Imperva prerequisite configuration
This driver was tested with Imperva SecureSphere, version 12.5, using the ExternalAPIClient.jar. The ExternalAPIClient.jar is a Java library that Imperva installs with their product. It is a client application that allows remote administration of the Imperva application; Venafi's driver relies upon it to import private keys (from a PKCS#12 file that was previously transferred to the system over SFTP) and bind them to service groups. The actual SSH CLI command the driver executes looks like this:
java -jar /opt/SecureSphere/server/bin/ExternalAPIClient.jar -ip 192.168.6.1 -port 8083 -username admin -command ssl-keys-upload -csvfile /tmp/f46484ae-2264-44e0-8606-db7776d4d523.csv
IMPORTANT Before implementing Venafi's Imperva driver, carefully review and complete the following prerequisite tasks.
To enable Trust Protection Platform to provision certificate keys to an Imperva SecureSphere Management Server
- Using the Imperva SecureSphere Management Server console, set up a Venafi or Trust Protection Platform user with permissions to import keys into the Site, Group and Service objects.
- Set up a CLI user with permissions to execute the ExternalAPIClient.jar command line key tool from an SSH session.
- In the SecureSphere console, verify that the Site, Group and Service objects that will be named in the Trust Protection Platform Imperva MX driver configuration are defined.
For more information, refer to your Imperva documentation.
Imperva devices have the option to use a FIPS 140 integrated HSM (hardware security module). However, this Trust Protection Platform Imperva MX driver does not have FIPS options at this time. If you want to store private keys in an HSM on your Imperva device, contact Venafi customer support so that they can log an enhancement request for this feature.
- Before completing the final steps below in Trust Protection Platform, perform the following steps to disable Imperva's CSRF:
From the MX CLI, navigate to /opt/SecureSphere/server/SecureSphere/jakarta-tomcat-secsph/webapps/SecureSphere/WEB-INF/.
Open the bootstrap.properties file and add the following string:
client.include.test.cpt=false
Save your changes, and then reboot the MX.
DID YOU KNOW? Why do I need to temporarily disable CSRF?
Imperva has implemented a cross-site request forgery (CSRF) protection mechanism that is incompatible with the ExternalAPIClient.jar that the Venafi Imperva driver relies upon to provision certificates to devices. Therefore, to enable our integration, the CSRF protection must be disabled.
If you want to request that Imperva update this functionality so that it does not interfere with certificate lifecycle automation, you can submit a request to them directly by visiting https://www.imperva.com/sign_in.asp?retURL=/articles/Procedure/How-to-create-Feature-request.
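The bootstrap.properties edit described in the steps above, scripted as an added example (this is not Venafi's or Imperva's own tooling): it adds client.include.test.cpt=false only if it is not already there, keeps a timestamped backup of the original file so the change can be reverted once it is no longer needed, and reports whether it added, corrected or left the property alone. The file path is the one named in the steps; the PROPS_FILE variable, the --apply flag and the function names are this example's own conventions.

```shell
# Added example, not part of the Venafi or Imperva product: idempotently set
# client.include.test.cpt=false in bootstrap.properties and verify the result.
# PROPS_FILE defaults to the path on the MX given in the steps above; override
# it to try the script against a scratch copy first (assumed convention).
set -eu

PROPS_FILE="${PROPS_FILE:-/opt/SecureSphere/server/SecureSphere/jakarta-tomcat-secsph/webapps/SecureSphere/WEB-INF/bootstrap.properties}"
PROP_KEY="client.include.test.cpt"
PROP_VALUE="false"

# Succeeds (exit 0) only if the file already holds exactly KEY=VALUE on a line.
has_property() {
    grep -qx "${PROP_KEY}=${PROP_VALUE}" "$1"
}

# Add or correct the property in the file given as $1.
# Prints one word describing what happened: unchanged, updated or added.
set_property() {
    file="$1"
    if has_property "$file"; then
        echo unchanged
        return 0
    fi
    # Keep a backup so the CSRF setting can be restored later.
    cp -p "$file" "$file.bak.$(date +%Y%m%d%H%M%S)"
    if grep -q "^${PROP_KEY}=" "$file"; then
        # Key already present with a different value: rewrite that line.
        sed -i "s|^${PROP_KEY}=.*|${PROP_KEY}=${PROP_VALUE}|" "$file"
        echo updated
    else
        # Make sure the file ends with a newline before appending a new line.
        [ -z "$(tail -c 1 "$file")" ] || printf '\n' >> "$file"
        printf '%s=%s\n' "$PROP_KEY" "$PROP_VALUE" >> "$file"
        echo added
    fi
}

# Only touch the real file when explicitly asked; otherwise just define the
# functions so the script can be sourced and tested against a scratch copy.
if [ "${1:-}" = "--apply" ]; then
    set_property "$PROPS_FILE"
    has_property "$PROPS_FILE" && echo "verified: ${PROP_KEY}=${PROP_VALUE}"
fi
```

On the MX, run it from the CLI as `sh set_csrf_property.sh --apply` (any file name will do) and then reboot the MX as the steps require. Run without --apply, or with PROPS_FILE pointed at a copy, it makes no change to the live file, which is a convenient way to confirm the behaviour before editing the real bootstrap.properties. Note that `sed -i` here is the GNU form available on the MX's Linux shell.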
- From the TLS Protect menu bar, click Policy Tree.
- From the Credentials tree, do the following:
- Configure the CLI user credentials.
- Configure the SecureSphere application user credentials.