radware.radware_modules.alteon_config_ssl_policy (0.6.12) — module

Manage SSL policy in Radware Alteon

Added in version 2.9 of radware.radware_modules

Authors: Leon Meguira (@leonmeguira), Nati Fridman (@natifridman)

stableinterface | supported by certified

Install collection

Install with ansible-galaxy collection install radware.radware_modules:==0.6.12


Add to requirements.yml

  collections:
    - name: radware.radware_modules
      version: 0.6.12

Description

Manage SSL policy in Radware Alteon


Requirements

Usage examples

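# Example: create a front-end/back-end SSL policy with a hardened cipher string.
# The original example carried plaintext admin/admin credentials and disabled
# certificate validation; both are fixed here and the rest is unchanged.
- name: alteon configuration command
  radware.radware_modules.alteon_config_ssl_policy:
    provider:
      server: 192.168.1.1
      # Do not embed device credentials in the playbook. Source them from
      # Ansible Vault or a secret store; the variable names are placeholders.
      user: "{{ alteon_user }}"
      password: "{{ alteon_password }}"
      # Keep certificate validation on. With it off, the credentials above are
      # sent to whichever host answers on https_port. Only set this to false
      # for a personally controlled device that uses a self-signed certificate.
      validate_certs: true
      https_port: 443
      ssh_port: 22
      timeout: 5
    state: present
    parameters:
      index: ssl_pol_test
      description: test_policy
      be_ssl_encryption: enabled
      # Cap secure renegotiations (module default is 5; 0 disables them).
      secure_renegotiation: 3
      # TLS 1.0 and SSLv3 default to disabled, but TLS 1.1 defaults to enabled
      # on both sides; TLS 1.1 is deprecated (RFC 8996), so turn it off unless a
      # legacy client or back-end server still requires it.
      fe_ssl_tls1_1: disabled
      be_ssl_tls1_1: disabled
      fe_cipher_suite: user_defined_expert
      # OpenSSL cipher string, used as written by the device. It removes
      # null/anonymous, export, RC4/RC2/DES/3DES/IDEA, DSS/SRP/PSK and
      # finite-field DH suites and sorts the remainder by strength.
      # NOTE(review): in OpenSSL syntax "!RSA" excludes RSA-authenticated suites
      # as well as RSA key exchange, so a server certificate with an RSA key
      # would leave no usable suite -- confirm the bound certificate uses an
      # EC key before deploying this string.
      fe_user_defined_cipher: "ALL:!DH:!NULL:!aNULL:!EXPORT:!RC4:!RC2:!3DES:!DES:!DSS:!SRP:!PSK:!IDEA:!SSLv2:!RSA:@STRENGTH"
      be_hw_offload_rsa: disabled
      # Tells back-end servers the client connection arrived over HTTPS.
      pass_ssl_info_add_front_end_https_header: enabled
      fe_intermediate_ca_chain_type: group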

Inputs

    
state:
    choices:
    - present
    - absent
    - read
    - overwrite
    - append
    default: null
    description:
    - When C(present), guarantees that the object exists with the provided attributes.
    - When C(absent), removes the object where applicable.
    - When C(read), reads the existing object from the configuration into parameter format.
    - When C(overwrite), removes the object if it exists, then recreates it with the provided attributes.
    - When C(append), appends the provided parameters to the existing object configuration.
    required: true

provider:
    description:
    - Radware Alteon connection details.
    required: true
    suboptions:
      https_port:
        default: null
        description:
        - Radware Alteon https port.
        required: true
      password:
        default: null
        description:
        - Radware Alteon password.
        required: true
      server:
        default: null
        description:
        - Radware Alteon IP address.
        required: true
      ssh_port:
        default: null
        description:
        - Radware Alteon ssh port.
        required: true
      timeout:
        default: null
        description:
        - Timeout for connection.
        required: true
      user:
        default: null
        description:
        - Radware Alteon username.
        required: true
      validate_certs:
        default: null
        description:
        - If C(no), SSL certificates will not be validated.
        - This should only be set to C(no) on personally controlled sites that use self-signed
          certificates. With validation disabled, the I(user)/I(password) credentials are sent to
          whichever host answers on I(https_port), so an interposed host can capture them.
        required: true
        type: bool

parameters:
    description:
    - Parameters for SSL policy configuration.
    suboptions:
      be_auth_policy_name:
        default: null
        description:
        - Specifies how server certificate authenticity should be checked, if at all.
          Select an Authentication Policy of type Server.
        required: false
        type: str
      be_cipher:
        choices:
        - low
        - medium
        - high
        - user_defined
        - user_defined_expert
        - main
        default: main
        description:
        - Specifies the cipher suites allowed in the back-end SSL policy.
        required: false
      be_client_cert_name:
        default: null
        description:
        - Specifies the client certificate that Alteon presents when the back-end server
          requests a certificate from the client (Alteon) for authentication.
        required: false
        type: str
      be_hw_offload_bulk_encryption:
        choices:
        - enabled
        - disabled
        default: null
        description:
        - Specifies enabling hardware offload for Bulk encryption algorithm on the back-end
          SSL.
        required: false
      be_hw_offload_dh:
        choices:
        - enabled
        - disabled
        default: null
        description:
        - Specifies enabling hardware offload for DHE algorithm on the back-end SSL.
        required: false
      be_hw_offload_ec:
        choices:
        - enabled
        - disabled
        default: null
        description:
        - Specifies enabling hardware offload for ECDHE algorithm on the back-end SSL.
        required: false
      be_hw_offload_rsa:
        choices:
        - enabled
        - disabled
        default: null
        description:
        - Specifies enabling hardware offload for RSA algorithm on the back-end SSL.
        required: false
      be_hw_ssl_offload:
        choices:
        - enabled
        - disabled
        default: enabled
        description:
        - Specifies enabling hardware offload on the back-end SSL.
        required: false
      be_include_sni:
        choices:
        - enabled
        - disabled
        default: disabled
        description:
        - Specifies whether to enable or disable including back-end SNI.
        required: false
      be_ssl_encryption:
        choices:
        - enabled
        - disabled
        default: enabled
        description:
        - Specifies whether to establish an SSL connection towards the server and allow
          decryption/encryption of client traffic.
        required: false
      be_ssl_tls1_0:
        choices:
        - enabled
        - disabled
        default: disabled
        description:
        - Enable/Disable TLS 1.0 during SSL/TLS handshake.
        required: false
      be_ssl_tls1_1:
        choices:
        - enabled
        - disabled
        default: enabled
        description:
        - Enable/Disable TLS 1.1 during the SSL/TLS handshake. Enabled by default; TLS 1.1 is
          deprecated (RFC 8996) and should be disabled unless a legacy back-end server requires it.
        required: false
      be_ssl_tls1_2:
        choices:
        - enabled
        - disabled
        default: enabled
        description:
        - Enable/Disable TLS 1.2 during SSL/TLS handshake.
        required: false
      be_ssl_v3:
        choices:
        - enabled
        - disabled
        default: disabled
        description:
        - Enable/Disable SSLv3 during the SSL/TLS handshake. SSLv3 is obsolete (RFC 7568); leave
          it disabled.
        required: false
      be_user_defined_cipher:
        default: null
        description:
        - Specifies a user-defined cipher-suite using an exact cipher-string (requires
          expert OpenSSL knowledge).
        required: false
        type: str
      description:
        default: null
        description:
        - A name or description for the SSL policy.
        required: false
        type: str
      dh_key_size:
        choices:
        - keySize1024
        - keySize2048
        default: keySize2048
        description:
        - Size, in bits, of the Diffie-Hellman group used for DHE key exchange. C(keySize1024) is
          below current minimum recommendations for finite-field DH; keep the default
          C(keySize2048) unless a legacy peer requires otherwise.
        required: false
      fe_auth_policy_name:
        default: null
        description:
        - Specifies how client certificate authenticity should be checked, if at all.
        required: false
        type: str
      fe_cipher_suite:
        choices:
        - rsa
        - all
        - all_non_null_ciphers
        - sslv3
        - tlsv1
        - tlsv1_2
        - export
        - low
        - medium
        - high
        - rsa_rc4_128_md5
        - rsa_rc4_128_sha1
        - rsa_des_sha1
        - rsa_3des_sha1
        - rsa_aes_128_sha1
        - rsa_aes_256_sha1
        - pci_dss_compliance
        - user_defined
        - user_defined_expert
        - main
        - http2
        default: main
        description:
        - Select the cipher suite to use during the SSL handshake. The default is C(main).
        - Radware recommends that you use the PCI-DSS predefined cipher suite for enhanced
          SSL security.
        - The C(export), C(sslv3), C(rsa_rc4_128_md5), C(rsa_rc4_128_sha1), C(rsa_des_sha1) and
          C(rsa_3des_sha1) choices select cipher suites that are considered broken and are
          retained only for legacy interoperability.
        required: false
      fe_hw_offload_bulk_encryption:
        choices:
        - enabled
        - disabled
        default: null
        description:
        - Specifies enabling hardware offload for Bulk encryption algorithm on the front-end
          SSL.
        required: false
      fe_hw_offload_dh:
        choices:
        - enabled
        - disabled
        default: null
        description:
        - Specifies enabling hardware offload for DHE algorithm on the front-end SSL.
        required: false
      fe_hw_offload_ec:
        choices:
        - enabled
        - disabled
        default: null
        description:
        - Specifies enabling hardware offload for ECDHE algorithm on the front-end SSL.
        required: false
      fe_hw_offload_rsa:
        choices:
        - enabled
        - disabled
        default: null
        description:
        - Specifies enabling hardware offload for RSA algorithm on the front-end SSL.
        required: false
      fe_hw_ssl_offload:
        choices:
        - enabled
        - disabled
        default: enabled
        description:
        - Specifies enabling hardware offload on the front-end SSL.
        required: false
      fe_intermediate_ca_chain_name:
        default: null
        description:
        - Specifies the Intermediate CA certificate name or certificate chain (group)
          to be sent to the client together with the server certificate to construct the
          trust chain to the user's trusted CAs.
        required: false
        type: str
      fe_intermediate_ca_chain_type:
        choices:
        - group
        - cert
        - none
        default: null
        description:
        - Specifies whether the intermediate CA material sent to the client together with the
          server certificate is a single certificate (C(cert)), a certificate chain group
          (C(group)), or nothing (C(none)). The certificate or group itself is named by
          I(fe_intermediate_ca_chain_name).
        required: false
      fe_ssl_encryption:
        choices:
        - enabled
        - disabled
        - connect
        default: enabled
        description:
        - Specifies whether to establish an SSL connection with the client and allow decryption/encryption
          of client traffic.
        - C(disabled) No decryption/encryption on the client-side connection.
        - C(enabled) The SSL connection is established and traffic is decrypted/encrypted
          on the client-side connection
        - C(connect) The SSL connection is established after a clear-text HTTP CONNECT request
          is received and answered. This option is relevant only for outbound SSL Inspection
          scenarios where Alteon is installed as the HTTPS proxy for the clients.
        - For other (non-HTTP) traffic, the SSL connection is established after a clear-text
          "starttls" request is received and answered.
        required: false
      fe_ssl_tls1_0:
        choices:
        - enabled
        - disabled
        default: disabled
        description:
        - Enable/Disable TLS 1.0 during SSL/TLS handshake.
        required: false
      fe_ssl_tls1_1:
        choices:
        - enabled
        - disabled
        default: enabled
        description:
        - Enable/Disable TLS 1.1 during the SSL/TLS handshake. Enabled by default; TLS 1.1 is
          deprecated (RFC 8996) and should be disabled unless legacy clients require it.
        required: false
      fe_ssl_tls1_2:
        choices:
        - enabled
        - disabled
        default: enabled
        description:
        - Enable/Disable TLS 1.2 during SSL/TLS handshake.
        required: false
      fe_ssl_v3:
        choices:
        - enabled
        - disabled
        default: disabled
        description:
        - Enable/Disable SSLv3 during the SSL/TLS handshake. SSLv3 is obsolete (RFC 7568); leave
          it disabled.
        required: false
      fe_user_defined_cipher:
        default: null
        description:
        - The user-defined cipher suite allowed for SSL, in OpenSSL cipher-string format. The
          example pairs it with C(fe_cipher_suite: user_defined_expert).
        - Alteon supports all ciphers supported by the OpenSSL format. Because the string is used
          as written, exclude weak families (for example C(NULL), C(aNULL), C(EXPORT), C(RC4),
          C(DES), C(3DES)) explicitly, as the example does.
        required: false
        type: str
      http_redirection_conversion:
        choices:
        - enabled
        - disabled
        description:
        - Enable/Disable HTTP redirection conversion
        required: false
      index:
        default: null
        description:
        - The SSL policy name as an index.
        required: true
        type: str
      pass_ssl_info_add_front_end_https_header:
        choices:
        - enabled
        - disabled
        default: disabled
        description:
        - Specifies whether to add the Front-End HTTPS header to communicate to the back-end
          servers that the connection from the client is over HTTPS.
        required: false
      pass_ssl_info_cipher_bits_header:
        choices:
        - enabled
        - disabled
        default: disabled
        description:
        - Specifies whether to pass the key length for the symmetric cipher negotiated
          (for example, 128 bits if AES128 was selected) to the back-end servers.
        required: false
      pass_ssl_info_cipher_bits_header_name:
        default: Cipher-Bits
        description:
        - Specifies what header name to use when passing the key length for the symmetric
          cipher negotiated (for example, 128 bits if AES128 was selected) to the back-end
          servers.
        required: false
        type: str
      pass_ssl_info_cipher_header:
        choices:
        - enabled
        - disabled
        default: disabled
        description:
        - Specifies whether to pass cipher-suite information to the back-end servers.
        required: false
      pass_ssl_info_cipher_header_name:
        default: Cipher-Suite
        description:
        - Specifies what header name to use when passing cipher-suite information to the
          back-end servers.
        required: false
        type: str
      pass_ssl_info_compliant_x_ssl_header:
        choices:
        - enabled
        - disabled
        default: disabled
        description:
        - Specifies whether to enable the 2424SSL Headers Compliance Mode.
        required: false
      pass_ssl_info_ssl_ver:
        choices:
        - enabled
        - disabled
        default: disabled
        description:
        - Specifies whether to pass the SSL version to the back-end servers.
        required: false
      pass_ssl_info_ssl_ver_header_name:
        default: SSL-Version
        description:
        - Specifies what header name to use when passing the SSL version to the back-end
          servers.
        required: false
        type: str
      secure_renegotiation:
        default: 5
        description:
        - Specifies the maximum number of allowed secure renegotiations.
        - 0 (secure renegotiation is disabled on both front-end and back-end servers).
        - 1 to 1024.
        - unlimited (unlimited secure renegotiation is enabled). Note that the parameter is
          declared as C(int); confirm against the module source how the unlimited value is passed.
        required: false
        type: int
      state:
        choices:
        - enabled
        - disabled
        default: null
        description:
        - Enable/Disable the SSL policy on the device. This is distinct from the top-level
          I(state), which controls whether the policy object exists at all.
        required: false

revert_on_error:
    default: false
    description:
    - If an error occurs, revert the configuration change on the Alteon device.
    required: false
    type: bool

write_on_change:
    default: false
    description:
    - Executes Alteon write calls only when an actual change has been evaluated.
    required: false
    type: bool

Outputs

obj:
  description: parameters object type
  returned: changed, read
  type: dictionary
status:
  description: Message detailing run result
  returned: success
  sample: object deployed successfully
  type: str