netscaler.adc.sslparameter (2.5.1) — module

Configuration for SSL parameter resource.

Added in version 2.0.0 of netscaler.adc

Authors: Sumanth Lingappa (@sumanth-lingappa)

preview | supported by community

Install collection

Install with: ansible-galaxy collection install netscaler.adc:==2.5.1


Add to requirements.yml

  collections:
    - name: netscaler.adc
      version: 2.5.1

Description

Configuration for SSL parameter resource.

Inputs

nsip:
    description:
    - The ip address of the NetScaler ADC appliance where the nitro API calls will be
      made.
    - The port can be specified with the colon (:). E.g. 192.168.1.1:555.
    required: true
    type: str

state:
    choices:
    - present
    - unset
    default: present
    description:
    - The state of the resource being configured by the module on the NetScaler ADC node.
    - When C(present), the resource will be added or updated according to the
      module's parameters.
    - When C(unset), the resource will be unset on the NetScaler ADC node.
    type: str

api_path:
    default: nitro/v1/config
    description:
    - Base NITRO API path.
    - Define only in the case of an ADM service proxy call.
    type: str

pushflag:
    description:
    - 'Insert PUSH flag into decrypted, encrypted, or all records. If the PUSH flag is
      set to a value other than 0, the buffered records are forwarded on the basis of
      the value of the PUSH flag. Available settings function as follows:'
    - 0 - Auto (PUSH flag is not set.)
    - 1 - Insert PUSH flag into every decrypted record.
    - 2 - Insert PUSH flag into every encrypted record.
    - 3 - Insert PUSH flag into every decrypted and encrypted record.
    type: float

nitro_pass:
    description:
    - The password with which to authenticate to the NetScaler ADC node.
    required: false
    type: str

nitro_user:
    description:
    - The username with which to authenticate to the NetScaler ADC node.
    required: false
    type: str

quantumsize:
    choices:
    - '4096'
    - '8192'
    - '16384'
    description:
    - Amount of data to collect before the data is pushed to the crypto hardware for encryption.
      For large downloads, a larger quantum size better utilizes the crypto resources.
    type: str

save_config:
    default: false
    description:
    - If C(true) the module will save the configuration on the NetScaler ADC node if it
      makes any changes.
    - The module will not save the configuration on the NetScaler ADC node if it made
      no changes.
    type: bool

denysslreneg:
    choices:
    - 'NO'
    - FRONTEND_CLIENT
    - FRONTEND_CLIENTSERVER
    - ALL
    - NONSECURE
    description:
    - 'Deny renegotiation in specified circumstances. Available settings function as follows:'
    - '* C(NO) - Allow SSL renegotiation.'
    - '* C(FRONTEND_CLIENT) - Deny secure and nonsecure SSL renegotiation initiated by
      the client.'
    - '* C(FRONTEND_CLIENTSERVER) - Deny secure and nonsecure SSL renegotiation initiated
      by the client or the Citrix ADC during policy-based client authentication.'
    - '* C(ALL) - Deny all secure and nonsecure SSL renegotiation.'
    - '* C(NONSECURE) - Deny nonsecure SSL renegotiation. Allows only clients that support
      RFC 5746.'
    type: str

ocspcachesize:
    description:
    - Size, per packet engine, in megabytes, of the OCSP cache. A maximum of 10% of the
      packet engine memory can be assigned. Because the maximum allowed packet engine
      memory is 4GB, the maximum value that can be assigned to the OCSP cache is approximately
      410 MB.
    type: float

sigdigesttype:
    choices:
    - ALL
    - RSA-MD5
    - RSA-SHA1
    - RSA-SHA224
    - RSA-SHA256
    - RSA-SHA384
    - RSA-SHA512
    - DSA-SHA1
    - DSA-SHA224
    - DSA-SHA256
    - DSA-SHA384
    - DSA-SHA512
    - ECDSA-SHA1
    - ECDSA-SHA224
    - ECDSA-SHA256
    - ECDSA-SHA384
    - ECDSA-SHA512
    description:
    - Signature digest algorithms that are supported by the appliance. The default value
      is C(ALL), which enables the following algorithms depending on the platform.
    - 'On VPX: C(ECDSA-SHA1) C(ECDSA-SHA224) C(ECDSA-SHA256) C(ECDSA-SHA384) C(ECDSA-SHA512)
      C(RSA-SHA1) C(RSA-SHA224) C(RSA-SHA256) C(RSA-SHA384) C(RSA-SHA512) C(DSA-SHA1)
      C(DSA-SHA224) C(DSA-SHA256) C(DSA-SHA384) C(DSA-SHA512)'
    - 'On MPX with Nitrox-III and Coleto cards: C(RSA-SHA1) C(RSA-SHA224) C(RSA-SHA256)
      C(RSA-SHA384) C(RSA-SHA512) C(ECDSA-SHA1) C(ECDSA-SHA224) C(ECDSA-SHA256) C(ECDSA-SHA384)
      C(ECDSA-SHA512)'
    - 'Others: C(RSA-SHA1) C(RSA-SHA224) C(RSA-SHA256) C(RSA-SHA384) C(RSA-SHA512).'
    - 'Note: C(ALL) does not include C(RSA-MD5) on any platform.'
    elements: str
    type: list

defaultprofile:
    choices:
    - ENABLED
    - DISABLED
    description:
    - Global parameter used to enable the default profile feature.
    type: str

hybridfipsmode:
    choices:
    - ENABLED
    - DISABLED
    description:
    - When this mode is enabled, the system will use additional crypto hardware to accelerate
      symmetric crypto operations.
    type: str

nitro_protocol:
    choices:
    - http
    - https
    default: https
    description:
    - Which protocol to use when accessing the nitro API objects.
    type: str

sslierrorcache:
    choices:
    - ENABLED
    - DISABLED
    description:
    - Enable or disable dynamic learning, and caching of the learned information, for making
      the subsequent interception or bypass decision. When enabled, the NetScaler looks up
      this cached data to perform an early bypass.
    type: str

strictcachecks:
    choices:
    - 'YES'
    - 'NO'
    description:
    - Enable strict CA certificate checks on the appliance.
    type: str

validate_certs:
    default: true
    description:
    - If C(false), SSL certificates will not be validated. This should only be used on
      personally controlled sites using self-signed certificates.
    required: false
    type: bool

crlmemorysizemb:
    description:
    - Maximum memory size to use for certificate revocation lists (CRLs). This parameter
      reserves memory for a CRL but sets a limit to the maximum memory that the CRLs loaded
      on the appliance can consume.
    type: float

insertcertspace:
    choices:
    - 'YES'
    - 'NO'
    description:
    - Insert a space between lines in the certificate header of the request.
    type: str

sendclosenotify:
    choices:
    - 'YES'
    - 'NO'
    description:
    - Send an SSL Close-Notify message to the client at the end of a transaction.
    type: str

undefactiondata:
    description:
    - 'Name of the undefined built-in data action: NOOP, RESET or DROP.'
    type: str

nitro_auth_token:
    description:
    - The authentication token provided by a login operation.
    type: str
    version_added: 2.6.0
    version_added_collection: netscaler.adc

snihttphostmatch:
    choices:
    - 'NO'
    - CERT
    - STRICT
    description:
    - Controls how the HTTP 'Host' header value is validated. These checks are performed
      only if the session is SNI enabled (i.e. when the vserver, or the profile bound to the
      vserver, has SNI enabled and the 'Client Hello' arrived with the SNI extension) and the
      HTTP request contains a 'Host' header.
    - 'Available settings function as follows:'
    - 'C(CERT) - Request is forwarded if the ''Host'' value is covered by the certificate
      used to establish this SSL session. Note: C(CERT) matching mode cannot be applied in
      TLS 1.3 connections established by resuming from a previous TLS 1.3 session. On these
      connections, C(STRICT) matching mode will be used instead.'
    - 'C(STRICT) - Request is forwarded only if the value of the ''Host'' header in HTTP is
      identical to the ''Server name'' value passed in the ''Client Hello'' of the SSL
      connection.'
    - C(NO) - No validation is performed on the HTTP 'Host' header value.
    type: str

insertionencoding:
    choices:
    - Unicode
    - UTF-8
    description:
    - Encoding method used to insert the subject or issuer's name in HTTP requests to
      servers.
    type: str

ssltriggertimeout:
    description:
    - Time, in milliseconds, after which encryption is triggered for transactions that
      are not tracked on the Citrix ADC because their length is not known. There can be
      a delay of up to 10ms from the specified timeout value before the packet is pushed
      into the queue.
    type: float

heterogeneoussslhw:
    choices:
    - ENABLED
    - DISABLED
    description:
    - To support both Cavium-based and Coleto-based platforms in a cluster environment, this
      mode has to be enabled.
    type: str

undefactioncontrol:
    description:
    - 'Name of the undefined built-in control action: CLIENTAUTH, NOCLIENTAUTH, NOOP,
      RESET, or DROP.'
    type: str

operationqueuelimit:
    description:
    - Limit in percentage of capacity of the crypto operations queue beyond which new
      SSL connections are not accepted until the queue is reduced.
    type: float

sslimaxerrorcachemem:
    description:
    - Specify the maximum memory that can be used for caching the learned data. This memory
      is used as an LRU cache, so that old entries get replaced with new entries once the
      set memory limit is fully utilised. A value of 0 decides the limit automatically.
    type: float

cryptodevdisablelimit:
    description:
    - Limit to the number of disabled SSL chips after which the ADC restarts. A value
      of zero implies that the ADC does not automatically restart.
    type: float

pushenctriggertimeout:
    description:
    - PUSH encryption trigger timeout value. The timeout value is applied only if you
      set the Push Encryption Trigger parameter to Timer in the SSL virtual server settings.
    type: float

encrypttriggerpktcount:
    description:
    - Maximum number of queued packets after which encryption is triggered. Use this setting
      for SSL transactions that send small packets from server to Citrix ADC.
    type: float

dropreqwithnohostheader:
    choices:
    - 'YES'
    - 'NO'
    description:
    - Host header check for SNI-enabled sessions. If this check is enabled and the HTTP
      request for an SNI-enabled session (i.e. the vserver, or the profile bound to the
      vserver, has SNI enabled and the 'Client Hello' arrived with the SNI extension) does
      not contain a Host header, the request is dropped.
    type: str

softwarecryptothreshold:
    description:
    - Citrix ADC CPU utilization threshold (in percentage) beyond which crypto operations
      are not done in software.
    - A value of zero implies that CPU is not utilized for doing crypto in software.
    type: float

ndcppcompliancecertcheck:
    choices:
    - 'YES'
    - 'NO'
    description:
    - Applies when the Citrix ADC appliance acts as a client (back-end connection).
    - 'Settings apply as follows:'
    - C(YES) - During certificate verification, ignore the common name if SAN is present
      in the certificate.
    - C(NO) - Do not ignore common name.
    type: str
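As an added example (not part of the collection's own documentation), the playbook below applies the renegotiation, signature-digest, SNI host-header and certificate-check parameters described above in one task and prints the module's diff_list when something changed. The management address and the NITRO_USER / NITRO_PASS environment variables are placeholders.

```yaml
# Added example playbook; not from the netscaler.adc collection docs.
# Assumes: a NetScaler ADC reachable at the placeholder address below and the
# NITRO credentials exported as NITRO_USER / NITRO_PASS on the controller.
- name: Harden global SSL parameters on a NetScaler ADC
  hosts: localhost
  gather_facts: false
  vars:
    ns_host: 192.0.2.10            # placeholder management IP (optionally ip:port)
  tasks:
    - name: Apply global SSL parameter settings
      netscaler.adc.sslparameter:
        nsip: "{{ ns_host }}"
        nitro_user: "{{ lookup('ansible.builtin.env', 'NITRO_USER') }}"
        nitro_pass: "{{ lookup('ansible.builtin.env', 'NITRO_PASS') }}"
        nitro_protocol: https
        validate_certs: true         # module default, kept explicit for a management API
        state: present
        save_config: true            # persist the configuration only if something changed
        # Deny nonsecure renegotiation: only clients supporting RFC 5746 are allowed.
        denysslreneg: NONSECURE
        # Explicit digest list: leaves out RSA-MD5 (which ALL also excludes) and the
        # SHA-1 variants. The parameter is a list of strings.
        sigdigesttype:
          - RSA-SHA256
          - RSA-SHA384
          - RSA-SHA512
          - ECDSA-SHA256
          - ECDSA-SHA384
          - ECDSA-SHA512
        # SNI sessions: the Host header must equal the Client Hello server name, and
        # requests without a Host header are dropped.
        snihttphostmatch: STRICT
        dropreqwithnohostheader: 'YES'   # YES/NO are quoted so YAML keeps them as strings
        strictcachecks: 'YES'            # strict CA certificate checks on the appliance
        sendclosenotify: 'YES'           # send SSL Close-Notify at the end of a transaction
        ndcppcompliancecertcheck: 'YES'  # back-end verification ignores CN when a SAN exists
      register: sslparam

    - name: Show the attributes the module changed
      ansible.builtin.debug:
        var: sslparam.diff_list
      when: sslparam.changed
```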

Outputs

changed:
  description: Indicates if any change is made by the module
  returned: always
  sample: true
  type: bool
diff:
  description: Dictionary of before and after changes
  returned: always
  sample:
    after:
      key2: pqr
    before:
      key1: xyz
    prepared: changes done
  type: dict
diff_list:
  description: List of differences between the actual configured object and the configuration
    specified in the module
  returned: when changed
  sample:
  - 'Attribute `key1` differs. Desired: (<class ''str''>) XYZ. Existing: (<class ''str''>)
    PQR'
  type: list
failed:
  description: Indicates if the module failed or not
  returned: always
  sample: false
  type: bool
loglines:
  description: list of logged messages by the module
  returned: always
  sample:
  - message 1
  - message 2
  type: list