Imperva Securesphere
Before You Begin
Prerequisites
- IP Address/FQDN: IP Address/FQDN
- User Privilege: Username and password, and API access
- Credential List: AppViewX, CyberArk, HashiCorp, Thycotic, and BeyondTrust
- Enable Password: Not required
- License Check: Yes
- Services and Ports for AppViewX Communication: A port is required to configure access to APIs. Note: Any port can be configured as needed.
- Internet Access/Proxy if Required: Depends on the use case; not mandatory
- Location from which Certificates are discovered if managed: Not applicable
Adding Imperva Securesphere Device
Prerequisites:
This prerequisite applies only to Imperva SaaS. To efficiently perform Certificate Lifecycle Management (CLM) operations, you must configure user account roles and permissions within Imperva SaaS. Administrator or Service account access to the Imperva SaaS portal is required to create a new user and role.
Define and manage roles to assign the appropriate permissions for Imperva SaaS configuration sync, endpoint enrollment, push, and binding from AppViewX to Imperva SaaS.
Access the Roles page to create and manage roles. This page is available to the account administrator or users with the 'Manage user roles' permission.
- On the sidebar, click User Management > Roles > New Role.
- Create a new role with the below permissions.

Permissions:
- View client CA certificates
- Manage custom certificates
- Manage account SSL settings
- View account SSL settings
- View TLS Configuration
- View SSL Certificates
- Manage SSL Certificates
- Modify TLS Configuration
- Manage account sub-accounts
API Key Management
- On the sidebar, click User Management > Users.
- Click Add New user to create a new user, and then enter the details as required.
- Click the Add User button.
  Note: When a new user is added to an account, a verification email is sent to their registered address. The user must click the link in the email to verify their address and set a login password.
- Once the User account is created, select 'Edit,' navigate to the 'API Keys' category, and generate an API ID and API Key.
- Click Create. It creates an API ID and API Key.
- Go to (Menu) > ADC+ > ASSET MANAGEMENT > Device Inventory.
  By default, the ADC tab opens.
- Click the WAF tab.
- Click the (Add) icon.
  The Device details page is displayed.
- Select Imperva Securesphere from the Vendors list.
- In the General Information section, select/enter the details as follows.
  Note: This field is displayed if General Information = AWS
  Field: Description
  - Platform: Select the platform from the dropdown field. The available platforms are:
    - AWS
    - SaaS
  - *Device name: Enter a unique name for the device to be onboarded.
  - Communication: This field is displayed if Platform = AWS. Select IP address or FQDN.
  - *IP Address: This field is displayed if Platform = AWS and Communication = IP Address. Enter the IP address of the device to be onboarded.
  - *FQDN: This field is displayed if Communication = FQDN. Enter the fully qualified domain name of the device to be onboarded.
  - *Rest port: Enter the REST port number.
  - Data center: Enter the data center name. It holds all the SSL related information that is to be retrieved from the server.
  - Proxy Required: Enable this field if the device communication needs to happen via a proxy. The proxy details configured in general settings will be used for communication.
  - Cert Sync: Choose from any of the following:
    - Managed - AppViewX performs the config fetch operations and the certificates are discovered and managed in the inventory. CLM actions (push & bind, rollback etc.) can be performed on them.
    - Monitored - AppViewX performs the config fetch operations and the certificates are downloaded in the inventory in the read-only state. CLM actions cannot be performed on them.
    - Ignored - AppViewX only performs the config fetch operations for the devices. There is no certificate discovery performed.
  *: Mandatory fields

  Note: This field is displayed if General Information = SaaS
  Limitation: Imperva SaaS does not offer an API for exporting certificate content and only provides certificate metadata. Consequently, certificates from Imperva SaaS cannot be directly discovered. However, if a certificate is already present in the AppViewX inventory, a connector will be created using the serial number from the metadata.
  Note: AppViewX supports certificate enrollment and deployment to the primary Imperva SaaS account and its associated sub-accounts.
  Field: Description
  - Platform: Select the platform from the dropdown field. The available platforms are:
    - AWS
    - SaaS
    Note: By default, AWS platform is selected.
  - *Device name: Enter a unique name for the device to be onboarded.
  - *FQDN: This field is displayed if Communication = FQDN. Enter the fully qualified domain name of the device to be onboarded.
  - Data center: Enter the data center name. It holds all the SSL related information that is to be retrieved from the server.
  - Proxy Required: Enable this field if the device communication needs to happen via a proxy. The proxy details configured in general settings will be used for communication.
  - Cert Sync: Choose from any of the following:
    - Managed - AppViewX performs the config fetch operations and the certificates are discovered and managed in the inventory. CLM actions (push & bind, rollback etc.) can be performed on them.
    - Monitored - AppViewX performs the config fetch operations and the certificates are downloaded in the inventory in the read-only state. CLM actions cannot be performed on them.
    - Ignored - AppViewX only performs the config fetch operations for the devices. There is no certificate discovery performed.
  *: Mandatory fields
- In the Credentials section, select/enter the details as indicated below. The credentials entered in this section are used to authenticate the session between the AppViewX node and the WAF device.
  Note: This field is displayed if General Information = AWS
  Field: Description
  - *Credential Type: Select the credential type from the dropdown.
    - Manual entry (default) - to directly add the credentials in the username and password text box.
    - Credential List - Appviewx - to use any credentials from the saved AppViewX Credential List.
    - Credential List - CyberArk - to use any credentials from the saved AppViewX CyberArk List.
  - *Access type: Select the method to access the Imperva SecureSphere. API is the default value.
  - *Username: This field will be visible if the Credential Type is selected as Manual entry. If the Credential Type is selected as Credential List - Appviewx, the username is entered by default and the field is read only. If the Credential Type is selected as Credential List - CyberArk, this field is not displayed. Enter the designated username for Imperva SecureSphere.
  - *Password: This field will be visible if the Credential Type is selected as Manual entry. If the Credential Type is selected as Credential List - Appviewx, the password is entered by default and the field is read only. If the Credential Type is selected as Credential List - CyberArk, this field is not displayed. Enter the designated password to access Barracuda.
  - *Credential list: This field will be visible only if the Credential type is selected as Credential List - AppViewX or Credential List - CyberArk. The dropdown contains a list of credentials stored in AppViewX.
  *: Mandatory fields

  Note: This field is displayed if General Information = SaaS
  Field: Description
  - *Credential Type: Select the credential type from the dropdown.
    - Manual entry (default) - to directly add the credentials in the username and password text box.
  - *Access type: Select the method to access the Imperva SecureSphere. API is the default value.
  - *API ID: Enter the valid API ID.
  - *API Key: Enter the valid API ID.
  *: Mandatory fields
- In the Secondary device information section, select/enter the details as follows.
  Note: This field is displayed if General Information = AWS
  Field: Description
  - Secondary / Failover / Sync group: Select either Ignore or Manual entry.
  - *Device name: Enter a unique name for the secondary device to be onboarded.
  - Communication: Select from IP address and FQDN.
  - *IP Address: This field is displayed if Communication = IP Address. Enter the IP address of the secondary device to be onboarded.
  - *FQDN: This field is displayed if Communication = FQDN. Enter the fully qualified domain name of the secondary device to be onboarded.
  - *Rest port: Enter the REST port number of the secondary device.
  - Data center: Enter the data center name. It holds all the SSL related information that is to be retrieved from the server.
  *: Mandatory fields

  In the Secondary device credentials section (displayed only if Secondary / Alternate device = Manual entry), select/enter the details as follows.
  Field: Description
  - *Use same credentials: The Enable checkbox is used to fix the credentials type to either Credential List - Appviewx or Credential List - CyberArk based on its selection.
  - *Credential type: Select the credential type from the dropdown.
    - Manual entry (default) - to directly add the credentials in the username and password text box.
    - Credential List - Appviewx - to use any credentials from the saved AppViewX Credential List.
    - Credential List - CyberArk - to use any credentials from the saved AppViewX CyberArk List.
  - *Access type: Select the method to access the secondary device. API is the default value.
  - *Username: This field will be visible if the Credential Type is selected as Manual entry. If the Credential Type is selected as Credential List - Appviewx, the username is entered by default and the field is read only. If the Credential Type is selected as Credential List - CyberArk, this field is not displayed. Enter the designated username for the secondary device.
  - *Password: This field will be visible if the Credential Type is selected as Manual entry. If the Credential Type is selected as Credential List - Appviewx, the password is entered by default and the field is read only. If the Credential Type is selected as Credential List - CyberArk, this field is not displayed. Enter the designated password to access the secondary device.
  - *Credential list: This field will be visible only if the Credential type is selected as Credential List - AppViewX or Credential List - CyberArk. The dropdown contains a list of credentials stored in AppViewX.
  *: Mandatory fields
- (Optional step) Click Add. This button is displayed only if Secondary device information is Manual entry. More than one device can be configured. (Use the Update and Delete buttons to make changes or remove the devices added.)
- Click Save.
  The device is onboarded successfully.