Client Certificate-based Authentication Between WAF-as-a-Service and Backend Server

Last updated on 2024-09-18 06:10:57

The Barracuda WAF-as-a-Service supports client certificate-based authentication, significantly enhancing security by ensuring that only authenticated certificates can access backend servers. This security mechanism involves the Barracuda WAF-as-a-Service authenticating to the server using digital certificates. During the SSL/TLS handshake process, the client certificate is presented, allowing the server to verify the identity of the Barracuda WAF-as-a-Service.

Once mutual authentication is established, both parties use encryption keys to secure their communication. This ensures that all data transmitted during the SSL sessions is encrypted and decrypted properly, maintaining the integrity and confidentiality of the information exchanged.

To enable client certificate-based authentication:

On the WAF-as-a-Service web interface, go to the APPLICATIONS page and click on the application to which you want to enable client certificate-based authentication.
On the application page, click SERVERS in the left panel.
On the Servers page, click the three dots under MORE next to the server and select Edit Server.
On the Edit Server window, select the SSL tab.
1. Paste the certificate private key in the Private Key text box.
2. Paste the certificate in the Certificate text box.
3. Click Save.

Some customers use HashiCorp Vault to store “secrets” such as SSL certificates and private keys and other sensitive data and reference the path to these secrets on the Barracuda WAF-as-a-Service. This is supported with custom container deployments. In case of such a setup, the exported snapshot file will include the referenced secret mount path in the WAF-as-a-Service configuration. Secrets configured as part of the following configuration elements will be part of the exported snapshot file:

Server Certificate
Server Certificate Private Key