The Barracuda Web Application Firewall (WAF) protects web applications and performs SSL/TLS encryption/decryption for HTTPS applications. Integration with Venafi certificate life cycle management enables administrators to easily manage the certificate life cycle and prevent application outages or such incidents that may occur due to certificate expiration.
Venafi’s Trust Protection Platform (TPP) integrates with the Barracuda WAF for the purposes of SSL/TLS certificate life cycle management. The primary benefit of this is to centrally manage the life cycle of an organization's SSL/TLS certificates.
Prerequisites
Before performing the steps in this integration guide, you must have or create the following:
- PowerShell 3.0 or higher
- Venafi Trust Protection Platform version 20.4 or higher
- Barracuda Web Application Firewall (WAF) firmware version 10.1.1 or higher
- Barracuda account credentials
- A policy folder for the Barracuda WAF device(s)
- A policy folder for the discovered Barracuda certificates
Barracuda WAF Integration with Venafi TPP
To enable Venafi TPP integration on the Barracuda WAF, do the following:
- Configure the Barracuda WAF with Access Credentials to Perform the API Operation
- Set Up the Barracuda WAF Connection Details and Credentials on the Venafi TPP
- Discover SSL/TLS Certificates on the Barracuda WAF
- Provision New SSL/TLS Certificates
Configure the Barracuda WAF with Access Credentials to Perform the API Operation
On the Barracuda Web Application Firewall web interface, create a custom administrator role and do the following configuration:
- Go to the ADVANCED > Admin Access Control page, Administrator Roles section, and click Add Administrator Role.
- On the Add Administrator Role window:
- Specify a role name.
- Under Services, select the services that need certificate management.
- Under API Privilege, set API Privilege to Yes.
- In the Web Interface Privileges section, select the BASIC (Primary Tab) and Certificates (Secondary Tab) Read and Write check boxes, and ensure that all other check boxes are cleared.
- Click Create Role.
- On the ADVANCED > Admin Access Control page, use the Administrator Accounts or External Authentication Services section to add a local administrator or an LDAP/RADIUS authentication service. Associate the custom role created in Step 2 with the local administrator or the authentication service that you create.
For more information on creating users, see the "Create Users" section in the Role-Based Administration (RBA) article.
Set Up Barracuda WAF Connections Details and Credentials on Venafi TPP
Perform the following steps to set up the Barracuda WAF on Venafi TPP:
- Log into the Venafi Trust Protection Platform (TPP).
- On the Venafi WebAdmin, open the Policy tree and add a new policy folder for the Barracuda Networks devices.
- On the newly added policy page:
- Select Applications and do the following configuration under Adaptable:
- Select the Application Credential path and provide the Port number under Application Information. Note: Port number should be 8443 for the cloud instance, 443 for the hardware. If there is any specific port number for the device, provide the port details.
- Under Adaptable Settings, select Barracuda-Waf as the adaptable driver from the PowerShell Script drop-down list.
- Specify values for other parameters as required and click Save.
- Select Settings > Certificates and do the following configuration:
- Set the Management Type as Provisioning and Managed By as Aperture.
- Specify values for other parameters as required and click Save.
- Select Applications and do the following configuration under Adaptable:
- Right-click on the policy you created and select Add > Credential > Username Credential.
- On the Add New : Username Credential page:
- Add the credentials (User Name and Password) of the administrator that you created in Step 3 under Configuring the Barracuda WAF with Access Credential to Perform the API Operation.
- Specify values for other parameters as required and click Save.
- Right-click on the policy you created and select Add > Devices > Device.
- On the Add New : Device page, add the device details, such as device name, IP address, credential, and click Save.
Usage
This section provides information on how to properly use the integration after the initial configuration is complete.
Discover SSL/TLS Certificates on the Barracuda WAF
- On the Venafi Aperture page, use the menu option and select Jobs.
- Click Create New Job.
- On the Create New Job page, select Onboard Discovery and click Start.
- On the New Onboard Discovery Job page, configure the following:
- Details
- Specify the job details and select Adaptable as the Installation Type.
- Select the Enable Debug Logging check box.
- Click Next.
- Targets
- Specify the device that needs be discovered/scanned, or select the folder to discover/scan all devices located in the folder. If you want to add a new device or add a new device and new credentials, select Create New Devices.
- Click Next.
- Placement Rules
- Select the location where you want to save the discovered certificates.
- Occurrence
- Set the Frequency to Manually.
- Click Create Job.
- Details
- Select the job you created and click Run Now.
After the successful discovery, all applications available on the Barracuda WAF along with the associated certificate objects will be visible on the Venafi TPP.
Provisioning New SSL/TLS Certificates
- On the Venafi TPP WebAdmin, open the Policy tree.
- Right-click on the policy that you created and select Add > Certificates > Server Certificate.
- On the Add New : Server Certificate page, specify the certificate details and click Save.
- After the certificate is added successfully, click Associations on the certificate page.
- Click Add and select the application(s) to which you want to associate the certificate.
- Click Push to push the certificate to the selected applications.
Automatic Renewal of SSL/TLS Certificates
- By default, the auto-renewal window for created and discovered certificates is set to 30 days prior to expiration.
- Choose the CA template that can be used while performing the renewal of the certificate.
- At the renewal time, Venafi TPP generates the new key and gets CSR signed from the specified CA.
- After the certificate is renewed, it is installed on devices and then associated with the applications.
Troubleshooting
Error Messages
When troubleshooting error messages, providing the entire message displayed by Trust Protection Platform can speed the diagnosis and resolution.
| Error Message | Description |
|---|---|
| User does not have privilege to perform task | A general error that resulted due to lack of permissions for that particular task. |
| Unable to connect | When an incorrect port is configured, or the device is not accessible from the Venafi TPP |
Known Issues
- Custom role with services access - With the "Custom" role, if new services are created, certificate-related operations on the new services will fail because the account will not have the required permissions. When a new service is added, the role should be edited, and the new service(s) should be selected for the role to function properly.
Alternatively, the default "Admin" role can be used to get full privileges. - On Venafi TPP, the certificate life cycle can be managed only for the RSA or ECDSA certificate(s) associated with the service(s).
- Only Created and Uploaded Server certificates associated with the service(s) are supported.
- Trusted (CA) Certificate(s) and Trusted Server Certificate(s) are not supported.
- SNI certificates associated with the services are not discovered on Venafi TPP.