After Cequence Defender is installed, you can update how Cequence Defender behaves by modifying two configuration files.
Required configuration during installation
When you install Cequence Defender, you provide several items of critical information that Defender uses to function.
- The URIs of the control plane elements of the Cequence Unified API Protection (UAP) platform that Defender communicates with.
- A client ID and client secret that Defender uses to authenticate to the Cequence UAP platform.
- Routing information for your traffic sources and destinations.
The environment variables that hold the control plane URIs and the client ID/client secret pair are in the defender.yml file. Routing is handled by the nginx installation: edit nginx.conf, which is typically in the /etc/nginx directory, to modify routing information.
Generating a client ID and client secret
Several Cequence components must authenticate to the Cequence UAP platform in order to transmit and receive data. Create authentication credentials in the Cequence UAP platform to enable this authentication.
- Log in to the UAP management portal UI.
  The URL for the management portal is typically of the form https://ui.<your-tenant-name>.<domain>. Replace <your-tenant-name> with the name of your Cequence tenant organization. Replace <domain> with your domain name.
- Select General Settings > User Management.
  The User Management pane appears.
- Click the Clients tab.
- Click Add New Client.
  The new client dialog box appears.
- Type the client name in the Client Name field.
  This name is the client ID. Note the client ID for later use.
- Enable the Traffic Management toggle.
- (Optional) To change the token lifespan from the default of 1800 seconds, type a whole number of seconds in Token Lifespan.
- Click Save.
  A dialog box with the client secret appears.
- Click the blue Copy icon to copy the secret to the clipboard, then click Close.
  The client is now set up and the client list appears.
- Note the value of the client secret for later use. For security reasons, this value is not shown again in the UI.
Adding a security certificate to Defender
By default, Cequence Defender uses a self-signed TLS certificate. To use your own certificate and key, place them in the /opt/cequence-host/config/.trust directory on the host, then mount that directory into the Defender container at /opt/nginx/certs by passing the host:container path pair to Docker's -v (--volume) option, as in the following example.
/opt/cequence-host/config/.trust:/opt/nginx/certs
Enabling mTLS
Cequence Defender uses nginx as its reverse proxy, so enabling mutual TLS (mTLS) means editing nginx.conf. In mTLS, each end of the connection presents a certificate and verifies the other end's certificate against a trusted CA. For connections from downstream hosts to Defender, add the following directives (nginx syntax, one per line, each terminated by a semicolon) to the server block of nginx.conf.
ssl_certificate /opt/cequence/nginx/mtls/certs/platform/serverCert.pem;
ssl_certificate_key /opt/cequence/nginx/mtls/certs/platform/serverKey.pem;
ssl_stapling on;
ssl_stapling_verify on;
ssl_trusted_certificate /opt/cequence/nginx/mtls/certs/platform/trustedCAs.pem;
ssl_verify_client on;
ssl_verify_depth 5;
ssl_client_certificate /opt/cequence/nginx/mtls/certs/platform/trustedCAs.pem;
- ssl_certificate specifies the certificate that Defender presents to a downstream client, such as a browser or customer application.
- ssl_certificate_key specifies the private key for that server certificate.
- ssl_stapling enables OCSP stapling: Defender fetches the OCSP response for its own certificate and attaches it to the TLS handshake, so clients do not have to query the OCSP responder themselves.
- ssl_stapling_verify makes Defender verify the OCSP responses it staples, using the CAs in ssl_trusted_certificate.
- ssl_trusted_certificate lists the CA certificates that Defender trusts when verifying client certificates (and stapled OCSP responses). A client certificate must chain to a CA listed here or in ssl_client_certificate. Unlike ssl_client_certificate, this list is not sent to the client.
- ssl_verify_client on requires every downstream client to present a certificate that verifies against the trusted CAs; requests without one are rejected. The values optional and optional_no_ca accept requests without a valid client certificate, so use them only if the application itself checks the $ssl_client_verify variable.
- ssl_verify_depth sets the maximum length of the client certificate chain that is checked; 5 allows intermediate CAs between the client certificate and the trusted root.
- ssl_client_certificate lists the CAs that Defender advertises to the client during the handshake, telling the client that its certificate must be issued by one of them. When ssl_verify_client is on, nginx requires either ssl_client_certificate or ssl_trusted_certificate to be set; if your clients already know which certificate to present, ssl_trusted_certificate alone is sufficient.
When Defender connects to an upstream host, enable mTLS by adding the following directives in the server or location block that holds the proxy_pass for that upstream.
proxy_ssl_certificate /opt/cequence/nginx/mtls/certs/platform/upstreamClientCert.pem;
proxy_ssl_certificate_key /opt/cequence/nginx/mtls/certs/platform/upstreamClientKey.pem;
proxy_http_version 1.1;
- proxy_ssl_certificate specifies the client certificate that Cequence Defender presents to the upstream host.
- proxy_ssl_certificate_key specifies the private key for that certificate.
- proxy_http_version selects the HTTP version used toward the upstream; 1.1 is needed for keepalive connections to the upstream.
These directives authenticate Defender to the upstream, but they do not make Defender verify the upstream's certificate: nginx's proxy_ssl_verify directive defaults to off. To authenticate the upstream as well, add proxy_ssl_verify on and point proxy_ssl_trusted_certificate at the CA bundle that issued the upstream's certificate.
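The following is an added example, not code from the Cequence documentation or product: a small static checker, written here to accompany this section, that parses an nginx.conf fragment and reports the mTLS combinations that either keep nginx from starting (ssl_verify_client on with no CA file) or silently leave one side unauthenticated (no ssl_verify_client, or proxy_ssl_certificate without proxy_ssl_verify on). The sample configurations are constructed for the demonstration: the certificate paths are the ones quoted above, while the upstream host name backend.example.internal and the CA bundle upstreamCAs.pem are assumptions. Nothing is read from disk.

```python
# Added example (not Cequence code): a static checker for the nginx mTLS
# directives in this section. It parses an nginx.conf fragment and flags the
# combinations that stop nginx from starting or leave one side of the proxied
# connection unauthenticated. Samples are constructed; nothing is read from disk.
def parse(text):
    """Parse config text into (name, args, children) tuples; children is None
    for a simple directive, a list for a block. '#' starts a comment."""
    tokens = []
    for line in text.splitlines():
        line = line.split('#', 1)[0]
        tokens += line.replace('{', ' { ').replace('}', ' } ').replace(';', ' ; ').split()
    pos = 0

    def block():
        nonlocal pos
        items = []
        while pos < len(tokens) and tokens[pos] != '}':
            name, pos, args = tokens[pos], pos + 1, []
            while pos < len(tokens) and tokens[pos] not in (';', '{'):
                args.append(tokens[pos].strip('"\''))
                pos += 1
            if pos >= len(tokens):
                raise ValueError(f'unterminated directive {name!r}')
            if tokens[pos] == ';':
                pos += 1
                items.append((name, args, None))
            else:
                pos += 1
                children = block()
                pos += 1  # skip the closing brace
                items.append((name, args, children))
        return items

    tree = block()
    if pos != len(tokens):
        raise ValueError('unbalanced braces')
    return tree

def server_blocks(tree):
    """Yield the body of every server { } block at any depth."""
    for name, _args, children in tree:
        if children is not None:
            yield from ([children] if name == 'server' else server_blocks(children))

def effective(body, into=None):
    """Flatten a server body and its nested blocks into name -> args; a later
    occurrence wins, which approximates a location overriding its server."""
    into = {} if into is None else into
    for name, args, children in body:
        if children is None:
            into[name] = args
        else:
            effective(children, into)
    return into

def check_mtls(conf_text):
    """Return 'ERROR ...' / 'WARN ...' strings, one per problem found."""
    out = []
    for n, body in enumerate(server_blocks(parse(conf_text)), 1):
        d, tag = effective(body), f'server #{n}:'
        # Downstream side: is a client certificate demanded, and verifiable?
        verify = d.get('ssl_verify_client', ['off'])[0]
        have_ca = 'ssl_client_certificate' in d or 'ssl_trusted_certificate' in d
        if verify == 'off':
            out.append(f'WARN {tag} ssl_verify_client is off, clients are never asked for a certificate')
        elif verify in ('on', 'optional') and not have_ca:
            out.append(f'ERROR {tag} ssl_verify_client {verify} needs ssl_client_certificate or ssl_trusted_certificate')
        # Upstream side: presenting a cert is half of mTLS; nginx checks the upstream cert only with proxy_ssl_verify on.
        if 'proxy_ssl_certificate' in d:
            if d.get('proxy_ssl_verify', ['off'])[0] != 'on':
                out.append(f'WARN {tag} proxy_ssl_verify is off, the upstream certificate is not checked')
            elif 'proxy_ssl_trusted_certificate' not in d:
                out.append(f'ERROR {tag} proxy_ssl_verify on needs proxy_ssl_trusted_certificate')
    return out

# Constructed sample: this page's directives in nginx syntax (upstream host name assumed).
PAGE_CONFIG = """
server {
    ssl_certificate         /opt/cequence/nginx/mtls/certs/platform/serverCert.pem;
    ssl_certificate_key     /opt/cequence/nginx/mtls/certs/platform/serverKey.pem;
    ssl_stapling            on;
    ssl_stapling_verify     on;
    ssl_trusted_certificate /opt/cequence/nginx/mtls/certs/platform/trustedCAs.pem;
    ssl_verify_client       on;
    ssl_verify_depth        5;
    ssl_client_certificate  /opt/cequence/nginx/mtls/certs/platform/trustedCAs.pem;
    location / {
        proxy_pass                https://backend.example.internal;
        proxy_ssl_certificate     /opt/cequence/nginx/mtls/certs/platform/upstreamClientCert.pem;
        proxy_ssl_certificate_key /opt/cequence/nginx/mtls/certs/platform/upstreamClientKey.pem;
        proxy_http_version        1.1;
    }
}
"""
# The same config with the upstream certificate verified too (CA bundle path assumed).
HARDENED_CONFIG = PAGE_CONFIG.replace('proxy_http_version        1.1;', """proxy_http_version 1.1;
        proxy_ssl_verify              on;
        proxy_ssl_trusted_certificate /opt/cequence/nginx/mtls/certs/platform/upstreamCAs.pem;""")
if __name__ == '__main__':
    for line in check_mtls(PAGE_CONFIG) + (check_mtls(HARDENED_CONFIG) or ['hardened config: OK']):
        print(line)
```

Run against the directives from this page, the checker reports one warning (the upstream certificate is presented but never verified) and nothing else; the hardened variant, which adds proxy_ssl_verify on and a trusted CA bundle, is clean. The parser deliberately ignores everything except directive names and arguments, so it can be pointed at a full nginx.conf, but its "later directive wins" flattening is only an approximation of nginx's real context inheritance.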
Modifying the defender.yml file
Stop Defender before you edit the defender.yml file, and start it again once the edits are complete.
Post-install configuration using the Helm chart
You can control several aspects of Cequence Defender's behavior by changing the values of its environment variables. A complete list and description of these variables is available.