Configuring User-Defined Cipher Groups on the NetScaler Appliance

Sep 01, 2016
A cipher group is a set of cipher suites that you bind to an SSL virtual server, service, or service group on the NetScaler appliance. A cipher suite comprises a protocol, a key exchange (Kx) algorithm, an authentication (Au) algorithm, an encryption (Enc) algorithm, and a message authentication code (Mac) algorithm. Your appliance ships with a predefined set of cipher groups. When you create an SSL service or SSL service group, the ALL cipher group is automatically bound to it. However, when you create an SSL virtual server or a transparent SSL service, the DEFAULT cipher group is automatically bound to it. In addition, you can create a user-defined cipher group and bind it to an SSL virtual server, service, or service group.
Note: If your MPX appliance does not have any licenses, then only the EXPORT cipher is bound to your SSL virtual server, service, or service group.

To create a user-defined cipher group, first you create a cipher group and then you bind ciphers or cipher groups to this group. If you specify a cipher alias or a cipher group, all the ciphers in the cipher alias or group are added to the user-defined cipher group. You can also add individual ciphers (cipher suites) to a user-defined group. However, you cannot modify a predefined cipher group. Before removing a cipher group, unbind all the cipher suites in the group.

If you bind a cipher group to an SSL virtual server, service, or service group, the ciphers are appended to the existing ciphers that are bound to the entity. To bind a specific cipher group to the entity, you must first unbind the ciphers or cipher group that is bound to the entity and then bind the specific cipher group. For example, to bind only the AES cipher group to an SSL service, you perform the following steps:
  1. Unbind the ALL cipher group, which is bound to the service by default when the service is created.

    unbind ssl service <service name> -cipherName ALL

  2. Bind the AES cipher group to the service.

    bind ssl service <service name> -cipherName AES

If you want to bind the cipher group DES in addition to AES, at the command prompt, type:
  • bind ssl service <service name> -cipherName DES
Note: The free NetScaler virtual appliance supports only the DH cipher group.

To configure a user-defined cipher group by using the command line interface

At the command prompt, type the following commands to add a cipher group, or to add ciphers to a previously created group, and verify the settings:

  • add ssl cipher <cipherGroupName>
  • bind ssl cipher <cipherGroupName> -cipherName <string>
  • show ssl cipher <cipherGroupName>

Example

 > add ssl cipher test
 Done
 > bind ssl cipher test -cipherName SSLv2
 Done
 > show ssl cipher test
 1)      Cipher Name: SSL2-RC2-CBC-MD5
 Description: SSLv2 Kx=RSA      Au=RSA  Enc=RC2(128)  Mac=MD5
 2)      Cipher Name: SSL2-RC4-MD5
 Description: SSLv2 Kx=RSA      Au=RSA  Enc=RC4(128)  Mac=MD5
 3)      Cipher Name: SSL2-DES-CBC3-MD5
 Description: SSLv2 Kx=RSA      Au=RSA  Enc=3DES(168) Mac=MD5
 4)      Cipher Name: SSL2-DES-CBC-MD5
 Description: SSLv2 Kx=RSA      Au=RSA  Enc=DES(56)   Mac=MD5
 5)      Cipher Name: SSL2-RC4-64-MD5
 Description: SSLv2 Kx=RSA      Au=RSA  Enc=RC4(64)   Mac=MD5
 6)      Cipher Name: SSL2-EXP-RC4-MD5
 Description: SSLv2 Kx=RSA(512) Au=RSA  Enc=RC4(40)   Mac=MD5  Export
 7)      Cipher Name: SSL2-EXP-RC2-CBC-MD5
 Description: SSLv2 Kx=RSA(512) Au=RSA  Enc=RC2(40)   Mac=MD5  Export
 Done

To unbind ciphers from a cipher group by using the command line interface

At the command prompt, type the following commands to unbind ciphers from a user-defined cipher group, and verify the settings:

  • show ssl cipher <cipherGroupName>
  • unbind ssl cipher <cipherGroupName> -cipherName <string>
  • show ssl cipher <cipherGroupName>

Example

 > show ssl cipher test 
 1) Cipher Name: SSL2-RC2-CBC-MD5 
 Description: SSLv2 Kx=RSA Au=RSA Enc=RC2(128) Mac=MD5 
 2) Cipher Name: SSL2-RC4-MD5 
 Description: SSLv2 Kx=RSA Au=RSA Enc=RC4(128) Mac=MD5 
 3) Cipher Name: SSL2-DES-CBC3-MD5 
 Description: SSLv2 Kx=RSA Au=RSA Enc=3DES(168) Mac=MD5 
 4) Cipher Name: SSL2-DES-CBC-MD5 
 Description: SSLv2 Kx=RSA Au=RSA Enc=DES(56) Mac=MD5 
 5) Cipher Name: SSL2-RC4-64-MD5 
 Description: SSLv2 Kx=RSA Au=RSA Enc=RC4(64) Mac=MD5 
 6) Cipher Name: SSL2-EXP-RC4-MD5 
 Description: SSLv2 Kx=RSA(512) Au=RSA Enc=RC4(40) Mac=MD5 Export 
 7) Cipher Name: SSL2-EXP-RC2-CBC-MD5 
 Description: SSLv2 Kx=RSA(512) Au=RSA Enc=RC2(40) Mac=MD5 Export 
 Done 
 
 > unbind ssl cipher test -cipherName SSL2-RC2-CBC-MD5  
 
 > show ssl cipher test 
 1) Cipher Name: SSL2-RC4-MD5 
 Description: SSLv2 Kx=RSA Au=RSA Enc=RC4(128) Mac=MD5 
 2) Cipher Name: SSL2-DES-CBC3-MD5 
 Description: SSLv2 Kx=RSA Au=RSA Enc=3DES(168) Mac=MD5 
 3) Cipher Name: SSL2-DES-CBC-MD5 
 Description: SSLv2 Kx=RSA Au=RSA Enc=DES(56) Mac=MD5 
 4) Cipher Name: SSL2-RC4-64-MD5 
 Description: SSLv2 Kx=RSA Au=RSA Enc=RC4(64) Mac=MD5 
 5) Cipher Name: SSL2-EXP-RC4-MD5 
 Description: SSLv2 Kx=RSA(512) Au=RSA Enc=RC4(40) Mac=MD5 Export 
 6) Cipher Name: SSL2-EXP-RC2-CBC-MD5 
 Description: SSLv2 Kx=RSA(512) Au=RSA Enc=RC2(40) Mac=MD5 Export 
 Done 
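The `show ssl cipher` output in the two examples above is what you verify against after binding or unbinding. As an added example that is not part of this documentation, the following Python parses that output layout (the Cipher Name line followed by its Kx/Au/Enc/Mac Description line) and flags suites that should not remain in a production group; the sample output is constructed, the AES entry in it is made up, and the weakness rules are this example's own, not NetScaler's.

```python
import re

# Constructed sample in the layout printed by `show ssl cipher <group>`: the first
# three entries are copied from this page's output, the AES entry is made up here.
SAMPLE_OUTPUT = """\
> show ssl cipher test
1)      Cipher Name: SSL2-RC2-CBC-MD5
Description: SSLv2 Kx=RSA      Au=RSA  Enc=RC2(128)  Mac=MD5
2)      Cipher Name: SSL2-DES-CBC3-MD5
Description: SSLv2 Kx=RSA      Au=RSA  Enc=3DES(168) Mac=MD5
3)      Cipher Name: SSL2-EXP-RC4-MD5
Description: SSLv2 Kx=RSA(512) Au=RSA  Enc=RC4(40)   Mac=MD5  Export
4)      Cipher Name: TLS1-AES-256-CBC-SHA
Description: TLSv1 Kx=RSA      Au=RSA  Enc=AES(256)  Mac=SHA1
 Done
"""

NAME_RE = re.compile(r"^\s*\d+\)\s+Cipher Name:\s+(\S+)")
DESC_RE = re.compile(
    r"^\s*Description:\s+(?P<proto>\S+)\s+Kx=(?P<kx>\S+)\s+Au=(?P<au>\S+)\s+"
    r"Enc=(?P<enc>[A-Za-z0-9-]+)\((?P<bits>\d+)\)\s+Mac=(?P<mac>\S+)(?P<export>\s+Export)?"
)

def parse_show_ssl_cipher(text: str) -> list[dict]:
    """Pair each 'N) Cipher Name:' line with the 'Description:' line that follows it."""
    suites, pending = [], None
    for line in text.splitlines():
        if m := NAME_RE.match(line):
            pending = m.group(1)
        elif pending and (m := DESC_RE.match(line)):
            suite = m.groupdict()
            suite.update(name=pending, bits=int(suite["bits"]), export=bool(suite["export"]))
            suites.append(suite)
            pending = None
    return suites

def weak_reasons(s: dict) -> list[str]:
    """Why a suite should not stay in a production group; an empty list means acceptable."""
    checks = [
        (s["proto"] == "SSLv2", "SSLv2 protocol"),
        (s["export"], "export-grade key exchange"),
        (s["enc"] in ("RC2", "RC4", "DES", "3DES"), f'{s["enc"]} encryption'),
        (s["bits"] < 128, f'{s["bits"]}-bit key'),
        (s["mac"] == "MD5", "MD5 MAC"),
    ]
    return [reason for hit, reason in checks if hit]

def audit_cipher_group(text: str) -> dict[str, list[str]]:
    """Map every cipher in the group to its weaknesses; a clean group has all-empty lists."""
    return {s["name"]: weak_reasons(s) for s in parse_show_ssl_cipher(text)}
```

Paste the real `show ssl cipher <cipherGroupName>` output into `audit_cipher_group` after each bind or unbind; any cipher whose list is not empty is a candidate for `unbind ssl cipher`.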

To remove a cipher group by using the command line interface

Note: You cannot remove a built-in cipher group. Before removing a user-defined cipher group, make sure that the cipher group is empty.

At the command prompt, type the following commands to remove a user-defined cipher group, and verify the configuration:

  • rm ssl cipher <userDefCipherGroupName> [<cipherName> ...]
  • show ssl cipher <cipherGroupName>

Example

 > rm ssl cipher test 
 Done 
 
 > sh ssl cipher test 
 ERROR: No such resource [cipherGroupName, test] 

To configure a user-defined cipher group by using the configuration utility

Navigate to Traffic Management > SSL > Cipher Groups, and configure a cipher group.

To bind a cipher group to an SSL virtual server, service, or service group by using the command line interface

At the command prompt, type one of the following:

  • bind ssl vserver <vServerName> -cipherName <string>
  • bind ssl service <serviceName> -cipherName <string>
  • bind ssl serviceGroup <serviceGroupName> -cipherName <string>

Examples

 > bind ssl vserver ssl_vserver_test -cipherName test
 Done
 > bind ssl service nshttps -cipherName test
 Done
 > bind ssl servicegroup ssl_svc -cipherName test
 Done

To bind a cipher group to an SSL virtual server, service, or service group by using the configuration utility

  1. Navigate to Traffic Management > Load Balancing > Virtual Servers, Traffic Management > Load Balancing > Services, or Traffic Management > Load Balancing > Service Groups, and open the virtual server, service, or service group.
  2. In Advanced Settings, select SSL Ciphers, and bind a cipher group to the virtual server, service, or service group.