Module 3 - Protect Arcadia API with Adv. Waf and APM (Bearer SSO)

In this lab we will deploy a BIG-IP security policy based on Adv. WAF and APM in front of the NGINX+ API GW. In order to make life simpler for DevOps, we will delegate the whole authentication layer to APM. APM will authenticate JWT tokens coming from different providers signed with different keys, and we will use APM Bearer SSO in order to share a single JWT key with the API gateways.

Note

APM will download keys from external providers automatically (using the OIDC discovery process) and will use a separate, single key for the internal SSO with the NGINX API Gateways. This allows DevOps to know only one key for all their deployments, while SecOps manages the external providers.

../../_images/archi.png

Configure NGINX Controller with a new Identity Provider

  1. In the left menu, click on Identity Provider icon

  2. Create a new Identity Provider as below. Use the JSON code below for the JWK

    {
      "keys": [
        {
          "k": "aWxvdmVuZ2lueA",
          "kid": "9876543210",
          "kty": "oct"
        }
      ]
    }
    

    Note

    I invite you to decode the “k” value to find out what the key is. As you can notice, we don’t use an RSA key but a shared secret (just to simplify the lab). This secret is base64url encoded, as the JWK format requires.

    ../../_images/identity-provider.png
  3. Assign this Identity Provider with your API Definition

    1. Get back to your API definition and edit the Published API

      ../../_images/edit-published1.png
    2. Click on routing and edit the Security Settings

      ../../_images/edit-security.png
    3. Click on Add Authentication

      ../../_images/add-auth.png
    4. Select the provider created previously (JWT Bearer SSO) and Bearer

      ../../_images/auth.png
    5. Click Done and Submit

    6. Click Submit again

  4. Make a quick test with Postman by sending a request to the Arcadia API (for example Last Transactions or Buy Stocks)

    1. You can see a 401 Unauthorized

      ../../_images/401.png

Note

As you didn’t insert any JWT token in your request, the API GW rejected it. It is time to configure APM to inject this JWT Bearer SSO token.
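As an added example (not part of the lab and not NGINX's own code), here is a small Python model of what the API gateway does with the JWK configured above: it looks the token's kid up in the JWK set, decodes the base64url "k" value, checks the HS256 signature with it, and answers 401 for a missing, malformed, tampered or expired token, exactly the 401 you just saw in Postman. The mint_hs256 helper plays the role APM's Bearer SSO will play later, signing a fresh token with the shared key. The function names and the claims in the sample token are mine.

```python
import base64
import hashlib
import hmac
import json

# JWK set exactly as configured in NGINX Controller above (one symmetric "oct" key)
LAB_JWKS = {"keys": [{"k": "aWxvdmVuZ2lueA", "kid": "9876543210", "kty": "oct"}]}


def b64url_decode(s):
    # JWK and JWT use unpadded base64url; restore the padding before decoding
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def b64url_encode(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def shared_secret(jwks, kid):
    """Resolve the raw HMAC key for a kid; None if the gateway does not know it."""
    for key in jwks["keys"]:
        if key.get("kty") == "oct" and key.get("kid") == kid:
            return b64url_decode(key["k"])      # "aWxvdmVuZ2lueA" -> b"ilovenginx"
    return None


def mint_hs256(claims, jwks, kid):
    """Sign claims with the shared key (what APM Bearer SSO does towards the GW)."""
    header = {"typ": "JWT", "alg": "HS256", "kid": kid}
    signing_input = ".".join(
        b64url_encode(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, claims)
    )
    sig = hmac.new(shared_secret(jwks, kid), signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def gateway_check(auth_header, jwks, now):
    """Return (status, detail): 200 with the claims, or 401 with the reason."""
    if not auth_header or not auth_header.startswith("Bearer "):
        return 401, "missing bearer token"       # the Postman test above
    try:
        h64, p64, s64 = auth_header[len("Bearer "):].split(".")
        header = json.loads(b64url_decode(h64))
        claims = json.loads(b64url_decode(p64))
        signature = b64url_decode(s64)
    except ValueError:                            # wrong part count, bad base64 or JSON
        return 401, "malformed token"
    if header.get("alg") != "HS256":              # only the configured algorithm is accepted
        return 401, "unexpected alg"
    secret = shared_secret(jwks, header.get("kid"))
    if secret is None:
        return 401, "unknown kid"
    expected = hmac.new(secret, f"{h64}.{p64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        return 401, "bad signature"
    if claims.get("exp", 0) <= now:
        return 401, "expired"
    return 200, claims


if __name__ == "__main__":
    token = mint_hs256({"sub": "jrocket@example.com", "exp": 2_000_000_000}, LAB_JWKS, "9876543210")
    print(gateway_check("Bearer " + token, LAB_JWKS, now=1_700_000_000))
    print(gateway_check(None, LAB_JWKS, now=1_700_000_000))
```

In the real deployment NGINX Plus does this with its `auth_jwt` module and the key file you just uploaded; the model above only makes the individual checks visible (kid lookup, signature, expiry) so you can see which one turns a request into a 401.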

Configure Adv. WAF and APM

Note

In this lab we will use Access Guided Configuration and we will do some custom tuning in the policies. There are several ways to protect APIs with BIG-IP, but for the moment we will focus on AGC so that you can understand how it works. The GSA team is working on a dedicated UDF Blueprint for API Declarative WAF policy with v16.0.

  1. Connect to the Jumphost (user / user)

  2. Open Chrome and connect to the BIG-IP (admin / admin)

  3. Delete the existing vs-arcadia-api Virtual Server in the BIG-IP. We are going to create a new one from the Guided Configuration.

  4. Create a JWK Bearer SSO key. If you remember from above, the base64-encoded key was aWxvdmVuZ2lueA, which decodes to ilovenginx

    1. Click Access > Federation > JSON Web Token > Key Configuration

    2. Create a new key as below with the value ilovenginx as Shared Secret

      ../../_images/bearer-key.png

    Warning

    Don’t forget to set an ID. It is mandatory in order to use this key in the Bearer SSO profile.

  5. In Access, click on Guided Configuration and select the template API Protection Proxy in API Protection group

    ../../_images/AGC-1.png
  6. Configure the template as below.

    Warning

    The AGC template does not yet support OpenAPI spec files in version 3, only version 2. We will use another version of the OAS file.

    Note

    The OAS file is located in the Downloads directory and its name is swaggerArcadia2.json

    1. Check the boxes Use Rate Limiting and OAuth 2.0

      ../../_images/AGC-2.png
      • Select the default Server at the bottom of the screen

      ../../_images/AGC-3.png

      Note

      You can notice the URI and the backend server have been imported from the OAS2 file

      ../../_images/AGC-4.png ../../_images/AGC-5.png
    2. Select AzureAD AAD-F5Sales as provider

      Warning

      Due to a bug in AGC, we can’t add more providers here. We will modify the list later on directly in the APM configuration (ID 835509)

      ../../_images/AGC-6.png
    3. Configure Single Sign-On Settings as below

      ../../_images/AGC-7.png

      Note

      We will focus on Claims later on

    4. Configure Rate Limiting as below. We will limit requests per user based on their Email address extracted from the JWT token. The value used for the User ID Key is subsession.oauth.scope.last.jwt.Email

      ../../_images/AGC-8.png

    5. Configure the Virtual Server as below

      • VS : 10.1.10.18

      • Log All Requests

      • Client SSL arcadia_client_ssl

        ../../_images/AGC-9.png
    6. Click Deploy

  7. Now we have to add the 2 other providers manually in the APM configuration (due to the bug in AGC 6.0, ID 835509)

    1. Unlock (unstrict) the configuration in AGC by clicking on the lock icon and approving the change.

      ../../_images/unstrictness.png
    2. Click Access > Federation > JSON Web Token > Provider List and edit the existing profile

    3. Add provider1 and provider2 into the list

      ../../_images/provider-list.png
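The rate limiting rule from step 6.4 keys its counter on the Email claim of the validated JWT (subsession.oauth.scope.last.jwt.Email). As an added example that is not part of the lab, the Python below reads that claim from the Partner 1 and Partner 2 tokens shipped with the lab (JWT tokens.txt, reproduced in the test section) and runs a per-user sliding-window limiter over four calls, giving the 200, 200, 200, 429 sequence the lab's test expects. The limit of 3 calls per 60-second window is my assumption, consistent with the lab's test but not read from the AGC screen; the class and function names are mine.

```python
import base64
import json
from collections import defaultdict, deque

# Tokens from the lab's "JWT tokens.txt" (Partner 1 and Partner 2), copied verbatim
PARTNER1_TOKEN = (
    "eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9."
    "eyJpc3MiOiJwYXJ0bmVyMSIsImlhdCI6MTU5MzQ1NTk4NSwiZXhwIjoxNjg4MDYzOTg1LCJhdWQiOiJhcGkuYXJjYWRpYS1maW5hbmNlLmlvIiwic3ViIjoiYXBpLmFyY2FkaWEtZmluYW5jZS5pbyIsIkdpdmVuTmFtZSI6IkpvaG5ueSIsIlN1cm5hbWUiOiJSb2NrZXQiLCJFbWFpbCI6Impyb2NrZXRAZXhhbXBsZS5jb20iLCJSb2xlIjoiTWFuYWdlciJ9."
    "JRboDfKWvSLVU3md6OULGifoVxJ-ryx7y-0DKrOlPOM"
)
PARTNER2_TOKEN = (
    "eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9."
    "eyJpc3MiOiJwYXJ0bmVyMiIsImlhdCI6MTU5MzQ1NTk4NSwiZXhwIjoxNjg4MDYzOTg1LCJhdWQiOiJhcGkuYXJjYWRpYS1maW5hbmNlLmlvIiwic3ViIjoiYXBpLmFyY2FkaWEtZmluYW5jZS5pbyIsIkdpdmVuTmFtZSI6IkJvYiIsIlN1cm5hbWUiOiJUaGUgU3BvbmdlIiwiRW1haWwiOiJib2JAc3BvbmdlLmNvbSIsIlJvbGUiOiJDb250cmFjdG9yIn0."
    "aqTxd6X4z7EFijJsyiuq8mZAKMLG519Bmjz1ra24L-s"
)


def b64url_decode(s):
    # JWT segments are unpadded base64url; restore the padding before decoding
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def jwt_claims(token):
    """Read the payload. No signature check here: in the lab APM has already
    validated the token (OAuth 2.0 scope check) before the rate limiter runs."""
    return json.loads(b64url_decode(token.split(".")[1]))


def user_id_key(token):
    """Equivalent of subsession.oauth.scope.last.jwt.Email in the AGC rule."""
    return jwt_claims(token)["Email"]


class PerUserRateLimiter:
    """Sliding-window limiter: at most `limit` requests per `window` seconds per key."""

    def __init__(self, limit=3, window=60.0):   # assumed values, see lead-in
        self.limit = limit
        self.window = window
        self.hits = defaultdict(deque)           # key -> timestamps of accepted hits

    def check(self, token, now):
        key = user_id_key(token)
        q = self.hits[key]
        while q and q[0] <= now - self.window:   # forget hits outside the window
            q.popleft()
        if len(q) >= self.limit:
            return 429                           # Too Many Requests
        q.append(now)
        return 200


def simulate(limiter, token, calls, start=0.0, gap=0.1):
    """Send `calls` requests with the same token, `gap` seconds apart."""
    return [limiter.check(token, start + i * gap) for i in range(calls)]


if __name__ == "__main__":
    limiter = PerUserRateLimiter()
    print(user_id_key(PARTNER1_TOKEN), simulate(limiter, PARTNER1_TOKEN, 4))
    print(user_id_key(PARTNER2_TOKEN), simulate(limiter, PARTNER2_TOKEN, 1))
```

Two things worth noticing: the counters are independent per Email, so Partner 2 is not affected by Partner 1 hitting the limit, and the limiter trusts the claim only because APM has verified the signature first. Both lab tokens also carry exp 1688063985 (late June 2023), so a live APM will reject them as expired today; the limiter above deliberately does not check exp because, in the lab, that is APM's job.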

Note

Congratulations, Arcadia API is now protected by an Advanced WAF (you can check the policy) and by APM, which authenticates requests from 3 providers.

Note

I invite you to check the Access > API Protection configuration

Warning

In order to use OAuth with Azure AD, you have to force an update of the Azure JWT keys. In Federation > OAuth Client / Resource Server > Provider, click on the Start button to force APM to download the new keys.

../../_images/refresh_keys.png

Test your protected API with Authentication, WAF and Rate Limiting

  1. Open Postman and select the Arcadia API collection

  2. Select one call, the one you want.

  3. F5ers only - F5 partners and customers, please jump to the next bullet point. In Authentication select OAuth 2.0. We will start with an Azure AD provider, simulating a partner that has an AAD subscription and wants to use it.

    1. Click Get New Token

    2. I have already set the values for the OAuth Client. As a reminder, here, Postman is the OAuth Agent - it is requesting the Access Token

      ../../_images/oauth2.png
    3. Authenticate with your Corporate F5 account. If it fails, it means you are not part of the F5 Sales Azure tenant (Open an IT Ticket)

    4. When done, click Use token and send your request.

    Note

    It passes. The token is approved by APM, and a new token is generated by APM and sent to the NGINX API GW (Bearer SSO).

  4. Available for F5ers, partners and customers. Now, try with the 2 other providers (partner1 and partner2)

    1. You can find the tokens on the desktop in the file JWT tokens.txt

    2. Don’t use OAuth 2.0, as we already have the tokens; use Bearer Token instead. I generated these tokens from the website http://jwtbuilder.jamiekurtz.com/

    Partner 1:
    
    eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpc3MiOiJwYXJ0bmVyMSIsImlhdCI6MTU5MzQ1NTk4NSwiZXhwIjoxNjg4MDYzOTg1LCJhdWQiOiJhcGkuYXJjYWRpYS1maW5hbmNlLmlvIiwic3ViIjoiYXBpLmFyY2FkaWEtZmluYW5jZS5pbyIsIkdpdmVuTmFtZSI6IkpvaG5ueSIsIlN1cm5hbWUiOiJSb2NrZXQiLCJFbWFpbCI6Impyb2NrZXRAZXhhbXBsZS5jb20iLCJSb2xlIjoiTWFuYWdlciJ9.JRboDfKWvSLVU3md6OULGifoVxJ-ryx7y-0DKrOlPOM
    
    Partner 2:
    
    eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpc3MiOiJwYXJ0bmVyMiIsImlhdCI6MTU5MzQ1NTk4NSwiZXhwIjoxNjg4MDYzOTg1LCJhdWQiOiJhcGkuYXJjYWRpYS1maW5hbmNlLmlvIiwic3ViIjoiYXBpLmFyY2FkaWEtZmluYW5jZS5pbyIsIkdpdmVuTmFtZSI6IkJvYiIsIlN1cm5hbWUiOiJUaGUgU3BvbmdlIiwiRW1haWwiOiJib2JAc3BvbmdlLmNvbSIsIlJvbGUiOiJDb250cmFjdG9yIn0.aqTxd6X4z7EFijJsyiuq8mZAKMLG519Bmjz1ra24L-s
    
  5. Test the Rate Limiting by sending 4 calls with the same token. The 4th will be blocked. You can notice the response code 429 Too Many Requests.

    ../../_images/ratelimit.png
  6. Send an attack

    1. Select the call POST Buy Stocks XSS attack

    2. Send the request and notice the 200 OK response. It means the WAF didn’t block the request.

    3. Check why and change your policy accordingly.

Note

Tip: the attack signatures are in Staging mode, so matching requests are only logged, not blocked.