
Example 10: Policy-based RSA Encryption

The RSA algorithm uses the PKEY_ENCRYPT_PEM() function to encrypt predefined and user-defined HTTP header or body content. The function accepts only RSA public keys (not private keys), and the data being encrypted cannot be longer than the length of the public key. When the data being encrypted is shorter than the key length, the algorithm uses the RSA_PKCS1 padding method.

In a sample scenario, the function can be used together with the B64ENCODE() function in a rewrite action to replace an HTTP header value with a value encrypted by an RSA public key. The recipient then decrypts the encrypted data by using the RSA private key.

You can implement the feature by using a rewrite policy. To do this, you must complete the following tasks:

  1. Add the RSA public key as a policy expression.
  2. Create a rewrite action.
  3. Create a rewrite policy.
  4. Bind the rewrite policy globally.
  5. Verify the RSA encryption.

Policy-based RSA encryption by using Citrix ADC command interface

Complete the following tasks to configure policy-based RSA encryption by using the Citrix ADC command interface.

To add the RSA public key as a policy expression by using the Citrix ADC command interface:

add policy expression pubkey '"-----BEGIN RSA PUBLIC KEY-----MIGJAoGBAKl5vgQEj73Kxp+9yn1v5gPR1pnc4oLM2a0kaWwBOsB6rzCIy6znwnvwCY1xRvQhRlJSAyJbloL7wZFIJ2FOR8Cz+8ZQWXU2syG+udi4EnWqLgFYowF9zK+o79az597eNPAjsHZ/C2oL/+6qY5a/f1z8bQPrHC4GpFfAEJhh/+NnAgMBAAE=-----END RSA PUBLIC KEY-----"' 

To add a rewrite action that encrypts an HTTP request header by using the Citrix ADC command interface:

add rewrite action encrypt_act insert_http_header encrypted_data 'HTTP.REQ.HEADER("data_to_encrypt").PKEY_ENCRYPT_PEM(pubkey).B64ENCODE'

To add a rewrite policy by using the Citrix ADC command interface:

add rewrite policy encrypt_pol 'HTTP.REQ.HEADER("data_to_encrypt").EXISTS' encrypt_act 

To bind the rewrite policy globally by using the Citrix ADC command interface:

bind rewrite global encrypt_pol 10 -type RES_DEFAULT

To verify the RSA encryption by using the Citrix ADC command interface:

>curl -v -H "data_to_encrypt: Now is the time that tries men's souls" http://10.217.24.7/
* About to connect() to 10.217.24.7 port 80 (#0)
* Trying 10.217.24.7...
* connected
* Connected to 10.217.24.7 (10.217.24.7) port 80 (#0)
> GET / HTTP/1.1
> User-Agent: curl/7.24.0 (amd64-portbld-freebsd8.4) libcurl/7.24.0 OpenSSL/0.9.8y zlib/1.2.3
> Host: 10.217.24.7
> Accept: */*
> data_to_encrypt: Now is the time that tries men's souls
>
< HTTP/1.1 200 OK
< Date: Mon, 09 Oct 2017 05:22:37 GMT
< Server: Apache/2.2.24 (FreeBSD) mod_ssl/2.2.24 OpenSSL/0.9.8y DAV/2
< Last-Modified: Thu, 20 Feb 2014 20:29:06 GMT
< ETag: "6bd9f2-2c-4f2dc5b570880"
< Accept-Ranges: bytes
< Content-Length: 44
< Content-Type: text/html
< encrypted_data: UliegKBJqZd7JdaC49XMLEK1+eQN2rEfevypW91gKvBVlaKM9N9/C2BKuztS99SE0xQaisidzN5IgeIcpQMn+CiKYVlLzPG1RuhGaqHYzIt6C8A842da7xE4OlV5SHwScqkqZ5aVrXc3EwtUksna7jOLr40aLeXnnB/DB11pUAE=
<
* Connection #0 to host 10.217.24.7 left intact

It works!

* Closing connection #0

Running the same curl command again with the same data to encrypt shows that the encrypted data is different on each execution. This is because the padding inserts random bytes in front of the data to encrypt, so the encrypted value differs every time.

>curl -v -H "data_to_encrypt: Now is the time that tries men's souls" http://10.217.24.7/
< encrypted_data: DaOjtl1Pl4DlQKf58MMeL4cFwFvZwhjMqv5aUYM5Iyzk4UpwIYhpRvgTNu2lXEVc1H0tcR1EGC/ViQncLc4EbTurCWLbzjce3+fknnMmzF0lRT6ZZXWbMvsNFOxDA1SnuAgwxWXy/ooe9Wy6SYsL2oi1sr5wTG+RihDd9zP+P14=

>curl -v -H "data_to_encrypt: Now is the time that tries men's souls" http://10.217.24.7/
. . .
< encrypted_data: eej6YbGP68yHn48qFUvi+fkG+OiO8j3yYLScrRBU+TPQ8WeDVaWnDNAVLvL0ZYHHAU1W2YDRYb+8cdKHLpW36QbI6Q5FfBuWKZSI2hSyUvypTpCoAYcHXFv0ns+tRtg0EPNNj+lyGjKQWtFi6K8IXXISoDy42FblKIlaA7gEriY=
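As an added example that is not part of the Citrix documentation, the following from-scratch Python model shows what the PKEY_ENCRYPT_PEM(...).B64ENCODE chain described above produces and what the recipient's private-key decryption has to undo: the RSA_PKCS1 (PKCS#1 v1.5) padding whose random bytes make each ciphertext differ, the resulting limit on the data (key length in bytes minus 11, not the full key length), and the base64 encoding of the header value. The key generation, the toy 512-bit key size (chosen only so the demo runs quickly) and all function names are this example's own assumptions.

```python
# Added example (not Citrix code): toy RSA PKCS#1 v1.5 model of PKEY_ENCRYPT_PEM().B64ENCODE
# and of the recipient's private-key decryption. 512-bit key for speed only; never use that size.
import base64
import secrets

def is_probable_prime(n, rounds=40):  # Miller-Rabin for odd n > 3; adequate for a demo key
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x == 1:
            continue
        for _ in range(r):
            if x == n - 1:
                break
            x = pow(x, 2, n)
        else:
            return False
    return True

def generate_keypair(bits=512):  # returns ((n, e), (n, d))
    e = 65537
    while True:  # top bit set so n has the intended size, low bit set so p and q are odd
        p, q = (secrets.randbits(bits // 2) | 1 << (bits // 2 - 1) | 1 for _ in "pq")
        if p != q and is_probable_prime(p) and is_probable_prime(q):
            phi = (p - 1) * (q - 1)
            if phi % e:  # e must be invertible mod phi
                return (p * q, e), (p * q, pow(e, -1, phi))

def pkcs1_v15_pad(msg, k):  # EME-PKCS1-v1_5 block: 00 02 <random non-zero PS> 00 <msg>
    if len(msg) > k - 11:  # PS must be at least 8 bytes, hence the k - 11 byte limit
        raise ValueError("data longer than the key allows")
    ps = bytes(secrets.randbelow(255) + 1 for _ in range(k - len(msg) - 3))
    return b"\x00\x02" + ps + b"\x00" + msg

def encrypt_b64(pub, msg):  # what the rewrite action computes for the header value
    n, e = pub
    k = (n.bit_length() + 7) // 8  # key length in bytes
    c = pow(int.from_bytes(pkcs1_v15_pad(msg, k), "big"), e, n)
    return base64.b64encode(c.to_bytes(k, "big")).decode()

def decrypt_b64(priv, token):  # recipient side: b64-decode, private-key op, strip the padding
    n, d = priv
    k = (n.bit_length() + 7) // 8
    m = pow(int.from_bytes(base64.b64decode(token), "big"), d, n).to_bytes(k, "big")
    if m[:2] != b"\x00\x02":
        raise ValueError("bad padding")
    return m[m.index(b"\x00", 10) + 1:]  # PS is non-zero, so the first zero after it ends the padding
```

On the recipient side a padding failure should be reported as a generic decryption error without detail, because PKCS#1 v1.5 decryption that reveals why it failed is known to leak information about the plaintext.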

Policy-based RSA encryption by using the GUI

Complete the following tasks to configure policy-based RSA encryption by using the GUI.

To add the RSA public key as a policy expression by using the GUI:

  1. Sign in to the Citrix ADC appliance and navigate to Configurations > AppExpert > Advanced Expressions.
  2. In the details pane, click Add to define an RSA public key as an advanced policy expression.
  3. On the Create Expression page, set the following parameters:
    1. Expression name. Name of the advanced expression.
    2. Expression. Define the RSA public key as an advanced expression using the Expression Editor.
    3. Comments. A brief description of the expression.
  4. Click Create.

To add a rewrite action that encrypts an HTTP request header by using the GUI:

  1. Sign in to the Citrix ADC appliance and navigate to Configurations > AppExpert > Rewrite > Actions.
  2. In the details pane, click Add to add a rewrite action.
  3. On the Create Rewrite Action screen, set the following parameters:
    1. Name. Name of the rewrite action.
    2. Type. Select the action type INSERT_HTTP_HEADER.
    3. Use the action type to insert a header. Enter the name of the HTTP header that needs to be rewritten.
    4. Expression. Name of the advanced policy expression associated with the action.
    5. Comments. A brief description of the rewrite action.
  4. Click Create.

To add an advanced rewrite policy by using the GUI:

  1. Sign in to the Citrix ADC appliance and navigate to Configurations > AppExpert > Rewrite > Policies.
  2. On the Rewrite Policies page, click Add to add a rewrite policy.
  3. On the Create Rewrite Policy page, set the following parameters:
    1. Name. Name of the rewrite policy.
    2. Action. Name of the rewrite action to perform if the request or response matches this rewrite policy.
    3. Log Action. Name of the message log action to use when a request matches this policy.
    4. Undefined-Result Action. Action to perform if the result of policy evaluation is undefined.
    5. Expression. Name of the advanced policy expression that triggers the action.
    6. Comments. A brief description of the rewrite action.
  4. Click Create.

To bind the rewrite policy globally by using the GUI:

  1. Sign in to the Citrix ADC appliance and navigate to Configurations > AppExpert > Rewrite > Policies.
  2. On the Rewrite Policies screen, select the rewrite policy that you want to bind and click Policy Manager.
  3. On the Rewrite Policy Manager page, in the Bind Points section, set the following parameters:
    1. Bind Point. Select the binding point Default Global.
    2. Protocol. Select the protocol type HTTP.
    3. Connection Type. Select the connection type Request.
    4. Click Continue to view the Policy Binding section.
    5. In the Policy Binding section, select the rewrite policy and set the bind parameters.
  4. Click Bind.