netscaler.adc.sslvserver module – Configuration for SSL virtual server resource.
Note
This module is part of the netscaler.adc collection (version 2.6.0).
It is not included in ansible-core.
To check whether it is installed, run ansible-galaxy collection list.
To install it, use: ansible-galaxy collection install netscaler.adc.
To use it in a playbook, specify: netscaler.adc.sslvserver.
New in netscaler.adc 2.0.0
Synopsis
Configuration for SSL virtual server resource.
Parameters
Parameter |
Comments |
|---|---|
Base NITRO API path. Define only in case of an ADM service proxy call Default: |
|
State of Cipher Redirect. If cipher redirect is enabled, you can configure an SSL virtual server or service to display meaningful error messages if the SSL handshake fails because of a cipher mismatch between the virtual server or service and the client. Choices:
|
|
The redirect URL to be used with the Cipher Redirect feature. |
|
Port on which clear-text data is sent by the appliance to the server. Do not specify this parameter for SSL offloading with end-to-end encryption. |
|
State of client authentication. If client authentication is enabled, the virtual server terminates the SSL handshake if the SSL client does not provide a valid certificate. Choices:
|
|
Type of client authentication. If this parameter is set to MANDATORY, the appliance terminates the SSL handshake if the SSL client does not provide a valid certificate. With the OPTIONAL setting, the appliance requests a certificate from the SSL clients but proceeds with the SSL transaction even if the client presents an invalid certificate. Caution: Define proper access control policies before changing this setting to Choices:
|
|
State of Diffie-Hellman (DH) key exchange. Choices:
|
|
Number of interactions, between the client and the Citrix ADC, after which the DH private-public pair is regenerated. A value of zero (0) specifies refresh every time. |
|
Whether or not the SSL Virtual Server will require a DHE key exchange to occur when a PSK is accepted during a TLS 1.3 resumption handshake. A DHE key exchange ensures forward secrecy even in the event that ticket keys are compromised, at the expense of an additional round trip and resources required to carry out the DHE key exchange. If disabled, a DHE key exchange will be performed when a PSK is accepted but only if requested by the client. If enabled, the server will require a DHE key exchange when a PSK is accepted regardless of whether the client supports combined PSK-DHE key exchange. This setting only has an effect when resumption is enabled. Choices:
|
|
Name of and, optionally, path to the DH parameter file, in PEM format, to be installed. /nsconfig/ssl/ is the default path. |
|
This option enables the use of NIST recommended (NIST Special Publication 800-56A) bit size for private-key size. For example, for DH params of size 2048bit, the private-key size recommended is 224bits. This is rounded-up to 256bits. Choices:
|
|
State of DTLSv1.0 protocol support for the SSL Virtual Server. Choices:
|
|
State of DTLSv1.2 protocol support for the SSL Virtual Server. Choices:
|
|
Name of the DTLS profile whose settings are to be applied to the virtual server. |
|
State of Ephemeral RSA (eRSA) key exchange. Ephemeral RSA allows clients that support only export ciphers to communicate with the secure server even if the server certificate does not support export clients. The ephemeral RSA key is automatically generated when you bind an export cipher to an SSL or TCP-based SSL virtual server or service. When you remove the export cipher, the eRSA key is not deleted. It is reused at a later date when another export cipher is bound to an SSL or TCP-based SSL virtual server or service. The eRSA key is deleted when the appliance restarts. Choices:
|
|
Refresh count for regeneration of the RSA public-key and private-key pair. Zero (0) specifies infinite usage (no refresh). |
|
State of HSTS protocol support for the SSL Virtual Server. Using HSTS, a server can enforce the use of an HTTPS connection for all communication with a client Choices:
|
|
Enable HSTS for subdomains. If set to Yes, a client must send only HTTPS requests for subdomains. Choices:
|
|
The ID of the managed NetScaler instance to which NetScaler Console has to configure as a proxy server. Define only in case of an ADM service proxy call |
|
The IP of the managed NetScaler instance to which NetScaler Console has to configure as a proxy server. Define only in case of an ADM service proxy call |
|
The name of the managed NetScaler instance to which NetScaler Console has to configure as a proxy server. Define only in case of an ADM service proxy call |
|
The password of the managed NetScaler instance. Define only in case of an ADM service proxy call In Settings > Administration > System Configurations > Basic Settings, if you select Prompt Credentials for Instance Login, ensure to configure username and password of a managed instance. |
|
The username of the managed NetScaler instance. Define only in case of an ADM service proxy call In Settings > Administration > System Configurations > Basic Settings, if you select Prompt Credentials for Instance Login, ensure to configure username and password of a managed instance. |
|
Set the maximum time, in seconds, in the strict transport security (STS) header during which the client must send only HTTPS requests to the server |
|
The IP address of the NetScaler ADC appliance acting as a proxy server. Define only in case of an ADM service proxy call Choices:
|
|
The authentication token provided by a login operation. |
|
The password with which to authenticate to the NetScaler ADC node. |
|
Which protocol to use when accessing the nitro API objects. Choices:
|
|
The username with which to authenticate to the NetScaler ADC node. |
|
The ip address of the NetScaler ADC appliance where the nitro API calls will be made. The port can be specified with the colon (:). E.g. 192.168.1.1:555. |
|
State of OCSP stapling support on the SSL virtual server. Supported only if the protocol used is higher than SSLv3. Possible values:
Choices:
|
|
Flag indicates the consent of the site owner to have their domain preloaded. Choices:
|
|
Trigger encryption on the basis of the PUSH flag value. Available settings function as follows: * ALWAYS - Any PUSH packet triggers encryption. * IGNORE - * MERGE - For a consecutive sequence of PUSH packets, the last PUSH packet triggers encryption. * TIMER - PUSH packet triggering encryption is delayed by the time defined in the set ssl parameter command or in the Change Advanced SSL Settings dialog box. Choices:
|
|
State of the port rewrite while performing HTTPS redirect. If this parameter is Choices:
|
|
If The module will not save the configuration on the NetScaler ADC node if it made no changes. Choices:
|
|
Enable sending SSL Close-Notify at the end of a transaction Choices:
|
|
State of session reuse. Establishing the initial handshake requires CPU-intensive public key encryption operations. With the Choices:
|
|
Time, in seconds, for which to keep the session active. Any session resumption request received after the timeout period will require a fresh SSL handshake and establishment of a new SSL session. |
|
State of the Server Name Indication (SNI) feature on the virtual server and service-based offload. SNI helps to enable SSL encryption on multiple domains on a single virtual server or service if the domains are controlled by the same organization and share the same second-level domain name. For example, *.sports.net can be used to secure domains such as login.sports.net and help.sports.net. Choices:
|
|
State of SSLv2 protocol support for the SSL Virtual Server. Choices:
|
|
State of SSLv3 protocol support for the SSL Virtual Server. Note: On platforms with SSL acceleration chips, if the SSL chip does not support SSLv3, this parameter cannot be set to Choices:
|
|
Name of the SSL profile that contains SSL settings for the virtual server. |
|
State of HTTPS redirects for the SSL virtual server. For an SSL session, if the client browser receives a redirect message, the browser tries to connect to the new location. However, the secure SSL session breaks if the object has moved from a secure site (https://) to an unsecure site (http://). Typically, a warning message appears on the screen, prompting the user to continue or disconnect. If SSL Redirect is Choices:
|
|
State of SSLv2 Redirect. If SSLv2 redirect is enabled, you can configure an SSL virtual server or service to display meaningful error messages if the SSL handshake fails because of a protocol version mismatch between the virtual server or service and the client. Choices:
|
|
URL of the page to which to redirect the client in case of a protocol version mismatch. Typically, this page has a clear explanation of the error or an alternative location that the transaction can continue from. |
|
Bindings for sslvserver_appfwpolicy_binding resource |
|
List of binding members Default: |
|
The mode in which to configure the bindings. If mode is set to If mode is set to If mode is set to Choices:
|
|
Bindings for sslvserver_auditnslogpolicy_binding resource |
|
List of binding members Default: |
|
The mode in which to configure the bindings. If mode is set to If mode is set to If mode is set to Choices:
|
|
Bindings for sslvserver_auditsyslogpolicy_binding resource |
|
List of binding members Default: |
|
The mode in which to configure the bindings. If mode is set to If mode is set to If mode is set to Choices:
|
|
Bindings for sslvserver_authorizationpolicy_binding resource |
|
List of binding members Default: |
|
The mode in which to configure the bindings. If mode is set to If mode is set to If mode is set to Choices:
|
|
Bindings for sslvserver_cachepolicy_binding resource |
|
List of binding members Default: |
|
The mode in which to configure the bindings. If mode is set to If mode is set to If mode is set to Choices:
|
|
Bindings for sslvserver_cmppolicy_binding resource |
|
List of binding members Default: |
|
The mode in which to configure the bindings. If mode is set to If mode is set to If mode is set to Choices:
|
|
Bindings for sslvserver_ecccurve_binding resource |
|
List of binding members Default: |
|
The mode in which to configure the bindings. If mode is set to If mode is set to If mode is set to Choices:
|
|
Bindings for sslvserver_responderpolicy_binding resource |
|
List of binding members Default: |
|
The mode in which to configure the bindings. If mode is set to If mode is set to If mode is set to Choices:
|
|
Bindings for sslvserver_rewritepolicy_binding resource |
|
List of binding members Default: |
|
The mode in which to configure the bindings. If mode is set to If mode is set to If mode is set to Choices:
|
|
Bindings for sslvserver_sslcertkey_binding resource |
|
List of binding members Default: |
|
The mode in which to configure the bindings. If mode is set to If mode is set to If mode is set to Choices:
|
|
Bindings for sslvserver_sslcertkeybundle_binding resource |
|
List of binding members Default: |
|
The mode in which to configure the bindings. If mode is set to If mode is set to If mode is set to Choices:
|
|
Bindings for sslvserver_sslcipher_binding resource |
|
List of binding members Default: |
|
The mode in which to configure the bindings. If mode is set to If mode is set to If mode is set to Choices:
|
|
Bindings for sslvserver_sslciphersuite_binding resource |
|
List of binding members Default: |
|
The mode in which to configure the bindings. If mode is set to If mode is set to If mode is set to Choices:
|
|
Bindings for sslvserver_sslpolicy_binding resource |
|
List of binding members Default: |
|
The mode in which to configure the bindings. If mode is set to If mode is set to If mode is set to Choices:
|
|
The state of the resource being configured by the module on the NetScaler ADC node. When When Choices:
|
|
Parameter indicating to check whether peer entity certificate during TLS1.2 handshake is signed with one of signature-hash combination supported by Citrix ADC. Choices:
|
|
State of TLSv1.0 protocol support for the SSL Virtual Server. Choices:
|
|
State of TLSv1.1 protocol support for the SSL Virtual Server. Choices:
|
|
State of TLSv1.2 protocol support for the SSL Virtual Server. Choices:
|
|
State of TLSv1.3 protocol support for the SSL Virtual Server. Choices:
|
|
Number of tickets the SSL Virtual Server will issue anytime TLS 1.3 is negotiated, ticket-based resumption is enabled, and either (1) a handshake completes or (2) post-handhsake client auth completes. This value can be increased to enable clients to open multiple parallel connections using a fresh ticket for each connection. No tickets are sent if resumption is disabled. |
|
If Choices:
|
|
Name of the SSL virtual server for which to set advanced configuration. |
|
State of TLS 1.3 0-RTT early data support for the SSL Virtual Server. This setting only has an effect if resumption is enabled, as early data cannot be sent along with an initial handshake. Early application data has significantly different security properties - in particular there is no guarantee that the data cannot be replayed. Choices:
|
Notes
Note
For more information on using Ansible to manage NetScaler ADC Network devices see https://www.ansible.com/integrations/networks/citrixadc.
Examples
Return Values
Common return values are documented here, the following are the fields unique to this module:
Key |
Description |
|---|---|
Indicates if any change is made by the module Returned: always Sample: |
|
Dictionary of before and after changes Returned: always Sample: |
|
List of differences between the actual configured object and the configuration specified in the module Returned: when changed Sample: |
|
Indicates if the module failed or not Returned: always Sample: |
|
list of logged messages by the module Returned: always Sample: |