SSL Decrypt

License: For information on licensing, refer to the Volume Based License (VBL)

The SSL Decrypt application delivers decrypted traffic to out-of-band tools, which can then detect threats entering the network. Secure Sockets Layer (SSL) is a cryptographic protocol that adds security to TCP/IP communications such as web browsing and email. The protocol allows secure data to be transmitted between a server and a client that both hold the keys to decode the transmission and the certificates to verify trust between them.

Upload SSL Keys

To upload an SSL private key, do the following:

  1. Go to Inventory > Resources > Security > SSL Keys.
  2. Click Add. The Create SSL Key page appears.
  3. Enter the following details:

    Key Alias: Enter a name for the key.

    Comment: Enter a description.

    Key Type: Select one of the following key types. The remaining fields depend on the type you select.

    PEM

      PassPhrase (optional): A passphrase protects the private key from being used without it. Enter the passphrase that was set when the private key was created.

      SSL Key Store: Enter the SSL Key Store in which the key is stored.

      Private key: Enter the private key using any of the following options:
        • Copy and Paste
        • Install from URL
        • Install from Local Directory

      Certificate: Enter the certificate using any of the following options:
        • Copy and Paste
        • Install from URL
        • Install from Local Directory

    PKCS12

      PassPhrase: A passphrase protects the private key from being used without it. Enter the passphrase that was set when the private key was created.

      SSL Key Store: Enter the SSL Key Store in which the key is stored.

  4. Click Save.

Note: The SSL Decrypt application does not support hardware security modules (HSM).
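Before filling in the Create SSL Key form it helps to know what the file you are about to upload actually contains: whether it is PEM text or a binary PKCS12 bundle, how many private keys and certificates a PEM file holds, and whether the key is encrypted (in which case the PassPhrase field is required rather than optional). The following Python script is an added example written for this page; it is not part of the SSL Decrypt product or its documentation. The PEM blocks it inspects are constructed placeholders whose DER payload is a 5-byte dummy ASN.1 SEQUENCE, not real key material, and the function names are this example's own.

```python
import base64
import binascii
import re

# One PEM block: "-----BEGIN <label>-----", optional RFC 1421 headers, base64 body, "-----END <label>-----".
_PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.S)

PRIVATE_KEY_LABELS = {"PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY", "ENCRYPTED PRIVATE KEY"}


def parse_pem(text):
    """Return (label, headers, der_bytes) for every PEM block in text.

    Raises ValueError when a block body is not valid base64 or does not decode
    to an ASN.1 SEQUENCE (tag 0x30), which every key and certificate starts with.
    """
    blocks = []
    for match in _PEM_BLOCK.finditer(text):
        label, body = match.group(1), match.group(2)
        lines = body.splitlines()
        headers = {}
        # Legacy encrypted keys carry "Proc-Type" / "DEK-Info" headers followed by a blank line.
        while lines and ":" in lines[0]:
            key, value = lines.pop(0).split(":", 1)
            headers[key.strip()] = value.strip()
        if lines and not lines[0].strip():
            lines.pop(0)
        try:
            der = base64.b64decode("".join(line.strip() for line in lines), validate=True)
        except binascii.Error as exc:
            raise ValueError(f"{label}: body is not valid base64") from exc
        if der[:1] != b"\x30":
            raise ValueError(f"{label}: payload is not an ASN.1 SEQUENCE")
        blocks.append((label, headers, der))
    return blocks


def inspect_pem(text):
    """Summarise a PEM upload the way the Create SSL Key form needs it:
    number of private keys and certificates, and whether a PassPhrase is required."""
    keys = certs = 0
    passphrase_required = False
    for label, headers, _der in parse_pem(text):
        if label in PRIVATE_KEY_LABELS:
            keys += 1
            # PKCS#8 encrypted keys use their own label; legacy ones flag it in Proc-Type.
            if label == "ENCRYPTED PRIVATE KEY" or "ENCRYPTED" in headers.get("Proc-Type", ""):
                passphrase_required = True
        elif label == "CERTIFICATE":
            certs += 1
    return {"keys": keys, "certificates": certs, "passphrase_required": passphrase_required}


def classify_upload(data):
    """Map raw file bytes to the form's Key Type: PEM armour, or a bare DER/PKCS12 bundle."""
    if data.lstrip().startswith(b"-----BEGIN "):
        return "PEM"
    if data[:1] == b"\x30":
        return "PKCS12"
    return "unknown"


# Constructed placeholders: "MAMCAQA=" is the base64 of a 5-byte ASN.1 SEQUENCE, not a real key.
UNENCRYPTED_PEM = (
    "-----BEGIN RSA PRIVATE KEY-----\nMAMCAQA=\n-----END RSA PRIVATE KEY-----\n"
    "-----BEGIN CERTIFICATE-----\nMAMCAQA=\n-----END CERTIFICATE-----\n"
)
LEGACY_ENCRYPTED_PEM = (
    "-----BEGIN RSA PRIVATE KEY-----\n"
    "Proc-Type: 4,ENCRYPTED\nDEK-Info: AES-256-CBC,00112233445566778899AABBCCDDEEFF\n\n"
    "MAMCAQA=\n-----END RSA PRIVATE KEY-----\n"
)
PKCS8_ENCRYPTED_PEM = "-----BEGIN ENCRYPTED PRIVATE KEY-----\nMAMCAQA=\n-----END ENCRYPTED PRIVATE KEY-----\n"

if __name__ == "__main__":
    for name, sample in [("plain", UNENCRYPTED_PEM), ("legacy", LEGACY_ENCRYPTED_PEM), ("pkcs8", PKCS8_ENCRYPTED_PEM)]:
        print(name, classify_upload(sample.encode()), inspect_pem(sample))
```

Run it against the real file you intend to upload (`inspect_pem(open(path).read())`); a result with `keys == 0` means the Private key field cannot be satisfied by that file, and `passphrase_required == True` means the PassPhrase field is mandatory even though the form marks it optional for PEM.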

The following actions can also be performed from the SSL Keys page:

Edit: To edit an SSL Key, select the key from the list in the SSL Keys page and click the Edit button.

Delete: To delete an SSL Key, select the key from the list in the SSL Keys page and click the Delete button.

Delete all: Use this button to delete all the SSL Keys in the SSL Keys page.

View certificate: To view the certificate associated with a particular SSL Key, select the key from the list in the SSL Keys page and click the View Certificate button.

Create SSL Service

After uploading a private key, you can add a service. A service maps to a physical server, such as an HTTP server. One server can run multiple services. A service is a combination of an IP address and a server port number.

Prerequisite

Before creating a service, upload a private key as described in Upload SSL Keys.

To create an SSL service, do the following:

  1. Go to Inventory > Resources > Security > SSL Service. The SSL Services page appears.
  2. Click Add. The Create SSL Service page appears.
  3. On the Create SSL Service page, enter the following details:

    Alias: Enter a name for the SSL Service.

    Default Service: Enable this to use the default service.

    Server IP Address: Enter the IP address of the server on which the service runs.

    Server Port: Enter the port number of the server.

  4. Click Save.

The following actions can also be performed from the SSL Service page:

Edit: To edit an SSL Service, select the service from the list in the SSL Service page and click the Edit button.

Delete: To delete an SSL Service, select the service from the list in the SSL Service page and click the Delete button.

Delete all: Use this button to delete all the SSL Services in the SSL Service page.

Key Mapping

After adding the SSL Service, map the private key to the service using Key Mapping.

To map a key to the service, follow the steps given below:

  1. Go to Inventory > Resources > Security > SSL Key Mapping. The SSL Key Mapping page appears.
  2. Click Add.
  3. Enter the Key Mapping Alias.
  4. Select the SSL Service and Key Alias from the drop-down.
  5. Click Save.

The following actions can also be performed from the SSL Key Mapping page:

Edit: To edit a Key Mapping, select the mapping from the list in the SSL Key Mapping page and click the Edit button.

Delete: To delete a Key Mapping, select the mapping from the list in the SSL Key Mapping page and click the Delete button.

Delete all: Use this button to delete all the Key Mappings in the SSL Key Mapping page.

SSL Key Store

An SSL Key Store is a repository that lets you keep all your keys in a single location. You can create multiple key stores, and each key store can hold multiple keys.

To create an SSL Key Store, do the following:

  1. Go to Inventory > Resources > Security > SSL Key Store. The SSL Key Store page appears.
  2. Click Add.
  3. Enter the Key Store Alias and Comment.
  4. Click Save.

The following actions can also be performed from the SSL Key Store page:

Edit: To edit an SSL Key Store, select the Key Store from the list in the SSL Key Store page and click the Edit button.

Delete: To delete an SSL Key Store, select the Key Store from the list in the SSL Key Store page and click the Delete button.

Delete all: Use this button to delete all the SSL Key Stores in the SSL Key Store page.

Add SSL Decrypt to Monitoring Session

After mapping your keys to a service, add the GigaSMART application (SSL Decrypt) to the GigaVUE V Series 2 monitoring session as follows:

  1. Drag and drop SSL Decrypt from APPLICATIONS to the graphical workspace.
  2. Click the SSL Decrypt application and select Details.
  3. Enter the following details in the Application quick view:

    Alias: Enter the alias name for the application.

    Enable: Select the check box to enable SSL decryption.

    Key Map: Select the Key Map from the list of available Key Maps. Refer to Key Mapping for more details on how to map a key to an SSL Service.

    In Port: Enter the source port number from which the traffic should be fetched.

    Out Port: Enter the destination port number to which the decrypted traffic should be delivered.

    Session Timeout: Enter the value in seconds after which the session times out. The default value is 300 seconds.

    Pending Session Timeout: Enter the value in seconds after which a session that is still in the pending state times out.

    Tcp Syn Timeout: Enter the value in seconds after which the session times out when the TCP connection does not synchronize.

    Decrypt Fail Action: Select Pass to let traffic pass through the application when decryption fails, or Drop to drop the traffic before it passes through the application when decryption fails.

    Key Cache Timeout (sec): Enter the value in seconds for which the key cache information can be reused for session resumption.

    Ticket Cache Timeout (sec): Enter the value in seconds for which the ticket cache information can be reused for session resumption.

    Non-ssl Traffic: Select Pass to let non-SSL traffic pass through the application, or Drop to drop the non-SSL traffic before it passes through the application.

  4. Click Save.
  5. Click Deploy. The Select nodes to deploy the monitoring session page appears.
  6. Select the GigaVUE V Series Nodes you want to deploy and select an interface for each GigaVUE V Series Node. Then, click Deploy.
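The Non-ssl Traffic and Decrypt Fail Action settings above only make sense if you know how a decrypting device tells a TLS flow from a non-TLS one: it looks at the first record of the client's data for a TLS record header (content type 0x16 handshake, version bytes 0x03 0x0N) and a ClientHello handshake message, and pulls the Server Name Indication (SNI) out of it, which is the same Server Name you later filter on in the Sessions statistics. The following Python script is an added example written for this page, not code from the SSL Decrypt product; `build_client_hello`, `classify_flow` and `apply_non_ssl_policy` are this example's own names, and every byte string it classifies is constructed here rather than captured traffic. It goes slightly beyond the page by also reporting a record that is TLS but truncated, so a classifier does not mislabel a partial first segment as non-SSL.

```python
import struct

TLS_RECORD_TYPES = {0x14, 0x15, 0x16, 0x17}   # change_cipher_spec, alert, handshake, application_data
TLS_HANDSHAKE = 0x16
TLS_CLIENT_HELLO = 0x01
EXT_SERVER_NAME = 0x0000


def build_client_hello(host, random_bytes=b"\x11" * 32):
    """Build a minimal ClientHello record, with an SNI extension when host is given.
    Constructed input for this example; not traffic captured from any real system."""
    body = (
        b"\x03\x03" + random_bytes                     # client_version + random
        + b"\x00"                                      # empty session id
        + struct.pack("!H", 4) + b"\x13\x01\x13\x02"   # two cipher suites
        + b"\x01\x00"                                  # one compression method: null
    )
    if host is not None:
        name = host.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(name)) + name   # name_type 0 = host_name
        sni_ext = struct.pack("!HHH", EXT_SERVER_NAME, len(entry) + 2, len(entry)) + entry
        body += struct.pack("!H", len(sni_ext)) + sni_ext
    handshake = bytes([TLS_CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([TLS_HANDSHAKE, 0x03, 0x01]) + struct.pack("!H", len(handshake)) + handshake


def _extract_sni(body):
    """Walk the ClientHello body to the server_name extension; None if absent or malformed."""
    try:
        pos = 2 + 32                                               # skip client_version and random
        pos += 1 + body[pos]                                       # session id
        pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]       # cipher suites
        pos += 1 + body[pos]                                       # compression methods
        if pos + 2 > len(body):
            return None                                            # no extensions block at all
        end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= end:
            ext_type, ext_size = struct.unpack("!HH", body[pos:pos + 4])
            pos += 4
            if ext_type == EXT_SERVER_NAME:
                list_end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
                p = pos + 2
                while p + 3 <= list_end:
                    name_type = body[p]
                    name_len = struct.unpack("!H", body[p + 1:p + 3])[0]
                    if name_type == 0:
                        return body[p + 3:p + 3 + name_len].decode("ascii", "replace")
                    p += 3 + name_len
            pos += ext_size
    except (IndexError, struct.error):
        return None                                                # malformed: treat as no SNI
    return None


def classify_flow(data):
    """Classify the first client->server bytes of a flow.
    Returns ("client_hello", sni), ("tls_other", None), ("tls_truncated", None) or ("non_ssl", None)."""
    if len(data) < 5 or data[0] not in TLS_RECORD_TYPES or data[1] != 0x03 or data[2] > 0x04:
        return ("non_ssl", None)
    rec_len = struct.unpack("!H", data[3:5])[0]
    if len(data) - 5 < rec_len:
        return ("tls_truncated", None)               # need more bytes before deciding
    record = data[5:5 + rec_len]
    if data[0] != TLS_HANDSHAKE or len(record) < 4 or record[0] != TLS_CLIENT_HELLO:
        return ("tls_other", None)
    return ("client_hello", _extract_sni(record[4:]))


def apply_non_ssl_policy(data, non_ssl_traffic="Pass"):
    """Mirror the Non-ssl Traffic setting: "Pass" forwards non-SSL flows untouched,
    "Drop" discards them; TLS flows continue to the decryption path with their SNI."""
    kind, sni = classify_flow(data)
    if kind == "non_ssl":
        return ("pass" if non_ssl_traffic == "Pass" else "drop", None)
    return ("decrypt", sni)


# Constructed samples, not captured traffic.
HTTP_GET = b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n"
APP_DATA_RECORD = b"\x17\x03\x03\x00\x05hello"

if __name__ == "__main__":
    for sample in (build_client_hello("example.test"), build_client_hello(None), HTTP_GET, APP_DATA_RECORD):
        print(classify_flow(sample), apply_non_ssl_policy(sample, "Drop"))
```

The truncated case matters operationally: if the first captured segment holds only part of the ClientHello, a naive check that expects a complete record would classify the flow as non-SSL and, with Non-ssl Traffic set to Drop, discard a session that should have been decrypted.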

View Application Statistics

After adding the SSL Decrypt application to the monitoring session, open the Monitoring Session Statistics page to view the application statistics. Refer to View Monitoring Session Statistics for more detailed information.

  1. Click View Monitoring Session Diagram. The monitoring session diagram appears.
  2. Click the SSL Decrypt application. The ssl-decrypt application statistics page appears.
  3. You can view the following in the SSL application statistics page:
    • Application: The application statistics are displayed here.
    • Sessions: To view the session summary and session details of the SSL Decrypt application, select the V Series Node IP and enter the Server Name and Client/Server IP address. Then click Apply.
    • Server Certificates: To view the server certificate statistics, select the V Series Node IP from the drop-down and enter the Key Alias. Then, click Apply.
    • Services: All service-related statistics are displayed here. To view the statistics, select the V Series Node IP and the Service Alias from the drop-down and click Apply.
    • Error Codes: The error messages are displayed here.

The Server Certificates, Services and Error Codes pages have Refresh and Reset buttons, which refresh and reset the statistics.

Keep in mind the following when using SSL Decrypt application:

  1. On updating the keys, service, or key maps which are already used in a monitoring session, the monitoring session is dynamically updated, and you need not re-deploy the monitoring session. You can also see if the updated keys, services, or key maps were successfully updated to the monitoring session and the respective GigaVUE V Series Nodes on the All Events page. Refer to Overview of Events for detailed information on Events.
  2. When deleting a key that is part of a Key Map and that Key Map is used in a monitoring session which is already deployed, then the key will be removed from the Key Map. If that key is the only available entry in the Key Map, then it will not be removed.
  3. When deleting a key that is part of a Key Map and that Key Map is used in a monitoring session that is not deployed, then the key will be removed from the Key Map and if that key is the only available entry in the Key Map, the whole key map will be removed from the monitoring session.
  4. When deleting a service that is part of a Key Map and that Key Map is used in a monitoring session which is already deployed, then the service will be removed from the Key Map. If that service is the only available entry in the Key Map, then it will not be removed.
  5. When deleting a service that is part of a Key Map and that Key Map is used in a monitoring session which is not deployed, then the service will be removed from the Key Map and if that service is the only available entry in the Key Map, the whole key map will be removed from the monitoring session.
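Points 2 to 5 describe one rule applied to two kinds of Key Map entry: removing a key or a service from a Key Map succeeds unless it is the map's last entry, and what happens then depends on whether the monitoring session is deployed. The Python model below is an added example written for this page to make that rule testable before you delete anything; it is not code from GigaVUE-FM, the `KeyMap` and `MonitoringSession` classes and the `delete_key` / `delete_service` functions are this example's own, and the alias names in `make_session` are constructed samples.

```python
from dataclasses import dataclass, field


@dataclass
class KeyMap:
    """A Key Map binds SSL Service aliases to Key Aliases (sets, so a map may hold several of each)."""
    alias: str
    services: set = field(default_factory=set)
    keys: set = field(default_factory=set)


@dataclass
class MonitoringSession:
    name: str
    deployed: bool
    key_maps: dict = field(default_factory=dict)   # key map alias -> KeyMap


def _delete_entry(session, kind, alias):
    """Apply the documented rules to every Key Map in the session that references alias.
    kind is "keys" or "services". Returns [(key_map_alias, outcome), ...]."""
    outcomes = []
    for km_alias, key_map in list(session.key_maps.items()):
        entries = getattr(key_map, kind)
        if alias not in entries:
            continue
        if len(entries) > 1:
            entries.discard(alias)                      # other entries remain, map stays usable
            outcomes.append((km_alias, "entry removed"))
        elif session.deployed:
            # Deployed session: the last entry is kept so the map never becomes empty.
            outcomes.append((km_alias, "kept: last entry of a deployed session"))
        else:
            # Undeployed session: the whole Key Map is removed from the session.
            del session.key_maps[km_alias]
            outcomes.append((km_alias, "key map removed from session"))
    return outcomes


def delete_key(session, key_alias):
    """Delete a key everywhere it appears in the session's Key Maps (points 2 and 3)."""
    return _delete_entry(session, "keys", key_alias)


def delete_service(session, service_alias):
    """Delete a service everywhere it appears in the session's Key Maps (points 4 and 5)."""
    return _delete_entry(session, "services", service_alias)


def make_session(name, deployed):
    """Constructed sample: one session with a single Key Map holding two keys and one service."""
    return MonitoringSession(name, deployed, {
        "km-web": KeyMap("km-web", services={"svc-web"}, keys={"key-2023", "key-2024"}),
    })


if __name__ == "__main__":
    live = make_session("prod", deployed=True)
    print(delete_key(live, "key-2023"))      # removed, key-2024 remains
    print(delete_key(live, "key-2024"))      # kept: last entry, session is deployed
    staged = make_session("staging", deployed=False)
    print(delete_service(staged, "svc-web")) # last entry, undeployed: map removed
```

The practical consequence for an operator: a deployed session can be left with a Key Map that still references a key you believed you had deleted, and an undeployed session can silently lose a whole Key Map. Running the model against your own inventory before the deletion shows which of the two you will get.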