WAF - Configuring your Application for SSL

Document created by Steve McBride on Mar 27, 2015. Last modified by Rémi Le Mer on Sep 24, 2019.
Version 4

Qualys WAF includes comprehensive support for encrypted web applications and, while configuration is very simple, there are a few key concepts to keep in mind to properly configure a web application for SSL support.


While we refer to SSL as the industry term for an encrypted web application, Qualys WAF no longer supports SSL v2 and disables SSL v3 by default.  Encrypted application support on Qualys WAF is TLS 1.2, 1.1, or 1.0 only.  This means that if you require SSLv3, you must enable it at the web app level (this should only be necessary to support very old versions of Internet Explorer, as all modern browsers include TLS support).  The decision to remove support for SSLv3 was made due to the inherent insecurity of the protocol, as evidenced by the series of SSL breaches in the middle of 2014.


Configuring Qualys WAF to support encryption is quite simple.  First, modify the application definition under "Assets" -> "Web Application" and ensure that HTTPS is enabled, either by adding "https://" at the beginning of the Web Application URL or by ticking the button shown as the green lock icon below:


Then, move to the "SSL Support" tab, which will initially be blank when unconfigured, as shown here:


Now, configure the application by placing the certificate into the top area (self-signed certificates are supported, although they will cause an error in the browser unless you have configured the browser to trust the certificate in use) and the private key into the center area.  If the private key has a passphrase, tick the appropriate box and enter the passphrase of the key itself.  The final configuration step is to set another passphrase, as seen here:


The "WAF SSL Passphrase" is applied to the key when it is placed on the WAF appliance and supersedes the original key's passphrase.  This is done to limit the risk of compromise of customer private keys and passphrases.  Make a note of the WAF SSL Passphrase, as it will be required in the next configuration step.


Now, SSH into the WAF appliance itself (or appliances, if multiple are deployed to protect this application).  The default SSH user is 'waf-user', and the authentication method varies by virtualization platform.  In EC2, use SSH key authentication as you would with any other EC2 instance.  In other virtualization environments there is no default password; it must be set on first login.


In the screenshot, three commands have been issued.  The 'show' command simply lists the tokens currently defined on the appliance.  As we can see here, the "waf_ssl_passphrase" token is not currently set, and it must be set for the appliance to use the private key deployed in the Portal steps above.  Issuing a 'set waf_ssl_passphrase' command and assigning the WAF SSL Passphrase from the Portal completes the configuration.  Critically, issue a 'save' command so that the key is configured persistently.  Finally, the WAF services need to be restarted.  In the current version of the appliance, services cannot be restarted manually, so the last step is to reboot the device with the 'reboot' command.


The application and WAF appliances have now been configured properly to support SSL, so once the device restarts, the application should be accessible on "https://www.example.com" as defined above.
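As an added example (not Qualys's own code), the checks a practitioner would run around the steps above: confirming the certificate, private key and key passphrase match before uploading them in the Portal, re-wrapping the key under a new passphrase as the WAF SSL Passphrase step does, and probing the appliance after the reboot. It assumes the openssl command-line tool; the file names, hostname and passphrases are constructed, and 'WAF-PLACEHOLDER-PASS' stands in for a real WAF SSL Passphrase.

```shell
#!/bin/sh
# Pre-upload checks for the certificate and private key described above, plus a
# post-reboot TLS probe. File names and both passphrases are constructed for this
# example; 'WAF-PLACEHOLDER-PASS' stands in for a real WAF SSL Passphrase.
set -e

# Generates a throwaway self-signed cert and passphrase-protected key so the
# checks can be exercised offline (constructed test data, not a site's real cert).
make_test_pair() {   # passphrase
  openssl req -x509 -newkey rsa:2048 -days 1 -subj '/CN=www.example.com' \
    -keyout test.key -out test.crt -passout "pass:$1" >/dev/null 2>&1
}

# Returns 0 only when the passphrase decrypts the key AND the key's public part
# matches the certificate; either failure is a reason a Portal upload is rejected.
check_pair() {   # cert key passphrase
  crt_pub=$(openssl x509 -in "$1" -noout -pubkey)
  key_pub=$(openssl pkey -in "$2" -passin "pass:$3" -pubout 2>/dev/null) || return 2
  [ "$crt_pub" = "$key_pub" ]
}

# Re-encrypts the key under a new passphrase, mirroring what the Portal does with
# the WAF SSL Passphrase: afterwards only the new passphrase unlocks the key.
rewrap_key() {   # key old_passphrase new_passphrase out
  openssl pkey -in "$1" -passin "pass:$2" -aes256 -passout "pass:$3" -out "$4"
}

# After the reboot: the appliance should refuse SSLv3 and accept TLS 1.2.
# The SSLv3 probe needs an OpenSSL built with SSLv3 support; most builds lack it.
probe_tls() {   # host
  if openssl s_client -help 2>&1 | grep -qE '^[[:space:]]*-ssl3[[:space:]]'; then
    if openssl s_client -connect "$1:443" -ssl3 </dev/null >/dev/null 2>&1; then
      echo "WARNING: $1 still accepts SSLv3"; return 1
    fi
  else
    echo "note: local openssl lacks SSLv3 support, skipping the SSLv3 probe"
  fi
  openssl s_client -connect "$1:443" -tls1_2 </dev/null >/dev/null 2>&1 \
    && echo "OK: $1 accepts TLS 1.2"
}
```

Run `check_pair site.crt site.key 'passphrase'` before uploading in the Portal, and `probe_tls www.example.com` once the appliance is back up.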
