Configure secure communication with Security Proxy

The Security Proxy supports a secure listener. In order to secure all the traffic between Security Proxy and mobile application you need to configure TLS/SSL by:

Additionally, though not recommended, you can override the properties that have default values:

The following table presents all properties described in this section:

Property                                Required             Description
SECURITY_PROXY_SSL_ENABLED              yes                  Enable/disable TLS/SSL support
SECURITY_PROXY_SSL_DEFAULT_CERTIFICATE  yes, if SSL enabled  The SSL certificate of the server in PEM format
SECURITY_PROXY_SSL_DEFAULT_KEY          yes, if SSL enabled  The SSL private key of the server in PEM format
SECURITY_PROXY_SSL_PROTOCOLS            no                   TLS/SSL protocol versions
SECURITY_PROXY_SSL_CIPHERS              no                   TLS/SSL cipher suites

Enable SSL

In order to enable TLS/SSL add SECURITY_PROXY_SSL_ENABLED=true to the docker-compose.yml file.

Provide certificate

This property specifies the certificate of the server (and optionally the certificate chain as well). See the Nginx documentation on how to prepare the certificate and, optionally, the certificate chain.

The certificates must be provided in PEM format, as in the example below:

SECURITY_PROXY_SSL_CERTIFICATE=-----BEGIN CERTIFICATE-----\nMIIDSjCCAjKgAwIBAgIQRK+wgNajJ7qJMDmGLvhAazANBgkqhkiG9w0BAQUFADA/\nMSQwIgYDVQQKExtEaWdpdGFsIFNpZ25hdHVyZSBUcnVzdCBDby4xFzAVBgNVBAMT\nDkRTVCBSb290IENBIFgzMB4XDTAwMDkzMDIxMTIxOVoXDTIxMDkzMDE0MDExNVow\nPzEkMCIGA1UEChMbRGlnaXRhbCBTaWduYXR1cmUgVHJ1c3QgQ28uMRcwFQYDVQQD\nEw5EU1QgUm9vdCBDQSBYMzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB\nAN+v6ZdQCINXtMxiZfaQguzH0yxrMMpb7NnDfcdAwRgUi+DoM3ZJKuM/IUmTrE4O\nrz5Iy2Xu/NMhD2XSKtkyj4zl93ewEnu1lcCJo6m67XMuegwGMoOifooUMM0RoOEq\nOLl5CjH9UL2AZd+3UWODyOKIYepLYYHsUmu5ouJLGiifSKOeDNoJjj4XLh7dIN9b\nxiqKqy69cK3FCxolkHRyxXtqqzTWMIn/5WgTe1QLyNau7Fqckh49ZLOMxt+/yUFw\n7BZy1SbsOFU5Q9D8/RhcQPGX69Wam40dutolucbY38EVAjqr2m7xPi71XAicPNaD\naeQQmxkqtilX4+U9m5/wAl0CAwEAAaNCMEAwDwYDVR0TAQH/BAUwAwEB/zAOBgNV\nHQ8BAf8EBAMCAQYwHQYDVR0OBBYEFMSnsaR7LHH62+FLkHX/xBVghYkQMA0GCSqG\nSIb3DQEBBQUAA4IBAQCjGiybFwBcqR7uKGY3Or+Dxz9LwwmglSBd49lZRNI+DT69\nikugdB/OEIKcdBodfpga3csTS7MgROSR6cz8faXbauX+5v3gTt23ADq1cEmv8uXr\nAvHRAosZy5Q6XkjEGB5YGV8eAlrwDPGxrancWYaLbumR9YbK+rlmM6pZW87ipxZz\nR8srzJmwN0jP41ZL9c8PDHIyh8bwRLtTcm1D9SZImlJnt1ir/md2cXjbDaJWFBM5\nJDGFoqgCWjBH4d1QB7wCCZAA62RjYJsWvIjJEubSfZGL+T0yjWW06XyxV3bqxbYo\nOb8VZRzI9neWagqNdwvYkQsEjgfbKbYK7p2CNTUQ\n-----END CERTIFICATE-----\n

Note: The certificate needs to be provided on one line, so you need to replace every end-of-line character with '\n', as was done in the example above.

Provide certificate key

The private key of the server certificate must be provided in PEM format, as in the example below:

SECURITY_PROXY_SSL_CERTIFICATE_KEY=-----BEGIN ENCRYPTED PRIVATE KEY-----\nMIIFDjBABgkqhkiG9w0BBQ0wMzAbBgkqhkiG9w0BBQwwDg\nMBQGCCqGSIb3DQMHBAgD1kGN4ZslJgSCBMi1xk9jhlPxPc\n9g73NQbtqZwI+9X5OhpSg/2ALxlCCjbqvzgSu8gfFZ4yo+\nX0R+meOaudPTBxoSgCCM51poFgaqt4l6VlTN4FRpj+c/Wc\nblK948UAda/bWVmZjXfY4Tztah0CuqlAldOQBzu8TwE7WD\nH0ga/iLNvWYexG7FHLRiq5hTj0g9mUPEbeTXuPtOkTEb/0\nGEs=\n-----END ENCRYPTED PRIVATE KEY-----\n

Note: The certificate key needs to be provided on one line, so you need to replace every end-of-line character with '\n', as was done in the example above.

Specify protocol versions

You can specify the versions of the SSL/TLS protocols by setting the SECURITY_PROXY_SSL_PROTOCOLS property.

Note: It is highly recommended to use the default TLS/SSL protocols.

The default protocol versions used by Security Proxy are: TLSv1 TLSv1.1 TLSv1.2

Specify the cipher suite

You can specify the group of ciphers that will be used to encrypt and decrypt the communication between Security Proxy and mobile application by setting the SECURITY_PROXY_SSL_CIPHERS property.

Note: It is highly recommended to use the default cipher suites and TLS/SSL protocols.

The default cipher suites used by Security Proxy are:

ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4
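As an added example (not code from the Security Proxy project), a small Python check that takes values in the form of SECURITY_PROXY_SSL_PROTOCOLS and SECURITY_PROXY_SSL_CIPHERS and reports what a reviewer would want to retire from the defaults above: the TLS 1.0/1.1 versions, the 3DES suites, and the static-RSA suites that give no forward secrecy. Keyword entries such as HIGH are not expanded, since that expansion happens only inside OpenSSL; the audit covers the suites spelled out in the string.

```python
# TLS 1.0 and 1.1 are deprecated by RFC 8996; SSLv2 and SSLv3 are long broken.
DEPRECATED_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
# Substrings of OpenSSL suite names that mark a weak primitive:
# 3DES (64-bit blocks, SWEET32), RC4, and an MD5 MAC.
WEAK_MARKERS = ("DES-CBC3", "RC4", "MD5")
# Key-exchange prefixes that provide forward secrecy.
FS_PREFIXES = ("ECDHE-", "DHE-", "EDH-")

# The page's default protocol and cipher settings, used here as sample input.
DEFAULT_PROTOCOLS = "TLSv1 TLSv1.1 TLSv1.2"
DEFAULT_CIPHERS = (
    "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:"
    "DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:"
    "ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:"
    "DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:"
    "AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:"
    "AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4")

def parse_cipher_string(ciphers):
    """Split an OpenSSL cipher string into the suites spelled out in it and the
    '!'-excluded names. Keywords such as HIGH expand only inside OpenSSL, so
    the audit below covers the explicitly listed suites."""
    items = [i.strip() for i in ciphers.split(":") if i.strip()]
    enabled = [i for i in items if not i.startswith("!")]
    excluded = {i[1:] for i in items if i.startswith("!")}
    return enabled, excluded

def audit_tls_settings(protocols, ciphers):
    """Return deprecated protocol versions, explicitly listed suites built on a
    weak primitive, and suites whose key exchange gives no forward secrecy."""
    deprecated = [p for p in protocols.split() if p in DEPRECATED_PROTOCOLS]
    enabled, excluded = parse_cipher_string(ciphers)
    weak, no_fs = [], []
    for suite in enabled:
        if "-" not in suite:          # HIGH, MEDIUM, ...: a keyword, not a suite
            continue
        # '!DES' removes single DES only; the 3DES suites (DES-CBC3) stay enabled.
        if any(m in suite and m not in excluded for m in WEAK_MARKERS):
            weak.append(suite)
        if not suite.startswith(FS_PREFIXES):  # static RSA key exchange
            no_fs.append(suite)
    return {"deprecated_protocols": deprecated,
            "weak_suites": weak, "no_forward_secrecy": no_fs}

if __name__ == "__main__":
    for name, items in audit_tls_settings(DEFAULT_PROTOCOLS, DEFAULT_CIPHERS).items():
        print(f"{name}: {items}")
```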

Adding additional certificates

Additional certificates can be defined in the same way as the default certificate. These certificates can be used for the resource gateways and transparent proxies with a server name. The following is an example of specifying two additional certificates:

  - SECURITY_PROXY_SSL_CIM_CERTIFICATE=
  - SECURITY_PROXY_SSL_CIM_KEY=
  - SECURITY_PROXY_SSL_RESOURCE_CERTIFICATE=
  - SECURITY_PROXY_SSL_RESOURCE_KEY=

In this example we have specified two additional certificates with the names CIM and RESOURCE. When configuring the transparent proxy or resource gateway, they can be referred to by these names using the SECURITY_PROXY_BACK_END_TRANSPARENT_PROXIES_<PROXYID>_SSL_CERTIFICATE_NAME or SECURITY_PROXY_BACK_END_RESOURCE_GATEWAYS_<RESOURCEID>_SSL_CERTIFICATE_NAME property. Example:

  - SECURITY_PROXY_BACK_END_TRANSPARENT_PROXIES_CIM_SSL_CERTIFICATE_NAME=CIM
  - SECURITY_PROXY_BACK_END_RESOURCE_GATEWAYS_RESOURCE_SSL_CERTIFICATE_NAME=RESOURCE

Note: The certificate and certificate key need to be provided on one line.
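The one-line conversion required for the server certificate, its key and any additional named certificate (the "Provide certificate", "Provide certificate key" and "Adding additional certificates" sections above), as an added Python helper that is not part of the Security Proxy project. It normalises line endings, checks that the input is well-formed PEM of the expected type (a certificate file may include its chain, a key file must be a single block), emits docker-compose environment entries using the SECURITY_PROXY_SSL_<NAME>_CERTIFICATE / _KEY naming from the property table, and can reverse the transform to confirm what the proxy will load. The PEM samples are constructed placeholders, not real credentials.

```python
import re

# One PEM block: header, one or more base64 lines, footer with the same label.
_PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z ]+)-----\n(?:[A-Za-z0-9+/=]+\n)+-----END \1-----")
CERT_LABELS = ("CERTIFICATE",)
KEY_LABELS = ("PRIVATE KEY", "ENCRYPTED PRIVATE KEY",
              "RSA PRIVATE KEY", "EC PRIVATE KEY")

# Constructed sample PEM material for the demo; not real credentials.
SAMPLE_CERT = ("-----BEGIN CERTIFICATE-----\n"
               "MIIBszCCAVmgAwIBAgIUc29tZV9zYW1wbGU=\n"
               "-----END CERTIFICATE-----\n")
SAMPLE_KEY = ("-----BEGIN PRIVATE KEY-----\r\n"  # CRLF on purpose: Windows-edited file
              "MIGHAgEAMBMGByqGSM49AgEGBSuBBAAKBG0wawIBAQ==\r\n"
              "-----END PRIVATE KEY-----\r\n")

def pem_to_one_line(pem_text, allowed_labels, allow_chain=False):
    """Return pem_text as one line with each line break replaced by a literal
    backslash-n, the form the Security Proxy expects. CRLF and blank lines are
    normalised first; the result must be well-formed PEM of an allowed type."""
    lines = [ln.strip() for ln in pem_text.replace("\r\n", "\n").split("\n")]
    text = "\n".join(ln for ln in lines if ln) + "\n"
    labels = _PEM_BLOCK.findall(text)
    if not labels:
        raise ValueError("no well-formed PEM block found")
    bad = [lb for lb in labels if lb not in allowed_labels]
    if bad:
        raise ValueError(f"unexpected PEM type(s): {bad}")
    if len(labels) > 1 and not allow_chain:   # a key file must hold one block
        raise ValueError(f"expected exactly one PEM block, got {len(labels)}")
    return text.replace("\n", "\\n")

def one_line_to_pem(value):
    """Inverse transform: the PEM the proxy reconstructs from the property value."""
    return value.replace("\\n", "\n")

def compose_env_entries(name, cert_pem, key_pem):
    """docker-compose environment entries for the certificate called `name`
    (DEFAULT for the server certificate, CIM/RESOURCE for additional ones)."""
    prefix = f"SECURITY_PROXY_SSL_{name}_"
    cert = pem_to_one_line(cert_pem, CERT_LABELS, allow_chain=True)  # chain allowed
    key = pem_to_one_line(key_pem, KEY_LABELS)
    return [f"  - {prefix}CERTIFICATE={cert}", f"  - {prefix}KEY={key}"]

if __name__ == "__main__":
    print("\n".join(compose_env_entries("CIM", SAMPLE_CERT, SAMPLE_KEY)))
```

Paste the printed entries into the environment list of docker-compose.yml; a value that still contains a real line break or a carriage return will not be accepted as a single property.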