
Migrate the SSL configuration to the enhanced SSL profile

Note:

The terms “default” and “enhanced” are used interchangeably for the enhanced SSL profile.

A typical deployment has hundreds of virtual servers, services, and other SSL entities configured. Each entity might have its own SSL settings. Adding or changing a setting on all the entities can be a cumbersome process. To address this need and simplify the configuration process, you can use SSL profiles and attach them to different entities.

An SSL profile is a collection of SSL parameter settings for SSL entities, such as virtual servers, services (including internal services), and service groups. It offers ease of configuration and flexibility because you are not limited to configuring only one set of global parameters. There are two types of profiles:

  • Front-end profile: Applies to the entities that receive requests from a client.
  • Back-end profile: Applies to entities that send client requests to the back-end server.

Problem statement

When you enable the default profile, the inbuilt default SSL profiles are automatically bound to all the front-end and back-end SSL entities. These profiles come with their own default settings, so your custom settings are lost when you enable the default profile. Manually fixing a large configuration can be tedious, time-consuming, and error-prone. Therefore, customers are hesitant to migrate to the default profile.

Solution

From release 14.1 build 21.x, you can run a script from the NetScaler GUI that parses your configuration and creates custom profiles based on your existing settings. The script checks the configuration of your SSL entities and creates profiles for the same settings. Then, it sets the applicable profile for each SSL entity.

Perform the following steps to migrate the SSL configuration:

  1. Save the configuration.
  2. Run the script.
  3. Review the output file.
  4. Enable the default profile.
  5. Batch the file.

Important

Save the configuration before running the script. At the NetScaler CLI, type: save config. Also, ensure that the default profile is enabled before you batch the file. For a large configuration, running the script can take up to 30 minutes.

To migrate the SSL configuration by using the NetScaler GUI

  1. Navigate to System > Diagnostics. Under Maintenance, click Save configuration.
  2. Navigate to Traffic Management > SSL > Tools > SSL Profile Converter.
  3. Click Run SSL Profile Conversion.
  4. Click View File to review the output file. Click Download File to download the output file and review offline.
  5. Go back to the SSL page. Under Settings, click Change advanced SSL settings.
  6. In the Change Advanced SSL settings page, select Enable Default Profile.
  7. Navigate to System > Diagnostics. Under Utilities, click Batch configuration.
  8. Provide the File Path and click Run.

Result

When you run this script, it scans the existing NetScaler configuration file.

Output file location when using admin partitions and running the script from CLI: /nsconfig/partitions/<partition_name>/sslprofile_cmds.txt.

Output file location when using the default partition and running the script from CLI or GUI: /nsconfig/sslprofile_cmds.txt.

This file contains all the enhanced SSL profile commands corresponding to the existing configuration. You need to review the file and then batch it.

The custom profiles are created with the required settings based on your configuration. The applicable profile is bound to the various front-end and back-end SSL entities.

Your SSL entities now have the same settings as before the default profile was enabled. The difference is that these settings are now part of the SSL default profile. To change the settings on multiple SSL entities, you only have to modify the associated profile. The settings are applied to all the SSL entities that the profile is attached to.

To migrate the SSL configuration by using the NetScaler CLI

You can also run the script from the CLI. At the command prompt, type:

save config
convert SSL defaultprofile

The output file locations are listed in the Result section. You must review the file, enable the default profile, and then batch the file.
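The review step can be partly scripted offline on the downloaded file. The following Python sketch is an added example, not part of the NetScaler script or documentation: it maps each generated profile to the entities that reference it, flags profiles that carry legacy protocol switches over from the old configuration, and flags references to profiles the file never defines. The sample lines and profile names are constructed, and the assumption is that the file contains "add ssl profile" and "set ssl <entity> -sslProfile" commands.

```python
import shlex
from collections import defaultdict

# Constructed sample; the exact layout of the real output file is an assumption.
SAMPLE = """\
add ssl profile fe_prof_1 -sslProfileType FrontEnd -ssl3 DISABLED -tls1 DISABLED -tls12 ENABLED
add ssl profile fe_prof_2 -sslProfileType FrontEnd -ssl3 ENABLED -tls1 ENABLED -tls12 ENABLED
add ssl profile be_prof_1 -sslProfileType BackEnd -tls12 ENABLED
set ssl vserver vs_web -sslProfile fe_prof_1
set ssl vserver vs_legacy -sslProfile fe_prof_2
set ssl service svc_app -sslProfile be_prof_1
set ssl vserver vs_orphan -sslProfile fe_prof_9
"""
LEGACY = ("ssl3", "tls1", "tls11")  # protocol switches worth a second look
BUILTIN = {"ns_default_ssl_profile_frontend", "ns_default_ssl_profile_backend"}

def parse_options(tokens):
    """Turn ['-ssl3', 'ENABLED', ...] into {'ssl3': 'ENABLED', ...}."""
    opts, it = {}, iter(tokens)
    for tok in it:
        if tok.startswith("-"):
            opts[tok[1:].lower()] = next(it, "")
    return opts

def review(text):
    """Return (profiles, bindings, findings) for a batch file's contents."""
    profiles, bindings, findings = {}, defaultdict(list), []
    for line in text.splitlines():
        tok = shlex.split(line, comments=True)
        if len(tok) < 4 or tok[1].lower() != "ssl":
            continue
        opts = parse_options(tok[4:])
        if tok[0].lower() == "add" and tok[2].lower() == "profile":
            profiles[tok[3]] = opts
        elif tok[0].lower() == "set" and "sslprofile" in opts:
            bindings[opts["sslprofile"]].append(f"{tok[2]} {tok[3]}")
    for name, opts in profiles.items():
        on = [p for p in LEGACY if opts.get(p, "").upper() == "ENABLED"]
        if on:
            findings.append((name, "legacy protocols: " + ",".join(on), bindings.get(name, [])))
    for name, ents in bindings.items():
        if name not in profiles and name not in BUILTIN:
            findings.append((name, "profile not defined in file", ents))
    return profiles, dict(bindings), findings

if __name__ == "__main__":
    for name, issue, entities in review(SAMPLE)[2]:
        print(f"{name}: {issue} -> {', '.join(entities) or 'no entities'}")
```

To check a real output file, pass its contents to review() in place of SAMPLE.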
