f5networks / f5networks.f5_modules / 1.28.0 / module / bigip_profile_server_ssl Manages server SSL profiles on a BIG-IP | "added in version" 1.0.0 of f5networks.f5_modules" Authors: Tim Rupp (@caphrim007)f5networks.f5_modules.bigip_profile_server_ssl (1.28.0) — module
Install with ansible-galaxy collection install f5networks.f5_modules:==1.28.0
collections: - name: f5networks.f5_modules version: 1.28.0
Manages server SSL profiles on a BIG-IP system.
- name: Create a new server SSL profile bigip_profile_server_ssl: name: foo provider: password: secret server: lb.mydomain.com user: admin delegate_to: localhost
- name: Create server SSL profile with specific cipher group bigip_profile_server_ssl: state: present name: foo_group ciphers: "none" cipher_group: "/Common/f5-secure" provider: server: lb.mydomain.com user: admin password: secret delegate_to: localhost
key: description: - Specifies the file name of the SSL key. type: str name: description: - Specifies the name of the profile. required: true type: str chain: description: - Specifies the certificates-key chain to associate with the SSL profile. type: str state: choices: - present - absent default: present description: - When C(present), ensures the profile exists. - When C(absent), ensures the profile is removed. type: str parent: default: /Common/serverssl description: - The parent template of this monitor template. Once this value has been set, it cannot be changed. type: str ca_file: description: - Specifies a server CA the system trusts. The default is (None). type: str ciphers: description: - Specifies the list of ciphers the system supports. When creating a new profile, the default cipher list is provided by the parent profile. - When the C(cipher_group) parameter is in use, the C(ciphers) parameter needs to be set to either C(none) or C(''). type: str options: choices: - dont-insert-empty-fragments - no-ssl - no-dtls - no-session-resumption-on-renegotiation - no-tlsv1.1 - no-tlsv1.2 - no-tlsv1.3 - single-dh-use - tls-rollback-bug - no-sslv3 - no-tls - no-tlsv1 - none description: - Options the system uses for SSL processing in the form of a list. When creating a new profile, the list is provided by the parent profile. - When C('') or C(none), all options for SSL processing are disabled. elements: str type: list provider: description: - A dict object containing connection details. suboptions: auth_provider: description: - Configures the auth provider for to obtain authentication tokens from the remote device. - This option is really used when working with BIG-IQ devices. type: str no_f5_teem: default: false description: - If C(yes), TEEM telemetry data is not sent to F5. - You may omit this option by setting the environment variable C(F5_TELEMETRY_OFF). - Previously used variable C(F5_TEEM) is deprecated as its name was confusing. type: bool password: aliases: - pass - pwd description: - The password for the user account used to connect to the BIG-IP or the BIG-IQ. - You may omit this option by setting the environment variable C(F5_PASSWORD). required: true type: str server: description: - The BIG-IP host or the BIG-IQ host. - You may omit this option by setting the environment variable C(F5_SERVER). required: true type: str server_port: default: 443 description: - The BIG-IP server port. - You may omit this option by setting the environment variable C(F5_SERVER_PORT). type: int timeout: description: - Specifies the timeout in seconds for communicating with the network device for either connecting or sending commands. If the timeout is exceeded before the operation is completed, the module will error. type: int transport: choices: - rest default: rest description: - Configures the transport connection to use when connecting to the remote device. type: str user: description: - The username to connect to the BIG-IP or the BIG-IQ. This user must have administrative privileges on the device. - You may omit this option by setting the environment variable C(F5_USER). required: true type: str validate_certs: default: true description: - If C(no), SSL certificates are not validated. Use this only on personally controlled sites using self-signed certificates. - You may omit this option by setting the environment variable C(F5_VALIDATE_CERTS). type: bool type: dict version_added: 1.0.0 version_added_collection: f5networks.f5_modules partition: default: Common description: - Device partition to manage resources on. type: str passphrase: description: - Specifies a passphrase used to encrypt the key. type: str certificate: description: - Specifies the name of the certificate the system uses for server-side SSL processing. type: str server_name: description: - Specifies the fully qualified DNS hostname of the server used in Server Name Indication communications. When creating a new profile, the setting is provided by the parent profile. type: str sni_default: description: - Indicates the system uses this profile as the default SSL profile when there is no match to the server name, or when the client provides no SNI extension support. - When creating a new profile, the setting is provided by the parent profile. - There can be only one SSL profile with this setting enabled. type: bool sni_require: description: - Requires the network peers also provide SNI support. This setting only takes effect when C(sni_default) is C(true). - When creating a new profile, the setting is provided by the parent profile. type: bool cipher_group: description: - Specifies the cipher group to assign to this profile. - When the C(ciphers) parameter is in use, the C(cipher_group) must be set to either C(none) or C(''). - When creating a new profile with C(cipher_group), if the parent profile has C(ciphers) set by default, the C(cipher) parameter must be set to C(none) or C('') during creation. - The parameter only works on TMOS version 13.x and later. type: str version_added: 1.12.0 version_added_collection: f5networks.f5_modules ocsp_profile: description: - Specifies the name of the OCSP profile for purpose of validating the status of server certificate. type: str renegotiation: description: - Enables or disables SSL renegotiation. - When creating a new profile, the setting is provided by the parent profile. type: bool update_password: choices: - always - on_create default: always description: - C(always) allows users to update passwords if they choose to do so. C(on_create) only sets the password for newly created profiles. type: str authenticate_name: description: - Specifies a Common Name (CN) that is embedded in a server certificate. The system authenticates a server based on the specified CN. type: str server_certificate: choices: - ignore - require description: - Specifies the way the system handles server certificates. - When C(ignore), specifies the system ignores certificates from server systems. - When C(require), specifies the system requires a server to present a valid certificate. type: str secure_renegotiation: choices: - require - require-strict - request description: - Specifies the method of secure renegotiations for SSL connections. When creating a new profile, the setting is provided by the parent profile. - When C(request) is set, the system requests secure renegotiation of SSL connections. - C(require) is a default setting and when set, the system permits initial SSL handshakes from clients but terminates renegotiations from unpatched clients. - With the C(require-strict) setting, the system requires strict renegotiation of SSL connections. In this mode the system refuses connections to insecure servers, and terminates existing SSL connections to insecure servers. type: str
cipher_group: description: The cipher group applied to the profile. returned: changed sample: /Common/f5-secure type: str ciphers: description: The ciphers applied to the profile. returned: changed sample: '!SSLv3:!SSLv2:ECDHE+AES-GCM+SHA256:ECDHE-RSA-AES128-CBC-SHA' type: str options: description: The list of options for SSL processing. returned: changed sample: - no-ssl - no-sslv3 type: list renegotiation: description: Renegotiation of SSL sessions. returned: changed sample: true type: bool secure_renegotiation: description: The method of secure SSL renegotiation. returned: changed sample: request type: str