f5networks.f5_bigip.bigip_sslo_config_ssl (1.13.0) — module

Manage an SSL Orchestrator SSL configuration

Added in version 1.6.0 of f5networks.f5_bigip

Authors: Wojciech Wypior (@wojtek0806), Kevin Stewart (@kevingstewart)

Install collection

Install with ansible-galaxy collection install f5networks.f5_bigip:==1.13.0


Add to requirements.yml

  collections:
    - name: f5networks.f5_bigip
      version: 1.13.0

Description

Manage an SSL Orchestrator SSL configuration.

Usage examples

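- hosts: all
  collections:
    - f5networks.f5_bigip
  connection: httpapi

  vars:
    ansible_host: "lb.mydomain.com"
    ansible_user: "admin"
    # Example value only. Keep the real credential out of the playbook and out of
    # version control: supply it via ansible-vault or an environment/secret-store lookup.
    ansible_httpapi_password: "secret"
    ansible_network_os: f5networks.f5_bigip.bigip
    # Canonical YAML booleans (true/false) rather than YAML 1.1 yes/no.
    ansible_httpapi_use_ssl: true

  tasks:
    - name: Create an SSLO SSL config with reverse proxy - output json only
      bigip_sslo_config_ssl:
        name: "reverse_foo"
        client_settings:
          proxy_type: "reverse"
          cert: "/Common/sslo_test.crt"
          key: "/Common/sslo_test.key"
        # dump_json: true makes no change on the device; the module only returns the JSON blob.
        dump_json: true

    - name: Create an SSLO SSL config with forward proxy
      bigip_sslo_config_ssl:
        name: "forward_foo"
        client_settings:
          proxy_type: "forward"
          cipher_type: "group"
          cipher_group: "/Common/f5-default"
          ca_cert: "/Common/default.crt"
          ca_key: "/Common/default.key"
          alpn: true
        server_settings:
          cipher_type: "group"
          cipher_group: "/Common/f5-default"
        # true lets a connection proceed un-decrypted when the server-side TLS handshake
        # fails; false makes the connection fail instead.
        bypass_handshake_failure: true
        # Seconds to wait for the CREATE/MODIFY/DELETE task (accepted range 10-1800).
        timeout: 400

    - name: Modify an SSLO SSL config with forward proxy
      bigip_sslo_config_ssl:
        name: "forward_foo"
        client_settings:
          proxy_type: "forward"
          ca_cert: "/Common/sslo_test.crt"
          ca_key: "/Common/sslo_test.key"

    - name: Delete an SSLO SSL config
      bigip_sslo_config_ssl:
        name: "forward_foo"
        state: absent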

Inputs

    
sni:
    description:
    - Specifies the SNI settings.
    suboptions:
      sni_default:
        description:
        - Specify whether it is the default SNI server.
        type: bool
      sni_server_name:
        description:
        - The SNI server name in FQDN format.
        type: str
    type: dict

name:
    description:
    - Specifies the name of the SSL configuration object.
    - The configuration auto-prepends C(ssloT_) to the object.
    - Names should be less than 14 characters and not contain dashes C(-).
    required: true
    type: str

state:
    choices:
    - present
    - absent
    default: present
    description:
    - When C(state) is C(present), ensures the object is created or modified.
    - When C(state) is C(absent), ensures the object is removed.
    type: str

timeout:
    default: 300
    description:
    - The amount of time to wait for the C(CREATE), C(MODIFY) or C(DELETE) task to complete,
      in seconds.
    - The accepted value range is between C(10) and C(1800) seconds.
    type: int

dump_json:
    default: false
    description:
    - Sets the module to output a JSON blob for further consumption.
    - When C(yes), does not make any changes on the device and always returns C(changed=False).
    - The output provided is idempotent in nature, meaning if there are no changes to
      be made during C(MODIFY) on an existing service no JSON output is generated.
    type: bool

client_settings:
    description:
    - Specifies the client-side SSL settings.
    suboptions:
      alpn:
        description:
        - Enables or disables ALPN HTTP/2 full proxy.
        - This parameter can only be used when C(proxy_type) is C(forward).
        - This parameter is only available in SSLO version 9.0 and later.
        type: bool
      ca_cert:
        description:
        - Defines the CA certificate applied in the client side settings.
        - This parameter is required when C(proxy_type) is C(forward), otherwise this
          setting is ignored.
        - This parameter is required together with C(ca_key).
        type: str
      ca_chain:
        description:
        - Defines the CA certificate keychain in the client side settings.
        - This parameter is required if C(proxy_type) is C(forward), otherwise this setting
          is ignored.
        type: str
      ca_key:
        description:
        - Defines the CA private key applied in the client side settings.
        - This parameter is required when C(proxy_type) is C(forward), otherwise this
          setting is ignored.
        - This parameter is required together with C(ca_cert).
        type: str
      cert:
        description:
        - Defines the certificate applied in the client side settings.
        - This parameter is required together with C(key).
        type: str
      chain:
        description:
        - Defines the certificate keychain in the client side settings.
        type: str
      cipher_group:
        description:
        - Defines the existing cipher group.
        - This parameter is mutually exclusive with C(cipher_string).
        - This parameter is required when C(cipher_type) is C(group).
        type: str
      cipher_string:
        description:
        - Defines the string used for cipher strings.
        - This parameter is mutually exclusive with C(cipher_group).
        - This parameter is required when C(cipher_type) is C(string).
        type: str
      cipher_type:
        choices:
        - string
        - group
        description:
        - Defines the type of cipher used.
        type: str
      client_ssl_options:
        description:
        - The processing options using various TLS and SSL versions.
        elements: str
        type: list
        version_added: 1.12.0
        version_added_collection: f5networks.f5_bigip
      key:
        description:
        - Defines the private key applied in the client side settings.
        - This parameter is required together with C(cert).
        type: str
      log_publisher:
        description:
        - Defines a specific log publisher to use for client-side SSL-related events.
        - This parameter is only available in SSLO version 9.0 and later.
        type: str
      proxy_type:
        choices:
        - forward
        - reverse
        description:
        - Defines the type of proxy to configure.
        - This parameter is immutable after the object has been created.
        - This parameter is required when C(state) is C(present).
        type: str
    type: dict

server_settings:
    description:
    - Specifies the server-side SSL settings.
    suboptions:
      block_expired:
        choices:
        - drop
        - ignore
        - mask
        description:
        - Defines the action to take if an expired remote server certificate is encountered.
        - For reverse proxy, the default is to ignore expired certificates.
        - For forward proxy, the default is to drop expired certificates.
        type: str
      block_untrusted:
        choices:
        - drop
        - ignore
        - mask
        description:
        - Defines the action to take if an untrusted remote server certificate is encountered,
          based on the defined C(ca_bundle).
        - For reverse proxy, the default is to ignore untrusted certificates.
        - For forward proxy, the default is to drop untrusted certificates.
        type: str
      ca_bundle:
        description:
        - Defines the certificate authority bundle used to validate remote server certificates.
        - This setting is most applicable in the forward proxy use case to validate remote
          server certificates.
        type: str
      cipher_group:
        description:
        - Defines the existing cipher group.
        - This parameter is mutually exclusive with C(cipher_string).
        - This parameter is required when C(cipher_type) is C(group).
        type: str
      cipher_string:
        description:
        - Defines the string used for cipher strings.
        - This parameter is mutually exclusive with C(cipher_group).
        - This parameter is required when C(cipher_type) is C(string).
        type: str
      cipher_type:
        choices:
        - string
        - group
        description:
        - Defines the type of cipher used.
        type: str
      crl:
        description:
        - Defines a CRL configuration to use to perform certificate revocation checking
          against remote server certificates.
        type: str
      log_publisher:
        description:
        - Defines a specific log publisher to use for server-side SSL-related events.
        - This parameter is only available in SSLO version 9.0 and above.
        type: str
      ocsp:
        description:
        - Defines an OCSP configuration to use to perform certificate revocation checking
          against remote server certificates.
        type: str
      server_ssl_options:
        description:
        - The processing options using various TLS and SSL versions.
        elements: str
        type: list
        version_added: 1.12.0
        version_added_collection: f5networks.f5_bigip
    type: dict

bypass_handshake_failure:
    description:
    - Defines the action to take if a server side TLS handshake failure is detected.
    - A value of C(no) causes the connection to fail.
    - A value of C(yes) shuts down TLS decryption and allows the connection to proceed
      un-decrypted.
    type: bool

bypass_client_cert_failure:
    description:
    - Defines the action to take if a server side TLS handshake client certificate request
      is detected.
    - A value of C(no) causes the connection to fail.
    - A value of C(yes) shuts down TLS decryption and allows the connection to proceed
      un-decrypted.
    type: bool

Outputs

bypass_client_cert_failure:
  description:
  - Defines the action to take if a server side TLS handshake client certificate request
    is detected.
  returned: changed
  sample: true
  type: bool
bypass_handshake_failure:
  description:
  - Defines the action to take if a server side TLS handshake failure is detected.
  returned: changed
  sample: true
  type: bool
client_settings:
  contains:
    alpn:
      description: Enables or disables ALPN HTTP/2 full proxy.
      sample: true
      type: bool
    ca_cert:
      description: The CA certificate applied in the client side settings.
      sample: /Common/default.crt
      type: str
    ca_chain:
      description: The CA certificate keychain in the client side settings.
      sample: /Common/local-ca-chain.crt
      type: str
    ca_key:
      description: The CA private key applied in the client side settings.
      sample: /Common/default.key
      type: str
    cert:
      description: The certificate applied in the client side settings.
      sample: /Common/default.crt
      type: str
    chain:
      description: The certificate keychain in the client side settings.
      sample: /Common/local-ca-chain.crt
      type: str
    cipher_group:
      description: The existing cipher group.
      sample: /Common/f5-default
      type: str
    cipher_string:
      description: The string used for cipher strings.
      sample: DEFAULT
      type: str
    cipher_type:
      description: The type of cipher used.
      sample: string
      type: str
    key:
      description: The private key applied in the client side settings.
      sample: /Common/default.key
      type: str
    log_publisher:
      description: The log publisher used for client-side SSL-related events.
      sample: /Common/sys-ssl-publisher
      type: str
    proxy_type:
      description: The type of proxy configured.
      sample: forward
      type: str
  description: Client-side SSL settings.
  returned: changed
  type: complex
server_settings:
  contains:
    block_expired:
      description: The action to take if an expired remote server certificate is encountered.
      sample: ignore
      type: str
    block_untrusted:
      description: The action to take if an untrusted remote server certificate is
        encountered.
      sample: ignore
      type: str
    ca_bundle:
      description: The certificate authority bundle used to validate remote server
        certificates.
      sample: /Common/ca-bundle.crt
      type: str
    cipher_group:
      description: The existing cipher group.
      sample: /Common/f5-default
      type: str
    cipher_string:
      description: The string used for cipher strings.
      sample: DEFAULT
      type: str
    cipher_type:
      description: The type of cipher used.
      sample: string
      type: str
    crl:
      description: The existing CRL configuration to validate revocation of remote
        server certificates.
      sample: /Common/my-crl
      type: str
    log_publisher:
      description: The log publisher used for server-side SSL-related events.
      sample: /Common/sys-ssl-publisher
      type: str
    ocsp:
      description: The existing OCSP configuration to validate revocation of remote
        server certificates.
      sample: /Common/my-ocsp
      type: str
  description: Specifies the server-side SSL settings.
  returned: changed
  type: complex