httpsOptions
  • 22 Jan 2025

A list of TLS settings carrying TLS definitions for a given URL. These definitions only apply to HTTPS requests that App Shielding performs in the background, not requests made by the app itself.

The HTTPS client loads its parameters from one of the child httpsServer elements if the URL of the executed request begins with the URL field of that httpsServer.

  • Multiple allowed: No

  • Required: No

The httpsOptions element has httpsServer as its child.

httpsServer

A set of TLS parameters for connections starting with the specific URL.

  • Multiple allowed: Yes

  • Required: No

The httpsServer has the following children:

allowedRootCACertificate

The root CA certificate for verifying the HTTPS server certificate. This option is only used if serverCertificateVerificationPolicy is verifyUsingRootCACertificate.

  • Type: certificate

  • Default value: N/A

  • Multiple allowed: Yes

  • Required: No

allowedServerCertificate

The allowed server certificate. The HTTPS server must present exactly the same certificate that is defined in this option. No chain verification or other checks, such as certificate expiration, are performed on the certificate. Hostname validation is still performed, however (i.e., the certificate must be issued for the server hostname). It is assumed that the author of the config file has already ensured that the certificate is good. This option is only used if serverCertificateVerificationPolicy is pinServerCertificate. If certificate chain verification is needed, another serverCertificateVerificationPolicy should be used, for example verifyUsingRootCACertificate.

  • Type: certificate

  • Default value: N/A

  • Multiple allowed: Yes

  • Required: No

clientCertificatePKCS12

The client certificate and private key in PKCS12 format, Base64-encoded. The PKCS12 container may be encrypted, in which case the following encryption and digest algorithms are supported: AES-128, AES-192, AES-256, SHA-1, SHA-256.

  • Type: string

  • Default value:

  • Multiple allowed: No

  • Required: No

clientCertificatePKCS12Password

The password for the PKCS12 container defined in the clientCertificatePKCS12 option. Default is empty or no password.

  • Type: string

  • Default value:

  • Multiple allowed: No

  • Required: No

serverCertificateVerificationPolicy

The TLS verification policy for the HTTPS server. The following policies are supported:

  • pinServerCertificate: Check if the HTTPS server certificate is exactly the same as the certificate defined in an allowedServerCertificate option in this httpsServer block.

  • verifyUsingRootCACertificate: Check if the HTTPS server certificate can be verified using the root CA certificate defined in an allowedRootCACertificate option in this httpsServer block.

  • Type: string

  • Default value: N/A

  • Multiple allowed: No

  • Required: Yes

URL

The definition of a URL prefix. App Shielding will only connect via HTTPS to URLs with defined prefixes, and only if the certificate pinning requirements are satisfied.

  • Type: URL

  • Default value: N/A

  • Multiple allowed: No

  • Required: Yes
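A consistency check for the options described above, as an added example that is not vendor code. It models each httpsServer block as a Python dict, which is a hypothetical in-memory representation and not the product's configuration file syntax; the function names, the first-match rule and the plain string-prefix comparison are assumptions.

```python
from urllib.parse import urlsplit

# Which certificate option each policy reads, per the option descriptions above.
POLICY_CERT_FIELD = {"pinServerCertificate": "allowedServerCertificate",
                     "verifyUsingRootCACertificate": "allowedRootCACertificate"}

def select_server(servers, request_url):
    """Entry used for request_url, or None. Assumption: string-prefix match, first entry wins."""
    for s in servers:
        if s.get("URL") and request_url.startswith(s["URL"]):
            return s
    return None

def lint_https_options(servers):
    """Return human-readable findings for a list of httpsServer dicts."""
    findings = []
    for i, s in enumerate(servers):
        tag, url = f"httpsServer[{i}]", s.get("URL", "")
        policy, parts = s.get("serverCertificateVerificationPolicy"), urlsplit(url)
        if parts.scheme != "https" or not parts.hostname:
            findings.append(f"{tag}: URL must be an https:// prefix with a host")
        elif parts.path == "":
            findings.append(f"{tag}: URL has no '/' after the host, so it also prefixes longer hostnames")
        if policy not in POLICY_CERT_FIELD:
            findings.append(f"{tag}: missing or unsupported serverCertificateVerificationPolicy")
        for pol, field in POLICY_CERT_FIELD.items():
            if pol == policy and not s.get(field):
                findings.append(f"{tag}: {policy} needs at least one {field}")
            elif pol != policy and policy in POLICY_CERT_FIELD and s.get(field):
                findings.append(f"{tag}: {field} is ignored under {policy}")
        if s.get("clientCertificatePKCS12Password") and not s.get("clientCertificatePKCS12"):
            findings.append(f"{tag}: clientCertificatePKCS12Password set without clientCertificatePKCS12")
        for j, other in enumerate(servers[:i]):
            o = other.get("URL", "")
            if url and o and (url.startswith(o) or o.startswith(url)):
                findings.append(f"{tag}: URL overlaps httpsServer[{j}]; match order decides which applies")
    return findings

# Constructed sample input (placeholder strings stand in for certificates).
SAMPLE = [
    {"URL": "https://api.example.test/", "serverCertificateVerificationPolicy": "pinServerCertificate",
     "allowedServerCertificate": ["<pinned-cert-placeholder>"]},
    {"URL": "https://api.example.test/v2/", "serverCertificateVerificationPolicy": "verifyUsingRootCACertificate",
     "allowedServerCertificate": ["<pinned-cert-placeholder>"]},
    {"URL": "https://cdn.example.test", "serverCertificateVerificationPolicy": "pinServerCertificate",
     "allowedServerCertificate": ["<pinned-cert-placeholder>"]},
]
if __name__ == "__main__": print(*lint_https_options(SAMPLE), sep="\n")
```

Because a pinned certificate is not checked for expiration, its validity period should be reviewed separately before it is placed in allowedServerCertificate; this sketch does not parse certificates.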

