netscaler / netscaler.adc / 2.5.1 / module / sslparameter Configuration for SSL parameter resource. | "added in version" 2.0.0 of netscaler.adc" Authors: Sumanth Lingappa (@sumanth-lingappa) preview | supported by communitynetscaler.adc.sslparameter (2.5.1) — module
Install with ansible-galaxy collection install netscaler.adc:==2.5.1
collections: - name: netscaler.adc version: 2.5.1
Configuration for SSL parameter resource.
nsip: description: - The ip address of the NetScaler ADC appliance where the nitro API calls will be made. - The port can be specified with the colon (:). E.g. 192.168.1.1:555. required: true type: str state: choices: - present - unset default: present description: - The state of the resource being configured by the module on the NetScaler ADC node. - When C(present), the resource will be added/updated configured according to the module's parameters. - When C(unset), the resource will be unset on the NetScaler ADC node. type: str api_path: default: nitro/v1/config description: - Base NITRO API path. - Define only in case of an ADM service proxy call type: str pushflag: description: - 'Insert PUSH flag into decrypted, encrypted, or all records. If the PUSH flag is set to a value other than 0, the buffered records are forwarded on the basis of the value of the PUSH flag. Available settings function as follows:' - 0 - Auto (PUSH flag is not set.) - 1 - Insert PUSH flag into every decrypted record. - 2 -Insert PUSH flag into every encrypted record. - 3 - Insert PUSH flag into every decrypted and encrypted record. type: float nitro_pass: description: - The password with which to authenticate to the NetScaler ADC node. required: false type: str nitro_user: description: - The username with which to authenticate to the NetScaler ADC node. required: false type: str quantumsize: choices: - '4096' - '8192' - '16384' description: - Amount of data to collect before the data is pushed to the crypto hardware for encryption. For large downloads, a larger quantum size better utilizes the crypto resources. type: str save_config: default: false description: - If C(true) the module will save the configuration on the NetScaler ADC node if it makes any changes. - The module will not save the configuration on the NetScaler ADC node if it made no changes. type: bool denysslreneg: choices: - 'NO' - FRONTEND_CLIENT - FRONTEND_CLIENTSERVER - ALL - NONSECURE description: - 'Deny renegotiation in specified circumstances. Available settings function as follows:' - '* C(NO) - Allow SSL renegotiation.' - '* C(FRONTEND_CLIENT) - Deny secure and nonsecure SSL renegotiation initiated by the client.' - '* C(FRONTEND_CLIENTSERVER) - Deny secure and nonsecure SSL renegotiation initiated by the client or the Citrix ADC during policy-based client authentication.' - '* C(ALL) - Deny all secure and nonsecure SSL renegotiation.' - '* C(NONSECURE) - Deny nonsecure SSL renegotiation. Allows only clients that support RFC 5746.' type: str ocspcachesize: description: - Size, per packet engine, in megabytes, of the OCSP cache. A maximum of 10% of the packet engine memory can be assigned. Because the maximum allowed packet engine memory is 4GB, the maximum value that can be assigned to the OCSP cache is approximately 410 MB. type: float sigdigesttype: choices: - ALL - RSA-MD5 - RSA-SHA1 - RSA-SHA224 - RSA-SHA256 - RSA-SHA384 - RSA-SHA512 - DSA-SHA1 - DSA-SHA224 - DSA-SHA256 - DSA-SHA384 - DSA-SHA512 - ECDSA-SHA1 - ECDSA-SHA224 - ECDSA-SHA256 - ECDSA-SHA384 - ECDSA-SHA512 description: - Signature Digest Algorithms that are supported by appliance. Default value is "C(ALL)" and it will enable the following algorithms depending on the platform. - 'On VPX: C(ECDSA-SHA1) C(ECDSA-SHA224) C(ECDSA-SHA256) C(ECDSA-SHA384) C(ECDSA-SHA512) C(RSA-SHA1) C(RSA-SHA224) C(RSA-SHA256) C(RSA-SHA384) C(RSA-SHA512) C(DSA-SHA1) C(DSA-SHA224) C(DSA-SHA256) C(DSA-SHA384) C(DSA-SHA512)' - 'On MPX with Nitrox-III and coleto cards: C(RSA-SHA1) C(RSA-SHA224) C(RSA-SHA256) C(RSA-SHA384) C(RSA-SHA512) C(ECDSA-SHA1) C(ECDSA-SHA224) C(ECDSA-SHA256) C(ECDSA-SHA384) C(ECDSA-SHA512)' - 'Others: C(RSA-SHA1) C(RSA-SHA224) C(RSA-SHA256) C(RSA-SHA384) C(RSA-SHA512).' - Note:C(ALL) doesnot include C(RSA-MD5) for any platform. elements: str type: list defaultprofile: choices: - ENABLED - DISABLED description: - Global parameter used to enable default profile feature. type: str hybridfipsmode: choices: - ENABLED - DISABLED description: - When this mode is enabled, system will use additional crypto hardware to accelerate symmetric crypto operations. type: str nitro_protocol: choices: - http - https default: https description: - Which protocol to use when accessing the nitro API objects. type: str sslierrorcache: choices: - ENABLED - DISABLED description: - Enable or disable dynamically learning and caching the learned information to make the subsequent interception or bypass decision. When enabled, NS does the lookup of this cached data to do early bypass. type: str strictcachecks: choices: - 'YES' - 'NO' description: - Enable strict CA certificate checks on the appliance. type: str validate_certs: default: true description: - If C(false), SSL certificates will not be validated. This should only be used on personally controlled sites using self-signed certificates. required: false type: bool crlmemorysizemb: description: - Maximum memory size to use for certificate revocation lists (CRLs). This parameter reserves memory for a CRL but sets a limit to the maximum memory that the CRLs loaded on the appliance can consume. type: float insertcertspace: choices: - 'YES' - 'NO' description: - To insert space between lines in the certificate header of request type: str sendclosenotify: choices: - 'YES' - 'NO' description: - Send an SSL Close-Notify message to the client at the end of a transaction. type: str undefactiondata: description: - 'Name of the undefined built-in data action: NOOP, RESET or DROP.' type: str nitro_auth_token: description: - The authentication token provided by a login operation. type: str version_added: 2.6.0 version_added_collection: netscaler.adc snihttphostmatch: choices: - 'NO' - CERT - STRICT description: - Controls how the HTTP 'Host' header value is validated. These checks are performed only if the session is SNI enabled (i.e when vserver or profile bound to vserver has SNI enabled and 'Client Hello' arrived with SNI extension) and HTTP request contains 'Host' header. - 'Available settings function as follows:' - C(CERT) - Request is forwarded if the 'Host' value is covered - ' by the certificate used to establish this SSL session.' - ' Note: ''C(CERT)'' matching mode cannot be applied in' - ' TLS 1.3 connections established by resuming from a' - ' previous TLS 1.3 session. On these connections, ''C(STRICT)''' - ' matching mode will be used instead.' - C(STRICT) - Request is forwarded only if value of 'Host' header - ' in HTTP is identical to the ''Server name'' value passed' - ' in ''Client Hello'' of the SSL connection.' - C(NO) - No validation is performed on the HTTP 'Host' - ' header value.' type: str insertionencoding: choices: - Unicode - UTF-8 description: - Encoding method used to insert the subject or issuer's name in HTTP requests to servers. type: str ssltriggertimeout: description: - Time, in milliseconds, after which encryption is triggered for transactions that are not tracked on the Citrix ADC because their length is not known. There can be a delay of up to 10ms from the specified timeout value before the packet is pushed into the queue. type: float heterogeneoussslhw: choices: - ENABLED - DISABLED description: - To support both cavium and coleto based platforms in cluster environment, this mode has to be enabled. type: str undefactioncontrol: description: - 'Name of the undefined built-in control action: CLIENTAUTH, NOCLIENTAUTH, NOOP, RESET, or DROP.' type: str operationqueuelimit: description: - Limit in percentage of capacity of the crypto operations queue beyond which new SSL connections are not accepted until the queue is reduced. type: float sslimaxerrorcachemem: description: - Specify the maximum memory that can be used for caching the learned data. This memory is used as a LRU cache so that the old entries gets replaced with new entry once the set memory limit is fully utilised. A value of 0 decides the limit automatically. type: float cryptodevdisablelimit: description: - Limit to the number of disabled SSL chips after which the ADC restarts. A value of zero implies that the ADC does not automatically restart. type: float pushenctriggertimeout: description: - PUSH encryption trigger timeout value. The timeout value is applied only if you set the Push Encryption Trigger parameter to Timer in the SSL virtual server settings. type: float encrypttriggerpktcount: description: - Maximum number of queued packets after which encryption is triggered. Use this setting for SSL transactions that send small packets from server to Citrix ADC. type: float dropreqwithnohostheader: choices: - 'YES' - 'NO' description: - Host header check for SNI enabled sessions. If this check is enabled and the HTTP request does not contain the host header for SNI enabled sessions(i.e vserver or profile bound to vserver has SNI enabled and 'Client Hello' arrived with SNI extension), the request is dropped. type: str softwarecryptothreshold: description: - Citrix ADC CPU utilization threshold (in percentage) beyond which crypto operations are not done in software. - A value of zero implies that CPU is not utilized for doing crypto in software. type: float ndcppcompliancecertcheck: choices: - 'YES' - 'NO' description: - Applies when the Citrix ADC appliance acts as a client (back-end connection). - 'Settings apply as follows:' - C(YES) - During certificate verification, ignore the common name if SAN is present in the certificate. - C(NO) - Do not ignore common name. type: str
changed: description: Indicates if any change is made by the module returned: always sample: true type: bool diff: description: Dictionary of before and after changes returned: always sample: after: key2: pqr before: key1: xyz prepared: changes done type: dict diff_list: description: List of differences between the actual configured object and the configuration specified in the module returned: when changed sample: - 'Attribute `key1` differs. Desired: (<class ''str''>) XYZ. Existing: (<class ''str''>) PQR' type: list failed: description: Indicates if the module failed or not returned: always sample: false type: bool loglines: description: list of logged messages by the module returned: always sample: - message 1 - message 2 type: list