Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

Guide That Contains This Content
[+] Expand All
[-] Collapse All

    Using the SSL Private Server Key to Enable Inspection of SSL Traffic

    To inspect the HTTP payload of HTTPS traffic, the IDP Series device must first decrypt the session. Your security policy can examine both the SSL session and the HTTP payload.

    The IDP Series solution supports SSL inspection in two ways:

    • Using server private keys. Use this method when inspecting traffic to internal servers where you have access to the server private key.
    • Using the SSL forward proxy feature. Use this method when the server private key method is not practical (for example, for traffic to servers on the WWW).

    Note: If you enable both methods, the IDP Series device performs SSL inspection using the SSL forward proxy method and does not use the server private keys.

    The following procedure provides the basic steps you take to implement inspection using the SSL server private keys.

    To use the SSL private server key to enable inspection of SSL traffic:

    1. Log into the CLI as admin and enter su - to switch to root.
    2. Add the private keys for known destination servers to the IDP Series device keystore:

      1. Use SCP or FTP to copy your SSL server private key file to the IDP Series device. The IDP Series device does not run an FTP server, so you have to initiate the FTP session from the IDP Series device.
      2. If necessary, change permissions so you can use the scio utility to manage the file. For example:

        [root@defaulthost admin]# chmod 777 /tmp/server.key

        Note: Changing permissions for the file should suffice. If you still encounter issues, change ownership as well:

        [root@defaulthost admin]# chown idp:idp /tmp/server.key
      3. Add the key to the IDP Series device keystore using the following syntax:

        [root@defaulthost admin]# scio ssl add key key_path [password password] server server_IP

        For example:

        [root@defaulthost admin]# scio ssl add key /tmp/server.key server
      4. Display the key ID from the IDP Series device keystore by entering the following command:

        [root@defaulthost admin]# scio ssl list all
      5. Add any other servers that use the same key using the following syntax:

        [root@defaulthost admin]# scio ssl add server server_IP key key_ID
    3. Enter the following command to enable decryption:

      [root@defaulthost admin]# scio const -s s0 set sc_ssl_decryption 1
      scio: setting sc_ssl_decryption to 0x1

    Changes you make to kernel constants from the CLI do not persist across restarts. To make your change persistent:

    1. Open the /usr/idp/device/bin/user_funcs file in a text editor, such as vi.
    2. Add the constant below the line user_start_end(). For example:
      $SCIO const -s s0 set sc_ssl_decryption 1
    3. Save the file.
    4. Restart the IDP engine:

      [root@defaulthost admin]# restart

      Restarting the IDP engine can take several moments.

    You can also use the NSM Device Manager to turn on the SSL decryption feature. However, you cannot use NSM to manage the SSL keys.

    Figure 1 shows the location of the SSL decryption setting in NSM.

    Figure 1: NSM Device Manager: SSL Decryption Setting

    Image s036683.gif

    To enable SSL decryption with NSM:

    1. In the NSM Device Manager, double-click the IDP Series device to display the device configuration editor.
    2. Click Sensor Settings.
    3. Click the Run-time Parameters tab.
    4. Expand the Run-time Parameters group.
    5. Select Enable SSL decryption support.
    6. Click OK.
    7. Push the updated configuration from NSM to the IDP Series device.

    Published: 2011-02-08