f5networks.f5_bigip.bigip_sslo_config_ssl (3.4.0) — module

Manage an SSL Orchestrator SSL configuration

Added in version 1.6.0 of f5networks.f5_bigip

Authors: Wojciech Wypior (@wojtek0806), Kevin Stewart (@kevingstewart)

Install collection

Install with ansible-galaxy collection install f5networks.f5_bigip:==3.4.0


Add to requirements.yml

  collections:
    - name: f5networks.f5_bigip
      version: 3.4.0

Description

Manage an SSL Orchestrator SSL configuration.

Usage examples

# Render the SSLO SSL configuration as JSON without touching the device:
# per the dump_json option, no changes are made and changed=False is returned.
- name: Create an SSLO SSL config with reverse proxy - output json only
  bigip_sslo_config_ssl:
    name: "reverse_foo"
    client_settings:
      proxy_type: "reverse"
      # cert and key are documented as required together. If the key is
      # passphrase-protected, key_passphrase (3.3.0+) carries it — source that
      # value from a vault or the environment rather than a plain-text playbook.
      cert: "/Common/sslo_test.crt"
      key: "/Common/sslo_test.key"
    dump_json: true
# Forward-proxy configuration. proxy_type is immutable once the object exists,
# and ca_cert/ca_key are documented as required together for a forward proxy.
- name: Create an SSLO SSL config with forward proxy
  bigip_sslo_config_ssl:
    name: "forward_foo"
    client_settings:
      proxy_type: "forward"
      # cipher_type "group" requires cipher_group (mutually exclusive with cipher_string).
      cipher_type: "group"
      cipher_group: "/Common/f5-default"
      # NOTE(review): /Common/default.crt and /Common/default.key are the example's
      # placeholder CA pair; substitute the CA certificate and key intended for this
      # deployment — verify before use.
      ca_cert: "/Common/default.crt"
      ca_key: "/Common/default.key"
      # alpn only applies to forward proxy and needs SSLO 9.0 or later.
      alpn: true
    server_settings:
      cipher_type: "group"
      cipher_group: "/Common/f5-default"
    # NOTE(review): this option selects between failing the connection on a
    # server-side TLS handshake failure and shutting down TLS decryption so the
    # connection proceeds un-decrypted. The latter is a fail-open choice, so
    # confirm that this value matches the intended inspection policy.
    bypass_handshake_failure: true
    # Task wait time in seconds; the documented accepted range is 10-1800 (default 300).
    timeout: 400
# Re-point an existing forward-proxy object at a different CA pair. proxy_type is
# repeated because it is required whenever state is present, and it cannot be
# changed after creation.
- name: Modify an SSLO SSL config with forward proxy
  bigip_sslo_config_ssl:
    name: "forward_foo"
    client_settings:
      proxy_type: "forward"
      # If the replacement CA key carries a passphrase, the option docs require
      # update_ca_key_passphrase: true alongside ca_key_passphrase to add or change it.
      ca_cert: "/Common/sslo_test.crt"
      ca_key: "/Common/sslo_test.key"
# state: absent removes the object; name is the only other required input.
- name: Delete an SSLO SSL config
  bigip_sslo_config_ssl:
    name: "forward_foo"
    state: absent

Inputs

    
sni:
    description:
    - Specifies the SNI settings.
    suboptions:
      sni_default:
        description:
        - Specify whether it is the default SNI server.
        type: bool
      sni_server_name:
        description:
        - The SNI server name in FQDN format.
        type: str
    type: dict

name:
    description:
    - Specifies the name of the SSL configuration object.
    - The configuration auto-prepends C(ssloT_) to the object.
    - Names should be less than 14 characters and not contain dashes C(-).
    required: true
    type: str

state:
    choices:
    - present
    - absent
    default: present
    description:
    - When C(state) is C(present), ensures the object is created or modified.
    - When C(state) is C(absent), ensures the object is removed.
    type: str

timeout:
    default: 300
    description:
    - The amount of time to wait for the C(CREATE), C(MODIFY) or C(DELETE) task to complete,
      in seconds.
    - The accepted value range is between C(10) and C(1800) seconds.
    type: int

dump_json:
    default: false
    description:
    - Sets the module to output a JSON blob for further consumption.
    - When C(true), does not make any changes on the device and always returns C(changed=False).
    - The output provided is idempotent in nature, meaning if there are no changes to
      be made during C(MODIFY) on an existing service no JSON output is generated.
    type: bool

client_settings:
    description:
    - Specifies the client-side SSL settings.
    suboptions:
      alpn:
        description:
        - Enables or disables ALPN HTTP/2 full proxy.
        - This parameter can only be used when C(proxy_type) is C(forward).
        - This parameter is only available in SSLO version 9.0 and later.
        type: bool
      ca_cert:
        description:
        - Defines the CA certificate applied in the client side settings.
        - This parameter is required when C(proxy_type) is C(forward), otherwise this
          setting is ignored.
        - This parameter is required together with C(ca_key).
        type: str
      ca_chain:
        description:
        - Defines the CA certificate keychain in the client side settings.
        - This parameter is required if C(proxy_type) is C(forward), otherwise this setting
          is ignored.
        type: str
      ca_key:
        description:
        - Defines the CA private key applied in the client side settings.
        - This parameter is required when C(proxy_type) is C(forward), otherwise this
          setting is ignored.
        - This parameter is required together with C(ca_cert).
        type: str
      ca_key_passphrase:
        description:
        - Defines the passphrase for the CA private key in the client side settings.
        type: str
        version_added: 3.3.0
        version_added_collection: f5networks.f5_bigip
      cert:
        description:
        - Defines the certificate applied in the client side settings.
        - This parameter is required together with C(key).
        type: str
      chain:
        description:
        - Defines the certificate keychain in the client side settings.
        type: str
      cipher_group:
        description:
        - Defines the existing cipher group.
        - This parameter is mutually exclusive with C(cipher_string).
        - This parameter is required when C(cipher_type) is C(group).
        type: str
      cipher_string:
        description:
        - Defines the string used for cipher strings.
        - This parameter is mutually exclusive with C(cipher_group).
        - This parameter is required when C(cipher_type) is C(string).
        type: str
      cipher_type:
        choices:
        - string
        - group
        description:
        - Defines the type of cipher used.
        type: str
      client_ssl_options:
        description:
        - The processing options using various TLS and SSL versions.
        elements: str
        type: list
        version_added: 1.12.0
        version_added_collection: f5networks.f5_bigip
      key:
        description:
        - Defines the private key applied in the client side settings.
        - This parameter is required together with C(cert).
        type: str
      key_passphrase:
        description:
        - Defines the passphrase for the private key in the client side settings.
        type: str
        version_added: 3.3.0
        version_added_collection: f5networks.f5_bigip
      log_publisher:
        description:
        - Defines a specific log publisher to use for client-side SSL-related events.
        - This parameter is only available in SSLO version 9.0 and later.
        type: str
      proxy_type:
        choices:
        - forward
        - reverse
        description:
        - Defines the type of proxy to configure.
        - This parameter is immutable after the object has been created.
        - This parameter is required when C(state) is C(present).
        type: str
      update_ca_key_passphrase:
        default: false
        description:
        - Defines whether to update the passphrase for the CA private key in the client
          side settings.
        - The default value is C(false).
        - It must be set to C(true) when updating the passphrase, or when adding a
          passphrase to a CA private key that does not have one in an existing SSL
          config.
        type: bool
        version_added: 3.3.0
        version_added_collection: f5networks.f5_bigip
      update_key_passphrase:
        default: false
        description:
        - Defines whether to update the passphrase for the private key in the client side
          settings.
        - The default value is C(false).
        - It must be set to C(true) when updating the passphrase, or when adding a
          passphrase to a private key that does not have one in an existing SSL
          config.
        type: bool
        version_added: 3.3.0
        version_added_collection: f5networks.f5_bigip
    type: dict

server_settings:
    description:
    - Specifies the server-side SSL settings.
    suboptions:
      block_expired:
        choices:
        - drop
        - ignore
        - mask
        description:
        - Defines the action to take if an expired remote server certificate is encountered.
        - For reverse proxy, the default is to ignore expired certificates.
        - For forward proxy, the default is to drop expired certificates.
        type: str
      block_untrusted:
        choices:
        - drop
        - ignore
        - mask
        description:
        - Defines the action to take if an untrusted remote server certificate is encountered,
          based on the defined C(ca_bundle).
        - For reverse proxy, the default is to ignore untrusted certificates.
        - For forward proxy, the default is to drop untrusted certificates.
        type: str
      ca_bundle:
        description:
        - Defines the certificate authority bundle used to validate remote server certificates.
        - This setting is most applicable in the forward proxy use case to validate remote
          server certificates.
        type: str
      cipher_group:
        description:
        - Defines the existing cipher group.
        - This parameter is mutually exclusive with C(cipher_string).
        - This parameter is required when C(cipher_type) is C(group).
        type: str
      cipher_string:
        description:
        - Defines the string used for cipher strings.
        - This parameter is mutually exclusive with C(cipher_group).
        - This parameter is required when C(cipher_type) is C(string).
        type: str
      cipher_type:
        choices:
        - string
        - group
        description:
        - Defines the type of cipher used.
        type: str
      crl:
        description:
        - Defines a CRL configuration to use to perform certificate revocation checking
          against remote server certificates.
        type: str
      log_publisher:
        description:
        - Defines a specific log publisher to use for server-side SSL-related events.
        - This parameter is only available in SSLO version 9.0 and later.
        type: str
      ocsp:
        description:
        - Defines an OCSP configuration to use to perform certificate revocation checking
          against remote server certificates.
        type: str
      server_ssl_options:
        description:
        - The processing options using various TLS and SSL versions.
        elements: str
        type: list
        version_added: 1.12.0
        version_added_collection: f5networks.f5_bigip
    type: dict

bypass_handshake_failure:
    description:
    - Defines the action to take if a server side TLS handshake failure is detected.
    - A value of C(false) causes the connection to fail.
    - A value of C(true) shuts down TLS decryption and allows the connection to proceed
      un-decrypted.
    type: bool

bypass_client_cert_failure:
    description:
    - Defines the action to take if a server side TLS handshake client certificate request
      is detected.
    - A value of C(false) causes the connection to fail.
    - A value of C(true) shuts down TLS decryption and allows the connection to proceed
      un-decrypted.
    type: bool

Outputs

bypass_client_cert_failure:
  description:
  - Defines the action to take if a server side TLS handshake client certificate request
    is detected.
  returned: changed
  sample: true
  type: bool
bypass_handshake_failure:
  description:
  - Defines the action to take if a server side TLS handshake failure is detected.
  returned: changed
  sample: true
  type: bool
client_settings:
  contains:
    alpn:
      description: Enables or disables ALPN HTTP/2 full proxy.
      sample: true
      type: bool
    ca_cert:
      description: The CA certificate applied in the client side settings.
      sample: /Common/default.crt
      type: str
    ca_chain:
      description: The CA certificate keychain in the client side settings.
      sample: /Common/local-ca-chain.crt
      type: str
    ca_key:
      description: The CA private key applied in the client side settings.
      sample: /Common/default.key
      type: str
    cert:
      description: The certificate applied in the client side settings.
      sample: /Common/default.crt
      type: str
    chain:
      description: The certificate keychain in the client side settings.
      sample: /Common/local-ca-chain.crt
      type: str
    cipher_group:
      description: The existing cipher group.
      sample: /Common/f5-default
      type: str
    cipher_string:
      description: The string used for cipher strings.
      sample: DEFAULT
      type: str
    cipher_type:
      description: The type of cipher used.
      sample: string
      type: str
    key:
      description: The private key applied in the client side settings.
      sample: /Common/default.key
      type: str
    log_publisher:
      description: The log publisher used for client-side SSL-related events.
      sample: /Common/sys-ssl-publisher
      type: str
    proxy_type:
      description: The type of proxy configured.
      sample: forward
      type: str
  description: Client-side SSL settings.
  returned: changed
  type: complex
server_settings:
  contains:
    block_expired:
      description: The action to take if an expired remote server certificate is encountered.
      sample: ignore
      type: str
    block_untrusted:
      description: The action to take if an untrusted remote server certificate is
        encountered.
      sample: ignore
      type: str
    ca_bundle:
      description: The certificate authority bundle used to validate remote server
        certificates.
      sample: /Common/ca-bundle.crt
      type: str
    cipher_group:
      description: The existing cipher group.
      sample: /Common/f5-default
      type: str
    cipher_string:
      description: The string used for cipher strings.
      sample: DEFAULT
      type: str
    cipher_type:
      description: The type of cipher used.
      sample: string
      type: str
    crl:
      description: The existing CRL configuration to validate revocation of remote
        server certificates.
      sample: /Common/my-crl
      type: str
    log_publisher:
      description: The log publisher used for server-side SSL-related events.
      sample: /Common/sys-ssl-publisher
      type: str
    ocsp:
      description: The existing OCSP configuration to validate revocation of remote
        server certificates.
      sample: /Common/my-ocsp
      type: str
  description: Specifies the server-side SSL settings.
  returned: changed
  type: complex