Try SpotterManages server SSL profiles on a BIG-IP
| "added in version" 1.0.0 of f5networks.f5_modules"
Authors: Tim Rupp (@caphrim007)
Install with ansible-galaxy collection install f5networks.f5_modules:==1.28.0
collections:
- name: f5networks.f5_modules
version: 1.28.0Manages server SSL profiles on a BIG-IP system.
- name: Create a new server SSL profile
bigip_profile_server_ssl:
name: foo
provider:
password: secret
server: lb.mydomain.com
user: admin
delegate_to: localhost
- name: Create server SSL profile with specific cipher group
bigip_profile_server_ssl:
state: present
name: foo_group
ciphers: "none"
cipher_group: "/Common/f5-secure"
provider:
server: lb.mydomain.com
user: admin
password: secret
delegate_to: localhost
key:
description:
- Specifies the file name of the SSL key.
type: str
name:
description:
- Specifies the name of the profile.
required: true
type: str
chain:
description:
- Specifies the certificates-key chain to associate with the SSL profile.
type: str
state:
choices:
- present
- absent
default: present
description:
- When C(present), ensures the profile exists.
- When C(absent), ensures the profile is removed.
type: str
parent:
default: /Common/serverssl
description:
- The parent template of this monitor template. Once this value has been set, it cannot
be changed.
type: str
ca_file:
description:
- Specifies a server CA the system trusts. The default is (None).
type: str
ciphers:
description:
- Specifies the list of ciphers the system supports. When creating a new profile,
the default cipher list is provided by the parent profile.
- When the C(cipher_group) parameter is in use, the C(ciphers) parameter needs to
be set to either C(none) or C('').
type: str
options:
choices:
- dont-insert-empty-fragments
- no-ssl
- no-dtls
- no-session-resumption-on-renegotiation
- no-tlsv1.1
- no-tlsv1.2
- no-tlsv1.3
- single-dh-use
- tls-rollback-bug
- no-sslv3
- no-tls
- no-tlsv1
- none
description:
- Options the system uses for SSL processing in the form of a list. When creating
a new profile, the list is provided by the parent profile.
- When C('') or C(none), all options for SSL processing are disabled.
elements: str
type: list
provider:
description:
- A dict object containing connection details.
suboptions:
auth_provider:
description:
- Configures the auth provider for to obtain authentication tokens from the remote
device.
- This option is really used when working with BIG-IQ devices.
type: str
no_f5_teem:
default: false
description:
- If C(yes), TEEM telemetry data is not sent to F5.
- You may omit this option by setting the environment variable C(F5_TELEMETRY_OFF).
- Previously used variable C(F5_TEEM) is deprecated as its name was confusing.
type: bool
password:
aliases:
- pass
- pwd
description:
- The password for the user account used to connect to the BIG-IP or the BIG-IQ.
- You may omit this option by setting the environment variable C(F5_PASSWORD).
required: true
type: str
server:
description:
- The BIG-IP host or the BIG-IQ host.
- You may omit this option by setting the environment variable C(F5_SERVER).
required: true
type: str
server_port:
default: 443
description:
- The BIG-IP server port.
- You may omit this option by setting the environment variable C(F5_SERVER_PORT).
type: int
timeout:
description:
- Specifies the timeout in seconds for communicating with the network device for
either connecting or sending commands. If the timeout is exceeded before the
operation is completed, the module will error.
type: int
transport:
choices:
- rest
default: rest
description:
- Configures the transport connection to use when connecting to the remote device.
type: str
user:
description:
- The username to connect to the BIG-IP or the BIG-IQ. This user must have administrative
privileges on the device.
- You may omit this option by setting the environment variable C(F5_USER).
required: true
type: str
validate_certs:
default: true
description:
- If C(no), SSL certificates are not validated. Use this only on personally controlled
sites using self-signed certificates.
- You may omit this option by setting the environment variable C(F5_VALIDATE_CERTS).
type: bool
type: dict
version_added: 1.0.0
version_added_collection: f5networks.f5_modules
partition:
default: Common
description:
- Device partition to manage resources on.
type: str
passphrase:
description:
- Specifies a passphrase used to encrypt the key.
type: str
certificate:
description:
- Specifies the name of the certificate the system uses for server-side SSL processing.
type: str
server_name:
description:
- Specifies the fully qualified DNS hostname of the server used in Server Name Indication
communications. When creating a new profile, the setting is provided by the parent
profile.
type: str
sni_default:
description:
- Indicates the system uses this profile as the default SSL profile when there is
no match to the server name, or when the client provides no SNI extension support.
- When creating a new profile, the setting is provided by the parent profile.
- There can be only one SSL profile with this setting enabled.
type: bool
sni_require:
description:
- Requires the network peers also provide SNI support. This setting only takes effect
when C(sni_default) is C(true).
- When creating a new profile, the setting is provided by the parent profile.
type: bool
cipher_group:
description:
- Specifies the cipher group to assign to this profile.
- When the C(ciphers) parameter is in use, the C(cipher_group) must be set to either
C(none) or C('').
- When creating a new profile with C(cipher_group), if the parent profile has C(ciphers)
set by default, the C(cipher) parameter must be set to C(none) or C('') during creation.
- The parameter only works on TMOS version 13.x and later.
type: str
version_added: 1.12.0
version_added_collection: f5networks.f5_modules
ocsp_profile:
description:
- Specifies the name of the OCSP profile for purpose of validating the status of server
certificate.
type: str
renegotiation:
description:
- Enables or disables SSL renegotiation.
- When creating a new profile, the setting is provided by the parent profile.
type: bool
update_password:
choices:
- always
- on_create
default: always
description:
- C(always) allows users to update passwords if they choose to do so. C(on_create)
only sets the password for newly created profiles.
type: str
authenticate_name:
description:
- Specifies a Common Name (CN) that is embedded in a server certificate. The system
authenticates a server based on the specified CN.
type: str
server_certificate:
choices:
- ignore
- require
description:
- Specifies the way the system handles server certificates.
- When C(ignore), specifies the system ignores certificates from server systems.
- When C(require), specifies the system requires a server to present a valid certificate.
type: str
secure_renegotiation:
choices:
- require
- require-strict
- request
description:
- Specifies the method of secure renegotiations for SSL connections. When creating
a new profile, the setting is provided by the parent profile.
- When C(request) is set, the system requests secure renegotiation of SSL connections.
- C(require) is a default setting and when set, the system permits initial SSL handshakes
from clients but terminates renegotiations from unpatched clients.
- With the C(require-strict) setting, the system requires strict renegotiation of
SSL connections. In this mode the system refuses connections to insecure servers,
and terminates existing SSL connections to insecure servers.
type: str
cipher_group: description: The cipher group applied to the profile. returned: changed sample: /Common/f5-secure type: str ciphers: description: The ciphers applied to the profile. returned: changed sample: '!SSLv3:!SSLv2:ECDHE+AES-GCM+SHA256:ECDHE-RSA-AES128-CBC-SHA' type: str options: description: The list of options for SSL processing. returned: changed sample: - no-ssl - no-sslv3 type: list renegotiation: description: Renegotiation of SSL sessions. returned: changed sample: true type: bool secure_renegotiation: description: The method of secure SSL renegotiation. returned: changed sample: request type: str