Setting Up Certificate Authentication
Learn how to set up certificate authentication and Vault secrets to use for network traffic decryption.
If you want to use decryption rules, you must set up mapped secrets to use in a decryption profile. A mapped secret is a secret that you create in Oracle Cloud Infrastructure Vault and then map to an inbound or outbound SSL key. The secrets are used to decrypt and inspect SSL/TLS traffic with SSL Forward Proxy or SSL Inbound Inspection.
- If you plan on using SSL forward proxy or SSL inbound inspection, set up your Oracle Cloud Infrastructure Vault and secrets before you begin creating your policy.
- Only one SSL forward proxy secret is allowed for each policy.
- Ensure you have an IAM policy that lets the Network Firewall service (ngfw-sp-prod) read the mapped secret. For example:
  allow service ngfw-sp-prod to read secret-family in compartment <compartment_name>
  If this permission is revoked at any point in the future, the service can't access your mapped secret, and the firewall stops decrypting traffic.
- Ensure you have an IAM policy that lets you create vaults, keys, and secrets in the Vault service. For example:
  Allow group SecurityAdmins to manage vaults in tenancy
  Allow group SecurityAdmins to manage keys in tenancy
  Allow group SecurityAdmins to manage secret-family in tenancy
  For more information, see IAM Details for the Vault Service.
- Create a vault to store the certificate in.
- Create a master encryption key in the vault.
  Important: The master key must be a symmetric key. You cannot encrypt secrets with asymmetric keys.
You can use a self-signed or CA-signed certificate with the OCI Network Firewall service.
- The Network Firewall service validates the provided certificate and stores it in the trust root. To validate the certificate successfully, you must provide the entire SSL certificate chain (the root certificate, the intermediate certificates, the leaf certificate, and its private key). Upload certificates in .pem format, wrapped in the following .json template.
- If the leaf certificate specified in "certKeyPair" is a forward-trust certificate, it must have certificate authority signing capability: set its CA flag to "true". In the example below, if "LEAF_CERT_01_PEM_CONTENT" is a forward-trust certificate, its CA flag must be set to "true".
  {
    "caCertOrderedList": [
      "ROOT_CERT01_PEM_CONTENT",
      "INTERMEDIATE_CERT01_PEM_CONTENT",
      "INTERMEDIATE_CERT02_PEM_CONTENT"
    ],
    "certKeyPair": {
      "cert": "LEAF_CERT_01_PEM_CONTENT",
      "key": "PRIVATE_KEY_01_PEM_CONTENT"
    }
  }
- Download and install OpenSSL.
- Download and install Perl.
- Download the script from the Oracle GitHub repository.
- Run the script using one of the following commands. Replace <test.test.com> with the DNS name of the web server you need to protect:
  ./create-certificate inbound <test.test.com>
  or
  ./create-certificate forward <test.test.com>
Create a secret in the vault for each certificate you want to use.
- Open the navigation menu, click Identity & Security, and then click Vault.
- Under List Scope, in the Compartment list, click the name of the compartment where you want to create a secret.
- Choose the vault you created in Task 2: Create a vault and master key to store the certificate.
- Click Secrets, and then click Create Secret.
- In the Create Secret dialog box, choose a compartment from the Create in Compartment list. (Secrets can exist outside the compartment the vault is in.)
- Click Name, and then enter a name to identify the secret. Use a name that corresponds to the type of certificate the secret contains. For example, "ssl-inbound-inspection-certificate".
- Click Description, and then enter a brief description of the secret to help identify it.
- Choose the master encryption key you created in Task 2: Create a vault and master key to store the certificate.
- Specify the format of the secret contents as Plain-Text.
- Click Secret Contents, and then copy the certificate contents into the field. (The maximum allowable size for a secret bundle is 25 KB.)
- When you are finished, click Create Secret.
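Before pasting a bundle into Secret Contents, it is worth checking locally that it matches the .json template above (every entry in "caCertOrderedList" and "cert" is a CERTIFICATE block, "key" is a private key block, the chain is not empty), that a forward-trust leaf actually carries the CA:TRUE basic constraint, and that the result stays under the 25 KB secret bundle limit. The script below is an added example, not Oracle's code or the create-certificate script; the PEM strings and the openssl text output it contains are constructed placeholders, and the helper that base64-encodes the bundle assumes you are uploading through the API or CLI rather than the console's Plain-Text option, which encodes for you.

```python
import base64
import json
import re

# Constructed placeholder PEM blocks. In practice these come from the .pem files
# produced by create-certificate or your own CA. Only PEM framing is checked here,
# not the certificate body, so pair this with openssl for cryptographic checks.
ROOT_PEM = "-----BEGIN CERTIFICATE-----\nROOT_CERT01_PEM_CONTENT\n-----END CERTIFICATE-----\n"
INT1_PEM = "-----BEGIN CERTIFICATE-----\nINTERMEDIATE_CERT01_PEM_CONTENT\n-----END CERTIFICATE-----\n"
LEAF_PEM = "-----BEGIN CERTIFICATE-----\nLEAF_CERT_01_PEM_CONTENT\n-----END CERTIFICATE-----\n"
KEY_PEM = "-----BEGIN PRIVATE KEY-----\nPRIVATE_KEY_01_PEM_CONTENT\n-----END PRIVATE KEY-----\n"

# Constructed excerpts of 'openssl x509 -in leaf.pem -noout -text' output.
FORWARD_LEAF_TEXT = "        X509v3 extensions:\n            X509v3 Basic Constraints: critical\n                CA:TRUE\n"
INBOUND_LEAF_TEXT = "        X509v3 extensions:\n            X509v3 Basic Constraints:\n                CA:FALSE\n"

MAX_SECRET_BYTES = 25 * 1024  # secret bundle limit stated in the Vault steps (25 KB)

# One PEM block: label on the BEGIN line must match the END line.
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----\n.+?\n-----END \1-----\n?", re.S)


def pem_type(pem: str) -> str:
    """Return the label of a single PEM block ('CERTIFICATE', 'PRIVATE KEY', ...)."""
    labels = PEM_BLOCK.findall(pem.strip() + "\n")
    if len(labels) != 1:
        raise ValueError("expected exactly one well-framed PEM block")
    return labels[0]


def build_bundle(ca_chain: list, leaf_cert: str, private_key: str) -> str:
    """Assemble the .json template the firewall expects, validating block roles."""
    if not ca_chain:
        raise ValueError("caCertOrderedList must hold the root and intermediate certificates")
    for pem in ca_chain + [leaf_cert]:
        if pem_type(pem) != "CERTIFICATE":
            raise ValueError("chain entries and the leaf must be CERTIFICATE blocks")
    if not pem_type(private_key).endswith("PRIVATE KEY"):
        raise ValueError("certKeyPair.key must be a private key block")
    bundle = {
        "caCertOrderedList": ca_chain,
        "certKeyPair": {"cert": leaf_cert, "key": private_key},
    }
    # json.dumps never emits a trailing comma, so the result is valid JSON.
    return json.dumps(bundle, indent=2)


def within_secret_limit(bundle_text: str) -> bool:
    """True if the serialized bundle fits the 25 KB secret bundle limit."""
    return len(bundle_text.encode("utf-8")) <= MAX_SECRET_BYTES


def leaf_is_ca(openssl_text: str) -> bool:
    """Parse 'openssl x509 -noout -text' output for the CA:TRUE basic constraint.

    A forward-trust (SSL forward proxy) leaf must report CA:TRUE; an inbound
    inspection leaf normally reports CA:FALSE.
    """
    m = re.search(r"X509v3 Basic Constraints:.*?\n\s*CA:(TRUE|FALSE)", openssl_text)
    return bool(m and m.group(1) == "TRUE")


def secret_content_base64(bundle_text: str) -> str:
    """Base64-encode the bundle for API/CLI upload (assumption: console Plain-Text does this itself)."""
    return base64.b64encode(bundle_text.encode("utf-8")).decode("ascii")


if __name__ == "__main__":
    text = build_bundle([ROOT_PEM, INT1_PEM], LEAF_PEM, KEY_PEM)
    print("bundle ok, within limit:", within_secret_limit(text))
    print("forward leaf has CA flag:", leaf_is_ca(FORWARD_LEAF_TEXT))
    print("inbound leaf has CA flag:", leaf_is_ca(INBOUND_LEAF_TEXT))
    print(secret_content_base64(text)[:40], "...")
```

Run it against the real .pem files by replacing the placeholder strings, and feed `leaf_is_ca` the actual `openssl x509 -noout -text` output for the leaf you intend to use as the forward-trust certificate; a CA:FALSE result there means the firewall will not be able to mint certificates for SSL forward proxy with that secret.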