Based on the protocol selected, the dependent fields in the Tunnel screen vary. The following image illustrates the settings that are specific to the HTTP protocol.
The options for the Inbound Transport Settings field in the Tunnel Details screen specific to the HTTP Protocol type are described in the following table.
1. Listening Interface: IP address through which sensitive data enters the DSG. The following Listening Interface options are available:
2. Port: Port linked to the listening address.
3. TLS Enabled: Select to enable TLS features.
4. Certificate: Certificate applicable for a tunnel.
5. Cipher Suites: Colon-separated list of ciphers.
6. TLS Mutual Authentication: CERT_NONE is selected by default. Use CERT_OPTIONAL to validate a client certificate if one is provided, or CERT_REQUIRED to process a request only if a client certificate is provided. If TLS mutual authentication is set to CERT_OPTIONAL or CERT_REQUIRED, then the CA certificate must be provided.
7. CA Certificates: A CA certificate chain. This option applies only if the client certificate value is set to 1 (optional) or 2 (required). Client certificates can be requested at the tunnel and the RuleSet level for authentication. On the Tunnels screen, configure the ca_reqs parameter in the Inbound Transport Settings field to request the client certificate. Similarly, on the Ruleset screen, toggle the Required Client Certificate checkbox to enable or disable client certificates. The server executes the transaction based on the combination of the tunnel and RuleSet options. If the certificate is incorrect or not provided, then the server returns a 401 error response.
The following table explains the combinations for the client certificate at the tunnel and the RuleSet level.
TLS Mutual Authentication (Tunnel Screen) | Required Client Certificate (Enabled/Disabled) (Ruleset Screen) | Result |
---|---|---|
CERT_NONE | Disabled | The transaction is executed. |
CERT_NONE | Enabled | The server returns a 401 error response. |
CERT_OPTIONAL | Disabled | The transaction is executed. |
CERT_OPTIONAL | Enabled | If the client certificate is provided, then the transaction is executed. If the client certificate is not provided, then the server returns a 401 error response. |
CERT_REQUIRED | Disabled | The transaction is executed. |
CERT_REQUIRED | Enabled | The transaction is executed. |
8. DH Parameters: The .pem file name that includes the DH parameters. Upload the .pem file from the Certificate/Key Material screen. The Diffie-Hellman (DH) parameters define how OpenSSL performs the DH key exchange.
9. ECDH Curve Name: Supported curve name for the ECDH key exchange. The Elliptic Curve Diffie-Hellman (ECDH) protocol allows key agreement and leverages elliptic-curve cryptography (ECC) properties for enhanced security.
10. Certificate Revoke List: Path of the Certificate Revocation List (CRL) file. For more information about the CRL error message that appears when a revoked certificate is sent, refer to the CRL error. The ca.crl.pem file includes a list of certificates that are revoked. Based on the flags that you provide in the verify_flags setting, SSL identifies the certificate verification operations that need to be performed. The CRL verification operations can be VERIFY_CRL_CHECK_LEAF or VERIFY_CRL_CHECK_CHAIN.
When you try to access the DSG through HTTPS using such a revoked certificate, the DSG returns the following error message.
11. Verify Flags: Set to one of the following operations to verify the CRL: VERIFY_CRL_CHECK_LEAF or VERIFY_CRL_CHECK_CHAIN.
12. SSL Options: Set the required flags that reflect the TLS behavior at runtime. A single flag or multiple flags can be used. The supported SSL options are defined in JSON format. The DSG supports TLS v1.2. For example, in the following JSON, TLSv1 and TLSv1.1 are disabled.

```json
{
  "options": ["OP_NO_SSLv2",
              "OP_NO_SSLv3",
              "OP_NO_TLSv1",
              "OP_NO_TLSv1_1"]
}
```
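The TLS Mutual Authentication values (CERT_NONE, CERT_OPTIONAL, CERT_REQUIRED), the Verify Flags (VERIFY_CRL_CHECK_LEAF, VERIFY_CRL_CHECK_CHAIN) and the SSL Options strings above match the constant names of Python's `ssl` module. The following added example is not DSG product code; it shows how a JSON fragment like the one above, together with the cipher suite, ECDH curve and mutual authentication fields, maps onto an `ssl.SSLContext`, and it reports the resulting posture in plain values so a tunnel configuration can be reviewed before it is deployed. The configuration field names (`tls_mutual_authentication`, `cipher_suites`, `ecdh_curve_name`, `verify_flags`, `ssl_options`) and the sample values are assumptions constructed for this illustration.

```python
"""Added example (not DSG code): map tunnel TLS settings onto ssl.SSLContext."""
import json
import ssl
import warnings

# Constructed sample configuration; the key names are assumptions for this
# example, the values reuse the flag names shown on the page. CA certificates
# and the CRL file are omitted so the example runs offline.
SAMPLE_CONFIG = json.loads("""
{
  "tls_mutual_authentication": "CERT_REQUIRED",
  "cipher_suites": "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384",
  "ecdh_curve_name": "prime256v1",
  "verify_flags": ["VERIFY_CRL_CHECK_LEAF"],
  "ssl_options": {"options": ["OP_NO_SSLv2", "OP_NO_SSLv3",
                              "OP_NO_TLSv1", "OP_NO_TLSv1_1"]}
}
""")


def _flag(prefix, name):
    """Resolve a name such as 'OP_NO_TLSv1' to the ssl module constant.
    Names outside the expected family are rejected so that a typo in the
    JSON fails loudly instead of silently leaving a protocol enabled."""
    if not name.startswith(prefix) or not hasattr(ssl, name):
        raise ValueError(f"unknown {prefix}* flag: {name!r}")
    return getattr(ssl, name)


def build_server_context(cfg):
    """Build a server-side TLS context from the constructed config dict."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    # TLS Mutual Authentication -> verify_mode; CERT_OPTIONAL is 1 and
    # CERT_REQUIRED is 2, the numeric values the page mentions for ca_reqs.
    ctx.verify_mode = _flag("CERT_", cfg.get("tls_mutual_authentication", "CERT_NONE"))
    # Cipher Suites: colon-separated OpenSSL cipher list.
    if cfg.get("cipher_suites"):
        ctx.set_ciphers(cfg["cipher_suites"])
    # ECDH Curve Name: named curve used for the ECDHE key exchange.
    if cfg.get("ecdh_curve_name"):
        ctx.set_ecdh_curve(cfg["ecdh_curve_name"])
    # Verify Flags: which CRL checks OpenSSL performs on client certificates.
    for name in cfg.get("verify_flags", []):
        ctx.verify_flags |= _flag("VERIFY_", name)
    # SSL Options: OP_NO_* bits that switch protocol versions off.
    opts = 0
    for name in cfg.get("ssl_options", {}).get("options", []):
        opts |= _flag("OP_", name)
    with warnings.catch_warnings():
        # Python 3.10+ deprecates the OP_NO_* bits in favour of
        # minimum_version; they still take effect, so only the warning is muted.
        warnings.simplefilter("ignore", DeprecationWarning)
        ctx.options |= opts
    return ctx


_VERSION_BITS = {
    "TLSv1": ssl.OP_NO_TLSv1,
    "TLSv1.1": ssl.OP_NO_TLSv1_1,
    "TLSv1.2": ssl.OP_NO_TLSv1_2,
    "TLSv1.3": ssl.OP_NO_TLSv1_3,
}


def enabled_tls_versions(ctx):
    """TLS versions that are not excluded by an OP_NO_* bit on the context."""
    return [v for v, bit in _VERSION_BITS.items() if not ctx.options & bit]


def describe_context(ctx):
    """Summarise the effective TLS posture as plain values for a config review."""
    flags = ctx.verify_flags
    # VERIFY_CRL_CHECK_CHAIN is a superset of VERIFY_CRL_CHECK_LEAF, so test
    # the full chain mask first rather than a single bit.
    if flags & ssl.VERIFY_CRL_CHECK_CHAIN == ssl.VERIFY_CRL_CHECK_CHAIN:
        crl = "chain"
    elif flags & ssl.VERIFY_CRL_CHECK_LEAF:
        crl = "leaf"
    else:
        crl = "none"
    return {
        "verify_mode": ctx.verify_mode.name,
        "client_cert_value": int(ctx.verify_mode),
        "crl_check": crl,
        "tls_versions": enabled_tls_versions(ctx),
        "ciphers": [c["name"] for c in ctx.get_ciphers()],
    }


def config_error(cfg):
    """Return the validation error for a config, or None if it builds cleanly."""
    try:
        build_server_context(cfg)
    except (ValueError, ssl.SSLError) as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    print(json.dumps(describe_context(build_server_context(SAMPLE_CONFIG)), indent=2))
```

Listing the cipher names and the surviving protocol versions makes the effect of the OP_NO_* flags visible: with the JSON above only TLSv1.2 and TLSv1.3 remain, which is the posture the page describes.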
13. Advanced Settings: Set additional advanced options for tunnel configuration, if required, in JSON format. In a scenario where an ESA and two DSG nodes are in a cluster, you can use the Selective Tunnel Loading functionality to load specific tunnel configurations on specific DSG nodes.
Options | Description | Default (if any) | Notes |
---|---|---|---|
idle_connection_timeout | Timeout for an idle connection. The value is in seconds. | 3600 | |
max_buffer_size | Maximum amount of incoming data held in a buffer. The value is in bytes. | 10240000 | |
max_write_buffer_size | Maximum amount of outgoing data held in a buffer. The value is in bytes. | 10240000 | This parameter is applicable only with REST streaming. |
no_keep_alive | If set to true, then the connection closes after one request. | false | |
decompress_request | Decompress a gzip-compressed request body. | false | |
chunk_size | Number of bytes to read at one time from the underlying transport. The value is in bytes. | 16384 | |
max_header_size | Maximum size of the HTTP headers. The value is in bytes. | 65536 | |
body_timeout | Timeout for the wait while reading the request body. The value is in seconds. | | |
max_body_size | Maximum size of the HTTP request body. The value is in bytes. | 4194304 | Although the DSG allows you to configure the maximum request body size, the response body size differs and cannot be configured on the DSG. The response body size that the gateway sends to the HTTP client depends on multiple factors, such as the complexity of the rule, the transform rule configured if you use regex replace, the size of the response received from the destination, and so on. If the response body sent to the client is larger than the value configured in the DSG, then the DSG returns the following response and closes the connection: 400 Bad Request. In earlier versions of the DSG, the DSG closed the connection and sent 200 as the response code. |
max_streaming_body_size | Maximum size of the HTTP request body when HTTP streaming with REST is enabled. The value is in bytes. | 52428800 | |
maximumBytes | This field is not supported for the DSG 3.0.0.0 release and will be supported in a later DSG release. | | |
maximumRequests | This field is not supported for the DSG 3.0.0.0 release and will be supported in a later DSG release. | | |
thresholdDelta | This field is not supported for the DSG 3.0.0.0 release and will be supported in a later DSG release. | | |
write_cache_memory_size | For an HTTP blocking client sending a REST streaming request, the DSG processes the request and tries to send the response back. If the client type is blocking, then the DSG stores the response in memory until the write_cache_memory_size limit is reached, and then starts writing to the disk. The file size is managed using the write_cache_disk_size parameter. The value is in bytes. | | |
write_cache_disk_size | Size of the file that holds the response after the write_cache_memory_size limit is reached while processing a REST streaming request sent by an HTTP blocking client. After the write_cache_disk_size limit is reached, the DSG starts writing to the disk. The data on the disk always exists in encrypted form, and the disk cache file is discarded after the response is sent. The value is in bytes. | | |
additional_http_methods | Include additional HTTP methods, such as PURGE, LINK, LINE, UNLINK, and so on. | | |
cookie_attributes | Add a new HTTP cookie attribute to the list of attributes that the DSG accepts. | ["expires", "path", "domain", "secure", "httponly", "max-age", "version", "comment", "priority", "samesite"] | |
compress_response | Compresses the response sent to the client if the client supports gzip encoding, that is, it sends Accept-Encoding: gzip. | false | |
The dh_params parameter points to a .pem file that includes the DH parameters required to enable DH key exchange, which improves protection without compromising the computational resources required at each end. The value accepted by this field is the file name with the .pem extension. The DSG supports both RSA certificates and Elliptic Curve Digital Signature Algorithm (ECDSA) certificates for ECDHE. RSA certificates are available by default when the DSG is installed; to use ECDSA certificates in the DSG, you must generate an ECDSA certificate and the related key. The following procedure explains how to generate the ECDSA certificate and key.

To generate the dhparam.pem file:

1. Set the DH Parameters (dh_params) in the Inbound Transport Settings as given in the following example:

   ```
   /opt/protegrity/alliance/config/dhparam/dhparam.pem
   ```

2. From the ESA CLI Manager, navigate to Administration > OS Console.
3. Execute the following command to generate the dhparam.pem file:

   ```
   openssl dhparam -out /opt/protegrity/alliance/config/dhparam/dhparam.pem 2048
   ```

   Note: Ensure that you create the dhparam directory in the given path. The path /opt/protegrity/alliance/config/dhparam is the location where you want to save the .pem file. The value 2048 is the key size.

4. To generate a DH private key from the parameter file, execute the following command:

   ```
   openssl genpkey -paramfile dhparam.pem -out dhkey.pem
   ```
The ecdh_curve_name parameter is the curve type that is required for the key exchange. The OpenSSL curves that are supported by the DSG are listed in Supported OpenSSL Curve Names.
You can configure additional inbound settings that apply to HTTP from the Global Settings page on the DSG Web UI.