NetScaler

SSL built-in actions and user-defined actions

September 21, 2020

Contributed by:

S S

Unless you need only the built-in actions in your policies, you must create the actions before creating the policies. Then, you can specify the actions when you create the policies. The built-in actions are of two types, control actions and data actions. You use control actions in control policies, and data actions in data policies.

The built-in control actions are:

CLIENTAUTH—Perform client certificate authentication.
NOCLIENTAUTH—Do not perform client certificate authentication.

The built-in data actions are:

RESET—Close the connection by sending an RST packet to the client.
DROP—Drop all packets from the client. The connection remains open until the client closes it.
NOOP—Forward the packet without performing any operation on it.

You can create user-defined data actions. For example, if you enable client authentication, you can create an SSL action to insert client-certificate data into the request header before forwarding the request to the web server.

If a policy evaluation results in an undefined state, an UNDEF action is performed. For either a data policy or a control policy, you can specify RESET, DROP, or NOOP as the UNDEF action. For a control policy, you also have the option of specifying CLIENTAUTH or NOCLIENTAUTH.

Examples of built-in actions in a policy

In the following example, if the client sends a cipher other than an EXPORT category cipher, the NetScaler appliance requests client authentication. The client has to provide a valid certificate for a successful transaction.

add ssl policy pol1 -rule CLIENT.SSL.CIPHER_EXPORTABLE.NOT -reqAction CLIENTAUTH
<!--NeedCopy-->

The following examples assume that client authentication is enabled.

If the version in the certificate provided by the user matches the version in the policy, no action is taken and the packet is forwarded:

add ssl policy pol1 -rule CLIENT.SSL.CLIENT_CERT.VERSION.EQ(2) -reqAction NOOP
<!--NeedCopy-->

If the version in the certificate provided by the user matches the version in the policy, the connection is dropped:

add ssl policy pol1 -rule CLIENT.SSL.CLIENT_CERT.VERSION.EQ(2) -reqAction DROP
<!--NeedCopy-->

If the version in the certificate provided by the user matches the version in the policy, the connection is reset:

add ssl policy pol1 -rule CLIENT.SSL.CLIENT_CERT.VERSION.EQ(2) -reqAction RESET
<!--NeedCopy-->

User-defined SSL actions

In addition to built-in actions, you can also configure other SSL actions depending on your deployment. These actions are called user-defined actions.

Configure a user-defined SSL action by using the CLI

At the command prompt, type the following commands to configure an action and verify the configuration:

add SSL action <name> -clientAuth(DOCLIENTAUTH | NOCLIENTAUTH) -clientCert (ENABLED | DISABLED) certHeader <string> -clientHeader <string> -clientCertSerialNumber (ENABLED | DISABLED) -certSerialHeader <string> -clientCertSubject (ENABLED | DISABLED) -certSubjectHeader <string> -clientCertHash (ENABLED | DISABLED) -certHashHeader <string> -clientCertIssuer (ENABLED | DISABLED) -certIssuerHeader <string> -sessionID (ENABLED | DISABLED) -sessionIDheader <string> -cipher (ENABLED | DISABLED) -cipherHeader <string> -clientCertNotBefore (ENABLED | DISABLED) -certNotBeforeHeader <string> -clientCertNotAfter (ENABLED | DISABLED) -certNotAfterHeader <string> -OWASupport (ENABLED | DISABLED)
<!--NeedCopy-->

show ssl action [<name>]
<!--NeedCopy-->

Example:

add ssl action Action-SSL-ClientCert -clientCert ENABLED -certHeader "X-Client-Cert"
<!--NeedCopy-->

show ssl action Action-SSL-ClientCert

1)      Name: Action-SSL-ClientCert

        Data Insertion Action:

        Cert Header: ENABLED            Cert Tag: X-Client-Cert

Done
<!--NeedCopy-->

Configure a user-defined SSL action by using the GUI

Navigate to Traffic Management > SSL > Policies and, on the Actions tab, click Add.

The official version of this content is in English. Some of the Citrix documentation content is machine translated for your convenience only. Citrix has no control over machine-translated content, which may contain errors, inaccuracies or unsuitable language. No warranty of any kind, either expressed or implied, is made as to the accuracy, reliability, suitability, or correctness of any translations made from the English original into any other language, or that your Citrix product or service conforms to any machine translated content, and any warranty provided under the applicable end user license agreement or terms of service, or any other agreement with Citrix, that the product or service conforms with any documentation shall not apply to the extent that such documentation has been machine translated. Citrix will not be held responsible for any damage or issues that may arise from using machine-translated content.

SSL built-in actions and user-defined actions

September 21, 2020

Contributed by:

S S

September 21, 2020

Contributed by:

S S

SSL built-in actions and user-defined actions

Examples of built-in actions in a policy

User-defined SSL actions

Configure a user-defined SSL action by using the CLI

Configure a user-defined SSL action by using the GUI

In this article