CYAN SECURE WEB HOWTO
January 2009
Applies to: CYAN Secure Web 1.6 and above
SSL intercept allows you to inspect SSL encrypted traffic, so that all filter mechanisms can be applied to HTTPS traffic as well. Without it, the data requested via the HTTPS protocol is not visible to CYAN Secure Web; such data can include unwanted content or even viruses. Only the URL of the first request can be checked without SSL intercept.

Contents

1 Overview ... 1
2 Enable SSL intercept ... 3
3 Set up your CA certificate ... 4
3.1 Create a CA certificate ... 4
3.2 Import CA certificate ... 5
3.3 Export CA certificate ... 6
4 Supply your CA certificate to the browser ... 7
4.1 Supply your CA certificate to Internet Explorer ... 7
4.2 Supply your CA certificate to Firefox ... 8
5 Browse your certificate store ... 9
6 SSL intercept settings in profiles ... 10
7 Cluster Mode ... 11
8 Troubleshooting ... 12

1 Overview

CYAN Secure Web with SSL intercept enabled acts as a man-in-the-middle for an HTTPS connection. It accepts the encrypted connection from the client and opens a second encrypted connection to the server. To accept the client connection, Secure Web must present a certificate to prove its identity. This certificate differs from the certificate of the original web site. Today's browsers recognize such behaviour and display a warning message to the user for each connection. To avoid these warnings, CYAN Secure Web signs all generated certificates with a Certificate Authority (CA) certificate. If the same CA certificate is added to the browser's certificate management system, the generated certificate is seen as valid and no warning is displayed.

The first time a client requests a page from an SSL encrypted server, CYAN Secure Web creates the client-side certificate for that server. The certificate is then stored, and all further requests to the same server receive the same certificate. By default, these certificates are valid for 30 days. After this period has elapsed, a new certificate is generated.
If you need more information, please feel free to contact Cyan Networks Support at support@cyan-networks.com.

2008 CYAN Networks Software GmbH - 1 -
2 Enable SSL intercept

This chapter describes how to set up the basic parameters of SSL intercept. Open your web browser and enter the address of your CYAN Secure Web installation:

https://<your IP address>:9992/sweb

You can use either the IP address or the host name of the machine. After a successful connection, log into the user interface and change to Server / HTTPS / HTTPS intercept.

Enable SSL intercept activates the intercept mode. If this setting is disabled, all requests to SSL encrypted servers are passed through without applying filters.

CYAN Secure Web can check whether the protocol carried inside an incoming SSL connection is HTTP (i.e. an HTTPS request) or some other protocol. You may want to disable Allow non HTTP to deny all clients that use the HTTPS proxy with protocols other than HTTP.

Certificate expiration defines how long (in hours) a generated client certificate is valid. After this time has elapsed, a new certificate is generated. By default this value is 30 days. An expired certificate stays in the cache until a new certificate for the same server is generated. To check for expired certificates periodically and delete them, enable Delete expired certificates and set, with the Check every setting, the interval in minutes at which the cache is checked.

The certificate store does not have to be on the same machine as CYAN Secure Web. The SCert daemon host and port settings specify the location of the certificate manager daemon. This is usually localhost (or 127.0.0.1). For cluster installations, this setting needs to be changed; refer to chapter 7, Cluster Mode, for more information.
3 Set up your CA certificate

To avoid browser warnings for each HTTPS request, CYAN Secure Web needs a certificate authority (CA) certificate, which is also supplied to the browser. This CA certificate can be generated directly within the user interface, or you can import your own CA certificate.

3.1 Create a CA certificate

Within the user interface change to Server / HTTPS / Certificate Authority. Click on Edit CA certificate and enter your CA data:

Country: your 2-letter country code (e.g. US)
State or Province
Locality (e.g. city)
Organisation (e.g. your company)
Organisational unit (e.g. section name)
Common name (e.g. your name or an identifier for the certificate)

You need to enter all of these fields for the certificate to be valid. After you click on Create CA certificate, the certificate is stored for further use and your CA certificate data is displayed.
3.2 Import CA certificate

To import a CA certificate, you need to supply the certificate and the private key in PEM format. Open Server / HTTPS / Import CA, paste your certificate into the Certificate section and your private key into the Private key section, and then click on Import certificate. If you change to Server / HTTPS / Certificate Authority, you should now see your CA data displayed.
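The import dialog only accepts a PEM certificate and a PEM private key that belong together (this is also the troubleshooting entry "Secure Web does not accept your CA certificate" in chapter 8). The following script is an added example, not part of CYAN Secure Web, that runs the checks an administrator would want before pasting a pair into Server / HTTPS / Import CA: PEM headers present, both files parse, the key matches the certificate, and the certificate is actually a CA. It also converts a binary DER file to PEM. It relies only on the openssl command line; the sample files it builds and all names in it are constructed for the example.

```shell
#!/bin/sh
# Added example, not part of CYAN Secure Web: pre-flight checks for a CA
# certificate/private key pair before importing it, plus a DER-to-PEM
# conversion. Requires the openssl CLI. File names and samples are constructed.
set -e

# Convert a DER (binary) certificate or key to the PEM format the import expects.
to_pem() {                       # to_pem <cert|key> <infile> <outfile>
    case "$1" in
        cert) openssl x509 -inform DER -in "$2" -out "$3" ;;
        key)  openssl pkey -inform DER -in "$2" -out "$3" ;;
        *)    echo "usage: to_pem cert|key infile outfile" >&2; return 2 ;;
    esac
}

# Returns 0 when cert+key are a usable CA pair, 1 otherwise (reason on stdout).
check_ca_pair() {                # check_ca_pair <cert.pem> <key.pem>
    cert="$1"; key="$2"
    grep -q -- '-----BEGIN CERTIFICATE-----' "$cert" \
        || { echo "certificate is not PEM (no BEGIN CERTIFICATE header)"; return 1; }
    grep -q -- '-----BEGIN .*PRIVATE KEY-----' "$key" \
        || { echo "private key is not PEM (no BEGIN PRIVATE KEY header)"; return 1; }
    openssl x509 -in "$cert" -noout >/dev/null 2>&1 \
        || { echo "certificate does not parse"; return 1; }
    openssl pkey -in "$key" -noout >/dev/null 2>&1 \
        || { echo "private key does not parse (a passphrase-protected key must be decrypted first)"; return 1; }
    # The key must belong to the certificate: compare SHA-256 of both public keys.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey | openssl pkey -pubin -outform DER | openssl dgst -sha256)
    key_pub=$(openssl pkey -in "$key" -pubout -outform DER | openssl dgst -sha256)
    [ "$cert_pub" = "$key_pub" ] \
        || { echo "private key does not match certificate"; return 1; }
    # Only a certificate with basicConstraints CA:TRUE can sign server certificates.
    openssl x509 -in "$cert" -noout -text | grep -q 'CA:TRUE' \
        || { echo "certificate is not a CA (basicConstraints CA:TRUE missing)"; return 1; }
    openssl x509 -in "$cert" -noout -checkend 0 >/dev/null \
        || { echo "CA certificate has expired"; return 1; }
    echo "ok"
}

# Constructed sample input: a self-signed CA pair, an unrelated key, and a
# DER copy of the CA certificate (the format the import rejects).
make_samples() {                 # make_samples <dir>
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=Sample Import CA" \
        -addext "basicConstraints=critical,CA:TRUE" \
        -keyout "$1/ca.key" -out "$1/ca.pem" 2>/dev/null
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$1/other.key" 2>/dev/null
    openssl x509 -in "$1/ca.pem" -outform DER -out "$1/ca.der"
}

# Demo run: a good pair, a mismatched key, and a DER file converted to PEM.
DIR=$(mktemp -d); make_samples "$DIR"
check_ca_pair "$DIR/ca.pem" "$DIR/ca.key"
check_ca_pair "$DIR/ca.pem" "$DIR/other.key" || true
check_ca_pair "$DIR/ca.der" "$DIR/ca.key" || true
to_pem cert "$DIR/ca.der" "$DIR/ca-converted.pem"
check_ca_pair "$DIR/ca-converted.pem" "$DIR/ca.key"
```

Run it as `sh check-ca.sh`; to check your own files call `check_ca_pair yourca.pem yourca.key` from the script. The public-key comparison is the important one: a certificate pasted together with the wrong key passes every format check and only fails once the daemon tries to sign with it.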
3.3 Export CA certificate

If you created a CA certificate or need to get the certificate for any other reason, open Server / HTTPS / Export CA. You can export both the certificate and the private key in this dialog. Both are exported in PEM format. You will need the certificate file to supply it to your clients.

Note: If you export the private key, be sure to keep it safe. Anybody holding your private key can adopt your identity: with the CA key they can issue certificates that every browser trusting your CA accepts, and so intercept your users' HTTPS traffic themselves.
4 Supply your CA certificate to the browser

You need to import the CA certificate into all browsers to avoid warning messages. Every time you change the CA certificate in CYAN Secure Web, you need to supply it to your browsers again.

4.1 Supply your CA certificate to Internet Explorer

Open your Internet Options and select the Content tab. Here you will see a Certificates button. When you click on it, the browser's certificate manager opens. Go to the Trusted Root Certificate Authorities tab and click on Import. Specify the path and file name of your CA certificate, click on Next twice, then on Finish. You should now see your certificate in the trusted root certificates list. Close the certificate manager and your Internet settings.
4.2 Supply your CA certificate to Firefox

Open the Preferences and select Advanced. Here you will find an Encryption tab containing the View Certificates button. After you click on it, the certificate manager opens. Go to the Authorities tab and click on Import. After you select the CA certificate file, you need to enable the This certificate can identify web sites setting and click on Ok. You should now see your certificate in the Authorities list. Close the certificate manager and your preferences.
5 Browse your certificate store

If you open Server / HTTPS / Certificates, you will see a list of all certificates created by CYAN Secure Web. After you click on Refresh, the certificates are displayed with the server name (including the target port) and the expiry date of the certificate. You can click on Delete to remove a single certificate, or on Delete All to remove all files from the certificate store. If you remove a certificate, the next request to that certificate's server generates it again.

Note: If you supply a new certificate authority (CA) certificate, you need to delete all certificates signed with the old CA certificate.
6 SSL intercept settings in profiles

Some SSL intercept settings can be modified for each profile. Open Profiles / <Profile name> / SSL. If you disable the SSL intercept enabled setting, no HTTPS request that has this profile assigned is intercepted. Enter the hosts you want to exclude from SSL interception into the Exception List. You can use regular expressions here to cover multiple hosts with one entry. With the Inherit exception list setting enabled, all entries of the parent profile's exception list are added here too.

Note: If you enable SSL intercept here, it also has to be enabled globally to work.
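Because every exception-list entry takes a host out of inspection, an over-broad regular expression silently widens the blind spot. The script below is an added example, not CYAN's own code, showing how a list of patterns decides which hosts bypass interception, how inheritance from a parent profile adds entries, and how an unanchored entry with unescaped dots matches hosts it was never meant to. It assumes each entry is an extended regular expression tested against the target host name; the product's exact matching rules are not documented on this page, and all host names and patterns are constructed.

```shell
#!/bin/sh
# Added example, not CYAN's own code: how an exception list of regular
# expressions decides which hosts bypass SSL interception, and why entries
# should be anchored. Assumption: each entry is an extended regular
# expression tested against the target host name. All names are constructed.
set -e

# Parent profile's list (added when "Inherit exception list" is enabled).
PARENT_EXCEPTIONS='^update\.vendor\.example$'

# This profile's own list. The first entry is a correctly anchored pattern.
# The second is the kind of entry to avoid: unanchored and with unescaped
# dots, so "." matches any character and the entry matches far more hosts.
OWN_EXCEPTIONS='^(www\.)?bank\.example\.com$
bank.example.com'

# is_excepted <host> [inherit] -> exit 0 if the host bypasses interception.
# grep treats a newline-separated pattern list as alternatives.
is_excepted() {
    host="$1"; patterns="$OWN_EXCEPTIONS"
    [ "${2:-}" = "inherit" ] && patterns="$patterns
$PARENT_EXCEPTIONS"
    printf '%s\n' "$host" | grep -E -q -- "$patterns"
}

# matching_entries <host> -> print every entry (own and parent) that matches,
# to audit which line of the list is responsible for a bypass.
matching_entries() {
    printf '%s\n' "$OWN_EXCEPTIONS" "$PARENT_EXCEPTIONS" | while IFS= read -r pat; do
        [ -n "$pat" ] || continue
        if printf '%s\n' "$1" | grep -E -q -- "$pat"; then echo "$pat"; fi
    done
}

# Demo run over constructed host names; the second host is unrelated to the
# bank but still bypasses interception because of the unanchored entry.
for h in www.bank.example.com bank-example-com.unrelated.test update.vendor.example; do
    if is_excepted "$h" inherit; then
        echo "$h: bypasses interception (matched: $(matching_entries "$h" | tr '\n' ' '))"
    else
        echo "$h: intercepted"
    fi
done
```

Reviewing a list with `matching_entries` for a few hosts you do not want excluded is a cheap way to catch entries like the second one before they reach a production profile.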
7 Cluster Mode

In cluster mode, only one certificate daemon runs for the whole cluster, so all Secure Web nodes get the same certificate for a given target host. Otherwise the browser would display an error message if requests were served by two different Secure Web nodes. To point the Secure Web certificate requests to the cluster's certificate daemon, go to Server / HTTPS / Setup and set the Scert daemon host setting to the cluster IP.
8 Troubleshooting

Your browser displays a warning for every HTTPS request
Did you supply the CA certificate to your browser? You need to do this for the browser to stop alerting. Did you upload or create a new CA certificate on the Secure Web? If you did, you need to delete all certificates from the certificate store. Since Secure Web caches the certificates for a few minutes, you need to wait until the cache entry is revalidated.

Secure Web does not accept your CA certificate
The supplied certificate must be in PEM format.

Some services do not work with SSL intercept enabled
The service may expect a specific certificate from the web server (certificate pinning); since Secure Web sends a generated certificate to the client instead, this expectation is not met. You need to exclude the target of this service from SSL interception.