Try SpotterManage SSL Authentication Policy in Radware Alteon
| "added in version" 2.9 of radware.radware_modules"
Authors: Leon Meguira (@leonmeguira), Nati Fridman (@natifridman)
stableinterface | supported by certified
Install with ansible-galaxy collection install radware.radware_modules:==0.6.12
collections:
- name: radware.radware_modules
version: 0.6.12SSL client authentication enables a server to confirm a client's identity as part of the SSL handshake process. Similarly, SSL server authentication enables a client to confirm the identity of the server. Authentication of a client or server requires checking their certificate validity. If the certificate is valid, the handshake process is completed, otherwise the session is terminated.
The same Authentication Policy can be associated with multiple SSL Policies.
- name: alteon configuration command
radware.radware_modules.alteon_config_ssl_client_auth_policy:
provider:
server: 192.168.1.1
user: admin
password: admin
validate_certs: no
https_port: 443
ssh_port: 22
timeout: 5
state: present
parameters:
index: ssl_server_auth_pol
description: test_auth_policy
state: enabled
ca_verification: require
advertised_ca_chain_type: default
cert_validation_method: ocsp
ocsp_validation_static_uri: http://uri.ocsp.com
ocsp_response_secure: enabled
trusted_ca_chain_name: ca_group_1
trusted_ca_chain_type: group
pass_cert_info_version_header_name: CCRT-ver
pass_cert_info_version_header: enabled
state:
choices:
- present
- absent
- read
- overwrite
- append
default: null
description:
- When C(present), guarantees that the object exists with the provided attributes.
- When C(absent), when applicable removes the object.
- When C(read), when exists read object from configuration to parameter format.
- When C(overwrite), removes the object if exists then recreate it
- When C(append), append object configuration with the provided parameters
required: true
provider:
description:
- Radware Alteon connection details.
required: true
suboptions:
https_port:
default: null
description:
- Radware Alteon https port.
required: true
password:
default: null
description:
- Radware Alteon password.
required: true
server:
default: null
description:
- Radware Alteon IP address.
required: true
ssh_port:
default: null
description:
- Radware Alteon ssh port.
required: true
timeout:
default: null
description:
- Timeout for connection.
required: true
user:
default: null
description:
- Radware Alteon username.
required: true
validate_certs:
default: null
description:
- If C(no), SSL certificates will not be validated.
- This should only set to C(no) used on personally controlled sites using self-signed
certificates.
required: true
type: bool
parameters:
description:
- Parameters for SSL Authentication Policy configuration.
suboptions:
advertised_ca_chain_name:
default: null
description:
- Specifies the certificate authority name that should be included in the Certificate
Request message, providing greater control over the configuration information
shared with unknown clients.
required: false
type: str
advertised_ca_chain_type:
choices:
- group
- cert
- default
- none
default: null
description:
- Advertised CA type
required: false
ca_chain_lookup_depth:
default: 2
description:
- Specifies the maximum number of certificates to be traversed in a certificate
chain while attempting to validate the link between the certificate and the
configured trusted CA.
required: false
type: int
ca_verification:
choices:
- enabled
- disabled
default: null
description:
- Specifies whether to verify that a client certificate is trusted.
required: false
cert_validation_method:
choices:
- none
- ocsp
default: none
description:
- Specifies the method for validating whether a certificate, that was already
validated as issued by a trusted entity, has not been revoked.
required: false
description:
default: null
description:
- An optional descriptive name of the policy in addition to the policy ID.
required: false
type: str
failure_redirection_url:
default: null
description:
- Specifies the URL to which a client should be redirected when its authentication
fails.
required: false
type: str
index:
default: null
description:
- The authentication policy name (key id) as an index.
required: true
type: str
ocsp_cert_chain_validation:
choices:
- enabled
- disabled
default: disabled
description:
- Specifies whether to enable validation of every certificate in the certificate
chain, or only of the authenticated element (client/server) certificate.
required: false
ocsp_response_cache_time_second:
default: null
description:
- Specifies the length of time for which the OCSP response is cached, in seconds.
required: false
type: int
ocsp_response_deviation_time_second:
default: 75
description:
- Allows to overlook small deviations, in seconds, between Alteon and OCSP server
timestamps when performing OCSP signature verification.
required: false
type: int
ocsp_response_secure:
choices:
- enabled
- disabled
default: enabled
description:
- Specifies whether to verify that the certificate status information received
from the OCSP responder is up-to-date by sending a random nonce (a random sequence
of 20 bytes) in the OCSP request. The OCSP responder must use its secret key
to sign the response containing this nonce.
required: false
ocsp_uri_priority:
choices:
- clientcert
- staticuri
default: clientcert
description:
- The OCSP access point can be configured (static URI) or can be provided in the
certificate (in the Authority Information Access extension). The OCSP URI priority
defines whether to check first if the location is provided in the certificate
or not.
required: false
ocsp_validation_static_uri:
default: null
description:
- Specifies the static URI for OCSP validation requests.
required: false
type: str
pass_cert_info_2424ssl_compliance_header:
choices:
- enabled
- disabled
default: disabled
description:
- Specifies whether to enable 2424SSL Headers Compliance Mode.
required: false
pass_cert_info_cert_header:
choices:
- enabled
- disabled
default: disabled
description:
- Specifies whether to pass certificate information information to the back-end
server.
required: false
pass_cert_info_cert_header_name:
default: CCRT-Certificate
description:
- Specifies the header name pass certificate information to the back-end server.
required: false
type: str
pass_cert_info_issuer_header:
choices:
- enabled
- disabled
default: disabled
description:
- Specifies whether to pass certificate issuer information to the back-end server.
required: false
pass_cert_info_issuer_header_name:
default: CCRT-Issuer
description:
- Specifies the header name pass certificate issuer information to the back-end
server.
required: false
type: str
pass_cert_info_md5_header:
choices:
- enabled
- disabled
default: disabled
description:
- Specifies whether to pass certificate MD5 hash information information to the
back-end server.
required: false
pass_cert_info_md5_header_name:
default: CCRT-MD5Hash
description:
- Specifies the header name pass certificate MD5 hash information to the back-end
server.
required: false
type: str
pass_cert_info_not_after_header:
choices:
- enabled
- disabled
default: disabled
description:
- Specifies whether to pass certificate Not After Validity Date to the back-end
server.
required: false
pass_cert_info_not_after_header_name:
default: CCRT-NotAfter
description:
- Specifies the header name pass certificate Not After Validity Date to the back-end
server.
required: false
type: str
pass_cert_info_not_before_header:
choices:
- enabled
- disabled
default: disabled
description:
- Specifies whether to pass certificate Not Before Validity Date to the back-end
server.
required: false
pass_cert_info_not_before_header_name:
default: CCRT-NotBefore
description:
- Specifies the header name pass certificate Not Before Validity Date to the back-end
server.
required: false
type: str
pass_cert_info_public_key_type_header:
choices:
- enabled
- disabled
default: disabled
description:
- Specifies whether to pass certificate Public Key Type information to the back-end
server.
required: false
pass_cert_info_public_key_type_header_name:
default: CCRT-publicKeyType
description:
- Specifies the header name pass certificate Public Key Type information to the
back-end server.
required: false
type: str
pass_cert_info_serial_number_header:
choices:
- enabled
- disabled
default: disabled
description:
- Specifies whether to pass certificate serial number to the back-end server.
required: false
pass_cert_info_serial_number_header_name:
default: CCRT-SN
description:
- Specifies the header name pass certificate serial number to the back-end server.
required: false
type: str
pass_cert_info_sign_algorithm_header:
choices:
- enabled
- disabled
default: disabled
description:
- Specifies whether to pass certificate Signature Algorithm to the back-end server.
required: false
pass_cert_info_sign_algorithm_header_name:
default: CCRT-SignatureAlgo
description:
- Specifies the header name pass certificate Signature Algorithm to the back-end
server.
required: false
type: str
pass_cert_info_subject_header:
choices:
- enabled
- disabled
default: disabled
description:
- Specifies whether to pass certificate subject information to the back-end server.
required: false
pass_cert_info_subject_header_name:
default: CCRT-Subject
description:
- Specifies the header name pass certificate subject information to the back-end
server.
required: false
type: str
pass_cert_info_version_header:
choices:
- enabled
- disabled
default: disabled
description:
- Specifies whether to pass certificate version information to the back-end server.
required: false
pass_cert_info_version_header_name:
default: CCRT-Version
description:
- Specifies the header name pass certificate version information to the back-end
server.
required: false
type: str
state:
choices:
- enabled
- disabled
default: null
description:
- Specifies whether to enable/disable the authentication policy.
required: false
trusted_ca_chain_name:
default: null
description:
- Trusted CA certificate name.
required: false
type: str
trusted_ca_chain_type:
choices:
- group
- cert
default: null
description:
- Specifies one or more (group) Certificate Authority (CA) certificates that are
trusted as issuers of regular (client/server) certificates.
required: false
revert_on_error:
default: false
description:
- If an error occurs, perform revert on alteon.
required: false
type: bool
write_on_change:
default: false
description:
- Executes Alteon write calls only when an actual change has been evaluated.
required: false
type: bool
obj: description: parameters object type returned: changed, read type: dictionary status: description: Message detailing run result returned: success sample: object deployed successfully type: str