Note:
- This tutorial requires access to Oracle Cloud. To sign up for a free account, see Get started with Oracle Cloud Infrastructure Free Tier.
- It uses example values for Oracle Cloud Infrastructure credentials, tenancy, and compartments. When completing your lab, substitute these values with ones specific to your cloud environment.
Create Fully Compatible JSON Templates from Custom PEM Certificates for OCI Network Firewall
Introduction
Oracle Cloud Infrastructure Network Firewall (OCI Network Firewall) is a managed network security service that provides advanced features, including decryption profiles. These profiles enable the firewall to decrypt and inspect SSL/TLS traffic.
In this tutorial, we simplify the generation of fully compatible JSON templates from Privacy Enhanced Mail (PEM) certificates, so that you can configure decryption profiles in OCI Network Firewall without running into mapped secret parsing errors (for example, Mapped Secret ‘Mapped-secret’ Failed. Unable to fetch secret).
To use decryption rules, you must first create mapped secrets for a decryption profile. These mapped secrets are created in Oracle Cloud Infrastructure Vault and then linked to either SSL Inbound Inspection or SSL Forward Proxy mode.
What is OCI Network Firewall
The Oracle Cloud Infrastructure Network Firewall is a managed firewall service built on Palo Alto Networks’ Next-Generation Firewall (NGFW) technology. It offers machine learning-powered firewall capabilities to protect your OCI workloads and is easy to consume on OCI. As an OCI native firewall-as-a-service offering, OCI Network Firewall lets you take advantage of the firewall features without configuring and managing additional security infrastructure. The OCI Network Firewall instance is highly scalable with built-in high availability and can be created in a virtual cloud network (VCN) and subnet of your choice.
The Network Firewall service provides deep insight into the flow of data entering your cloud environments, covering both incoming traffic and inter-subnet/inter-VCN communication. In other words, it offers visibility into north-south and east-west network traffic.
By following this tutorial, you will be able to create the JSON templates from CA certificates (including intermediate ones) plus the server certificate and private key pair needed for decryption.
Objectives
- Download and install Perl.
- Download and install OpenSSL.
- Use a simple script to generate the JSON template that embeds the required PEM certificates for the SSL decryption process.
- Test the script.
Prerequisites
- An active OCI tenancy. You must have the necessary permissions to create and manage network resources in OCI.
- A basic understanding of Linux, Oracle Linux and OCI, including how to install and configure software on Linux.
- A good understanding of how to use the OCI Console or OCI CLI to create and manage network resources.
- A good understanding of how to use and configure OCI Network Firewall.
Task 1: Configure JSON Template for Setting Up Certificate Authentication
We have created a Linux shell script that builds a well-formatted JSON file from your own certificates. For more information, see Setting Up Certificate Authentication.
This is what the JSON file looks like (note that JSON does not allow a trailing comma after the last list element):
{
"caCertOrderedList" : [
"ROOT_CERT01_PEM_CONTENT",
"INTERMEDIATE_CERT01_PEM_CONTENT",
"INTERMEDIATE_CERT02_PEM_CONTENT"
],
"certKeyPair": {
"cert" : "LEAF_CERT_01_PEM_CONTENT",
"key": "PRIVATE_KEY_01_PEM_CONTENT"
}
}
Depending on the decryption mode, the JSON file is built from the following mandatory certificates:
- caCertOrderedList, Certificate Authority (CA) certificates:
  - SSL Inbound Inspection: In this mode you protect SSL/TLS traffic from clients to targeted servers (any server whose certificate and private key you hold and can import into the Network Firewall) and block suspicious sessions. If your server certificate, also known as the leaf certificate, is signed by intermediate CA certificates, we recommend uploading the entire chain [“CA root”, “intermediate CA 1”, “intermediate CA 2” …].
    Note: In caCertOrderedList, upload the entire CA chain to avoid client-side server certificate validation failures, as some clients may not have the complete chain installed in their trusted store.
  - SSL Forward Proxy: In this mode you protect SSL/TLS traffic from internal users to external sites; the firewall functions as an SSL forward proxy. You do not own the private keys of the external sites’ certificates, so the firewall cannot use a server private key to recover the session keys from the (RSA) TLS key exchange as it does in SSL Inbound Inspection. Instead, the firewall acts as a man-in-the-middle: it copies the certificate received from the external web server and signs the copy with a CA whose private key it holds (ideally an enterprise CA). This copied certificate is called the impersonation certificate.
    Note: In caCertOrderedList, upload the entire enterprise CA chain [“Enterprise CA root”, “Enterprise CA intermediate 1”, “Enterprise CA intermediate 2” …].
- certKeyPair, server certificate and its private key:
  - SSL Inbound Inspection: These are the targeted servers that you protect with the Network Firewall from external clients (for example, an application load balancer). As mentioned above, these are servers under your control for which you hold both the certificate and the private key. Put the server’s public certificate in the “cert” field and its private key in the “key” field.
  - SSL Forward Proxy: Here you protect the SSL/TLS traffic of internal clients going to external sites. As mentioned above, you do not own the external sites’ certificates and private keys, so the firewall must impersonate the received certificates to act as a man-in-the-middle proxy. To do so, install a custom or enterprise CA certificate (root or subordinate) together with its private key into the firewall, so that the firewall can sign the copied server certificates with that CA private key. In certKeyPair, put the enterprise CA certificate in the “cert” field and its private key in the “key” field. Because whoever holds this key can issue a certificate for any site your clients trust, prefer a dedicated subordinate CA for the firewall over the enterprise root key, and make sure the clients trust that CA.
Note: The problem we have observed is that many customers copy and paste their certificates into the proposed JSON format with a text editor, which produces invalid JSON. A JSON string must not contain raw line breaks, so every line break inside a PEM block has to be written as the two-character escape \n; Windows editors additionally insert carriage returns (“\r\n” line endings), which end up inside the string.
The error you may then see in the OCI Console when creating the Network Firewall is “Mapped Secret ‘Mapped-secret’ Failed. Unable to fetch secret”.
- Create the JSON file from your certificates:
  - Copy the following script. It converts every line break of each PEM file into the two-character JSON escape \n and drops any Windows carriage return (\r), so files saved with CRLF or LF line endings give the same result.

#!/bin/bash
# create_json.sh: build certificates.json from the PEM files in the current directory.
# Required: ca.cert.pem, cert.pem, key.pem. Optional: ca.intermediate1.pem ... ca.intermediate10.pem.
set -e

for f in ca.cert.pem cert.pem key.pem; do
  [ -f "$f" ] || { echo "missing $f" >&2; exit 1; }
done

cat > certificates.json << EOF
{
  "caCertOrderedList" : [
    "$(perl -pe 's/\r?\n/\\n/' ca.cert.pem)"$(for ((i=1; i<=10; i++)); do
      intermediate_file="ca.intermediate${i}.pem"
      if [ -f "$intermediate_file" ]; then
        printf ', "%s"' "$(perl -pe 's/\r?\n/\\n/' "$intermediate_file")"
      fi
    done)
  ],
  "certKeyPair": {
    "cert" : "$(perl -pe 's/\r?\n/\\n/' cert.pem)",
    "key": "$(perl -pe 's/\r?\n/\\n/' key.pem)"
  }
}
EOF

  - Paste it into a file with the .sh extension on your Linux VM:

vi create_json.sh

  - Press the Esc key, type :wq and press Enter to write the file and quit the editor.
  - Make the script executable:

chmod +x create_json.sh

  - Now that the script is ready, place the certificates it needs in the same directory. The script expects the following PEM file names:
    - ca.cert.pem: the root CA certificate that signed your internal web server’s certificate in SSL Inbound Inspection mode, or the enterprise root CA to be used in SSL Forward Proxy mode.
    - ca.intermediateX.pem: if the CA has intermediate (chained) certificates, add them as ca.intermediate1.pem, ca.intermediate2.pem and so on (up to ten), in signing order from the root downwards. This ensures clients do not fail certificate validation because an intermediate is missing from their trusted store.
    - cert.pem: the (public) certificate of the server you are protecting in SSL Inbound Inspection mode, or the enterprise CA certificate in SSL Forward Proxy mode.
    - key.pem: the private key that belongs to cert.pem: the server’s private key in SSL Inbound Inspection mode, or the enterprise CA private key in SSL Forward Proxy mode.
- Execute the script:

./create_json.sh

It generates a file named certificates.json that you can copy and paste into the vault secret used by your OCI Network Firewall policy. Because the file contains the private key, restrict its permissions and delete it once the secret has been created in OCI Vault.
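The following script is an added example and is not the tutorial’s own create_json.sh. It builds the same certificates.json, but before writing any JSON it checks that each input holds exactly one PEM block of the expected type, so that a private key pasted into the “cert” slot, a whole chain pasted into cert.pem, or a stray line of text is rejected, and it strips Windows carriage returns so CRLF and LF files produce identical output. It assumes the tutorial’s file naming convention; the PEM bodies in the demo at the bottom are constructed placeholders, not real certificates or keys.

```shell
#!/bin/bash
# Added example (not part of the original tutorial): a stricter create_json.sh.
# Assumes the tutorial's file names (ca.cert.pem, ca.intermediateN.pem, cert.pem,
# key.pem). The PEM bodies used by the demo below are made-up placeholders.
set -e

# Reject anything that is not a single PEM block of the expected type.
#   $1 = file, $2 = extended regex for the PEM label, e.g. 'CERTIFICATE'
pem_check() {
  [ -f "$1" ] || { echo "ERROR: $1 not found" >&2; return 1; }
  # Work on a CR-free copy so CRLF files pass the same checks as LF files.
  body=$(tr -d '\r' < "$1")
  printf '%s\n' "$body" | grep -Eq "^-----BEGIN ($2)-----$" ||
    { echo "ERROR: $1 has no 'BEGIN $2' line (wrong file in this slot?)" >&2; return 1; }
  printf '%s\n' "$body" | grep -Eq "^-----END ($2)-----$" ||
    { echo "ERROR: $1 has no matching END line" >&2; return 1; }
  blocks=$(printf '%s\n' "$body" | grep -c '^-----BEGIN ' || true)
  [ "$blocks" -eq 1 ] ||
    { echo "ERROR: $1 holds $blocks PEM blocks; put one certificate per file" >&2; return 1; }
  # Every other line must be base64 (or empty); quotes, backslashes or pasted
  # prose would otherwise land inside the JSON string.
  if printf '%s\n' "$body" | grep -Evq '^(-----(BEGIN|END) [A-Z ]+-----|[A-Za-z0-9+/=]*)$'; then
    echo "ERROR: $1 contains a line that is neither a PEM header/footer nor base64" >&2
    return 1
  fi
}

# Turn a PEM file into the body of a JSON string literal: drop CRs and replace
# every line break with the two characters '\' 'n'. pem_check has already made
# sure nothing else in the file needs JSON escaping.
pem_to_json_body() {
  tr -d '\r' < "$1" | awk '{ printf "%s\\n", $0 }'
}

# Write certificates.json to stdout.
#   $1 root CA, $2 leaf (or signing-CA) certificate, $3 its private key,
#   remaining arguments: intermediate CA certificates, root-most first.
build_certificates_json() {
  root=$1 cert=$2 key=$3
  shift 3
  pem_check "$root" 'CERTIFICATE' || return 1
  pem_check "$cert" 'CERTIFICATE' || return 1
  pem_check "$key" '([A-Z]+ )?PRIVATE KEY' || return 1
  for f in "$@"; do pem_check "$f" 'CERTIFICATE' || return 1; done

  printf '{\n  "caCertOrderedList" : [\n    "%s"' "$(pem_to_json_body "$root")"
  for f in "$@"; do
    printf ',\n    "%s"' "$(pem_to_json_body "$f")"
  done
  printf '\n  ],\n  "certKeyPair": {\n    "cert" : "%s",\n    "key": "%s"\n  }\n}\n' \
    "$(pem_to_json_body "$cert")" "$(pem_to_json_body "$key")"
}

# --- Demo on constructed placeholder files saved with Windows (CRLF) line endings ---
# The base64 bodies are invented; they are not real certificates or keys.
mk_fake_pem() {  # $1 = path, $2 = PEM label
  printf '%s\r\n' "-----BEGIN $2-----" "MIIBfakeBodyLineOne" "MIIBfakeBodyLineTwo==" \
    "-----END $2-----" > "$1"
}
demo_dir=$(mktemp -d)
mk_fake_pem "$demo_dir/ca.cert.pem" CERTIFICATE
mk_fake_pem "$demo_dir/ca.intermediate1.pem" CERTIFICATE
mk_fake_pem "$demo_dir/cert.pem" CERTIFICATE
mk_fake_pem "$demo_dir/key.pem" 'PRIVATE KEY'
build_certificates_json "$demo_dir/ca.cert.pem" "$demo_dir/cert.pem" "$demo_dir/key.pem" \
  "$demo_dir/ca.intermediate1.pem" > "$demo_dir/certificates.json"
cat "$demo_dir/certificates.json"
# If a JSON parser is available, prove the file parses before it goes into Vault.
if command -v python3 >/dev/null 2>&1; then
  python3 -m json.tool "$demo_dir/certificates.json" >/dev/null && echo "certificates.json parses as JSON"
fi
rm -rf "$demo_dir"
```

Run it in the directory holding your PEM files, or pass the paths explicitly as the demo does. On real certificates you can additionally run openssl verify -CAfile ca.cert.pem -untrusted ca.intermediate1.pem cert.pem to confirm that the chain is complete and in the right order before creating the vault secret; the generated file contains the private key, so delete it once the secret exists.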
Acknowledgments
- Authors - Luis Catalán Hernández (OCI Cloud Network Specialist and Multi Cloud), Sachin Sharma (OCI Cloud Network Specialist)
More Learning Resources
Explore other labs on docs.oracle.com/learn or access more free learning content on the Oracle Learning YouTube channel. Additionally, visit education.oracle.com/learning-explorer to become an Oracle Learning Explorer.
For product documentation, visit Oracle Help Center.
F89630-01
November 2023
Copyright © 2023, Oracle and/or its affiliates.