Product Documentation

ssl serviceGroup

Sep 12, 2016

The following operations can be performed on "ssl serviceGroup":

set ssl serviceGroup

Sets the advanced SSL configuration for an SSL service group.

Synopsys

set ssl serviceGroup <serviceGroupName>@ [-sslProfile <string>] [-sessReuse ( ENABLED | DISABLED ) [-sessTimeout <positive_integer>]] [-ssl3 ( ENABLED | DISABLED )] [-tls1 ( ENABLED | DISABLED )] [-tls11 ( ENABLED | DISABLED )] [-tls12 ( ENABLED | DISABLED )] [-SNIEnable ( ENABLED | DISABLED )] [-serverAuth ( ENABLED | DISABLED )] [-commonName <string>] [-sendCloseNotify ( YES | NO )]

Arguments

serviceGroupName

Name of the SSL service group for which to set advanced configuration.

sslProfile

Name of the SSL profile that contains SSL settings for the Service Group.

sessReuse

State of session reuse. Establishing the initial handshake requires CPU-intensive public key encryption operations. With the ENABLED setting, session key exchange is avoided for session resumption requests received from the client.

Possible values: ENABLED, DISABLED

Default value: ENABLED

sessTimeout

Time, in seconds, for which to keep the session active. Any session resumption request received after the timeout period will require a fresh SSL handshake and establishment of a new SSL session.

Default value: 300

Minimum value: 0

Maximum value: 4294967294

ssl3

State of SSLv3 protocol support for the SSL service group.

Possible values: ENABLED, DISABLED

Default value: ENABLED

tls1

State of TLSv1.0 protocol support for the SSL service group.

Possible values: ENABLED, DISABLED

Default value: ENABLED

tls11

State of TLSv1.1 protocol support for the SSL service group.

Possible values: ENABLED, DISABLED

Default value: ENABLED

tls12

State of TLSv1.2 protocol support for the SSL service group.

Possible values: ENABLED, DISABLED

Default value: ENABLED

SNIEnable

State of the Server Name Indication (SNI) feature on the service. SNI helps to enable SSL encryption on multiple domains on a single virtual server or service if the domains are controlled by the same organization and share the same second-level domain name. For example, *.sports.net can be used to secure domains such as login.sports.net and help.sports.net.

Possible values: ENABLED, DISABLED

Default value: DISABLED

serverAuth

State of server authentication support for the SSL service group.

Possible values: ENABLED, DISABLED

Default value: DISABLED

commonName

Name to be checked against the CommonName (CN) field in the server certificate bound to the SSL server

sendCloseNotify

Enable sending SSL Close-Notify at the end of a transaction

Possible values: YES, NO

Default value: YES

Example

1) set ssl servicegroup svcg1 -sessReuse DISABLED The above example disables session reuse for the service group 'svcg1'. 

unset ssl serviceGroup

Use this command to remove ssl serviceGroup settings.Refer to the set ssl serviceGroup command for meanings of the arguments.

Synopsys

unset ssl serviceGroup <serviceGroupName>@ [-sslProfile] [-sessReuse] [-sessTimeout] [-ssl3] [-tls1] [-tls11] [-tls12] [-SNIEnable] [-serverAuth] [-commonName] [-sendCloseNotify]

bind ssl serviceGroup

Bind a SSL certkey or a SSL policy to a SSL service.

Synopsys

bind ssl serviceGroup <serviceGroupName>@ ((-certkeyName <string> [(-CA [-crlCheck ( Mandatory | Optional ) | -ocspCheck ( Mandatory | Optional )]) | -SNICert] ) | -cipherName <string>) [-eccCurveName <eccCurveName>]

Arguments

serviceGroupName

The name of the SSL service to which the SSL policy needs to be bound.

certkeyName

The name of the CertKey

CA

CA certificate.

crlCheck

The rule for use of CRL corresponding to this CA certificate during client authentication. If crlCheck is set to Mandatory, the system will deny all SSL clients if the CRL is missing, expired - NextUpdate date is in the past, or is incomplete with remote CRL refresh enabled. If crlCheck is set to optional, the system will allow SSL clients in the above error cases.However, in any case if the client certificate is revoked in the CRL, the SSL client will be denied access.

Possible values: Mandatory, Optional

SNICert

The name of the CertKey. Use this option to bind Certkey(s) which will be used in SNI processing.

ocspCheck

The state of the OCSP check parameter. (Mandatory/Optional)

Possible values: Mandatory, Optional

cipherName

A cipher-suite can consist of an individual cipher name, the system predefined cipher-alias name, or user defined cipher-group name.

eccCurveName

Named ECC curve bound to service group

Possible values: ALL, P_224, P_256, P_384, P_521

Example

bind ssl service ssl_svc -policyName certInsert_pol -priority 10

unbind ssl serviceGroup

Unbind a SSL policy from a SSL service.

Synopsys

unbind ssl serviceGroup <serviceGroupName>@ ((-certkeyName <string> [(-CA [-crlCheck ( Mandatory | Optional )]) | -SNICert] ) | -cipherName <string>) [-eccCurveName <eccCurveName>]

Arguments

serviceGroupName

The name of the SSL service from which the SSL policy needs to be unbound.

certkeyName

The name of the certificate bound to the SSL service group.

CA

CA certificate.

crlCheck

The rule for use of CRL corresponding to this CA certificate during client authentication. If crlCheck is set to Mandatory, the system will deny all SSL clients if the CRL is missing, expired - NextUpdate date is in the past, or is incomplete with remote CRL refresh enabled. If crlCheck is set to optional, the system will allow SSL clients in the above error cases.However, in any case if the client certificate is revoked in the CRL, the SSL client will be denied access.

Possible values: Mandatory, Optional

SNICert

The name of the CertKey. Use this option to bind Certkey(s) which will be used in SNI processing.

cipherName

A cipher-suite can consist of an individual cipher name, the system predefined cipher-alias name, or user defined cipher-group name.

eccCurveName

Named ECC curve bound to service group

Possible values: ALL, P_224, P_256, P_384, P_521

Example

unbind ssl service ssl_svc -policyName certInsert_pol

show ssl serviceGroup

Displays information about SSL-specific configuration for all SSL service groups, or displays detailed information about the specified SSL service group.

Synopsys

show ssl serviceGroup [<serviceGroupName>]

Arguments

serviceGroupName

Name of the SSL service group for which to show detailed information.

Outputs

dh

The state of DH key exchange support for the SSL service group.

dhFile

The file name and path for the DH parameter.

dhCount

The refresh count for the re-generation of DH public-key and private-key from the DH parameter.

dhKeyExpSizeLimit

This option enables the use of NIST recommended (NIST Special Publication 800-56A) bit size for private-key size. For example, for DH params of size 2048bit, the private-key size recommended is 224bits. This is rounded-up to 256bits.

eRSA

The state of Ephemeral RSA key exchange support for the SSL service group.Ephemeral RSA is used for export ciphers.

eRSACount

The refresh count for the re-generation of RSA public-key and private-key pair.

sessReuse

The state of session re-use support for the SSL service group.

sessTimeout

The Session timeout value in seconds.

cipherRedirect

The state of Cipher Redirect feature. Cipher Redirect feature can be used to provide more readable information to SSL clients about mismatch in ciphers between the client and the SSL vserver.

cipherURL

The redirect URL to be used with the Cipher Redirect feature.

sslv2Redirect

The state of SSLv2 Redirect feature.SSLv2 Redirect feature can be used to provide more readable information to SSL client about non-support of SSLv2 protocol on the SSL vserver.

sslv2URL

The redirect URL to be used with SSLv2 Redirect feature.

clientAuth

The state of Client-Authentication support for the SSL service group.

clientCert

The rule for client certificate requirement in client authentication.

sslRedirect

The state of HTTPS redirects for the SSL service group.

This is required for the proper functioning of the redirect messages from the server. The redirect message from the server provides the new location for the moved object. This is contained in the HTTP header field: Location, e.g. Location: http://www.moved.org/here.html

For the SSL session, if the client browser receives this message, the browser will try to connect to the new location. This will break the secure SSL session, as the object has moved from a secure site (https://) to an un-secure one (http://). Generally browsers flash a warning message on the screen and prompt the user, either to continue or disconnect.

The above feature, when enabled will automatically convert all such http:// redirect message to https://. This will not break the client SSL session.

Note: The set ssl service command can be used for configuring a front-end SSL service for service based SSL Off-Loading, or a backend SSL service for backend-encryption setup.

redirectPortRewrite

The state of port-rewrite feature.

nonFipsCiphers

The state of usage of non FIPS approved ciphers.

ssl2

The state of SSLv2 protocol support for the SSL service group.

ssl3

State of SSLv3 protocol support for the SSL service group.

tls1

State of TLSv1.0 protocol support for the SSL service group.

tls11

State of TLSv1.1 protocol support for the SSL service group.

tls12

State of TLSv1.2 protocol support for the SSL service group.

SNIEnable

The state of SNI extension. Server Name Indication (SNI) helps to enable SSL encryption on multiple subdomains if the domains are controlled by the same organization and share the same second-level domain name.

serverAuth

The state of the server authentication configuration for the SSL service group. For SSL deployments where data is encrypted end-to-end using SSL, you can authenticate the server.

commonName

Name to be checked against the CommonName (CN) field in the server certificate bound to the SSL server

cipherAliasName/cipherName/cipherGroupName

The name of the cipher group/alias/name configured for the SSL service group.

cipherName

The name of the cipher group/alias/name configured for the SSL service group.

ocspCheck

The state of the OCSP check parameter. (Mandatory/Optional)

crlCheck

The state of the CRL check parameter. (Mandatory/Optional)

description

The description of the cipher.

certkeyName

The name of the certificate bound to the SSL service group.

clearTextPort

The port on the back-end web-servers where the clear-text data is sent by system. Use this setting for the wildcard IP based SSL Acceleration configuration (*:443).

serviceName

The service name.

CA

CA certificate.

SNICert

The name of the CertKey. Use this option to bind Certkey(s) which will be used in SNI processing.

stateflag

sendCloseNotify

Enable sending SSL Close-Notify at the end of a transaction

eccCurveName

Named ECC curve bound to servicegroup.

sslProfile

Name of the SSL profile that contains SSL settings for the Service Group.

devno

count

Example

An example of output of show ssl servicegroup command is as shown below show ssl servicegroup ssl_svcg          Advanced SSL configuration for Back-end SSL Service Group ssl_svcg:         Session Reuse: ENABLED          Timeout: 300 seconds         Server Auth: DISABLED         Non FIPS Ciphers: DISABLED         SSLv3: ENABLED  TLSv1: ENABLED  1)      Cipher Name: ALL         Description: Predefined Cipher Alias