Oracle Cloud Infrastructure Documentation

Setting Up Certificate Authentication

Learn how to set up certificate authentication and Vault secrets to use for network traffic decryption.

If you want to use decryption rules, you must set up mapped secrets to use in a decryption profile. A mapped secret is a secret that you create in Oracle Cloud Infrastructure Vault and then map to an inbound or outbound SSL key. The secrets are used to decrypt and inspect SSL/TLS traffic with SSL Forward Proxy or SSL Inbound Inspection.

See Mapped Secrets and Decryption Profiles for more information about how the certificate is used with a policy.
Important

  • If you plan on using SSL forward proxy or SSL inbound inspection, set up your Oracle Cloud Infrastructure Vault and secrets before you begin creating your policy.
  • Only one SSL forward proxy secret is allowed for each policy.
Task 1: Allow the Network Firewall service to access Vault secrets
Create an IAM policy that allows the Network Firewall service to access and use your Vault secrets:
allow service ngfw-sp-prod to read secret-family in compartment <compartment_name>
Warning

If this permission is revoked at any point in the future, the service can't access your mapped secret, and the firewall stops decrypting traffic.
Task 2: Create a vault and master key to store the certificate
  1. Ensure you have an IAM policy that lets you create vaults, keys, and secrets in the Vault service. For example:
    Allow group SecurityAdmins to manage vaults in tenancy

Allow group SecurityAdmins to manage keys in tenancy

Allow group SecurityAdmins to manage secret-family in tenancy
    For more information, see IAM Details for the Vault Service.
  2. Create a vault to store the certificate in.
  3. Create a master encryption key in the vault.
    Important

    The master key must be a symmetric key. You cannot encrypt secrets with asymmetric keys.
Task 3: Store the certificate

You can use a self-signed or ca-signed certificate with OCI Network Firewall Service.

Oracle provides a script that you can use to generate a self-signed certificate.
Important

  • The Network Firewall service validates the provided certificate and stores it in the trustroot. To successfully validate the certificate, you must provide the entire SSL certificate chain (including the intermediate certificates root certficate and private key). Upload certificates in .pem format which are wrapped in the following .json template.

  • If the leaf certificate specified in the "certKeyPair" is a forward-trust certificate, then it should have Certificate Authority Signing capability. Set the CA flag to "true".

    In this example, if "LEAF_CERT_01_PEM_CONTENT" is a forward-trust certificate, its CA flag must be set to "true". 
    {
  "caCertOrderedList" : [
    "ROOT_CERT01_PEM_CONTENT",
    "INTERMEDIATE_CERT01_PEM_CONTENT",
    "INTERMEDIATE_CERT02_PEM_CONTENT",
  ],
  "certKeyPair": {
    "cert" : "LEAF_CERT_01_PEM_CONTENT",
    "key":   "PRIVATE_KEY_01_PEM_CONTENT"
  }
}
If you want to use a self-signed OpenSSL certificate, you can use an Oracle provided script to create one:
  1. Download and install OpenSSL.
  2. Download and install Perl.
  3. Download the script from the Oracle GitHub repository.
  4. Run the script using the following command. Replace <test.test.com> with the DNS name of the webserver you need to protect: 
    ./create-certificate inbound <test.test.com>
    or 
    ./create-certificate forward <test.test.com>
Task 4: Create secrets in the vault

Create a secret in the vault for each certificate you want to use.

  1. Open the navigation menu, click Identity & Security, and then click Vault.
  2. Under List Scope, in the Compartment list, click the name of the compartment where you want to create a secret.

  3. Choose the vault you created in Task 2: Create a vault and master key to store the certificate.

  4. Click Secrets, and then click Create Secret.
  5. In the Create Secret dialog box, choose a compartment from the Create in Compartment list. (Secrets can exist outside the compartment the vault is in.)
  6. Click Name, and then enter a name to identify the secret. Use a name that corresponds to the type of certificate the secret contains. For example, "ssl-inbound-inspection-certificate".
  7. Click Description, and then enter a brief description of the secret to help identify it.
  8. Choose the master encryption key you created in Task 2: Create a vault and master key to store the certificate.
  9. Specify the format of the secret contents as Plain-Text.
  10. Click Secret Contents, and then copy the certificate contents into the field. (The maximum allowable size for a secret bundle is 25 KB.)
  11. When you are finished, click Create Secret.