Try SpotterConfiguration for SSL profile resource.
| "added in version" 2.0.0 of netscaler.adc"
Authors: Sumanth Lingappa (@sumanth-lingappa)
preview | supported by community
Install with ansible-galaxy collection install netscaler.adc:==2.5.1
collections:
- name: netscaler.adc
version: 2.5.1Configuration for SSL profile resource.
dh:
choices:
- ENABLED
- DISABLED
description:
- State of Diffie-Hellman (DH) key exchange.
- This parameter is not applicable when configuring a backend profile.
type: str
ersa:
choices:
- ENABLED
- DISABLED
description:
- State of Ephemeral RSA (eRSA) key exchange. Ephemeral RSA allows clients that support
only export ciphers to communicate with the secure server even if the server certificate
does not support export clients. The ephemeral RSA key is automatically generated
when you bind an export cipher to an SSL or TCP-based SSL virtual server or service.
When you remove the export cipher, the eRSA key is not deleted. It is reused at
a later date when another export cipher is bound to an SSL or TCP-based SSL virtual
server or service. The eRSA key is deleted when the appliance restarts.
- This parameter is not applicable when configuring a backend profile.
type: str
hsts:
choices:
- ENABLED
- DISABLED
description:
- State of HSTS protocol support for the SSL profile. Using HSTS, a server can enforce
the use of an HTTPS connection for all communication with a client
type: str
name:
description:
- Name for the SSL profile. Must begin with an ASCII alphanumeric or underscore (_)
character, and must contain only ASCII alphanumeric, underscore, hash (#), period
(.), space, colon (:), at (@), equals (=), and hyphen (-) characters. Cannot be
changed after the profile is created.
type: str
nsip:
description:
- The ip address of the NetScaler ADC appliance where the nitro API calls will be
made.
- The port can be specified with the colon (:). E.g. 192.168.1.1:555.
required: true
type: str
ssl3:
choices:
- ENABLED
- DISABLED
description:
- State of SSLv3 protocol support for the SSL profile.
- 'Note: On platforms with SSL acceleration chips, if the SSL chip does not support
SSLv3, this parameter cannot be set to C(ENABLED).'
type: str
tls1:
choices:
- ENABLED
- DISABLED
description:
- State of TLSv1.0 protocol support for the SSL profile.
type: str
state:
choices:
- present
- absent
- unset
default: present
description:
- The state of the resource being configured by the module on the NetScaler ADC node.
- When C(present), the resource will be added/updated configured according to the
module's parameters.
- When C(absent), the resource will be deleted from the NetScaler ADC node.
- When C(unset), the resource will be unset on the NetScaler ADC node.
type: str
tls11:
choices:
- ENABLED
- DISABLED
description:
- State of TLSv1.1 protocol support for the SSL profile.
type: str
tls12:
choices:
- ENABLED
- DISABLED
description:
- State of TLSv1.2 protocol support for the SSL profile.
type: str
tls13:
choices:
- ENABLED
- DISABLED
description:
- State of TLSv1.3 protocol support for the SSL profile.
type: str
dhfile:
description:
- The file name and path for the DH parameter.
type: str
maxage:
description:
- Set the maximum time, in seconds, in the strict transport security (STS) header
during which the client must send only HTTPS requests to the server
type: float
dhcount:
description:
- Number of interactions, between the client and the Citrix ADC, after which the DH
private-public pair is regenerated. A value of zero (0) specifies refresh every
time.
- This parameter is not applicable when configuring a backend profile. Allowed DH
count values are 0 and >= 500.
type: float
preload:
choices:
- 'YES'
- 'NO'
description:
- Flag indicates the consent of the site owner to have their domain preloaded.
type: str
api_path:
default: nitro/v1/config
description:
- Base NITRO API path.
- Define only in case of an ADM service proxy call
type: str
pushflag:
description:
- 'Insert PUSH flag into decrypted, encrypted, or all records. If the PUSH flag is
set to a value other than 0, the buffered records are forwarded on the basis of
the value of the PUSH flag. Available settings function as follows:'
- 0 - Auto (PUSH flag is not set.)
- 1 - Insert PUSH flag into every decrypted record.
- 2 -Insert PUSH flag into every encrypted record.
- 3 - Insert PUSH flag into every decrypted and encrypted record.
type: float
cipherurl:
description:
- The redirect URL to be used with the Cipher Redirect feature.
type: str
ersacount:
description:
- The refresh count for the re-generation of RSA public-key and private-key pair.
type: float
sessreuse:
choices:
- ENABLED
- DISABLED
description:
- State of session reuse. Establishing the initial handshake requires CPU-intensive
public key encryption operations. With the C(ENABLED) setting, session key exchange
is avoided for session resumption requests received from the client.
type: str
snienable:
choices:
- ENABLED
- DISABLED
description:
- State of the Server Name Indication (SNI) feature on the virtual server and service-based
offload. SNI helps to enable SSL encryption on multiple domains on a single virtual
server or service if the domains are controlled by the same organization and share
the same second-level domain name. For example, *.sports.net can be used to secure
domains such as login.sports.net and help.sports.net.
type: str
sslireneg:
choices:
- ENABLED
- DISABLED
description:
- Enable or disable triggering the client renegotiation when renegotiation request
is received from the origin server.
type: str
ciphername:
description:
- The cipher group/alias/individual cipher configuration
type: str
clientauth:
choices:
- ENABLED
- DISABLED
description:
- State of client authentication. In service-based SSL offload, the service terminates
the SSL handshake if the SSL client does not provide a valid certificate.
- This parameter is not applicable when configuring a backend profile.
type: str
clientcert:
choices:
- Mandatory
- Optional
description:
- The rule for client certificate requirement in client authentication.
type: str
commonname:
description:
- Name to be checked against the CommonName (CN) field in the server certificate bound
to the SSL server.
type: str
nitro_pass:
description:
- The password with which to authenticate to the NetScaler ADC node.
required: false
type: str
nitro_user:
description:
- The username with which to authenticate to the NetScaler ADC node.
required: false
type: str
serverauth:
choices:
- ENABLED
- DISABLED
description:
- State of server authentication support for the SSL Backend profile.
type: str
quantumsize:
choices:
- '4096'
- '8192'
- '16384'
description:
- Amount of data to collect before the data is pushed to the crypto hardware for encryption.
For large downloads, a larger quantum size better utilizes the crypto resources.
type: str
save_config:
default: false
description:
- If C(true) the module will save the configuration on the NetScaler ADC node if it
makes any changes.
- The module will not save the configuration on the NetScaler ADC node if it made
no changes.
type: bool
sesstimeout:
description:
- The Session timeout value in seconds.
type: float
sslredirect:
choices:
- ENABLED
- DISABLED
description:
- State of HTTPS redirects for the SSL service.
- For an SSL session, if the client browser receives a redirect message, the browser
tries to connect to the new location. However, the secure SSL session breaks if
the object has moved from a secure site (https://) to an unsecure site (http://).
Typically, a warning message appears on the screen, prompting the user to continue
or disconnect.
- If SSL Redirect is C(ENABLED), the redirect message is automatically converted from
http:// to https:// and the SSL session does not break.
- This parameter is not applicable when configuring a backend profile.
type: str
alpnprotocol:
choices:
- NONE
- HTTP1.1
- HTTP2
description:
- Application protocol supported by the server and used in negotiation of the protocol
with the client. Possible values are C(HTTP1.1), C(HTTP2) and C(NONE). Default value
is C(NONE) which implies application protocol is not enabled hence remain unknown
to the TLS layer. This parameter is relevant only if SSL connection is handled by
the virtual server of the type SSL_TCP.
type: str
denysslreneg:
choices:
- 'NO'
- FRONTEND_CLIENT
- FRONTEND_CLIENTSERVER
- ALL
- NONSECURE
description:
- 'Deny renegotiation in specified circumstances. Available settings function as follows:'
- '* C(NO) - Allow SSL renegotiation.'
- '* C(FRONTEND_CLIENT) - Deny secure and nonsecure SSL renegotiation initiated by
the client.'
- '* C(FRONTEND_CLIENTSERVER) - Deny secure and nonsecure SSL renegotiation initiated
by the client or the Citrix ADC during policy-based client authentication.'
- '* C(ALL) - Deny all secure and nonsecure SSL renegotiation.'
- '* C(NONSECURE) - Deny nonsecure SSL renegotiation. Allows only clients that support
RFC 5746.'
type: str
ocspstapling:
choices:
- ENABLED
- DISABLED
description:
- 'State of OCSP stapling support on the SSL virtual server. Supported only if the
protocol used is higher than SSLv3. Possible values:'
- 'C(ENABLED): The appliance sends a request to the OCSP responder to check the status
of the server certificate and caches the response for the specified time. If the
response is valid at the time of SSL handshake with the client, the OCSP-based server
certificate status is sent to the client during the handshake.'
- 'C(DISABLED): The appliance does not check the status of the server certificate.'
type: str
cleartextport:
description:
- Port on which clear-text data is sent by the appliance to the server. Do not specify
this parameter for SSL offloading with end-to-end encryption.
type: int
sessionticket:
choices:
- ENABLED
- DISABLED
description:
- This option enables the use of session tickets, as per the RFC 5077
type: str
ssliocspcheck:
choices:
- ENABLED
- DISABLED
description:
- Enable or disable OCSP check for origin server certificate.
type: str
ssllogprofile:
description:
- The name of the ssllogprofile.
type: str
cipherpriority:
description:
- cipher priority
type: float
cipherredirect:
choices:
- ENABLED
- DISABLED
description:
- State of Cipher Redirect. If this parameter is set to C(ENABLED), you can configure
an SSL virtual server or service to display meaningful error messages if the SSL
handshake fails because of a cipher mismatch between the virtual server or service
and the client.
- This parameter is not applicable when configuring a backend profile.
type: str
nitro_protocol:
choices:
- http
- https
default: https
description:
- Which protocol to use when accessing the nitro API objects.
type: str
pushenctrigger:
choices:
- Always
- Merge
- Ignore
- Timer
description:
- 'Trigger encryption on the basis of the PUSH flag value. Available settings function
as follows:'
- '* ALWAYS - Any PUSH packet triggers encryption.'
- '* IGNORE - C(Ignore) PUSH packet for triggering encryption.'
- '* MERGE - For a consecutive sequence of PUSH packets, the last PUSH packet triggers
encryption.'
- '* TIMER - PUSH packet triggering encryption is delayed by the time defined in the
set ssl parameter command or in the Change Advanced SSL Settings dialog box.'
type: str
sslprofiletype:
choices:
- BackEnd
- FrontEnd
- QUIC-FrontEnd
description:
- Type of profile. Front end profiles apply to the entity that receives requests from
a client. Backend profiles apply to the entity that sends client requests to a server.
type: str
strictcachecks:
choices:
- 'YES'
- 'NO'
description:
- Enable strict CA certificate checks on the appliance.
type: str
validate_certs:
default: true
description:
- If C(false), SSL certificates will not be validated. This should only be used on
personally controlled sites using self-signed certificates.
required: false
type: bool
allowunknownsni:
choices:
- ENABLED
- DISABLED
description:
- 'Controls how the handshake is handled when the server name extension does not match
any of the bound certificates. These checks are performed only if the session is
SNI enabled (i.e. when profile bound to vserver has SNIEnable and Client Hello arrived
with SNI extension). Available settings function as follows :'
- C(ENABLED) - handshakes with an unknown SNI are allowed to continue, if a default
cert is bound.
- DISLABED - handshakes with an unknown SNI are not allowed to continue.
type: str
sendclosenotify:
choices:
- 'YES'
- 'NO'
description:
- Enable sending SSL Close-Notify at the end of a transaction.
type: str
sslinterception:
choices:
- ENABLED
- DISABLED
description:
- Enable or disable transparent interception of SSL sessions.
type: str
nitro_auth_token:
description:
- The authentication token provided by a login operation.
type: str
version_added: 2.6.0
version_added_collection: netscaler.adc
snihttphostmatch:
choices:
- 'NO'
- CERT
- STRICT
description:
- Controls how the HTTP 'Host' header value is validated. These checks are performed
only if the session is SNI enabled (i.e when vserver or profile bound to vserver
has SNI enabled and 'Client Hello' arrived with SNI extension) and HTTP request
contains 'Host' header.
- 'Available settings function as follows:'
- C(CERT) - Request is forwarded if the 'Host' value is covered
- ' by the certificate used to establish this SSL session.'
- ' Note: ''C(CERT)'' matching mode cannot be applied in'
- ' TLS 1.3 connections established by resuming from a'
- ' previous TLS 1.3 session. On these connections, ''C(STRICT)'''
- ' matching mode will be used instead.'
- C(STRICT) - Request is forwarded only if value of 'Host' header
- ' in HTTP is identical to the ''Server name'' value passed'
- ' in ''Client Hello'' of the SSL connection.'
- C(NO) - No validation is performed on the HTTP 'Host'
- ' header value.'
type: str
zerorttearlydata:
choices:
- ENABLED
- DISABLED
description:
- State of TLS 1.3 0-RTT early data support for the SSL Virtual Server. This setting
only has an effect if resumption is enabled, as early data cannot be sent along
with an initial handshake.
- Early application data has significantly different security properties - in particular
there is no guarantee that the data cannot be replayed.
type: str
dhkeyexpsizelimit:
choices:
- ENABLED
- DISABLED
description:
- This option enables the use of NIST recommended (NIST Special Publication 800-56A)
bit size for private-key size. For example, for DH params of size 2048bit, the private-key
size recommended is 224bits. This is rounded-up to 256bits.
type: str
includesubdomains:
choices:
- 'YES'
- 'NO'
description:
- Enable HSTS for subdomains. If set to Yes, a client must send only HTTPS requests
for subdomains.
type: str
insertionencoding:
choices:
- Unicode
- UTF-8
description:
- Encoding method used to insert the subject or issuer's name in HTTP requests to
servers.
type: str
ssltriggertimeout:
description:
- Time, in milliseconds, after which encryption is triggered for transactions that
are not tracked on the Citrix ADC because their length is not known. There can be
a delay of up to 10ms from the specified timeout value before the packet is pushed
into the queue.
type: float
sessionkeylifetime:
description:
- This option sets the life time of symm key used to generate session tickets issued
by NS in secs
type: float
redirectportrewrite:
choices:
- ENABLED
- DISABLED
description:
- State of the port rewrite while performing HTTPS redirect. If this parameter is
set to C(ENABLED), and the URL from the server does not contain the standard port,
the port is rewritten to the standard.
type: str
sessionticketkeydata:
description:
- Session ticket enc/dec key , admin can set it
type: str
sslimaxsessperserver:
description:
- Maximum ssl session to be cached per dynamic origin server. A unique ssl session
is created for each SNI received from the client on ClientHello and the matching
session is used for server session reuse.
type: float
strictsigdigestcheck:
choices:
- ENABLED
- DISABLED
description:
- Parameter indicating to check whether peer entity certificate during TLS1.2 handshake
is signed with one of signature-hash combination supported by Citrix ADC.
type: str
dhekeyexchangewithpsk:
choices:
- 'YES'
- 'NO'
description:
- Whether or not the SSL Virtual Server will require a DHE key exchange to occur when
a PSK is accepted during a TLS 1.3 resumption handshake.
- A DHE key exchange ensures forward secrecy even in the event that ticket keys are
compromised, at the expense of an additional round trip and resources required to
carry out the DHE key exchange.
- If disabled, a DHE key exchange will be performed when a PSK is accepted but only
if requested by the client.
- If enabled, the server will require a DHE key exchange when a PSK is accepted regardless
of whether the client supports combined PSK-DHE key exchange. This setting only
has an effect when resumption is enabled.
type: str
pushenctriggertimeout:
description:
- PUSH encryption trigger timeout value. The timeout value is applied only if you
set the Push Encryption Trigger parameter to Timer in the SSL virtual server settings.
type: float
sessionticketlifetime:
description:
- This option sets the life time of session tickets issued by NS in secs
type: float
encrypttriggerpktcount:
description:
- Maximum number of queued packets after which encryption is triggered. Use this setting
for SSL transactions that send small packets from server to Citrix ADC.
type: float
prevsessionkeylifetime:
description:
- This option sets the life time of symm key used to generate session tickets issued
by NS in secs
type: float
dropreqwithnohostheader:
choices:
- 'YES'
- 'NO'
description:
- Host header check for SNI enabled sessions. If this check is enabled and the HTTP
request does not contain the host header for SNI enabled sessions(i.e vserver or
profile bound to vserver has SNI enabled and 'Client Hello' arrived with SNI extension),
the request is dropped.
type: str
sessionticketkeyrefresh:
choices:
- ENABLED
- DISABLED
description:
- This option enables the use of session tickets, as per the RFC 5077
type: str
allowextendedmastersecret:
choices:
- 'YES'
- 'NO'
description:
- When set to C(YES), attempt to use the TLS Extended Master Secret (EMS, as
- described in RFC 7627) when negotiating TLS 1.0, TLS 1.1 and TLS 1.2
- connection parameters. EMS must be supported by both the TLS client and server
- in order to be enabled during a handshake. This setting applies to both
- frontend and backend SSL profiles.
type: str
clientauthuseboundcachain:
choices:
- ENABLED
- DISABLED
description:
- Certficates bound on the VIP are used for validating the client cert. Certficates
came along with client cert are not used for validating the client cert
type: str
skipclientcertpolicycheck:
choices:
- ENABLED
- DISABLED
description:
- This flag controls the processing of X509 certificate policies. If this option is
Enabled, then the policy check in Client authentication will be skipped. This option
can be used only when Client Authentication is Enabled and ClientCert is set to
Mandatory
type: str
sslprofile_ecccurve_binding:
description: Bindings for sslprofile_ecccurve_binding resource
suboptions:
binding_members:
default: []
description: List of binding members
elements: dict
type: list
mode:
choices:
- desired
- bind
- unbind
default: desired
description:
- The mode in which to configure the bindings.
- If mode is set to C(desired), the bindings will be added or removed from the
target NetScaler ADCs as necessary to match the bindings specified in the state.
- If mode is set to C(bind), the specified bindings will be added to the resource.
The existing bindings in the target ADCs will not be modified.
- If mode is set to C(unbind), the specified bindings will be removed from the
resource. The existing bindings in the target ADCs will not be modified.
type: str
type: dict
sslprofile_sslcipher_binding:
description: Bindings for sslprofile_sslcipher_binding resource
suboptions:
binding_members:
default: []
description: List of binding members
elements: dict
type: list
mode:
choices:
- desired
- bind
- unbind
default: desired
description:
- The mode in which to configure the bindings.
- If mode is set to C(desired), the bindings will be added or removed from the
target NetScaler ADCs as necessary to match the bindings specified in the state.
- If mode is set to C(bind), the specified bindings will be added to the resource.
The existing bindings in the target ADCs will not be modified.
- If mode is set to C(unbind), the specified bindings will be removed from the
resource. The existing bindings in the target ADCs will not be modified.
type: str
type: dict
sslprofile_sslcertkey_binding:
description: Bindings for sslprofile_sslcertkey_binding resource
suboptions:
binding_members:
default: []
description: List of binding members
elements: dict
type: list
mode:
choices:
- desired
- bind
- unbind
default: desired
description:
- The mode in which to configure the bindings.
- If mode is set to C(desired), the bindings will be added or removed from the
target NetScaler ADCs as necessary to match the bindings specified in the state.
- If mode is set to C(bind), the specified bindings will be added to the resource.
The existing bindings in the target ADCs will not be modified.
- If mode is set to C(unbind), the specified bindings will be removed from the
resource. The existing bindings in the target ADCs will not be modified.
type: str
type: dict
sslprofile_sslciphersuite_binding:
description: Bindings for sslprofile_sslciphersuite_binding resource
suboptions:
binding_members:
default: []
description: List of binding members
elements: dict
type: list
mode:
choices:
- desired
- bind
- unbind
default: desired
description:
- The mode in which to configure the bindings.
- If mode is set to C(desired), the bindings will be added or removed from the
target NetScaler ADCs as necessary to match the bindings specified in the state.
- If mode is set to C(bind), the specified bindings will be added to the resource.
The existing bindings in the target ADCs will not be modified.
- If mode is set to C(unbind), the specified bindings will be removed from the
resource. The existing bindings in the target ADCs will not be modified.
type: str
type: dict
tls13sessionticketsperauthcontext:
description:
- Number of tickets the SSL Virtual Server will issue anytime TLS 1.3 is negotiated,
ticket-based resumption is enabled, and either (1) a handshake completes or (2)
post-handhsake client auth completes.
- This value can be increased to enable clients to open multiple parallel connections
using a fresh ticket for each connection.
- No tickets are sent if resumption is disabled.
type: float
changed:
description: Indicates if any change is made by the module
returned: always
sample: true
type: bool
diff:
description: Dictionary of before and after changes
returned: always
sample:
after:
key2: pqr
before:
key1: xyz
prepared: changes done
type: dict
diff_list:
description: List of differences between the actual configured object and the configuration
specified in the module
returned: when changed
sample:
- 'Attribute `key1` differs. Desired: (<class ''str''>) XYZ. Existing: (<class ''str''>)
PQR'
type: list
failed:
description: Indicates if the module failed or not
returned: always
sample: false
type: bool
loglines:
description: list of logged messages by the module
returned: always
sample:
- message 1
- message 2
type: list