netscaler.adc.sslservice module – Configuration for SSL service resource.

Note

This module is part of the netscaler.adc collection (version 2.6.0).

It is not included in ansible-core. To check whether it is installed, run ansible-galaxy collection list.

To install it, use: ansible-galaxy collection install netscaler.adc.

To use it in a playbook, specify: netscaler.adc.sslservice.

New in netscaler.adc 2.0.0

Synopsis

• Configuration for SSL service resource.

Parameters

Parameter	Comments
api_path string	Base NITRO API path. Define only in case of an ADM service proxy call Default: "nitro/v1/config"
cipherredirect any	State of Cipher Redirect. If this parameter is set to ENABLED, you can configure an SSL virtual server or service to display meaningful error messages if the SSL handshake fails because of a cipher mismatch between the virtual server or service and the client. This parameter is not applicable when configuring a backend service. Choices: "ENABLED" "DISABLED"
cipherurl any	URL of the page to which to redirect the client in case of a cipher mismatch. Typically, this page has a clear explanation of the error or an alternative location that the transaction can continue from. This parameter is not applicable when configuring a backend service.
clientauth any	State of client authentication. In service-based SSL offload, the service terminates the SSL handshake if the SSL client does not provide a valid certificate. This parameter is not applicable when configuring a backend service. Choices: "ENABLED" "DISABLED"
clientcert any	Type of client authentication. If this parameter is set to MANDATORY, the appliance terminates the SSL handshake if the SSL client does not provide a valid certificate. With the OPTIONAL setting, the appliance requests a certificate from the SSL clients but proceeds with the SSL transaction even if the client presents an invalid certificate. This parameter is not applicable when configuring a backend SSL service. Caution: Define proper access control policies before changing this setting to Optional. Choices: "Mandatory" "Optional"
commonname any	Name to be checked against the CommonName (CN) field in the server certificate bound to the SSL server
dh any	State of Diffie-Hellman (DH) key exchange. This parameter is not applicable when configuring a backend service. Choices: "ENABLED" "DISABLED"
dhcount any	Number of interactions, between the client and the Citrix ADC, after which the DH private-public pair is regenerated. A value of zero (0) specifies refresh every time. This parameter is not applicable when configuring a backend service. Allowed DH count values are 0 and >= 500.
dhfile any	Name for and, optionally, path to the PEM-format DH parameter file to be installed. /nsconfig/ssl/ is the default path. This parameter is not applicable when configuring a backend service.
dhkeyexpsizelimit any	This option enables the use of NIST recommended (NIST Special Publication 800-56A) bit size for private-key size. For example, for DH params of size 2048bit, the private-key size recommended is 224bits. This is rounded-up to 256bits. Choices: "ENABLED" "DISABLED"
dtls1 any	State of DTLSv1.0 protocol support for the SSL service. Choices: "ENABLED" "DISABLED"
dtls12 any	State of DTLSv1.2 protocol support for the SSL service. Choices: "ENABLED" "DISABLED"
dtlsprofilename any	Name of the DTLS profile that contains DTLS settings for the service.
ersa any	State of Ephemeral RSA (eRSA) key exchange. Ephemeral RSA allows clients that support only export ciphers to communicate with the secure server even if the server certificate does not support export clients. The ephemeral RSA key is automatically generated when you bind an export cipher to an SSL or TCP-based SSL virtual server or service. When you remove the export cipher, the eRSA key is not deleted. It is reused at a later date when another export cipher is bound to an SSL or TCP-based SSL virtual server or service. The eRSA key is deleted when the appliance restarts. This parameter is not applicable when configuring a backend service. Choices: "ENABLED" "DISABLED"
ersacount any	Refresh count for regeneration of RSA public-key and private-key pair. Zero (0) specifies infinite usage (no refresh). This parameter is not applicable when configuring a backend service.
managed_netscaler_instance_id string added in netscaler.adc 2.6.0	The ID of the managed NetScaler instance to which NetScaler Console has to configure as a proxy server. Define only in case of an ADM service proxy call
managed_netscaler_instance_ip string added in netscaler.adc 2.6.0	The IP of the managed NetScaler instance to which NetScaler Console has to configure as a proxy server. Define only in case of an ADM service proxy call
managed_netscaler_instance_name string added in netscaler.adc 2.6.0	The name of the managed NetScaler instance to which NetScaler Console has to configure as a proxy server. Define only in case of an ADM service proxy call
managed_netscaler_instance_password string added in netscaler.adc 2.6.0	The password of the managed NetScaler instance. Define only in case of an ADM service proxy call In Settings > Administration > System Configurations > Basic Settings, if you select Prompt Credentials for Instance Login, ensure to configure username and password of a managed instance.
managed_netscaler_instance_username string added in netscaler.adc 2.6.0	The username of the managed NetScaler instance. Define only in case of an ADM service proxy call In Settings > Administration > System Configurations > Basic Settings, if you select Prompt Credentials for Instance Login, ensure to configure username and password of a managed instance.
netscaler_console_as_proxy_server boolean added in netscaler.adc 2.6.0	The IP address of the NetScaler ADC appliance acting as a proxy server. Define only in case of an ADM service proxy call Choices: false ← (default) true
nitro_auth_token string	The authentication token provided by a login operation.
nitro_pass string	The password with which to authenticate to the NetScaler ADC node.
nitro_protocol string	Which protocol to use when accessing the nitro API objects. Choices: "http" "https" ← (default)
nitro_user string	The username with which to authenticate to the NetScaler ADC node.
nsip string / required	The ip address of the NetScaler ADC appliance where the nitro API calls will be made. The port can be specified with the colon (:). E.g. 192.168.1.1:555.
ocspstapling any	State of OCSP stapling support on the SSL virtual server. Supported only if the protocol used is higher than SSLv3. Possible values: ENABLED: The appliance sends a request to the OCSP responder to check the status of the server certificate and caches the response for the specified time. If the response is valid at the time of SSL handshake with the client, the OCSP-based server certificate status is sent to the client during the handshake. DISABLED: The appliance does not check the status of the server certificate. Choices: "ENABLED" "DISABLED"
pushenctrigger string	Trigger encryption on the basis of the PUSH flag value. Available settings function as follows: * ALWAYS - Any PUSH packet triggers encryption. * IGNORE - Ignore PUSH packet for triggering encryption. * MERGE - For a consecutive sequence of PUSH packets, the last PUSH packet triggers encryption. * TIMER - PUSH packet triggering encryption is delayed by the time defined in the set ssl parameter command or in the Change Advanced SSL Settings dialog box. Choices: "Always" "Merge" "Ignore" "Timer"
redirectportrewrite any	State of the port rewrite while performing HTTPS redirect. If this parameter is set to ENABLED, and the URL from the server does not contain the standard port, the port is rewritten to the standard. Choices: "ENABLED" "DISABLED"
save_config boolean	If true the module will save the configuration on the NetScaler ADC node if it makes any changes. The module will not save the configuration on the NetScaler ADC node if it made no changes. Choices: false ← (default) true
sendclosenotify any	Enable sending SSL Close-Notify at the end of a transaction Choices: "YES" "NO"
serverauth any	State of server authentication support for the SSL service. Choices: "ENABLED" "DISABLED"
servicename any	Name of the SSL service.
sessreuse any	State of session reuse. Establishing the initial handshake requires CPU-intensive public key encryption operations. With the ENABLED setting, session key exchange is avoided for session resumption requests received from the client. Choices: "ENABLED" "DISABLED"
sesstimeout any	Time, in seconds, for which to keep the session active. Any session resumption request received after the timeout period will require a fresh SSL handshake and establishment of a new SSL session.
snienable any	State of the Server Name Indication (SNI) feature on the virtual server and service-based offload. SNI helps to enable SSL encryption on multiple domains on a single virtual server or service if the domains are controlled by the same organization and share the same second-level domain name. For example, *.sports.net can be used to secure domains such as login.sports.net and help.sports.net. Choices: "ENABLED" "DISABLED"
ssl2 any	State of SSLv2 protocol support for the SSL service. This parameter is not applicable when configuring a backend service. Choices: "ENABLED" "DISABLED"
ssl3 any	State of SSLv3 protocol support for the SSL service. Note: On platforms with SSL acceleration chips, if the SSL chip does not support SSLv3, this parameter cannot be set to ENABLED. Choices: "ENABLED" "DISABLED"
sslprofile any	Name of the SSL profile that contains SSL settings for the service.
sslredirect any	State of HTTPS redirects for the SSL service. For an SSL session, if the client browser receives a redirect message, the browser tries to connect to the new location. However, the secure SSL session breaks if the object has moved from a secure site (https://) to an unsecure site (http://). Typically, a warning message appears on the screen, prompting the user to continue or disconnect. If SSL Redirect is ENABLED, the redirect message is automatically converted from http:// to https:// and the SSL session does not break. This parameter is not applicable when configuring a backend service. Choices: "ENABLED" "DISABLED"
sslservice_ecccurve_binding dictionary	Bindings for sslservice_ecccurve_binding resource
binding_members list / elements=dictionary	List of binding members Default: []
mode string	The mode in which to configure the bindings. If mode is set to desired, the bindings will be added or removed from the target NetScaler ADCs as necessary to match the bindings specified in the state. If mode is set to bind, the specified bindings will be added to the resource. The existing bindings in the target ADCs will not be modified. If mode is set to unbind, the specified bindings will be removed from the resource. The existing bindings in the target ADCs will not be modified. Choices: "desired" ← (default) "bind" "unbind"
sslservice_sslcertkey_binding dictionary	Bindings for sslservice_sslcertkey_binding resource
binding_members list / elements=dictionary	List of binding members Default: []
mode string	The mode in which to configure the bindings. If mode is set to desired, the bindings will be added or removed from the target NetScaler ADCs as necessary to match the bindings specified in the state. If mode is set to bind, the specified bindings will be added to the resource. The existing bindings in the target ADCs will not be modified. If mode is set to unbind, the specified bindings will be removed from the resource. The existing bindings in the target ADCs will not be modified. Choices: "desired" ← (default) "bind" "unbind"
sslservice_sslcipher_binding dictionary	Bindings for sslservice_sslcipher_binding resource
binding_members list / elements=dictionary	List of binding members Default: []
mode string	The mode in which to configure the bindings. If mode is set to desired, the bindings will be added or removed from the target NetScaler ADCs as necessary to match the bindings specified in the state. If mode is set to bind, the specified bindings will be added to the resource. The existing bindings in the target ADCs will not be modified. If mode is set to unbind, the specified bindings will be removed from the resource. The existing bindings in the target ADCs will not be modified. Choices: "desired" ← (default) "bind" "unbind"
sslservice_sslciphersuite_binding dictionary	Bindings for sslservice_sslciphersuite_binding resource
binding_members list / elements=dictionary	List of binding members Default: []
mode string	The mode in which to configure the bindings. If mode is set to desired, the bindings will be added or removed from the target NetScaler ADCs as necessary to match the bindings specified in the state. If mode is set to bind, the specified bindings will be added to the resource. The existing bindings in the target ADCs will not be modified. If mode is set to unbind, the specified bindings will be removed from the resource. The existing bindings in the target ADCs will not be modified. Choices: "desired" ← (default) "bind" "unbind"
sslservice_sslpolicy_binding dictionary	Bindings for sslservice_sslpolicy_binding resource
binding_members list / elements=dictionary	List of binding members Default: []
mode string	The mode in which to configure the bindings. If mode is set to desired, the bindings will be added or removed from the target NetScaler ADCs as necessary to match the bindings specified in the state. If mode is set to bind, the specified bindings will be added to the resource. The existing bindings in the target ADCs will not be modified. If mode is set to unbind, the specified bindings will be removed from the resource. The existing bindings in the target ADCs will not be modified. Choices: "desired" ← (default) "bind" "unbind"
sslservicegroup_ecccurve_binding dictionary	Bindings for sslservicegroup_ecccurve_binding resource
binding_members list / elements=dictionary	List of binding members Default: []
mode string	The mode in which to configure the bindings. If mode is set to desired, the bindings will be added or removed from the target NetScaler ADCs as necessary to match the bindings specified in the state. If mode is set to bind, the specified bindings will be added to the resource. The existing bindings in the target ADCs will not be modified. If mode is set to unbind, the specified bindings will be removed from the resource. The existing bindings in the target ADCs will not be modified. Choices: "desired" ← (default) "bind" "unbind"
sslservicegroup_sslcertkey_binding dictionary	Bindings for sslservicegroup_sslcertkey_binding resource
binding_members list / elements=dictionary	List of binding members Default: []
mode string	The mode in which to configure the bindings. If mode is set to desired, the bindings will be added or removed from the target NetScaler ADCs as necessary to match the bindings specified in the state. If mode is set to bind, the specified bindings will be added to the resource. The existing bindings in the target ADCs will not be modified. If mode is set to unbind, the specified bindings will be removed from the resource. The existing bindings in the target ADCs will not be modified. Choices: "desired" ← (default) "bind" "unbind"
sslservicegroup_sslcipher_binding dictionary	Bindings for sslservicegroup_sslcipher_binding resource
binding_members list / elements=dictionary	List of binding members Default: []
mode string	The mode in which to configure the bindings. If mode is set to desired, the bindings will be added or removed from the target NetScaler ADCs as necessary to match the bindings specified in the state. If mode is set to bind, the specified bindings will be added to the resource. The existing bindings in the target ADCs will not be modified. If mode is set to unbind, the specified bindings will be removed from the resource. The existing bindings in the target ADCs will not be modified. Choices: "desired" ← (default) "bind" "unbind"
sslservicegroup_sslciphersuite_binding dictionary	Bindings for sslservicegroup_sslciphersuite_binding resource
binding_members list / elements=dictionary	List of binding members Default: []
mode string	The mode in which to configure the bindings. If mode is set to desired, the bindings will be added or removed from the target NetScaler ADCs as necessary to match the bindings specified in the state. If mode is set to bind, the specified bindings will be added to the resource. The existing bindings in the target ADCs will not be modified. If mode is set to unbind, the specified bindings will be removed from the resource. The existing bindings in the target ADCs will not be modified. Choices: "desired" ← (default) "bind" "unbind"
sslv2redirect any	State of SSLv2 Redirect. If this parameter is set to ENABLED, you can configure an SSL virtual server or service to display meaningful error messages if the SSL handshake fails because of a protocol version mismatch between the virtual server or service and the client. This parameter is not applicable when configuring a backend service. Choices: "ENABLED" "DISABLED"
sslv2url any	URL of the page to which to redirect the client in case of a protocol version mismatch. Typically, this page has a clear explanation of the error or an alternative location that the transaction can continue from. This parameter is not applicable when configuring a backend service.
state string	The state of the resource being configured by the module on the NetScaler ADC node. When present, the resource will be added/updated configured according to the module’s parameters. When unset, the resource will be unset on the NetScaler ADC node. Choices: "present" ← (default) "unset"
strictsigdigestcheck any	Parameter indicating to check whether peer’s certificate during TLS1.2 handshake is signed with one of signature-hash combination supported by Citrix ADC Choices: "ENABLED" "DISABLED"
tls1 any	State of TLSv1.0 protocol support for the SSL service. Choices: "ENABLED" "DISABLED"
tls11 any	State of TLSv1.1 protocol support for the SSL service. Choices: "ENABLED" "DISABLED"
tls12 any	State of TLSv1.2 protocol support for the SSL service. Choices: "ENABLED" "DISABLED"
tls13 any	State of TLSv1.3 protocol support for the SSL service. Choices: "ENABLED" "DISABLED"
validate_certs boolean	If false, SSL certificates will not be validated. This should only be used on personally controlled sites using self-signed certificates. Choices: false true ← (default)

Notes

Note

• For more information on using Ansible to manage NetScaler ADC Network devices see https://www.ansible.com/integrations/networks/citrixadc.

Examples

---
- name: Sample Playbook
  hosts: localhost
  gather_facts: false
  tasks:
    - name: Sample Task | sslservice
      delegate_to: localhost
      netscaler.adc.sslservice:
        state: present
        servicename: nsrnatsip-127.0.0.1-5061
        ersa: ENABLED
        sessreuse: DISABLED
        ssl3: DISABLED
        tls1: DISABLED
        tls11: DISABLED
        dtls1: DISABLED

Return Values

Common return values are documented here, the following are the fields unique to this module:

Key	Description
changed boolean	Indicates if any change is made by the module Returned: always Sample: true
diff dictionary	Dictionary of before and after changes Returned: always Sample: {"after": {"key2": "pqr"}, "before": {"key1": "xyz"}, "prepared": "changes done"}
diff_list list / elements=string	List of differences between the actual configured object and the configuration specified in the module Returned: when changed Sample: ["Attribute `key1` differs. Desired: (<class 'str'>) XYZ. Existing: (<class 'str'>) PQR"]
failed boolean	Indicates if the module failed or not Returned: always Sample: false
loglines list / elements=string	list of logged messages by the module Returned: always Sample: ["message 1", "message 2"]

Authors

• Sumanth Lingappa (@sumanth-lingappa)

Collection links

• Issue Tracker
• Repository (Sources)