.		The certificate to be presented to the backend.
Key File*	Reference to a File Brick of type TLS Key.		The private key corresponding to the certificate file.
Options			TLS protocol options used on the listener.
Ciphers		ECDHE-ECDSA-AES128-GCM-SHA256: ECDHE-RSA-AES128-GCM-SHA256: ECDHE-ECDSA-AES256-GCM-SHA384: ECDHE-RSA-AES256-GCM-SHA384: ECDHE-ECDSA-CHACHA20-POLY1305: ECDHE-RSA-CHACHA20-POLY1305: DHE-RSA-AES128-GCM-SHA256: DHE-RSA-AES256-GCM-SHA384	Specifies the allowed ciphers. Can be set to all, high, medium, low, or a string representation of the selected ciphers.
Minimum TLS Version	Select one of the following options in the drop-down menu: TLS v1.0 TLS v1.1 TLS v1.2 TLS v1.3	TLS v1.2	It defines the minimum version of TLS. Minimum TLS version must be less than or equal to the maximum TLS version.
Maximum TLS Version	Select one of the following options in the drop-down menu: TLS v1.0 TLS v1.1 TLS v1.2 TLS v1.3	TLS v1.3	It defines the maximum version of TLS. Maximum TLS version must be greater than or equal to the minimum TLS version.
Timeout		300	It drops idle connection if the timeout value (in seconds) expires.
Enable Session Cache	The parameter can be switched on or off.	Off (false)	Store session information in the session cache. Set this option to 'On' to enable TLS session reuse.
Session Cache Size		20480	It defines the number of sessions stored in the session cache for TLS session reuse.
Disable Ticket	The parameter can be switched on or off.	Off (false)	Session tickets are a method for TLS session reuse, described in RFC 5077. Set this option to 'On' to disable TLS session reuse using session tickets.
Enable Verification		Off/False	It is an option for verifying Backend side X.509 certificates. By default no backend verification takes place.
Backend verification			Backend verification options
Trusted Certs	You can upload trusted certificates in a ZIP file.		A directory where trusted IP addresses-certificate assignments are stored. When a peer from a specific IP address shows the certificate stored in this directory, it is accepted regardless of its expiration or issuer CA. Each file in the directory should contain a certificate in PEM format. The filename must be the IP address.
Trust Level	The values can be selected from the drop-down list. The available values are: none untrusted full	full	It defines the trust level for certificate verification: none: Accept even invalid certificates, for example self-signed certificates. untrusted: Both trusted and untrusted certificates are accepted. full: Only valid certificates signed by a trusted CA are accepted.
Verify Depth		4	It defines the length of the longest accepted CA verification chain. PAS will automatically reject longer CA chains.
CA Directory	You can upload the trusted CAs in a ZIP file.		It is a directory where the trusted CA certificates are stored. CA certificates are loaded on-demand from this directory when PAS verifies the certificate of the peer.
Verify CRL	The parameter can be switched on or off.	Off (false)	If it is set to True PAS checks the CRLs (Certificate Revocation Lists) associated with trusted CAs. CRLs will load automatically if PAS verifies the certificate of the peer.
Check Subject	The parameter can be switched on or off.	Off (false)	If it is set to, PAS compares the subject of the server-side certificate with application-layer information (for example, it checks whether the Subject matches the hostname in the URL).
Intermediate Revocation Check Type	The values can be selected from the drop-down list. The available values are: none soft_fail hard_fail	soft_fail	The revocation check types for all certificates in the chain, except for the Leaf Certificate are as follows: none: If this options is set, the certificate revocation status check results are ignored soft_fail: If this option is set, the certificate revocation check fails, if the check is successful and the certificate is revoked. The check passes otherwise. hard_fail: If this option is set, the check passes only if the check is successful, and the certificate is not revoked.
Leaf Revocation Check Type	The values can be selected from the drop-down list. The available values are: none soft_fail hard_fail	soft_fail	The revocation check type for the Leaf Certificate. none: The result of the Certificate Revocation Status Check is ignored. soft_fail: If this option is set, the certificate revocation check fails, if the check is successful and the certificate is revoked. The check passes otherwise. hard_fail: If this option is set, the check passes only if the check is successful, and the certificate is not revoked.

Click the Validate button to check if the defined parameters are suitable and adequate for configuring the component. If the configuration of the component is erroneous or not adequate, the Web UI provides a warning that the 'Component validation failed'. Also a warning with information on the missing details appears at the problematic field for the user. If the configuration of the component is satisfactory, after clicking the Validate button, the user receives the 'Component Validation successful' notification.
Click the Save button if you have configured all the required parameters.

6.4.5.1.3. Revocation checks for certificates

PAS tries to complete both CRL and OCSP-stapling checks for certificates.

The result for a certificate, according to the revocation check types is as follows:

Table 33. Certificate revocation checks
CRL check	OCSP stapling check	Soft fail result	Hard fail result
PASS	PASS	PASS	PASS
PASS	unsuccessful	PASS	PASS
unsuccessful	PASS	PASS	PASS
unsuccessful	unsuccessful	PASS	FAIL
PASS	FAIL	FAIL	FAIL
FAIL	PASS	FAIL	FAIL
unsuccessful	FAIL	FAIL	FAIL
FAIL	unsuccessful	FAIL	FAIL
FAIL	FAIL	FAIL	FAIL

6.4.5.1.4. Configuring Syslog TLS

The following parameters need to be configured for Syslog TLS:

Figure 43. Configuring Syslog TLS in the Web User Interface

Name the Syslog TLS configuration.
Select the Type of the TLS, Syslog TLS in this case, from the drop-down list to configure TLS.

For details on these parameters, see the following table:

Table 34. TLS configuration
Key	Values	Default value	Description
Name*	Mandatory value. Can be defined in free text.		The name of the parameter can be referenced.
Type*	Mandatory value. Choose the required value from the drop-down list.		Client TLS, Backend TLS, Syslog TLS and Elastic TLS configurations can be defined here.

Configure the mandatory parameters for Syslog TLS, based on the information provided in Table Syslog TLS configuration.

Table 35. Syslog TLS configuration
Key	Values	Default value	Description
Enable Client TLS Authentication		Off (false)	Option for enabling TLS authentication towards the server.
Client TLS Authentication			Configuration for the X.509 certificate used for TLS connections on the Insight Target.
Certificate File*	Reference to a File Brick of type Client Certificate.		The certificate to be used for the connection.
Key File*	Reference to a File Brick of type TLS Key.		The private key corresponding to the certificate file. The private key file must not be encrypted.
Options			TLS protocol options used on the Syslog Insight target.
Ciphers	Colon-separated list of ciphers from the list supported by OpenSSL 3.0.2.	ECDH+AESGCM: DH+AESGCM:ECDH+AES256: DH+AES256:ECDH+AES128: DH+AES:!aNULL:!MD5: !DSS!aNULL: !MD5: !DSS	Specifies the allowed ciphers.
Disable TLS v1.2	Can be switched on or off. If it is set ON it does not allow using TLSv1.2 in the connection.	Off (false)	Disables the usage of TLSv1.2 in the connection.
Disable TLS v1.3	Can be switched on or off. If it is set ON it does not allow using TLSv1.3 in the connection.	Off (false)	Disables the usage of TLSv1.3 in the connection.
ECDH Curve List	Add the names of one or more ECDH curves. The possible values are the ones supported by OpenSSL 3.0.2.	empty list	A list of curves permitted in the connection when using Elliptic Curve Cryptography (ECC).
Peer Verify	Select one of the following options in the drop-down menu: optional-trusted, optional-untrusted, required-trusted, required-untrusted	required-trusted	Defines the verification method of the peer. The four possible values are a combination of two properties of validation: whether the peer is required to provide a certificate (required or optional prefix), and whether the certificate provided needs to be valid (trusted or untrusted suffix).
Diffie-Hellman Parameters File	Reference to a File Brick of type Diffie-Hellman Parameters.		Contains the Diffie-Hellman parameters to be used by the TLS connection.
Enable Verification		Off (false)	Option for enabling the verification of server side X.509 certificates.
Server Verification*			Server verification options are mandatory if Enable Verification is set to True.
CA Directory	Select the CA File brick representing your CA directory.		CA directory containing the trusted CA and CRL files.
Verify CRL		Off (false)	Verifies that certificates used in the connection are not revoked by any CRLs in the CA directory.

Click the Validate button to check if the defined parameters are suitable and adequate for configuring the component. If the configuration of the component is erroneous or not adequate, the Web UI provides a warning that the 'Component validation failed'. Also a warning with information on the missing details appears at the problematic field for the user. If the configuration of the component is satisfactory, after clicking the Validate button, the user receives the 'Component Validation successful' notification.
Save the Syslog TLS configuration by clicking Save.

6.4.5.1.5. Configuring Elastic TLS

The following parameters need to be configured for Elastic TLS:

Figure 44. Configuring Elastic TLS in the Web User Interface

Name the Elastic TLS configuration.
Select the Type of the TLS brick, Elastic TLS in this case, from the drop-down list to configure the encryption used with the Elastic server.

For details on these parameters, see the following table:

Table 36. TLS configuration
Key	Values	Default value	Description
Name*	Mandatory value. Can be defined in free text.		The name of the parameter can be referenced.
Type*	Mandatory value. Choose the required value from the drop-down list.		Client TLS, Backend TLS, Syslog TLS and Elastic TLS configurations can be defined here.

Configure the mandatory parameters for Elastic TLS, based on the information provided in Table Elastic TLS configuration.

Table 37. Elastic TLS configuration
Key	Values	Default value	Description
Enable Client TLS Authentication		Off (false)	Option for enabling TLS authentication towards the server.
Client TLS Authentication			Configuration for the X.509 certificate used for TLS connections on the Insight Target.
Certificate File*	Reference to a File Brick of type Client Certificate.		The certificate to be used for the connection.
Key File*	Reference to a File Brick of type TLS Key.		The private key corresponding to the certificate file. The private key file must not be encrypted.
Options			TLS protocol options used on the Elastic Insight target.
Ciphers	Colon-separated list of ciphers from the list supported by OpenSSL 3.0.2.	ECDH+AESGCM: DH+AESGCM:ECDH+AES256: DH+AES256:ECDH+AES128: DH+AES:!aNULL:!MD5: !DSS!aNULL: !MD5: !DSS	Specifies the allowed ciphers.
TLS Version	Select one of the following options in the drop-down menu: TLS v1.0 TLS v1.1 TLS v1.2 TLS v1.3	TLS v1.2	Defines the TLS version used in the connection.
Peer Verify		On (true)	Defines whether the peer is verified. If set to true, the peer is required to provide a certificate, and the certificate provided needs to be valid.
Enable Verification		Off (false)	Option for enabling the verification of the X.509 certificate presented by the Elastic server.
CA Directory	Select the CA File brick representing your CA directory.		CA directory containing the trusted CA and CRL files.

Click the Validate button to check if the defined parameters are suitable and adequate for configuring the component. If the configuration of the component is erroneous or not adequate, the Web UI provides a warning that the 'Component validation failed'. Also a warning with information on the missing details appears at the problematic field for the user. If the configuration of the component is satisfactory, after clicking the Validate button, the user receives the 'Component Validation successful' notification.
Save the Elastic TLS configuration by clicking Save.

6.4.6. File

The File configuration element enables the administrator to upload files used by various plugins.

6.4.6.1. Configuring File

File can be configured from the BRICKS main navigation item.

Click on the BRICKS main configuration item in the Left navigation area. Alternatively you can also click on the sign to open up the sub-navigation items of BRICKS.
Select File.

Figure 45. File main page in the Web User Interface

Click on the New navigation button to configure File.

File contains the following settings:

Figure 46. Configuring File in the Web User Interface

File has the following configuration parameters:

Table 38. File configuration parameters
Key	Values	Description
Name*	It is a mandatory value. The name can be provided in free text.	It defines the file-related configuration.
Type*	It is a mandatory value. The available values are: Swagger OpenAPI 3.0 OpenAPI 3.1 XSD WSDL CA Certificates Diffie-Hellman Parameters TLS Key Client Certificate Server Certificate See table Requirements for specific file types for specific requirements for each type.	The type selected here defines by which PLUGINS it can be used. The file uploaded here with the Type Swagger, for example, can be used by Swagger Plugins.
File*	It is a mandatory value. The required file can be uploaded here.
Passphrase	String value, could be empty.	Only available for TLS Key files. The passphrase to access an encrypted private key. Leave empty if the private key is unencrypted.

Click the Validate button to check if the defined parameters are suitable and adequate for configuring the component. If the configuration of the component is erroneous or not adequate, the Web UI provides a warning that the 'Component validation failed'. Also a warning with information on the missing details appears at the problematic field for the user. If the configuration of the component is satisfactory, after clicking the Validate button, the user receives the 'Component Validation successful' notification.
Save the configuration by clicking the Save button.

Table 39. Requirements for specific file types
File type	Requirements
CA	The file must be a flat ZIP file with the CA certificates inside. It can contain copies of the certificates named following the `<hash>.0` format. The value of the `<hash>` part can be produced with the following command: `openssl x509 -noout -hash -in /path/to/cert/file`. These copies will be generated automatically after saving if they are not present already, and the original File brick will be overwritten. It can contain CRL files, and it also can contain the copies of them following the `<hash_of_the_related_ca_file>.r0` format. The hash can be produced as described above. These copies will be generated automatically after saving if they are not present already, and the original File brick will be overwritten.
Certificates	The file must be a flat ZIP file with the certificates inside. The certificates must be named after IPv4 or IPv6 addresses.
Diffie-Hellman Parameters	Must be in PEM format. Must be a parameters file, such as one generated by the `openssl dhparam` utility.
TLS Key	Must be in PEM format. Must be a private key file. Could be encrypted or unencrypted. If the file is encrypted, the passphrase must be provided in the Passphrase field.
Client Certificate	Must be in PEM format. Must be a certificate file. Must have a Common Name attribute, and have the CLIENT_AUTH ExtendedKeyUsage.
Server Certificate	Must be in PEM format. Must be a certificate file. Must have a Common Name attribute, and have the SERVER_AUTH ExtendedKeyUsage.
Swagger	The file must be a Swagger schema as described in the OpenAPI 2.0 specification.
OpenAPI 3.0	The file must be an OpenAPI 3.0 schema as described in the OpenAPI 3.0 specification.
OpenAPI 3.1	The file must be an OpenAPI 3.1 schema as described in the OpenAPI 3.1 specification.
XSD	The file must be an XML Schema Definition as described in XML Schema Part 1: Structures, XML Schema Part 2: Datatypes, XSD 1.1 Part 1: Structures and XSD 1.1 Part 2: Datatypes.
WSDL	The file must be a WSDL service descriptor as described in the Web Services Description Language 1.1 specification.

File editor

Files in certain File brick types are editable when configuring the File brick. A File editor is available for the following types:

Swagger
OpenAPI 3.0
OpenAPI 3.1

The uploaded file can be opened and edited by clicking the Edit button. The contents of the file open inside a new window, with the Edit tab selected:

The editor can be closed without saving any changes to the file with the Close button. The changes are saved and the editor is closed with the Save button.

The Overview tab shows errors if there are any, and the structure of the schema that the file describes:

6.4.7. Common configuration elements for BRICKS

6.4.7.1. Extractors

Extractors are used to extract data from the call.

Extractors are not independent configuration components, but common configuration elements that are utilized by Matchers and Selectors. In fact, when configuring matchers and selectors, it is extractors that are listed at their type fields. Extractors are configured and used as part of matchers and selectors. There are no named extractors.

Most extractors return simple string values. However, some (might) return dictionaries. For example, you can get all the HTTP headers, or all the URI query parameters.

See the Extractor types for more details on extractors and their configuration options.

The following table provides details on extractor types:

Key Description

Method

It extracts the HTTP method of the request. It does not require configuration.

Status

It extracts the status code of the response. It does not require configuration.

JMESPath

It extracts data from the body of a JSON call with the help of a JMESPath expression.

JMESPath is a query language for JSON. It is a very versatile tool for extracting the needed information from the body of the call, and organizing it according to requirements. A complete explanation on how to write JMESPath expressions is not in the scope of this document.

To learn more about it visit the: main website:

There is a tutorial.
There are examples.
There is also a formal specification.

Header

It extracts the value of an HTTP header. It is valid for some HTTP headers to be present more than once in a call. In this case, all the values are extracted as a list. It provides the name of the header in the configuration.

Header Force List

Is a Header extractor that returns a list even if there is only a single extracted value.

Header First

Is a Header extractor that only returns the first extracted value even if there is a list of extracted values.

Headers

The Headers extractor returns all the headers from the call. The results are stored as a dictionary, therefore it is recommended to omit the 'save as' key if you use this from a selector. It is valid for some HTTP headers to be present more than once in a call. In such cases all the values are stored under the header’s key as a list. It does not require configuration.

Fraud Detector Score

It extracts the score value provided by the Fraud Detector plugin.

URI

It extracts the whole request URI as received from the client. It does not require configuration.

URI Netloc

It extracts the network location in the URI. It does not require configuration.

It includes:

username and password if present
host
port if present unless scheme default

URI Origin

It extracts the origin part of the URI. It does not require configuration.

It includes:

scheme
host
port if present, unless the default port for the scheme is used

URI Scheme

It extracts the scheme of the request (http or https). It does not require configuration.

URI Username

It extracts the username in the request if present. It does not require configuration.

URI Password

It extracts the password in the request if present. It does not require configuration.

URI Host

It extracts the host in the request. It does not require configuration.

URI Port

It extracts the port of the request, the default port — that is 80 and 443 for HTTP and HTTPS, respectively — even if it is not not displayed explicitly in the request. It does not require configuration.

URI Path

It extracts the path part of the URI. It does not require configuration.

The path is normalized to allow more robust matching and cleaner reporting. This means that:

If the path is missing / it is extracted.
Repeating forward-slash (/) characters are replaced with a single one.
dot (.) and double-dot (..) path segments are resolved.

Consequently, if the path present in the URI was //some/./nothere/../resource///./somewhere the path would be /some/resource/somewhere.

If you need to extract the path exactly as received, use URI raw path parameter.

URI Raw Path

It extracts the path part of the URI, without the normalization of URI path carried out.

NOTE: If the path is missing a single forward slash ("/") is extracted.

It does not require configuration.

URI Raw Query

It extracts the query part of the URI as a string. It does not require configuration.

URI Query

It extracts the query part of the URI. It does not require configuration.

URI Query Param

It extracts the value of a query parameter. It is also valid for URIs to include a query parameter more than once. That is, it could be 'foo=bar&qux=quz&foo=baz'. In this case both values are extracted as a list. Provide the name of the parameter in the configuration.

URI Query Param Force List

Is an URI Query Param extractor that returns a list even if there is only a single extracted value.

URI Query Param First

Is an URI Query Param extractor that only returns the first extracted value even if there is a list of extracted values.

Client Address

It extracts the client’s IP address.

Client Port

It extracts the client’s port (TCP).

Server Address

It extracts the server’s IP address.

Server Port

It extracts the server’s port (TCP).

Parsed Content

It extracts the content. It does not require configuration.

Raw Content

It extracts the raw bytes of the request or response. It saves the results as a base64 encoded string.

Text Content

It extracts the request’s or response’s content as a decoded string.

Cookie

It extracts the values for a given key from the Cookie HTTP header. It is valid for multiple key-value pairs to be present in a Cookie header for the same key. In this case, all the values are extracted as a list. It requires the name of the Cookie key in the configuration.

Cookie Force List

Is a Cookie extractor that returns a list even if there is only a single extracted value.

Cookie First

Is a Cookie extractor that only returns the first extracted value even if there is a list of extracted values.

Cookies

The Cookies extractor returns all the key-value pairs from the Cookie header. The results are stored as a dictionary, therefore it is recommended to omit the 'save as' key if you use this from a selector. It is valid for multiple key-value pairs to be present in a Cookie header for the same key. In such cases, all the values are stored under the Cookie’s key as a list. It does not require configuration.

Content Type

It extracts the content type from the HTTP header. It does not require configuration.

Content Type Charset

It extracts the charset from the content type HTTP header. It does not require configuration.

Call Direction

It extracts the call direction (request, response). It does not require configuration.

Session Id

It extracts the internal identifier of the HTTP session in keep-alive HTTP connections. Its 'Include request counter' option enables adding a request counter representing the number of requests in the session.

Backend Response Time

Extracts the time spent between the sending the request towards the server and receiving the response from the server, in milliseconds. Only returns a value in a response flow.

Static

It extracts a string, integer, number, object, array, boolean as string from the configuration.

Timestamp

It extracts the current time. Also see the tables on Configuring timestamps and Timestamp format options.

XPath

It extracts data from the body of an XML call with the help of a XPath expression.

XPath is a query language for XML. It is a very versatile tool for extracting the needed information from the body of the call, and organizing it according to needs.

A complete explanation on how to write XPath expressions is not in the scope of this document. To learn more about it visit the main website.

Also see table XPath extractor configuration options.

Provide the XPath expression in the configuration. Depending on the expression, the return value is a single node or a list of nodes. If you want a single value or a list independent from the expression, use XPath First or XPath Force List.

XPath Force List

It works like XPath but it returns a list even if there is only a single extracted value.

XPath First

It works like XPath but it only returns the first extracted value even if there is a list of extracted values.

SOAP Version