Get an A+ security rating for your application in the Qualys SSL lab test

Using insecure ciphers and protocols for transactions can impact the privacy, data integrity, and security of the users accessing your applications. Your application might be compromised if the correct settings are not in place.

How does the Citrix App Delivery and Security service help in getting an A+ security rating by Qualys SSL Labs?

SSL keeps your connection secure and prevents anyone from reading or modifying information while it is transferred between the two systems. Qualys SSL Labs rates the applications based on the ciphers, protocols, and other SSL settings. If your application servers meet the required settings, they are given an A+ rating. For more information, see SSL Server Test.

As an application owner, you can secure your application by selecting A+ Security. When you select this option, the service selects the ciphers, certificates, key exchange algorithms, and protocols required to get an A+ rating on your back-end application servers. The service applies these settings using SSL policies.

Create an SSL policy with A+ security intent using the GUI

Start the Create Application workflow. After specifying the application details and creating services, add endpoints.

For more information about specifying application details, see Create an application. For more information about creating services, see Create services.

For more information about creating an endpoint, see Add endpoint.

  1. Navigate to Endpoints.
  2. Click Add Endpoint.
  3. Modify an existing endpoint or click Create Endpoint.
  4. Click Add SSL Policy.

  5. Type a name for the policy and select A+ Security.

  6. Click Create.

An SSL policy is added with the A+ security intent to secure your application.

Create an SSL policy with A+ security intent using the API

Send the API request to the following endpoint.

Method    URL
POST      /adcaas/nitro/v1/config/network_functions

Header              Value
Content-Type        application/json
Cookie              SESSID=
ADS_SERVICE_TYPE    INTENT

The following snippet is an example of the API payload.

{
    "network_functions": [
        {
            "name": "DemoSSLPolicy",
            "type": "ssl_frontend",
            "ssl_frontend_params": {
                "aplussecurity": true,
                "ciphers": [],
                "tls1": false,
                "tls11": false,
                "tls12": false,
                "tls13": false
            }
        }
    ]
}

Example response

{
    "network_functions": [
        {
            "created_at": "2021-12-10T10:35:50Z",
            "id": "680aaf2b8537abbc9b2ac0f11aa98382",
            "name": "DemoSSLPolicy",
            "ssl_frontend_params": {
                "aplussecurity": true,
                "ciphers": [],
                "tls1": false,
                "tls11": false,
                "tls12": false,
                "tls13": false
            },
            "type": "ssl_frontend",
            "updated_at": "2021-12-10T10:35:50Z"
        }
    ]
}

Use this policy when you create an application, as required.

Create an application with SSL policy for A+ security intent using the API

The following API creates an application with the specified:

  • Environment
  • Services
  • Endpoints including a valid certificate
  • Load balancing configuration

Send the API request to the following endpoint.

Method    URL
POST      /adcaas/nitro/v1/config/applications

Header              Value
Content-Type        application/json
Cookie              SESSID=
ADS_SERVICE_TYPE    INTENT

The following snippet is an example of the API payload.

{
    "applications": [
        {
            "edition": "premium",
            "name": "DemoAppHTTPS",
            "type": "aws",
            "environment": {
                "id": "3b6ed423c509404915c57a06ee675e6b"
            },
            "endpoints": [
                {
                    "name": "DemoHTTPSEndpoint",
                    "endpoint_type": "External",
                    "fqdns": [],
                    "fqdn_auto_allocated": true,
                    "listeners": [
                        {
                            "port": 443,
                            "protocol": "HTTPS",
                            "certificates": [
                                "3bf39d58-7fcc-49b8-b050-a230681c97ac"
                            ],
                            "ssl_network_function": {
                                "name": "DemoSSLPolicy"
                            },
                            "is_https_redirect": true,
                            "redirect_port": 80
                        }
                    ]
                }
            ],
            "network_functions": [
                {
                    "name": "DemoLB",
                    "type": "lb",
                    "lb_params": {
                        "algorithm": "ROUND_ROBIN",
                        "stickinessType": "SOURCE_IP"
                    }
                },
                {
                    "name": "DemoSSLPolicy",
                    "type": "ssl_frontend",
                    "ssl_frontend_params": {
                        "aplussecurity": true,
                        "ciphers": [],
                        "tls1": false,
                        "tls11": false,
                        "tls12": false,
                        "tls13": false
                    }
                }
            ],
            "application_services": [
                {
                    "name": "DemoAppSvc",
                    "protocol": "HTTPS",
                    "port": 443,
                    "app_server_type": "servers",
                    "aws_autoscalegroup": "",
                    "aws_instances": [],
                    "servers": [
                        {
                            "type": "IPAddress",
                            "value": "192.0.2.2"
                        }
                    ],
                    "network_functions": [
                        {
                            "name": "DemoLB",
                            "type": "lb"
                        }
                    ]
                }
            ],
            "application_endpoints": [
                {
                    "endpoint_name": "DemoHTTPSEndpoint",
                    "default_route": "DemoAppSvc",
                    "routes": []
                }
            ]
        }
    ]
}
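
A pre-flight check for this payload, as an added example that is not Citrix's code: it confirms that every HTTPS listener binds a certificate and an SSL policy declared with "aplussecurity": true, and that each route names a declared endpoint and service. The function names, and the rule that the policy must be declared in the same payload (as in the example above), are assumptions of this example.

```python
def lint_application(app):
    """Return findings for one entry of the "applications" array."""
    findings = []
    # SSL policies declared in this payload, indexed by name.
    policies = {nf.get("name"): nf.get("ssl_frontend_params", {})
                for nf in app.get("network_functions", [])
                if nf.get("type") == "ssl_frontend"}
    endpoints = set()
    for ep in app.get("endpoints", []):
        endpoints.add(ep.get("name"))
        for lst in ep.get("listeners", []):
            if lst.get("protocol") != "HTTPS":
                continue
            where = f'{ep.get("name")}:{lst.get("port")}'
            ref = (lst.get("ssl_network_function") or {}).get("name")
            if not lst.get("certificates"):
                findings.append(f"{where}: no certificate bound")
            if ref is None:
                findings.append(f"{where}: no SSL policy bound")
            elif ref not in policies:  # assumption: policy is declared inline
                findings.append(f"{where}: policy {ref!r} not in payload")
            elif policies[ref].get("aplussecurity") is not True:
                findings.append(f"{where}: policy {ref!r} is not A+")
    # Routes must point at an endpoint and a service declared above.
    services = {s.get("name") for s in app.get("application_services", [])}
    for route in app.get("application_endpoints", []):
        if route.get("endpoint_name") not in endpoints:
            findings.append(f'unknown endpoint {route.get("endpoint_name")!r}')
        if route.get("default_route") not in services:
            findings.append(f'unknown service {route.get("default_route")!r}')
    return findings

def lint_payload(payload):
    """Lint every application in a parsed request body."""
    apps = payload.get("applications")
    if not isinstance(apps, list):
        return ['"applications" is not an array']
    return [f for app in apps for f in lint_application(app)]

# Constructed sample, trimmed from the request payload on this page.
SAMPLE = {"applications": [{
    "endpoints": [{"name": "DemoHTTPSEndpoint", "listeners": [{
        "port": 443, "protocol": "HTTPS",
        "certificates": ["3bf39d58-7fcc-49b8-b050-a230681c97ac"],
        "ssl_network_function": {"name": "DemoSSLPolicy"}}]}],
    "network_functions": [{"name": "DemoSSLPolicy", "type": "ssl_frontend",
                           "ssl_frontend_params": {"aplussecurity": True}}],
    "application_services": [{"name": "DemoAppSvc"}],
    "application_endpoints": [{"endpoint_name": "DemoHTTPSEndpoint",
                               "default_route": "DemoAppSvc"}]}]}
```

Run lint_payload on the parsed request body before sending it; an empty list means no findings.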

Example response

{
    "applications": [
        {
            "application_endpoints": [
                {
                    "default_route": "DemoAppSvc",
                    "endpoint_id": "fac30d4b980deccb291f97cdfd7d63f2",
                    "endpoint_name": "DemoHTTPSEndpoint",
                    "id": "968d6af0fc0d50a5b30cf99fe19ddf20",
                    "routes": []
                }
            ],
            "application_services": [
                {
                    "app_server_type": "servers",
                    "id": "0ad8677bf3dffe9bce95b20bd48818ed",
                    "name": "DemoAppSvc",
                    "network_functions": [
                        {
                            "name": "DemoLB",
                            "type": "lb"
                        }
                    ],
                    "port": 443,
                    "protocol": "HTTPS",
                    "servers": [
                        {
                            "type": "IPAddress",
                            "value": "192.0.2.2"
                        }
                    ],
                    "slow_server_settings": {
                        "action": "detect"
                    }
                }
            ],
            "created_at": "2021-12-10T11:09:42Z",
            "deployed_at": null,
            "edition": "premium",
            "environment": {
                "cloud": "aws",
                "id": "3b6ed423c509404915c57a06ee675e6b",
                "name": "DemoEnv"
            },
            "id": "501d0fa420bbcd6d079cbbda7faf6e12",
            "job_id": null,
            "name": "DemoAppHTTPS",
            "status": "INDRAFT",
            "type": "aws",
            "updated_at": "2021-12-10T11:09:42Z"
        }
    ]
}