Appendix A: Sample migration of the SSL configuration after upgrade

Sample settings on an SSL virtual server, service, and service group are shown below. On the virtual server, client authentication is ENABLED (default is DISABLED), and the AES cipher group is bound to the virtual server. On the service, server authentication is ENABLED (default is DISABLED), and the AES cipher group is bound to the service. The service group has the default settings.

sh ssl vserver v1

     Advanced SSL configuration for VServer v1:
     DH: DISABLED
     Ephemeral RSA: ENABLED          Refresh Count: 0
     Session Reuse: ENABLED          Timeout: 120 seconds
     Cipher Redirect: DISABLED
     SSLv2 Redirect: DISABLED
     ClearText Port: 0
     Client Auth: ENABLED Client Cert Required: Mandatory
     SSL Redirect: DISABLED
     Non FIPS Ciphers: DISABLED
     SNI: DISABLED
     SSLv2: DISABLED SSLv3: ENABLED  TLSv1.0: ENABLED  TLSv1.1: DISABLED  TLSv1.2: DISABLED
     Push Encryption Trigger: Always
     Send Close-Notify: YES
     ECC Curve: P_256, P_384, P_224, P_521
1)   CertKey Name: mycertkey    Server Certificate
1)   Cipher Name: AES
     Description: Predefined Cipher Alias
 Done
sh ssl service svc1

     Advanced SSL configuration for Back-end SSL Service svc1:
     DH: DISABLED
     Ephemeral RSA: DISABLED
     Session Reuse: ENABLED          Timeout: 300 seconds
     Cipher Redirect: DISABLED
     SSLv2 Redirect: DISABLED
     ClearText Port: 0
     Server Auth: ENABLED
     SSL Redirect: DISABLED
     Non FIPS Ciphers: DISABLED
     SNI: DISABLED
     SSLv2: DISABLED SSLv3: ENABLED  TLSv1.0: ENABLED  TLSv1.1: DISABLED  TLSv1.2: DISABLED
     Send Close-Notify: YES

1)   Cipher Name: AES
     Description: Predefined Cipher Alias
 Done
sh ssl serviceGroup

1) Service Group Name: sg1
     Session Reuse: ENABLED          Timeout: 300 seconds
     Server Auth: DISABLED
     Non FIPS Ciphers: DISABLED
     SSLv3: ENABLED  TLSv1.0: ENABLED
     Send Close-Notify: YES
 Done

The following procedure migrates the above configuration.

1. Save your configuration.

2. Run the migration script. You can redirect the output to a text file if you use the default names for the profiles. Type:

./default_profile_script /nsconfig/ns.conf -b > ssl_config.txt

Use an editor, such as vi, to view the changes. The output cannot be redirected if you provide the profile names interactively. The output is displayed on the console and you must copy and paste it into a text file to apply it to your configuration after the upgrade.

3. After the upgrade, enable the profile.

  • At the CLI, type: set ssl parameter -defaultProfile ENABLED
  • In the GUI, navigate to Traffic Management > SSL > Change advanced SSL settings, scroll down and select Enable Default Profile.

The interim output for the virtual server, service, and service group, for which three new profiles are created, is shown below. The default profiles are bound to these end points until you apply the changes in the text file that was created by running the migration script.

sh ssl vserver v1

Advanced SSL configuration for VServer v1:
Profile Name :ns_default_ssl_profile_frontend
1) CertKey Name: mycertkey Server Certificate
 Done
sh ssl service svc1

Advanced SSL configuration for Back-end SSL Service svc1:
Profile Name :ns_default_ssl_profile_backend
 Done
sh ssl serviceGroup sg1

Advanced SSL configuration for Back-end SSL Service Group sg1:
Profile Name :ns_default_ssl_profile_backend
 Done

4. You must now apply the configuration in ssl_config.txt to the current configuration, so that your non-default settings are applied after the upgrade.

batch -f /<path to the batch file>/ssl_config.txt

5. After applying the configuration, the output changes as follows:

show ssl vserver v1

     Advanced SSL configuration for VServer v1:
     Profile Name :profile-002

1)   CertKey Name: mycertkey    Server Certificate
 Done
show ssl service svc1

     Advanced SSL configuration for Back-end SSL Service svc1:
     Profile Name :profile-001
 Done
show ssl serviceGroup sg1

     Advanced SSL configuration for Back-end SSL Service Group sg1:
     Profile Name :profile-003
 Done
show ssl profile profile-002

1)   Name: profile-002    (Front-End)
     SSLv3: ENABLED  TLSv1.0: ENABLED  TLSv1.1: DISABLED  TLSv1.2: DISABLED
     Client Auth: ENABLED Client Cert Required: Mandatory
     Use only bound CA certificates: DISABLED
     Strict CA checks:          NO
     Session Reuse: ENABLED          Timeout: 120 seconds
     DH: DISABLED
     Ephemeral RSA: ENABLED          Refresh Count: 0
     Deny SSL Renegotiation          ALL
     Non FIPS Ciphers: DISABLED
     Cipher Redirect: DISABLED
     SSL Redirect: DISABLED
     Send Close-Notify: YES
     Push Encryption Trigger: Always
     PUSH encryption trigger timeout:     1 ms
     SNI: DISABLED
     Strict Host Header check for SNI enabled SSL sessions:          NO
     Push flag: 0x0 (Auto)
     SSL quantum size:          8 kB
     Encryption trigger timeout 100 mS
     Encryption trigger packet count:     45
     Subject/Issuer Name Insertion Format: Unicode
     ECC Curve: P_256, P_384, P_224, P_521

1)   Cipher Name: AES     Priority :1
     Description: Predefined Cipher Alias

1)   Vserver Name: v1
 Done
show ssl profile profile-001

1)   Name: profile-001    (Back-End)
     SSLv3: ENABLED  TLSv1.0: ENABLED  TLSv1.1: DISABLED  TLSv1.2: DISABLED
     Server Auth: ENABLED
     Use only bound CA certificates: DISABLED
     Strict CA checks:          NO
     Session Reuse: ENABLED          Timeout: 120 seconds
     Deny SSL Renegotiation          ALL
     Non FIPS Ciphers: DISABLED
     Send Close-Notify: YES
     Push Encryption Trigger: Always
     PUSH encryption trigger timeout:     1 ms
     Push flag: 0x0 (Auto)
     SSL quantum size:          8 kB
     Encryption trigger timeout 100 mS
     Encryption trigger packet count:     45

     ECC Curve: P_256, P_384, P_224, P_521

1)   Cipher Name: AES     Priority :1
     Description: Predefined Cipher Alias

1)   Service Name: svc1
 Done
show ssl profile profile-003

1)   Name: profile-003    (Back-End)
     SSLv3: ENABLED  TLSv1.0: ENABLED  TLSv1.1: DISABLED  TLSv1.2: DISABLED
     Server Auth: DISABLED
     Use only bound CA certificates: DISABLED
     Strict CA checks:          NO
     Session Reuse: ENABLED          Timeout: 120 seconds
     Deny SSL Renegotiation          ALL
     Non FIPS Ciphers: DISABLED
     Send Close-Notify: YES
     Push Encryption Trigger: Always
     PUSH encryption trigger timeout:     1 ms
     Push flag: 0x0 (Auto)
     SSL quantum size:          8 kB
     Encryption trigger timeout 100 mS
     Encryption trigger packet count:     45
     ECC Curve: P_256, P_384, P_224, P_521

1)   Cipher Name: ALL     Priority :1
     Description: Predefined Cipher Alias

1)   Service Name: sg1
 Done
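As an added check (not part of the original article and not a tool shipped with the product): after step 5, confirm that each migrated profile carries the same settings as the pre-upgrade end point, and review which protocol versions it still offers. The Python script below does this over constructed inputs abridged from the sample output on this page. The parser is a heuristic for the `Key: value` layout shown in that output and is an assumption, not a documented output format. Run against the page's own sample, it reports no changed settings between v1 and profile-002, a session reuse timeout of 300 seconds on svc1 versus 120 seconds on profile-001, and that the migrated profiles still enable SSLv3 and TLSv1.0 while TLSv1.2 is disabled.

```python
"""Verify a NetScaler SSL profile migration from captured CLI output.
Added example, not Citrix code: a heuristic, line-oriented parser for the
'show ssl ...' output format shown on this page."""
import re

# One 'Key: value' pair; a line may hold several, so finditer is used per line.
# Lines without a colon-separated value (section headers, 'Deny SSL
# Renegotiation ALL') are skipped on purpose.
PAIR_RE = re.compile(r"([A-Za-z][A-Za-z0-9 ./-]*?):[ \t]*(\S+)")

# Constructed inputs: abridged copies of the sample output on this page.
PRE_V1 = """\
     Advanced SSL configuration for VServer v1:
     Session Reuse: ENABLED          Timeout: 120 seconds
     Client Auth: ENABLED Client Cert Required: Mandatory
     Non FIPS Ciphers: DISABLED
     SSLv2: DISABLED SSLv3: ENABLED  TLSv1.0: ENABLED  TLSv1.1: DISABLED  TLSv1.2: DISABLED
     Send Close-Notify: YES
1)   Cipher Name: AES
"""
POST_PROFILE_002 = """\
1)   Name: profile-002    (Front-End)
     SSLv3: ENABLED  TLSv1.0: ENABLED  TLSv1.1: DISABLED  TLSv1.2: DISABLED
     Client Auth: ENABLED Client Cert Required: Mandatory
     Session Reuse: ENABLED          Timeout: 120 seconds
     Deny SSL Renegotiation          ALL
     Non FIPS Ciphers: DISABLED
     Send Close-Notify: YES
1)   Cipher Name: AES     Priority :1
"""
PRE_SVC1 = """\
     Advanced SSL configuration for Back-end SSL Service svc1:
     Session Reuse: ENABLED          Timeout: 300 seconds
     Server Auth: ENABLED
     Non FIPS Ciphers: DISABLED
     SSLv2: DISABLED SSLv3: ENABLED  TLSv1.0: ENABLED  TLSv1.1: DISABLED  TLSv1.2: DISABLED
     Send Close-Notify: YES
1)   Cipher Name: AES
"""
POST_PROFILE_001 = """\
1)   Name: profile-001    (Back-End)
     SSLv3: ENABLED  TLSv1.0: ENABLED  TLSv1.1: DISABLED  TLSv1.2: DISABLED
     Server Auth: ENABLED
     Session Reuse: ENABLED          Timeout: 120 seconds
     Non FIPS Ciphers: DISABLED
     Send Close-Notify: YES
1)   Cipher Name: AES     Priority :1
"""


def parse_settings(text):
    """Map every 'Key: value' pair in the output to its value (keys stripped of padding)."""
    settings = {}
    for line in text.splitlines():
        for match in PAIR_RE.finditer(line):
            settings[match.group(1).strip()] = match.group(2)
    return settings


def diff_settings(before, after):
    """Return {key: (before, after)} for settings present in both outputs whose value changed."""
    return {key: (before[key], after[key])
            for key in sorted(set(before) & set(after))
            if before[key] != after[key]}


def weak_protocols(settings):
    """Protocol settings a reviewer would flag on a migrated profile."""
    findings = []
    if settings.get("SSLv3") == "ENABLED":
        findings.append("SSLv3 is enabled; it is obsolete and should be disabled")
    if settings.get("TLSv1.0") == "ENABLED":
        findings.append("TLSv1.0 is enabled; it is deprecated (RFC 8996)")
    if settings.get("TLSv1.2") == "DISABLED":
        findings.append("TLSv1.2 is disabled; no current TLS version is offered")
    return findings


def review_migration(endpoint, pre_text, post_text):
    """Compare one end point's pre-upgrade settings with its migrated profile."""
    before, after = parse_settings(pre_text), parse_settings(post_text)
    return {"endpoint": endpoint,
            "profile": after.get("Name"),
            "changed": diff_settings(before, after),
            "weak": weak_protocols(after)}


if __name__ == "__main__":
    for report in (review_migration("v1", PRE_V1, POST_PROFILE_002),
                   review_migration("svc1", PRE_SVC1, POST_PROFILE_001)):
        print(f"{report['endpoint']} -> {report['profile']}")
        for key, (old, new) in report["changed"].items():
            print(f"  changed: {key}: {old} -> {new}")
        for finding in report["weak"]:
            print(f"  weak: {finding}")
```

In practice, capture the `show ssl vserver`, `show ssl service` and `show ssl serviceGroup` output before the upgrade and the `show ssl profile` output after step 5, and feed those captures in place of the constructed strings; settings that appear in only one of the two outputs (for example `Ephemeral RSA`, which the back-end profile does not list) are not compared, so review them by hand.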
