Generic Template for SafeNet App Gateway
Perform the following steps to add Generic Template for SafeNet App Gateway in STA:
- In the Add Application window, search for and select Generic Template for SafeNet App Gateway from the list of available applications.
- Enter a Display Name (this can be a custom name) for the application and then click Add.
- Under Application Setup, perform the following steps:
  - In the PUBLIC URI field, enter the application name of your protected application hosted on the internal server. For example, enter <application name>, or use "/" to protect all applications.
    > The PUBLIC URI must be unique across all sub-applications of the same parent.
    > The application name must not start with "/".
  - In the INTERNAL URL field, enter the URL of the internal server hosting the protected application (https://<ipaddress>). If the application listens on a port other than 443 or 80, append the port number to the URL (https://<internalhost>:<portnumber>). Using https is recommended. For example, https://internal-ps.example.com:8000/
    > If a Fully Qualified Domain Name (FQDN) is used, the Internal URL must be in lower case and must be added to the deployed container's hosts file, /etc/hosts.
    > The Internal URL must be the same for all sub-applications of the same parent.
    > If the docker container restarts, re-enter the FQDN.
  - From the AUTHENTICATION SCHEME dropdown, select the authentication scheme that the internal application server uses for the protected application. The options are:
    - CUSTOM: Anonymous authentication. Anonymous authentication gives users access to a website without prompting for a username or password.
    - HTTP BASIC: HTTP Basic authentication. Under Basic authentication, the HTTP request carries an Authorization header with the Base64-encoded username and password, which is used to enforce access control on the web resources.
    - FORM AUTHENTICATION: Form-based authentication. In form-based authentication, an HTML form element is used to send user credentials to the server. The request body contains the credentials that are sent to the protected application.
      For a form-based application that supports a CSRF token, refer to the Cross-Site Request Forgery (CSRF) Support for SafeNet App Gateway section below.
  - [Mandatory] In the LOGIN URL field, enter the relative login URL of the protected application. For example, use /formauthdemo/login as the relative login URL for https://sas.sta.test.thales.com/formauthdemo/Login.
    > This field is only available for form-based authentication.
  - [Optional] In the LOGOUT URL field, enter the relative logout URL of the protected application. For example, use /formauthdemo/logout as the relative logout URL for https://sas.sta.test.thales.com/formauthdemo/Logout.
    > This field is only available for form-based authentication.
  - Click Add Attributes to add a header attribute. Additional required parameters can be passed to the protected application as a header, cookie, params, or form.
    - From the TYPE dropdown, select the required option. The following options are available:
      > Header: Sends the value as a request header.
      > Cookie: Sends the value as a cookie.
      > Params: Sends the value as a query string parameter.
      > Form: During login, sends the mapped values in the form body. If the custom value attribute is mapped as $password, the agent replaces it with the actual user password before sending it to the protected application.
      > The Form type is only available for the form-based authentication scheme.
    - In the NAME field, enter a name for the attribute.
    - From the VALUE dropdown, select the attribute to be mapped to the header attribute parameter. The header attribute value represents the login ID of the user on the application and is sent as part of the authentication process.
      > In the case of Custom Value, you can enter a value of your choice in the ADDITIONAL INFORMATION field.
    - Click the delete icon to delete a particular header attribute.
    - Click the add icon to add an additional header attribute, then select its TYPE, NAME, and VALUE as described above.
Click Save And Continue.
Cross-Site Request Forgery (CSRF) Support for SafeNet App Gateway
Cross-Site Request Forgery (CSRF) support for SafeNet App Gateway is used to prevent form-based applications from DOS attacks. If an application uses a CSRF token, the application attributes must be added to the sub-app manually by editing the .agent file. The CSRF token implementation is supported through the custom plugin method described in this section.
Configuring the .agent file
Perform the following steps to configure the .agent file to support the CSRF token:
- Navigate to the .agent file that you downloaded earlier from STA.
- Open the .agent file in any text editor.
- In the .agent file, locate the sub-app that supports the CSRF token (identified by its FriendlyName) and add the following application attributes manually:
    "ApplicationAttributes": {
      "csrf_settings": {
        "token_name": "<token_name>",
        "token_transport": "<Cookie | Form | Header>"
      }
    },
  where:
  - token_name: Specifies the name of the CSRF token.
  - token_transport: Specifies where the token is carried: Cookie, Form, or Header.
- Copy the value of FriendlyName from the .agent file and save it. It is used later.
Installing the agent
First perform the agent installation steps described in the product documentation. Then perform the following steps:
- On the docker machine's terminal, run the following command to open a shell in the docker container:
  sudo docker exec -it <container_name> /bin/bash
- Navigate to safeNetApplicationGateway/src/customPlugins by using the following command:
  cd src/customPlugins
- Copy the files in the CSRF_Template directory (customPlugin.lua and customPluginTemplate.html) into the customPlugins folder by using the following command:
  cp -r CSRF_Template/* .
- Edit the customPlugin.lua file using any text editor, such as vim. Replace <Friendly Name> with the FriendlyName of the sub-app that you copied earlier, for example CSRF_Application.
- Save the file and exit the docker container.
- Now perform the steps in the Configuring the Agent section.
Customizing the GET function of application attributes
Applications deliver their CSRF token value in different ways. In this implementation, the CSRF token value is obtained by performing a GET call to the protected application. If your application delivers the token differently, customize the current implementation by performing the following steps:
- On the docker machine's terminal, run the following command to open a shell in the docker container:
  sudo docker exec -it <container_name> /bin/bash
- Navigate to safeNetApplicationGateway/src/helper by using the following command:
  cd src/helper
- Edit the luaHelper.lua file using any text editor, such as vim. Customize the getCSRFTokenValue function to match how your CSRF-based application delivers the token.
- Save the file and exit the docker container.
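The following Python example, added here and not part of the SafeNet App Gateway's own Lua code, shows the logic that the csrf_settings block and the getCSRFTokenValue customization describe: reading the token from the login page's GET response according to token_transport (Cookie, Form, or Header), and then building the form body with the $password placeholder replaced. The response headers and HTML are constructed samples; a real helper would obtain them from the GET call to the protected application.

```python
import re
from http.cookies import SimpleCookie
from typing import Dict, Optional

# Constructed csrf_settings, in the shape used by ApplicationAttributes in the .agent file.
CSRF_SETTINGS = {"token_name": "csrftoken", "token_transport": "Cookie"}

_INPUT_TAG = re.compile(r"<input\b[^>]*>", re.IGNORECASE)
_ATTRIBUTE = re.compile(r'([\w-]+)\s*=\s*["\']([^"\']*)["\']')


def extract_csrf_token(settings: Dict[str, str], headers: Dict[str, str],
                       body: str) -> Optional[str]:
    """Locate the CSRF token in the GET response to the login page.

    headers: response headers with lower-case names (a constructed dict here,
             standing in for the real HTTP response).
    body:    HTML of the login page.
    Returns None when the token is absent, so the caller can abort the login
    instead of posting a form without a token.
    """
    name = settings["token_name"]
    transport = settings["token_transport"].lower()
    if transport == "cookie":
        jar = SimpleCookie()
        jar.load(headers.get("set-cookie", ""))
        return jar[name].value if name in jar else None
    if transport == "header":
        return headers.get(name.lower())
    if transport == "form":
        # Hidden <input> whose name matches token_name; attribute order may vary.
        for tag in _INPUT_TAG.findall(body):
            attrs = {k.lower(): v for k, v in _ATTRIBUTE.findall(tag)}
            if attrs.get("name") == name:
                return attrs.get("value")
        return None
    raise ValueError("unsupported token_transport: " + settings["token_transport"])


def build_form_login(form_attributes: Dict[str, str], settings: Dict[str, str],
                     token: str, password: str) -> Dict[str, str]:
    """Assemble the body posted to LOGIN URL: the mapped Form attributes with the
    $password placeholder replaced, plus the token when it travels in the form."""
    body = {k: (password if v == "$password" else v) for k, v in form_attributes.items()}
    if settings["token_transport"].lower() == "form":
        body[settings["token_name"]] = token
    return body
```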