netscaler.adc.sslparameter module – Configuration for SSL parameter resource.

Note

This module is part of the netscaler.adc collection (version 2.6.0).

It is not included in ansible-core. To check whether it is installed, run ansible-galaxy collection list.

To install it, use: ansible-galaxy collection install netscaler.adc.

To use it in a playbook, specify: netscaler.adc.sslparameter.

New in netscaler.adc 2.0.0

Synopsis

  • Configuration for SSL parameter resource.

Parameters

Parameter

Comments

api_path

string

Base NITRO API path.

Define only in case of an ADM service proxy call

Default: "nitro/v1/config"

crlmemorysizemb

any

Maximum memory size to use for certificate revocation lists (CRLs). This parameter reserves memory for a CRL but sets a limit to the maximum memory that the CRLs loaded on the appliance can consume.

cryptodevdisablelimit

any

Limit to the number of disabled SSL chips after which the ADC restarts. A value of zero implies that the ADC does not automatically restart.

defaultprofile

any

Global parameter used to enable default profile feature.

Choices:

  • "ENABLED"

  • "DISABLED"

denysslreneg

any

Deny renegotiation in specified circumstances. Available settings function as follows:

* NO - Allow SSL renegotiation.

* FRONTEND_CLIENT - Deny secure and nonsecure SSL renegotiation initiated by the client.

* FRONTEND_CLIENTSERVER - Deny secure and nonsecure SSL renegotiation initiated by the client or the Citrix ADC during policy-based client authentication.

* ALL - Deny all secure and nonsecure SSL renegotiation.

* NONSECURE - Deny nonsecure SSL renegotiation. Allows only clients that support RFC 5746.

Choices:

  • "NO"

  • "FRONTEND_CLIENT"

  • "FRONTEND_CLIENTSERVER"

  • "ALL"

  • "NONSECURE"

dropreqwithnohostheader

any

Host header check for SNI enabled sessions. If this check is enabled and the HTTP request does not contain the host header for SNI enabled sessions(i.e vserver or profile bound to vserver has SNI enabled and ‘Client Hello’ arrived with SNI extension), the request is dropped.

Choices:

  • "YES"

  • "NO"

encrypttriggerpktcount

any

Maximum number of queued packets after which encryption is triggered. Use this setting for SSL transactions that send small packets from server to Citrix ADC.

heterogeneoussslhw

any

To support both cavium and coleto based platforms in cluster environment, this mode has to be enabled.

Choices:

  • "ENABLED"

  • "DISABLED"

hybridfipsmode

any

When this mode is enabled, system will use additional crypto hardware to accelerate symmetric crypto operations.

Choices:

  • "ENABLED"

  • "DISABLED"

insertcertspace

any

To insert space between lines in the certificate header of request

Choices:

  • "YES"

  • "NO"

insertionencoding

any

Encoding method used to insert the subject or issuer’s name in HTTP requests to servers.

Choices:

  • "Unicode"

  • "UTF-8"

managed_netscaler_instance_id

string

added in netscaler.adc 2.6.0

The ID of the managed NetScaler instance to which NetScaler Console

has to configure as a proxy server.

Define only in case of an ADM service proxy call

managed_netscaler_instance_ip

string

added in netscaler.adc 2.6.0

The IP of the managed NetScaler instance to which NetScaler Console

has to configure as a proxy server.

Define only in case of an ADM service proxy call

managed_netscaler_instance_name

string

added in netscaler.adc 2.6.0

The name of the managed NetScaler instance to which NetScaler Console

has to configure as a proxy server.

Define only in case of an ADM service proxy call

managed_netscaler_instance_password

string

added in netscaler.adc 2.6.0

The password of the managed NetScaler instance.

Define only in case of an ADM service proxy call

In Settings > Administration > System Configurations > Basic Settings,

if you select Prompt Credentials for Instance Login,

ensure to configure username and password of a managed instance.

managed_netscaler_instance_username

string

added in netscaler.adc 2.6.0

The username of the managed NetScaler instance.

Define only in case of an ADM service proxy call

In Settings > Administration > System Configurations > Basic Settings,

if you select Prompt Credentials for Instance Login,

ensure to configure username and password of a managed instance.

ndcppcompliancecertcheck

any

Applies when the Citrix ADC appliance acts as a client (back-end connection).

Settings apply as follows:

YES - During certificate verification, ignore the common name if SAN is present in the certificate.

NO - Do not ignore common name.

Choices:

  • "YES"

  • "NO"

netscaler_console_as_proxy_server

boolean

added in netscaler.adc 2.6.0

The IP address of the NetScaler ADC appliance acting as a proxy server.

Define only in case of an ADM service proxy call

Choices:

  • false ← (default)

  • true

nitro_auth_token

string

The authentication token provided by a login operation.

nitro_pass

string

The password with which to authenticate to the NetScaler ADC node.

nitro_protocol

string

Which protocol to use when accessing the nitro API objects.

Choices:

  • "http"

  • "https" ← (default)

nitro_user

string

The username with which to authenticate to the NetScaler ADC node.

nsip

string / required

The ip address of the NetScaler ADC appliance where the nitro API calls will be made.

The port can be specified with the colon (:). E.g. 192.168.1.1:555.

ocspcachesize

any

Size, per packet engine, in megabytes, of the OCSP cache. A maximum of 10% of the packet engine memory can be assigned. Because the maximum allowed packet engine memory is 4GB, the maximum value that can be assigned to the OCSP cache is approximately 410 MB.

operationqueuelimit

any

Limit in percentage of capacity of the crypto operations queue beyond which new SSL connections are not accepted until the queue is reduced.

pushenctriggertimeout

any

PUSH encryption trigger timeout value. The timeout value is applied only if you set the Push Encryption Trigger parameter to Timer in the SSL virtual server settings.

pushflag

any

Insert PUSH flag into decrypted, encrypted, or all records. If the PUSH flag is set to a value other than 0, the buffered records are forwarded on the basis of the value of the PUSH flag. Available settings function as follows:

0 - Auto (PUSH flag is not set.)

1 - Insert PUSH flag into every decrypted record.

2 -Insert PUSH flag into every encrypted record.

3 - Insert PUSH flag into every decrypted and encrypted record.

quantumsize

any

Amount of data to collect before the data is pushed to the crypto hardware for encryption. For large downloads, a larger quantum size better utilizes the crypto resources.

Choices:

  • 4096

  • 8192

  • 16384

save_config

boolean

If true the module will save the configuration on the NetScaler ADC node if it makes any changes.

The module will not save the configuration on the NetScaler ADC node if it made no changes.

Choices:

  • false ← (default)

  • true

sendclosenotify

any

Send an SSL Close-Notify message to the client at the end of a transaction.

Choices:

  • "YES"

  • "NO"

sigdigesttype

any

Signature Digest Algorithms that are supported by appliance. Default value is “ALL“ and it will enable the following algorithms depending on the platform.

On VPX: ECDSA-SHA1 ECDSA-SHA224 ECDSA-SHA256 ECDSA-SHA384 ECDSA-SHA512 RSA-SHA1 RSA-SHA224 RSA-SHA256 RSA-SHA384 RSA-SHA512 DSA-SHA1 DSA-SHA224 DSA-SHA256 DSA-SHA384 DSA-SHA512

On MPX with Nitrox-III and coleto cards: RSA-SHA1 RSA-SHA224 RSA-SHA256 RSA-SHA384 RSA-SHA512 ECDSA-SHA1 ECDSA-SHA224 ECDSA-SHA256 ECDSA-SHA384 ECDSA-SHA512

Others: RSA-SHA1 RSA-SHA224 RSA-SHA256 RSA-SHA384 RSA-SHA512.

Note:ALL doesnot include RSA-MD5 for any platform.

Choices:

  • "ALL"

  • "RSA-MD5"

  • "RSA-SHA1"

  • "RSA-SHA224"

  • "RSA-SHA256"

  • "RSA-SHA384"

  • "RSA-SHA512"

  • "DSA-SHA1"

  • "DSA-SHA224"

  • "DSA-SHA256"

  • "DSA-SHA384"

  • "DSA-SHA512"

  • "ECDSA-SHA1"

  • "ECDSA-SHA224"

  • "ECDSA-SHA256"

  • "ECDSA-SHA384"

  • "ECDSA-SHA512"

snihttphostmatch

any

Controls how the HTTP ‘Host’ header value is validated. These checks are performed only if the session is SNI enabled (i.e when vserver or profile bound to vserver has SNI enabled and ‘Client Hello’ arrived with SNI extension) and HTTP request contains ‘Host’ header.

Available settings function as follows:

CERT - Request is forwarded if the ‘Host’ value is covered

by the certificate used to establish this SSL session.

Note: ‘CERT‘ matching mode cannot be applied in

TLS 1.3 connections established by resuming from a

previous TLS 1.3 session. On these connections, ‘STRICT

matching mode will be used instead.

STRICT - Request is forwarded only if value of ‘Host’ header

in HTTP is identical to the ‘Server name’ value passed

in ‘Client Hello’ of the SSL connection.

NO - No validation is performed on the HTTP ‘Host’

header value.

Choices:

  • "NO"

  • "CERT"

  • "STRICT"

softwarecryptothreshold

any

Citrix ADC CPU utilization threshold (in percentage) beyond which crypto operations are not done in software.

A value of zero implies that CPU is not utilized for doing crypto in software.

sslierrorcache

any

Enable or disable dynamically learning and caching the learned information to make the subsequent interception or bypass decision. When enabled, NS does the lookup of this cached data to do early bypass.

Choices:

  • "ENABLED"

  • "DISABLED"

sslimaxerrorcachemem

any

Specify the maximum memory that can be used for caching the learned data. This memory is used as a LRU cache so that the old entries gets replaced with new entry once the set memory limit is fully utilised. A value of 0 decides the limit automatically.

ssltriggertimeout

any

Time, in milliseconds, after which encryption is triggered for transactions that are not tracked on the Citrix ADC because their length is not known. There can be a delay of up to 10ms from the specified timeout value before the packet is pushed into the queue.

state

string

The state of the resource being configured by the module on the NetScaler ADC node.

When present, the resource will be added/updated configured according to the module’s parameters.

When unset, the resource will be unset on the NetScaler ADC node.

Choices:

  • "present" ← (default)

  • "unset"

strictcachecks

any

Enable strict CA certificate checks on the appliance.

Choices:

  • "YES"

  • "NO"

undefactioncontrol

any

Name of the undefined built-in control action: CLIENTAUTH, NOCLIENTAUTH, NOOP, RESET, or DROP.

undefactiondata

any

Name of the undefined built-in data action: NOOP, RESET or DROP.

validate_certs

boolean

If false, SSL certificates will not be validated. This should only be used on personally controlled sites using self-signed certificates.

Choices:

  • false

  • true ← (default)

Notes

Note

Examples

Return Values

Common return values are documented here, the following are the fields unique to this module:

Key

Description

changed

boolean

Indicates if any change is made by the module

Returned: always

Sample: true

diff

dictionary

Dictionary of before and after changes

Returned: always

Sample: {"after": {"key2": "pqr"}, "before": {"key1": "xyz"}, "prepared": "changes done"}

diff_list

list / elements=string

List of differences between the actual configured object and the configuration specified in the module

Returned: when changed

Sample: ["Attribute `key1` differs. Desired: (<class 'str'>) XYZ. Existing: (<class 'str'>) PQR"]

failed

boolean

Indicates if the module failed or not

Returned: always

Sample: false

loglines

list / elements=string

list of logged messages by the module

Returned: always

Sample: ["message 1", "message 2"]

Authors

  • Sumanth Lingappa (@sumanth-lingappa)