Example 10: Policy-based RSA Encryption
The PKEY_ENCRYPT_PEM() function uses the RSA algorithm to encrypt predefined and user-defined HTTP header or body content. The function accepts only RSA public keys (not private keys), and the data to be encrypted cannot be longer than the length of the public key. When the data being encrypted is shorter than the key length, the function applies the RSA_PKCS1 padding method.
In a sample scenario, the function is combined with the B64ENCODE() function in a rewrite action to replace an HTTP header value with a value encrypted by an RSA public key. The recipient then decrypts the data by using the RSA private key.
You can implement the feature by using a rewrite policy. To do this, you must complete the following tasks:
- Add RSA public key as a policy expression.
- Create rewrite action.
- Create rewrite policy.
- Bind rewrite policy as global.
- Verify RSA encryption.
Policy-based RSA encryption by using Citrix ADC command interface
Complete the following tasks to configure policy-based RSA encryption by using the Citrix ADC command interface.
To add RSA public key as a policy expression by using the Citrix ADC command interface:
add policy expression pubkey '"-----BEGIN RSA PUBLIC KEY-----MIGJAoGBAKl5vgQEj73Kxp+9yn1v5gPR1pnc4oLM2a0kaWwBOsB6rzCIy6znwnvwCY1xRvQhRlJSAyJbloL7wZFIJ2FOR8Cz+8ZQWXU2syG+udi4EnWqLgFYowF9zK+o79az597eNPAjsHZ/C2oL/+6qY5a/f1z8bQPrHC4GpFfAEJhh/+NnAgMBAAE=-----END RSA PUBLIC KEY-----"'
To add a rewrite action that encrypts an HTTP request header by using the Citrix ADC command interface:
add rewrite action encrypt_act insert_http_header encrypted_data 'HTTP.REQ.HEADER("data_to_encrypt").PKEY_ENCRYPT_PEM(pubkey).B64ENCODE'
To add a rewrite policy by using the Citrix ADC command interface:
add rewrite policy encrypt_pol 'HTTP.REQ.HEADER("data_to_encrypt").EXISTS' encrypt_act
To bind the rewrite policy globally by using the Citrix ADC command interface:
bind rewrite global encrypt_pol 10 -type RES_DEFAULT
To verify RSA encryption by using the Citrix ADC command interface:
>curl -v -H "data_to_encrypt: Now is the time that tries men's souls" http://10.217.24.7/
* About to connect() to 10.217.24.7 port 80 (#0)
* Trying 10.217.24.7...
* connected
* Connected to 10.217.24.7 (10.217.24.7) port 80 (#0)
> GET / HTTP/1.1
> User-Agent: curl/7.24.0 (amd64-portbld-freebsd8.4) libcurl/7.24.0 OpenSSL/0.9.8y zlib/1.2.3
> Host: 10.217.24.7
> Accept: */*
> data_to_encrypt: Now is the time that tries men's souls
>
< HTTP/1.1 200 OK
< Date: Mon, 09 Oct 2017 05:22:37 GMT
< Server: Apache/2.2.24 (FreeBSD) mod_ssl/2.2.24 OpenSSL/0.9.8y DAV/2
< Last-Modified: Thu, 20 Feb 2014 20:29:06 GMT
< ETag: "6bd9f2-2c-4f2dc5b570880"
< Accept-Ranges: bytes
< Content-Length: 44
< Content-Type: text/html
< encrypted_data: UliegKBJqZd7JdaC49XMLEK1+eQN2rEfevypW91gKvBVlaKM9N9/C2BKuztS99SE0xQaisidzN5IgeIcpQMn+CiKYVlLzPG1RuhGaqHYzIt6C8A842da7xE4OlV5SHwScqkqZ5aVrXc3EwtUksna7jOLr40aLeXnnB/DB11pUAE=
<
* Connection #0 to host 10.217.24.7 left intact
<html><body><h1>It works!</h1></body></html>* Closing connection #0
Subsequent executions of this curl command with the same data to encrypt show that the encrypted data differs on every execution. This is because the padding inserts random bytes before the data to encrypt, so the same input produces different ciphertext each time.
>curl -v -H "data_to_encrypt: Now is the time that tries men's souls" http://10.217.24.7/
. . .
< encrypted_data: DaOjtl1Pl4DlQKf58MMeL4cFwFvZwhjMqv5aUYM5Iyzk4UpwIYhpRvgTNu2lXEVc1H0tcR1EGC/ViQncLc4EbTurCWLbzjce3+fknnMmzF0lRT6ZZXWbMvsNFOxDA1SnuAgwxWXy/ooe9Wy6SYsL2oi1sr5wTG+RihDd9zP+P14=
>curl -v -H "data_to_encrypt: Now is the time that tries men's souls" http://10.217.24.7/
. . .
< encrypted_data: eej6YbGP68yHn48qFUvi+fkG+OiO8j3yYLScrRBU+TPQ8WeDVaWnDNAVLvL0ZYHHAU1W2YDRYb+8cdKHLpW36QbI6Q5FfBuWKZSI2hSyUvypTpCoAYcHXFv0ns+tRtg0EPNNj+lyGjKQWtFi6K8IXXISoDy42FblKIlaA7gEriY=
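As an added example (not code from the Citrix documentation), the following OpenSSL script reproduces what the rewrite action above does to the header value and what the recipient does with it: RSA PKCS#1 v1.5 encryption under the public key, base64 encoding, and decryption under the private key. It generates its own 1024-bit key pair instead of using the key shown on the page, and it assumes the `openssl` and `sed` commands are on PATH. Running it shows the two properties the curl output illustrates: each encryption of the same header value yields a different ciphertext because of the random padding bytes, and the ciphertext length is fixed by the key size (128 bytes, 172 base64 characters), while plaintext longer than the key size minus the 11 padding bytes is rejected.

```shell
#!/bin/sh
# Added example, not Citrix's code: reproduces with OpenSSL what the rewrite action
#   HTTP.REQ.HEADER("data_to_encrypt").PKEY_ENCRYPT_PEM(pubkey).B64ENCODE
# puts into the encrypted_data header, then decrypts it the way the recipient would.
# Assumes the openssl CLI is on PATH. The key pair is generated here (constructed);
# it is not the public key shown on the page.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
PRIV="$WORK/priv.pem"   # the recipient keeps this
PUB="$WORK/pub.pem"     # this is what goes into the ADC policy expression

# 1024-bit key pair, the same size as the page's sample key, so the header value has
# the same 128-byte / 172-character base64 ciphertext seen in the curl output.
gen_keys() {
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:1024 -out "$PRIV" 2>/dev/null
    openssl pkey -in "$PRIV" -pubout -out "$PUB"
}

# PKCS#1 v1.5 allows at most (modulus bytes - 11) bytes of plaintext; the 11 bytes are
# the 0x00 0x02 prefix, at least 8 random non-zero padding bytes and a 0x00 separator.
max_plaintext_bytes() {
    bits="$(openssl pkey -pubin -in "$PUB" -noout -text \
            | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p')"
    echo $(( bits / 8 - 11 ))
}

# PKEY_ENCRYPT_PEM(pubkey).B64ENCODE: RSA PKCS#1 v1.5 encrypt, then base64 on one line.
# Returns 1 when the plaintext exceeds the limit (the ADC refuses such input as well).
encrypt_header_value() {
    printf '%s' "$1" > "$WORK/pt"
    openssl pkeyutl -encrypt -pubin -inkey "$PUB" -pkeyopt rsa_padding_mode:pkcs1 \
        -in "$WORK/pt" -out "$WORK/ct" 2>/dev/null || return 1
    openssl base64 -A -in "$WORK/ct"
}

# Recipient side: base64-decode the header value, then decrypt with the private key.
decrypt_header_value() {
    printf '%s' "$1" | openssl base64 -d -A > "$WORK/ct_in"
    openssl pkeyutl -decrypt -inkey "$PRIV" -pkeyopt rsa_padding_mode:pkcs1 \
        -in "$WORK/ct_in"
}

gen_keys
MSG="Now is the time that tries men's souls"
CT1="$(encrypt_header_value "$MSG")"
CT2="$(encrypt_header_value "$MSG")"
echo "encrypted_data: $CT1"
echo "encrypted_data: $CT2"   # differs from CT1: the padding bytes are random
echo "max plaintext for this key: $(max_plaintext_bytes) bytes"
echo "decrypted: $(decrypt_header_value "$CT1")"
```

With the private key that matches the public key configured in the `pubkey` expression, `decrypt_header_value` can be pointed at a real `encrypted_data` header value to confirm that the appliance encrypted exactly the request header it was given; a value that fails to decrypt or decodes to a different length is the quickest sign of a key or expression mismatch.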
Policy-based RSA encryption by using the GUI
The GUI enables you to complete the following tasks:
To add RSA public key as a policy expression by using the GUI:
- Sign into the Citrix ADC appliance and navigate to Configurations > AppExpert > Advanced Expressions.
- In the details pane, click Add to define an RSA public key as an advanced policy expression.
- In Create Expression page, set the following parameters:
- Expression name. Name of the advanced expression.
- Expression. Define RSA public key as an advanced expression using the Expression Editor.
- Comments. A brief description of the expression.
- Click Create.
To add a rewrite action that encrypts an HTTP request header by using the GUI:
- Sign into the Citrix ADC appliance and navigate to Configurations > AppExpert > Rewrite > Actions.
- In the details pane, click Add to add a rewrite action.
- In the Create Rewrite Action screen, set the following parameters:
- Name. Name of the rewrite action.
- Type. Select action type as INSERT_HTTP_HEADER.
- Header Name. Enter the name of the HTTP header that the action inserts.
- Expression. Name of the advanced policy expression associated to the action.
- Comments. A brief description of the rewrite action.
- Click Create.
To add an advanced rewrite policy by using the GUI:
- Sign into the Citrix ADC appliance and navigate to Configurations > AppExpert > Rewrite > Policies.
- In the Rewrite Policies page, click Add to add a rewrite policy.
- In the Create Rewrite Policy page, set the following parameters:
- Name. Name of the rewrite policy.
- Action. Name of the rewrite action to perform if the request or response matches this rewrite policy.
- Log Action. Name of message log action to use when a request matches this policy.
- Undefined-Result Action. Action to perform if the result of policy evaluation is undefined.
- Expression. Name of the advanced policy expression that triggers the action.
- Comments. A brief description of the rewrite policy.
- Click Create.
To bind the rewrite policy globally by using the GUI:
- Sign into the Citrix ADC appliance and navigate to Configurations > AppExpert > Rewrite > Policies.
- In the Rewrite Policies screen, select a rewrite policy that you want to bind and click Policy Manager.
- In the Rewrite Policy Manager page, in the Bind Points section, set the following parameters:
- Bind Point. Select the binding point as Default Global.
- Protocol. Select the protocol type as HTTP.
- Connection Type. Select the connection type as Request.
- Click Continue to view the Policy Binding section.
- In the Policy Binding section, select the rewrite policy and set the bind parameters.
- Click Bind.