Cisco Web Security Appliance S170 User Guide
12-15
Cisco IronPort AsyncOS 7.5.7 for Web User Guide
Chapter 12 Decryption Policies
Use the following OpenSSL command to convert a DER formatted certificate file to a PEM formatted
certificate file:
openssl x509 -inform DER -in cert_in_DER -outform PEM -out out_file_name
You can also convert key files in DER format into the PEM format by running a similar OpenSSL
command. Note that these commands write the PEM private key unencrypted unless you add an
encryption option; protect the output file, because anyone holding this key can issue certificates
that your clients trust.
For RSA keys, use the following command:
openssl rsa -inform DER -in key_in_DER -outform PEM -out out_file_name
For DSA keys, use the following command:
openssl dsa -inform DER -in key_in_DER -outform PEM -out out_file_name
For more information about using OpenSSL, see the OpenSSL documentation, or visit
http://openssl.org.
Enabling the HTTPS Proxy
To monitor and decrypt HTTPS traffic, you must enable the HTTPS Proxy on the Security Services >
HTTPS Proxy page. When you enable the HTTPS Proxy, you must configure what the appliance uses
as the root certificate for the server certificates it generates and presents to the client applications on the
network. You can upload a root certificate and private key that your organization already has, or you can
have the appliance generate a certificate and key from information you enter.
Note
When AsyncOS for Web runs on a FIPS-compliant Web Security appliance, you must use the FIPS
management console to generate or upload the root certificate and key pair. When you generate or upload
certificates and keys using the FIPS management console, the keys are protected by the HSM card. For
more information on using the FIPS management console, see
Once the HTTPS Proxy is enabled, all HTTPS policy decisions are handled by Decryption Policies. You
can no longer define Access and Routing Policy group membership by HTTPS, nor can you configure
Access Policies to block HTTPS transactions. If some Access and Routing Policy group memberships
are defined by HTTPS and if some Access Policies block HTTPS, then when you enable the HTTPS
Proxy those Access and Routing Policy groups become disabled. You can choose to enable the policies
at any time, but all HTTPS related configurations are removed.
Note
When you upload a certificate to the Web Security appliance, verify it is a signing (CA) certificate and not a
server certificate: the certificate must carry the basicConstraints extension with CA:TRUE, which a server
certificate does not. A server certificate cannot be used as a signing certificate, so decryption does not work
when you upload a server certificate.
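The DER-to-PEM conversion commands earlier on this page and the signing-certificate requirement in the note above, combined into one added example. This script is not from the Cisco guide and does not run on the appliance; it is a POSIX shell script for the workstation where you prepare the files, and it needs the openssl command-line tool. It converts DER root material to PEM, then checks that the certificate is a CA certificate (basicConstraints CA:TRUE) and that the private key belongs to it. The file names, function names and the sample certificates it generates are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the Cisco guide: prepare and sanity-check root
# certificate material before uploading it on Security Services > HTTPS Proxy.
# Requires the openssl command-line tool. All file and function names here are
# chosen for this example; the sample certificates are generated locally.
set -eu

# Convert a DER certificate to PEM ($1 = cert_in_DER, $2 = out_file_name).
der_cert_to_pem() {
    openssl x509 -inform DER -in "$1" -outform PEM -out "$2"
}

# Convert a DER RSA private key to PEM (use 'openssl dsa' for DSA keys).
# The output key is unencrypted; protect it accordingly.
der_rsakey_to_pem() {
    openssl rsa -inform DER -in "$1" -outform PEM -out "$2" 2>/dev/null
}

# Succeed only if the PEM certificate asserts basicConstraints CA:TRUE.
# A server (leaf) certificate lacks it, so clients would reject anything the
# appliance signed with it; that is the failure the guide's note describes.
is_signing_cert() {
    openssl x509 -in "$1" -noout -text \
        | grep -A1 'X509v3 Basic Constraints' | grep -q 'CA:TRUE'
}

# Succeed only if the private key belongs to the certificate, by comparing the
# public key each one carries ($1 = PEM cert, $2 = PEM key).
key_matches_cert() {
    [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ]
}

# Constructed sample input: a self-signed CA certificate and a self-signed
# server certificate, both re-encoded as DER as if exported from another system.
make_sample_der() {   # $1 = work directory
    d=$1
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
        > "$d/ca.ext"
    openssl req -new -newkey rsa:2048 -nodes -subj '/CN=Example Root CA' \
        -keyout "$d/root.key.pem" -out "$d/root.csr" 2>/dev/null
    openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key.pem" -days 30 \
        -extfile "$d/ca.ext" -out "$d/root.pem" 2>/dev/null
    printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature,keyEncipherment\n' \
        > "$d/leaf.ext"
    openssl req -new -newkey rsa:2048 -nodes -subj '/CN=www.example.com' \
        -keyout "$d/leaf.key.pem" -out "$d/leaf.csr" 2>/dev/null
    openssl x509 -req -in "$d/leaf.csr" -signkey "$d/leaf.key.pem" -days 30 \
        -extfile "$d/leaf.ext" -out "$d/leaf.pem" 2>/dev/null
    openssl x509 -in "$d/root.pem" -outform DER -out "$d/root.der"
    openssl x509 -in "$d/leaf.pem" -outform DER -out "$d/leaf.der"
    openssl rsa -in "$d/root.key.pem" -outform DER -out "$d/root.key.der" 2>/dev/null
}

# Convert both sample certificates and the root key, then report which one
# the appliance could actually sign with.
demo() {
    d=$(mktemp -d)
    make_sample_der "$d"
    for name in root leaf; do
        der_cert_to_pem "$d/$name.der" "$d/$name.out.pem"
        if is_signing_cert "$d/$name.out.pem"; then
            echo "$name: CA:TRUE, usable as the HTTPS Proxy root certificate"
        else
            echo "$name: server certificate, decryption would not work"
        fi
    done
    der_rsakey_to_pem "$d/root.key.der" "$d/root.key.out.pem"
    if key_matches_cert "$d/root.out.pem" "$d/root.key.out.pem"; then
        echo "root key matches root certificate"
    fi
    rm -rf "$d"
}

case "${1:-}" in demo) demo ;; esac
```

Run it as `sh check_root.sh demo`. The point of the basicConstraints check is that a server certificate converts from DER to PEM without any complaint from openssl, so the conversion step alone never catches the mistake the note warns about; the CA:TRUE test (and the key-match test) is what tells you the upload will actually work before you touch the appliance.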
For more information about root certificates, see
Also on this page, you can configure what the appliance does with HTTPS traffic when the server
certificate is invalid.
Note
For information on importing a custom root authority certificate, see
To enable the HTTPS Proxy: