ADC

SSL policy labels

Policy labels are holders for policies. A policy label helps in managing a group of policies, called a policy bank, which can be invoked from another policy. SSL policy labels can be control labels or data labels, depending on the type of policies that are included in the policy label. You can add only data policies in a data policy label and only control policies in a control policy label. To create the policy bank, bind policies to the label and specify the order of evaluation of each policy relative to others in the bank of policies for the policy label. At the CLI, you enter two commands to create a policy label and bind policies to the policy label. In the configuration utility, you select options from a dialog box.

Note: Policy labels of type control are not supported with the TLS 1.3 protocol.

Create an SSL policy label and bind policies to the label by using the CLI

At the command prompt, type:

add ssl policylabel <labelName> -type ( CONTROL | DATA )

bind ssl policylabel <labelName> <policyName> <priority> [<gotoPriorityExpression>] [-invoke (<labelType> <labelName>) ]
<!--NeedCopy-->

Example:

add ssl policylabel cpl1 -type CONTROL
add ssl policylabel dpl1 -type DATA

add ssl action act1 -clientauth DOCLIENTAUTH
add ssl policy ctrlpol -rule HTTP.REQ.METHOD.EQ("GET") -action act1

add ssl action act2 -clientCert ENABLED -certHeader "X-Client-Cert"
add ssl policy datapol -rule CLIENT.SSL.CLIENT_CERT.EXISTS -action act2

bind ssl policylabel cpl1 ctrlpol 1
bind ssl policylabel dpl1 datapol 1

> sh ssl policylabel
Control policylabels
1)    Label Name: cpl1
    Type: CONTROL
    Number of bound policies: 1
    Number of times invoked: 0

Data policylabels
1)  Label Name: dpl1
    Type: DATA
    Number of bound policies: 1
    Number of times invoked: 0
Done
>
<!--NeedCopy-->

Configure an SSL policy label and bind policies to the label by using the GUI

Navigate to Traffic Management > SSL > Policy Labels, and configure an SSL policy label.

SSL policy labels