Skip to content
Was this article helpful?

ssl-action

The following operations can be performed on "ssl-action":

add| rm| show|

add ssl action

Creates a new SSL action. An SSL action defines SSL settings that you can apply to the selected requests. You associate an action with one or more policies. Data in client connection requests or responses is compared to a rule (expression) specified in the policy, and the action is applied to connections that match the rule.

Synopsis

add ssl action <name> ((-clientAuth ( DOCLIENTAUTH | NOCLIENTAUTH ) [-clientCertVerification ( Mandatory | Optional )] [-ssllogProfile <string>]) | -forward <string> | -caCertGrpName <string>) [-clientCert ( ENABLED | DISABLED ) -certHeader <string>] [-clientCertSerialNumber ( ENABLED | DISABLED ) -certSerialHeader <string>] [-clientCertSubject ( ENABLED | DISABLED ) -certSubjectHeader <string>] [-clientCertHash ( ENABLED | DISABLED ) -certHashHeader <string>] [-clientCertFingerprint ( ENABLED | DISABLED ) -certFingerprintHeader <string> -certFingerprintDigest <certFingerprintDigest>] [-clientCertIssuer ( ENABLED | DISABLED ) -certIssuerHeader <string>] [-sessionID ( ENABLED | DISABLED ) -sessionIDHeader <string>] [-cipher ( ENABLED | DISABLED ) -cipherHeader <string>] [-clientCertNotBefore ( ENABLED | DISABLED ) -certNotBeforeHeader <string>] [-clientCertNotAfter ( ENABLED | DISABLED ) -certNotAfterHeader <string>] [-OWASupport ( ENABLED | DISABLED )]

Arguments

name

Name for the SSL action. Must begin with an ASCII alphanumeric or underscore (_) character, and must contain only ASCII alphanumeric, underscore, hash (#), period (.), space, colon (:), at (@), equals (=), and hyphen (-) characters. Cannot be changed after the action is created.

The following requirement applies only to the Citrix ADC CLI: If the name includes one or more spaces, enclose the name in double or single quotation marks (for example, "my action" or 'my action').

clientAuth

Perform client certificate authentication.

Possible values: DOCLIENTAUTH, NOCLIENTAUTH

clientCertVerification

Client certificate verification is mandatory or optional.

Possible values: Mandatory, Optional Default value: Mandatory

ssllogProfile

The name of the ssllogprofile.

clientCert

Insert the entire client certificate into the HTTP header of the request being sent to the web server. The certificate is inserted in ASCII (PEM) format.

Possible values: ENABLED, DISABLED

certHeader

Name of the header into which to insert the client certificate.

clientCertSerialNumber

Insert the entire client serial number into the HTTP header of the request being sent to the web server.

Possible values: ENABLED, DISABLED

certSerialHeader

Name of the header into which to insert the client serial number.

clientCertSubject

Insert the client certificate subject, also known as the distinguished name (DN), into the HTTP header of the request being sent to the web server.

Possible values: ENABLED, DISABLED

certSubjectHeader

Name of the header into which to insert the client certificate subject.

clientCertHash

Insert the certificate's signature into the HTTP header of the request being sent to the web server. The signature is the value extracted directly from the X.509 certificate signature field. All X.509 certificates contain a signature field.

Possible values: ENABLED, DISABLED

certHashHeader

Name of the header into which to insert the client certificate signature (hash).

clientCertFingerprint

Insert the certificate's fingerprint into the HTTP header of the request being sent to the web server. The fingerprint is derived by computing the specified hash value (SHA256, for example) of the DER-encoding of the client certificate.

Possible values: ENABLED, DISABLED

certFingerprintHeader

Name of the header into which to insert the client certificate fingerprint.

certFingerprintDigest

Digest algorithm used to compute the fingerprint of the client certificate.

Possible values: SHA1, SHA224, SHA256, SHA384, SHA512

clientCertIssuer

Insert the certificate issuer details into the HTTP header of the request being sent to the web server.

Possible values: ENABLED, DISABLED

certIssuerHeader

Name of the header into which to insert the client certificate issuer details.

sessionID

Insert the SSL session ID into the HTTP header of the request being sent to the web server. Every SSL connection that the client and the Citrix ADC share has a unique ID that identifies the specific connection.

Possible values: ENABLED, DISABLED

sessionIDHeader

Name of the header into which to insert the Session ID.

cipher

Insert the cipher suite that the client and the Citrix ADC negotiated for the SSL session into the HTTP header of the request being sent to the web server. The appliance inserts the cipher-suite name, SSL protocol, export or non-export string, and cipher strength bit, depending on the type of browser connecting to the SSL virtual server or service (for example, Cipher-Suite: RC4- MD5 SSLv3 Non-Export 128-bit).

Possible values: ENABLED, DISABLED

cipherHeader

Name of the header into which to insert the name of the cipher suite.

clientCertNotBefore

Insert the date from which the certificate is valid into the HTTP header of the request being sent to the web server. Every certificate is configured with the date and time from which it is valid.

Possible values: ENABLED, DISABLED

certNotBeforeHeader

Name of the header into which to insert the date and time from which the certificate is valid.

clientCertNotAfter

Insert the date of expiry of the certificate into the HTTP header of the request being sent to the web server. Every certificate is configured with the date and time at which the certificate expires.

Possible values: ENABLED, DISABLED

certNotAfterHeader

Name of the header into which to insert the certificate's expiry date.

OWASupport

If the appliance is in front of an Outlook Web Access (OWA) server, insert a special header field, FRONT-END-HTTPS: ON, into the HTTP requests going to the OWA server. This header communicates to the server that the transaction is HTTPS and not HTTP.

Possible values: ENABLED, DISABLED

forward

This action takes an argument a vserver name, to this vserver one will be able to forward all the packets.

caCertGrpName

This action will allow to pick CA(s) from the specific CA group, to verify the client certificate.

Example

add ssl action certInsert_act -clientCert ENABLED -certHeader CERT

rm ssl action

Removes the specified SSL action.

Synopsis

rm ssl action <name>

Arguments

name

Name of the SSL action to remove.

Example

rm ssl action certInsert_act

show ssl action

Displays information about all the SSL actions configured on the appliance, or displays detailed information about the specified SSL action.

Synopsis

show ssl action [<name>]

Arguments

name

Name of the SSL action for which to show detailed information.

Output

stateflag

clientAuth

Perform client certificate authentication.

clientCertVerification

Client certificate verification is mandatory or optional.

clientCert

Insert the entire client certificate into the HTTP header of the request being sent to the web server. The certificate is inserted in ASCII (PEM) format.

certHeader

clientCertSerialNumber

Insert the entire client serial number into the HTTP header of the request being sent to the web server.

certSerialHeader

clientCertSubject

Insert the client certificate subject, also known as the distinguished name (DN), into the HTTP header of the request being sent to the web server.

certSubjectHeader

clientCertHash

Insert the certificate's signature into the HTTP header of the request being sent to the web server. The signature is the value extracted directly from the X.509 certificate signature field. All X.509 certificates contain a signature field.

certHashHeader

clientCertFingerprint

Insert the certificate's fingerprint into the HTTP header of the request being sent to the web server. The fingerprint is derived by computing the specified hash value (SHA256, for example) of the DER-encoding of the client certificate.

certFingerprintHeader

certFingerprintDigest

clientCertIssuer

Insert the certificate issuer details into the HTTP header of the request being sent to the web server.

certIssuerHeader

sessionID

Insert the SSL session ID into the HTTP header of the request being sent to the web server. Every SSL connection that the client and the Citrix ADC share has a unique ID that identifies the specific connection.

sessionIDHeader

cipher

Insert the cipher suite that the client and the Citrix ADC negotiated for the SSL session into the HTTP header of the request being sent to the web server. The appliance inserts the cipher-suite name, SSL protocol, export or non-export string, and cipher strength bit, depending on the type of browser connecting to the SSL virtual server or service (for example, Cipher-Suite: RC4- MD5 SSLv3 Non-Export 128-bit).

cipherHeader

OWASupport

If the appliance is in front of an Outlook Web Access (OWA) server, insert a special header field, FRONT-END-HTTPS: ON, into the HTTP requests going to the OWA server. This header communicates to the server that the transaction is HTTPS and not HTTP.

forward

This action takes an argument a vserver name, to this vserver one will be able to forward all the packets.

caCertGrpName

This action will allow to pick CA(s) from the specific CA group, to verify the client certificate.

clientCertNotBefore

Insert the date from which the certificate is valid into the HTTP header of the request being sent to the web server. Every certificate is configured with the date and time from which it is valid.

certNotBeforeHeader

clientCertNotAfter

Insert the date of expiry of the certificate into the HTTP header of the request being sent to the web server. Every certificate is configured with the date and time at which the certificate expires.

certNotAfterHeader

hits

The number of times the action has been taken.

undefHits

The number of times the action resulted in UNDEF.

referenceCount

The number of references to the action.

description

Description of the action

flags

ssllogProfile

The name of the ssllogprofile.

builtin

Flag to determine whether ssl action is built-in or not

feature

The feature to be checked while applying this config

devno

count

Example

show ssl action 1 Configured SSL action: 1) Name: certInsert_act Data Insertion Action: Cert Header: ENABLED Cert Tag: CERT

Was this article helpful?