
Sensitive data configuration for JSON parameter

Hi experts, I want to mask data to prevent operators from seeing some sensitive data in ASM event logs. When a user logs in to my application, the event log shows a record of the HTTP request like this.

{"req":{"app":"MyMoABC","srv":"MyMoAuthen","op":"login","header":{"pwd":"111111","user":"2222222222222"}}}

I have an operator team who can access the F5 GUI and see this logging, so I tried to configure sensitive data in Security >> Application Security >> Content Profiles >> JSON Profiles to hide sensitive data. After I create a new JSON profile, I can see the tab "Sensitive Data Configuration". I tried to add a couple of Element Names such as req, header, pwd, then I associated this JSON profile with the parameter that matched the request pattern. But the event log still shows everything without masking data. Did I miss something? Any advice would be appreciated.

Answers to this Question

USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER

I've tested this on 11.6 (but I'm sure I've tested it previously on 11.5.1); anyway, it worked for me. The only difference was that I added the JSON profile to a URL, not a parameter. Could you try that as a test?

Otherwise what you are doing appears sound.

HTH,

N

USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER

You can mask it with a JSON profile. There you have to insert the element name and that's it.
But it depends on your release. An older one doesn't have the JSON profile feature.

Comments on this Answer
Comment made 23-Feb-2015 by chaloempone 78
Hi Torti, could you please give me an example if I need to hide the "pwd" value for this JSON request? {"req":{"app":"MyMoABC","srv":"MyMoAuthen","op":"login","header":{"pwd":"111111","user":"2222222222222"}}} PS: I use version 11.5.1.
Comment made 23-Feb-2015 by Torti 806
What happens if you insert pwd into the sensitive data list? That should be enough.
Comment made 23-Feb-2015 by chaloempone 78
Nothing happens after I add pwd to the sensitive data list > update > apply policy and then try to log in to my application again. The event log still shows plain text without masking data.
USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER
  1. Go to Security >> Application Security: Content Profiles: JSON Profiles and verify that you have created a JSON profile.

  2. At the bottom of the JSON profile properties screen, click Sensitive Data Configuration and verify that the "Element Name" matches the name of the parameter you are trying to protect.

  3. Now the question is are you trying to associate your JSON profile with a URL or with a parameter? If it's a URL, you need to ensure that said URL is part of the Allowed URLs list for your policy. If it is, go to the Advanced properties of the URL, and change the default value for header-based content profile to "Parsed as JSON." Then select your JSON profile from the Profile Name List menu to assign it to that URL.

  4. It's easier if your JSON profile is configured to protect a parameter. First, make sure that the PWD parameter (or whatever the name is) is an allowed parameter. If it is, make sure the Parameter Value Type is "JSON value." Then select your JSON profile from the JSON Profile list to assign it to that parameter. That should do it.

Comments on this Answer
Comment made 23-Feb-2015 by Torti 806
It's JSON traffic, so it should be option 3.
Comment made 25-Feb-2015 by chaloempone 78
Hi all, I can see the legal login request in the ASM Event Log, so it can confirm that the URL and parameter should match the right configuration. Since this project allows only the /json URL and has many JSON parameters, I've associated the JSON parameter {"req":{"app":"MyMoABC","srv":"MyMoAuthen","op":"login","header":{*}}} with a JSON profile asm_json_sensitive which has pwd in the sensitive data list. This is the current configuration, which still doesn't work. Today, I am trying to add a "*" parameter and associate it with the asm_json_sensitive profile, and waiting for the client to test. I'll report the result again then.
USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER

Hi all, the masking works after I changed "Request Body Handling" in the URL properties from "FORM data" to JSON in the URL properties menu. Thanks for every suggestion.

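Why the "Request Body Handling" change in the last answer matters, as an added illustration that is not code from the thread or from F5: the same login body exposes a maskable `pwd` element only when it is parsed as JSON. This is a simplified model, not ASM's implementation; the function names and the asterisk mask are assumptions.

```python
import json
from urllib.parse import parse_qsl

# Request body as posted in the question.
BODY = ('{"req":{"app":"MyMoABC","srv":"MyMoAuthen","op":"login",'
        '"header":{"pwd":"111111","user":"2222222222222"}}}')
SENSITIVE = {"pwd"}  # element names, as entered in the sensitive data list


def mask_json(node, names):
    """Copy node, masking every element whose name is in `names`, at any depth."""
    if isinstance(node, dict):
        return {k: ("*" * len(str(v)) if k in names else mask_json(v, names))
                for k, v in node.items()}
    if isinstance(node, list):
        return [mask_json(v, names) for v in node]
    return node


def log_as_json(body, names):
    """Body handled as JSON: element names are visible and can be matched."""
    try:
        doc = json.loads(body)
    except ValueError:
        return body  # not valid JSON: nothing to match, logged unchanged
    return json.dumps(mask_json(doc, names), separators=(",", ":"))


def log_as_form(body, names):
    """Body handled as form data: only name=value pairs are visible."""
    pairs = parse_qsl(body, keep_blank_values=True)
    if not any(k in names for k, _ in pairs):
        return body  # no parameter is literally named "pwd": nothing masked
    return "&".join(f"{k}={'*' * len(v) if k in names else v}" for k, v in pairs)


if __name__ == "__main__":
    print("FORM handling:", log_as_form(BODY, SENSITIVE))
    print("JSON handling:", log_as_json(BODY, SENSITIVE))
```

Parsed as form data, the whole JSON document becomes a single parameter name with an empty value, so a rule keyed on `pwd` has nothing to match and the password is logged in clear text.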