ServiceNOW SSL Offload


3 comments


Mike Bomba

If using a current LoadMaster OS build (e.g. 7.2.43) then the following is possible.

The following template was created to support a federal user configuring LoadMaster to provide https access to ServiceNow. The ServiceNow servers were not configured for https due to the difficulty in adding Federal certificates to the ServiceNow servers. Instead, a KEMP LoadMaster was configured in the path to accept https connections, decrypt, and send the resulting http traffic to the ServiceNow servers.

The template has a body modification rule, as there are embedded http objects in the ServiceNow application. Since the user connects only over https, there was no path to these http objects. To fix this, the KEMP appliance rewrote all http objects in a web page to https. This allowed the user to select these objects and connect via https to the KEMP appliance.

KEMP templates are simple text (ascii) files that contain instructions for the automatic creation of a virtual service. Templates created from an existing virtual service normally use the .txt suffix. The process to create a template for ServiceNow is listed below.

Create a new ascii (text) file named ServiceNow.txt

Cut and paste the below into the ServiceNow.txt file

Using the KEMP Web UI, under Virtual Services/Templates, upload this template.

Create a new virtual service and select this template. All you need to do now is add the real servers (your ServiceNow IIS servers) and test.

YOU MAY NEED TO SET A DIFFERENT PERSISTENCE MODE FOR THIS VIRTUAL SERVICE

--------CUT BELOW-----

 

%TYPE% VS
%NAME% ServiceNow
%COMMENT% Generated by vipdump $Revision: 16279 $
%PORT% 443
%PROT% tcp
%TVERSION% 4

rules
add "ServiceNowRewrite_2088_10045_%RAND%"
type replacebody
value "/http:\/\//"
replacement "https://"
exit

exit
vip tcp/%VIP%+%PORT%
name "%REALNAME%"
mtype "http"
sslaccel
tlstype 1
cipherset "Default"
forcel7
cookie "test"
healthcheck "tcp"
persist "cookie-src"
schedule "rr"
ptimeout 28800
errcode 302
checkurl "/"
checkversion 1
checkport 16000
addbrule ServiceNowRewrite_2088_10045_%RAND%
exit

------------- CUT ABOVE ------------



Nick Smylie

Hi Herminio Frami

The high majority of our customers will use SSL re-encryption if their server/app supports encryption. The few times they do not is if there is some configuration that will not allow them to use SSL re-encryption or if their server/app only works on port 80.



Mike Bomba

The US Government requires encryption between enclaves. It does not require encryption inside an enclave. If your application does not require SSL/TLS be configured and the LoadMaster is in the same enclave as the application server, then you can use the LoadMaster to perform SSL Offload and still meet current US Government requirements related to use of TLS 1.1 and above to provide encryption of data in motion between enclaves. 

If your application does require SSL or TLS and the version of SSL or TLS no longer meets security requirements (e.g. your web site uses SSL3 and cannot upgrade to TLS1.1), you can use the LoadMaster to terminate inbound requests using TLS1.1, 1.2, 1.3 and then re-encrypt using SSL3 to the application server. To the outside world you are using approved TLS versions without changing your application server.

There are some cautions to the use of SSL Offload. SSL Offload breaks user certificate based user authentication. SSL Offload and re-encrypt will break SAML authentication. Body rewrite rules are needed if the web site presents http based links to the user (rule is to rewrite any "http://" to "https://").

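As an added example that is not part of the original thread (neither KEMP's nor the commenters' code), the Python below models the body rewrite rule that both the posted template (the replacebody rule with value "/http:\/\//" and replacement "https://") and the caution above describe. It shows that the rule as written rewrites every "http://" in a response body, third-party links included, and adds two things a practitioner would want to check when offloading this way: a host-scoped variant that only rewrites links pointing at the offloaded host, and the Content-Length fixup any rewriting proxy must perform because "https://" is one byte longer than "http://". The host name, the HTML and the HTTP response are constructed for illustration and are not from the page.

```python
import re

# Constructed sample (not from the page): a page as the backend might emit it over
# plain http, with same-host absolute links, a relative link and a third-party link.
OFFLOADED_HOST = "servicenow.example.gov"
SAMPLE_BODY = (
    "<html><head>\n"
    '<link rel="stylesheet" href="http://servicenow.example.gov/styles/ui.css">\n'
    '<script src="http://servicenow.example.gov/scripts/app.js"></script>\n'
    "</head><body>\n"
    '<a href="/nav_to.do?uri=incident.do">Relative link</a>\n'
    '<a href="http://servicenow.example.gov/incident.do">Absolute link</a>\n'
    '<img src="http://cdn.third-party.example/logo.png">\n'
    "</body></html>"
)

# Same pattern the template's replacebody rule uses: a bare "http://" with no host.
HTTP_SCHEME = re.compile(r"http://")


def rewrite_all(body: str) -> str:
    """Behaviour of the template's rule: every 'http://' becomes 'https://'.

    Note this also rewrites links to hosts the LoadMaster does not front
    (the third-party CDN in the sample), which will break if that host
    does not serve https.
    """
    return HTTP_SCHEME.sub("https://", body)


def rewrite_for_host(body: str, host: str) -> str:
    """Host-scoped alternative (added here, not from the page).

    Only 'http://<host>' followed by a path, port, quote or whitespace is
    rewritten, so 'http://<host>.evil.example' and third-party links are
    left alone.
    """
    pattern = re.compile(r"http://" + re.escape(host) + r"(?=[/:\"'\s>]|$)")
    return pattern.sub("https://" + host, body)


def count_scheme(body: str, scheme: str) -> int:
    """Count occurrences of '<scheme>://' ('http' does not match 'https://')."""
    return len(re.findall(re.escape(scheme) + "://", body))


def rewrite_response(raw: bytes, host: str) -> bytes:
    """Apply the host-scoped rewrite to a full HTTP/1.1 response and fix Content-Length.

    Each substitution grows the body by one byte, so a proxy that rewrites
    bodies but forwards the original Content-Length produces a truncated or
    hung response.
    """
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("not a complete HTTP response head")
    new_body = rewrite_for_host(body.decode("utf-8"), host).encode("utf-8")
    headers = []
    for line in head.split(b"\r\n"):
        if line.lower().startswith(b"content-length:"):
            line = b"Content-Length: " + str(len(new_body)).encode("ascii")
        headers.append(line)
    return b"\r\n".join(headers) + b"\r\n\r\n" + new_body


def content_length(raw: bytes) -> int:
    """Read the Content-Length header of a raw HTTP response."""
    head = raw.split(b"\r\n\r\n", 1)[0]
    for line in head.split(b"\r\n"):
        if line.lower().startswith(b"content-length:"):
            return int(line.split(b":", 1)[1].strip())
    raise ValueError("no Content-Length header")


def sample_response() -> bytes:
    """Constructed backend response (not from the page) with a correct Content-Length."""
    body = SAMPLE_BODY.encode("utf-8")
    return (
        b"HTTP/1.1 200 OK\r\n"
        b"Content-Type: text/html; charset=utf-8\r\n"
        b"Content-Length: " + str(len(body)).encode("ascii") + b"\r\n"
        b"\r\n" + body
    )


if __name__ == "__main__":
    print("blanket rewrite:", count_scheme(rewrite_all(SAMPLE_BODY), "https"), "https links")
    print("host-scoped rewrite:", count_scheme(rewrite_for_host(SAMPLE_BODY, OFFLOADED_HOST), "https"), "https links")
    print("fixed Content-Length:", content_length(rewrite_response(sample_response(), OFFLOADED_HOST)))
```

The blanket rule is the one the template ships and is the right default when every absolute link on the page points back at the LoadMaster; the host-scoped variant is worth considering when the application also embeds links to hosts that are not behind the offload. Whichever rule is used, verify on the wire that the rewritten response still has a Content-Length matching its body (or is chunked), since that is the usual cause of pages that "hang" after a body rewrite is enabled.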

