sslvserver
Configuration for SSL virtual server resource.
Properties
(click to see Operations)
| Name | Data Type | Permissions | Description |
|---|---|---|---|
| vservername | <String> | Read-write | Name of the SSL virtual server for which to set advanced configuration.<br>Minimum length = 1 |
| cleartextport | <Integer> | Read-write | Port on which clear-text data is sent by the appliance to the server. Do not specify this parameter for SSL offloading with end-to-end encryption.<br>Default value: 0 |
| dh | <String> | Read-write | State of Diffie-Hellman (DH) key exchange.<br>Default value: DISABLED<br>Possible values = ENABLED, DISABLED |
| dhfile | <String> | Read-write | Name of and, optionally, path to the DH parameter file, in PEM format, to be installed. /nsconfig/ssl/ is the default path.<br>Minimum length = 1 |
| dhcount | <Double> | Read-write | Number of interactions, between the client and the NetScaler appliance, after which the DH private-public pair is regenerated. A value of zero (0) specifies infinite use (no refresh).<br>Minimum value = 0<br>Maximum value = 65534 |
| ersa | <String> | Read-write | State of Ephemeral RSA (eRSA) key exchange. Ephemeral RSA allows clients that support only export ciphers to communicate with the secure server even if the server certificate does not support export clients. The ephemeral RSA key is automatically generated when you bind an export cipher to an SSL or TCP-based SSL virtual server or service. When you remove the export cipher, the eRSA key is not deleted. It is reused at a later date when another export cipher is bound to an SSL or TCP-based SSL virtual server or service. The eRSA key is deleted when the appliance restarts.<br>Default value: ENABLED<br>Possible values = ENABLED, DISABLED |
| ersacount | <Double> | Read-write | Refresh count for regeneration of the RSA public-key and private-key pair. Zero (0) specifies infinite usage (no refresh).<br>Minimum value = 0<br>Maximum value = 65534 |
| sessreuse | <String> | Read-write | State of session reuse. Establishing the initial handshake requires CPU-intensive public key encryption operations. With the ENABLED setting, session key exchange is avoided for session resumption requests received from the client.<br>Default value: ENABLED<br>Possible values = ENABLED, DISABLED |
| sesstimeout | <Double> | Read-write | Time, in seconds, for which to keep the session active. Any session resumption request received after the timeout period will require a fresh SSL handshake and establishment of a new SSL session.<br>Default value: 120<br>Minimum value = 0<br>Maximum value = 4294967294 |
| cipherredirect | <String> | Read-write | State of Cipher Redirect. If cipher redirect is enabled, you can configure an SSL virtual server or service to display meaningful error messages if the SSL handshake fails because of a cipher mismatch between the virtual server or service and the client.<br>Default value: DISABLED<br>Possible values = ENABLED, DISABLED |
| cipherurl | <String> | Read-write | The redirect URL to be used with the Cipher Redirect feature. |
| sslv2redirect | <String> | Read-write | State of SSLv2 Redirect. If SSLv2 redirect is enabled, you can configure an SSL virtual server or service to display meaningful error messages if the SSL handshake fails because of a protocol version mismatch between the virtual server or service and the client.<br>Default value: DISABLED<br>Possible values = ENABLED, DISABLED |
| sslv2url | <String> | Read-write | URL of the page to which to redirect the client in case of a protocol version mismatch. Typically, this page has a clear explanation of the error or an alternative location that the transaction can continue from. |
| clientauth | <String> | Read-write | State of client authentication. If client authentication is enabled, the virtual server terminates the SSL handshake if the SSL client does not provide a valid certificate.<br>Default value: DISABLED<br>Possible values = ENABLED, DISABLED |
| clientcert | <String> | Read-write | Type of client authentication. If this parameter is set to MANDATORY, the appliance terminates the SSL handshake if the SSL client does not provide a valid certificate. With the OPTIONAL setting, the appliance requests a certificate from the SSL clients but proceeds with the SSL transaction even if the client presents an invalid certificate. Caution: Define proper access control policies before changing this setting to Optional.<br>Possible values = Mandatory, Optional |
| sslredirect | <String> | Read-write | State of HTTPS redirects for the SSL virtual server. For an SSL session, if the client browser receives a redirect message, the browser tries to connect to the new location. However, the secure SSL session breaks if the object has moved from a secure site (https://) to an unsecure site (http://). Typically, a warning message appears on the screen, prompting the user to continue or disconnect. If SSL Redirect is ENABLED, the redirect message is automatically converted from http:// to https:// and the SSL session does not break.<br>Default value: DISABLED<br>Possible values = ENABLED, DISABLED |
| redirectportrewrite | <String> | Read-write | State of the port rewrite while performing HTTPS redirect. If this parameter is ENABLED and the URL from the server does not contain the standard port, the port is rewritten to the standard.<br>Default value: DISABLED<br>Possible values = ENABLED, DISABLED |
| nonfipsciphers | <String> | Read-write | State of usage of non-FIPS approved ciphers. Valid only for an SSL service bound with a FIPS key and certificate.<br>Default value: DISABLED<br>Possible values = ENABLED, DISABLED |
| ssl2 | <String> | Read-write | State of SSLv2 protocol support for the SSL Virtual Server.<br>Default value: DISABLED<br>Possible values = ENABLED, DISABLED |
| ssl3 | <String> | Read-write | State of SSLv3 protocol support for the SSL Virtual Server.<br>Default value: ENABLED<br>Possible values = ENABLED, DISABLED |
| tls1 | <String> | Read-write | State of TLSv1.0 protocol support for the SSL Virtual Server.<br>Default value: ENABLED<br>Possible values = ENABLED, DISABLED |
| tls11 | <String> | Read-write | State of TLSv1.1 protocol support for the SSL Virtual Server. TLSv1.1 protocol is supported only on the MPX appliance. Support is not available on a FIPS appliance or on a NetScaler VPX virtual appliance. On an SDX appliance, TLSv1.1 protocol is supported only if an SSL chip is assigned to the instance.<br>Default value: ENABLED<br>Possible values = ENABLED, DISABLED |
| tls12 | <String> | Read-write | State of TLSv1.2 protocol support for the SSL Virtual Server. TLSv1.2 protocol is supported only on the MPX appliance. Support is not available on a FIPS appliance or on a NetScaler VPX virtual appliance. On an SDX appliance, TLSv1.2 protocol is supported only if an SSL chip is assigned to the instance.<br>Default value: ENABLED<br>Possible values = ENABLED, DISABLED |
| snienable | <String> | Read-write | State of the Server Name Indication (SNI) feature on the virtual server and service-based offload. SNI helps to enable SSL encryption on multiple domains on a single virtual server or service if the domains are controlled by the same organization and share the same second-level domain name. For example, *.sports.net can be used to secure domains such as login.sports.net and help.sports.net.<br>Default value: DISABLED<br>Possible values = ENABLED, DISABLED |
| pushenctrigger | <String> | Read-write | Trigger encryption on the basis of the PUSH flag value. Available settings function as follows: * ALWAYS - Any PUSH packet triggers encryption. * IGNORE - Ignore PUSH packet for triggering encryption. * MERGE - For a consecutive sequence of PUSH packets, the last PUSH packet triggers encryption. * TIMER - PUSH packet triggering encryption is delayed by the time defined in the set ssl parameter command or in the Change Advanced SSL Settings dialog box.<br>Possible values = Always, Merge, Ignore, Timer |
| sendclosenotify | <String> | Read-write | Enable sending SSL Close-Notify at the end of a transaction.<br>Default value: YES<br>Possible values = YES, NO |
| dtlsprofilename | <String> | Read-write | Name of the DTLS profile whose settings are to be applied to the virtual server.<br>Minimum length = 1<br>Maximum length = 127 |
| sslprofile | <String> | Read-write | SSL profile associated to vserver.<br>Minimum length = 1<br>Maximum length = 127 |
| cipherdetails | <Boolean> | Read-write | Display details of the individual ciphers bound to the SSL virtual server. |
| crlcheck | <String> | Read-only | The state of the CRL check parameter. (Mandatory/Optional).<br>Possible values = Mandatory, Optional |
| service | <Double> | Read-only | Service. |
| servicename | <String> | Read-only | Service name. |
| ocspcheck | <String> | Read-only | The state of the OCSP check parameter. (Mandatory/Optional).<br>Possible values = Mandatory, Optional |
| ca | <Boolean> | Read-only | CA certificate. |
| snicert | <Boolean> | Read-only | The name of the CertKey. Use this option to bind Certkey(s) which will be used in SNI processing. |
| skipcaname | <Boolean> | Read-only | The flag is used to indicate whether this particular CA certificates CA_Name needs to be sent to the SSL client while requesting for client certificate in a SSL handshake. |
| dtlsflag | <Boolean> | Read-only | The flag is used to indicate whether DTLS is set or not. |
| __count | <Double> | Read-only | count parameter |
Operations
(click to see Properties)
UPDATE | UNSET | GET (ALL) | GET | COUNT
Some options that you can use for each operations:
Getting warnings in response: NITRO allows you to get warnings in an operation by specifying the "warning" query parameter as "yes". For example, to get warnings while connecting to the NetScaler appliance, the URL is as follows:
http://<netscaler-ip-address>/nitro/v1/config/login?warning=yes
If any, the warnings are displayed in the response payload with the HTTP code "209 X-NITRO-WARNING".
Authenticated access for individual NITRO operations: NITRO allows you to logon to the NetScaler appliance to perform individual operations. You can use this option instead of creating a NITRO session (using the login object) and then using that session to perform all operations,
To do this, you must specify the username and password in the request header of the NITRO request as follows:
X-NITRO-USER:<username>
X-NITRO-PASS:<password>
Note: In such cases, make sure that the request header DOES not include the following:
Cookie:NITRO_AUTH_TOKEN=<tokenvalue>
Note:
Mandatory parameters are marked in red and placeholder content is marked in <green>.
update
URL: http://<NSIP>/nitro/v1/config/
HTTP Method: PUT
Request Payload:
{
"params": {
"warning":<String_value>,
"onerror":<String_value>"
},
sessionid":"##sessionid",
"sslvserver":{
"vservername":<String_value>,
"cleartextport":<Integer_value>,
"dh":<String_value>,
"dhfile":<String_value>,
"dhcount":<Double_value>,
"ersa":<String_value>,
"ersacount":<Double_value>,
"sessreuse":<String_value>,
"sesstimeout":<Double_value>,
"cipherredirect":<String_value>,
"cipherurl":<String_value>,
"sslv2redirect":<String_value>,
"sslv2url":<String_value>,
"clientauth":<String_value>,
"clientcert":<String_value>,
"sslredirect":<String_value>,
"redirectportrewrite":<String_value>,
"nonfipsciphers":<String_value>,
"ssl2":<String_value>,
"ssl3":<String_value>,
"tls1":<String_value>,
"tls11":<String_value>,
"tls12":<String_value>,
"snienable":<String_value>,
"pushenctrigger":<String_value>,
"sendclosenotify":<String_value>,
"dtlsprofilename":<String_value>,
"sslprofile":<String_value>,
}}
Response Payload:
{ "errorcode": 0, "message": "Done", "severity":
unset
URL: http://<NSIP>/nitro/v1/config/
HTTP Method: POST
Request Payload:
object={
"params":{
"warning":<String_value>,
"onerror":<String_value>,
"action":"unset"
},
"sessionid":"##sessionid",
"sslvserver":{
"vservername":<String_value>,
"cleartextport":true,
"dh":true,
"dhfile":true,
"dhcount":true,
"ersa":true,
"ersacount":true,
"sessreuse":true,
"sesstimeout":true,
"cipherredirect":true,
"cipherurl":true,
"sslv2redirect":true,
"sslv2url":true,
"clientauth":true,
"clientcert":true,
"sslredirect":true,
"redirectportrewrite":true,
"nonfipsciphers":true,
"ssl2":true,
"ssl3":true,
"tls1":true,
"tls11":true,
"tls12":true,
"snienable":true,
"sendclosenotify":true,
"dtlsprofilename":true,
"sslprofile":true,
}}
Response Payload:
{ "errorcode": 0, "message": "Done", "severity":
get (all)
URL: http://<NSIP>/nitro/v1/config/sslvserver
Query-parameters:
args
http://<NSIP>/nitro/v1/config/sslvserver?args= "vservername":<String_value>, "cipherdetails":<Boolean_value>,
Use this query-parameter to get sslvserver resources based on additional properties.
filter
http://<NSIP>/nitro/v1/config/sslvserver?filter=property-name1:property-val1,property-name2:property-val2
Use this query-parameter to get the filtered set of sslvserver resources configured on NetScaler.Filtering can be done on any of the properties of the resource.
view
http://<NS_IP>/nitro/v1/config/sslvserver?view=summary
Use this query-parameter to get the summary output of sslvserver resources configured on NetScaler.
pagesize=#no;pageno=#no
http://<NS_IP>/nitro/v1/config/sslvserver?pagesize=#no;pageno=#no
Use this query-parameter to get the sslvserver resources in chunks.
warning
http://<NS_IP>/nitro/v1/config/sslvserver?warning=yes
Use this query parameter to get warnings in nitro response. If this field is set to YES, warning message will be sent in 'message' field and 'WARNING' value is set in severity field of the response in case there is a
HTTP Method: GET
Response Payload:
{ "errorcode": 0, "message": "Done", "severity": <String_value>, "sslvserver": [ {
"vservername":<String_value>,
"cipherdetails":<Boolean_value>,
"cleartextport":<Integer_value>,
"dh":<String_value>,
"dhfile":<String_value>,
"dhcount":<Double_value>,
"ersa":<String_value>,
"ersacount":<Double_value>,
"sessreuse":<String_value>,
"sesstimeout":<Double_value>,
"cipherredirect":<String_value>,
"crlcheck":<String_value>,
"cipherurl":<String_value>,
"sslv2redirect":<String_value>,
"sslv2url":<String_value>,
"clientauth":<String_value>,
"clientcert":<String_value>,
"sslredirect":<String_value>,
"redirectportrewrite":<String_value>,
"nonfipsciphers":<String_value>,
"ssl2":<String_value>,
"ssl3":<String_value>,
"tls1":<String_value>,
"tls11":<String_value>,
"tls12":<String_value>,
"snienable":<String_value>,
"service":<Double_value>,
"servicename":<String_value>,
"ocspcheck":<String_value>,
"pushenctrigger":<String_value>,
"ca":<Boolean_value>,
"snicert":<Boolean_value>,
"skipcaname":<Boolean_value>,
"sendclosenotify":<String_value>,
"dtlsprofilename":<String_value>,
"dtlsflag":<Boolean_value>,
"sslprofile":<String_value>
}]}
get
URL: http://<NS_IP>/nitro/v1/config/sslvserver/vservername_value<String>
HTTP Method: GET
Response Payload:
{ "errorcode": 0, "message": "Done", "sslvserver": [ {
"vservername":<String_value>,
"cipherdetails":<Boolean_value>,
"cleartextport":<Integer_value>,
"dh":<String_value>,
"dhfile":<String_value>,
"dhcount":<Double_value>,
"ersa":<String_value>,
"ersacount":<Double_value>,
"sessreuse":<String_value>,
"sesstimeout":<Double_value>,
"cipherredirect":<String_value>,
"crlcheck":<String_value>,
"cipherurl":<String_value>,
"sslv2redirect":<String_value>,
"sslv2url":<String_value>,
"clientauth":<String_value>,
"clientcert":<String_value>,
"sslredirect":<String_value>,
"redirectportrewrite":<String_value>,
"nonfipsciphers":<String_value>,
"ssl2":<String_value>,
"ssl3":<String_value>,
"tls1":<String_value>,
"tls11":<String_value>,
"tls12":<String_value>,
"snienable":<String_value>,
"service":<Double_value>,
"servicename":<String_value>,
"ocspcheck":<String_value>,
"pushenctrigger":<String_value>,
"ca":<Boolean_value>,
"snicert":<Boolean_value>,
"skipcaname":<Boolean_value>,
"sendclosenotify":<String_value>,
"dtlsprofilename":<String_value>,
"dtlsflag":<Boolean_value>,
"sslprofile":<String_value>
}]}
count
URL: http://<NS_IP>/nitro/v1/config/sslvserver?count=yes
HTTP Method: GET
Response Payload:
{ "errorcode": 0, "message": "Done",sslvserver: [ { "__count": "#no"} ] }