Product Documentation

Appendix A: Sample Migration of the SSL Configuration after Upgrade

Sep 01, 2016

Sample settings on an SSL virtual server, service, and service group are shown below. On the virtual server, client authentication is ENABLED (default is DISABLED), and the AES cipher group is bound to the virtual server. On the service, server authentication is ENABLED (default is DISABLED), and the AES cipher group is bound to the service. The service group has the default settings.

> sh ssl vserver v1

     Advanced SSL configuration for VServer v1:
     DH: DISABLED
     Ephemeral RSA: ENABLED          Refresh Count: 0
     Session Reuse: ENABLED          Timeout: 120 seconds
     Cipher Redirect: DISABLED
     SSLv2 Redirect: DISABLED
     ClearText Port: 0
     Client Auth: ENABLED Client Cert Required: Mandatory
     SSL Redirect: DISABLED
     Non FIPS Ciphers: DISABLED
     SNI: DISABLED
     SSLv2: DISABLED SSLv3: ENABLED  TLSv1.0: ENABLED  TLSv1.1: DISABLED  TLSv1.2: DISABLED
     Push Encryption Trigger: Always
     Send Close-Notify: YES

     ECC Curve: P_256, P_384, P_224, P_521

1)   CertKey Name: mycertkey    Server Certificate

1)   Cipher Name: AES
     Description: Predefined Cipher Alias
 Done

> sh ssl service svc1

     Advanced SSL configuration for Back-end SSL Service svc1:
     DH: DISABLED
     Ephemeral RSA: DISABLED
     Session Reuse: ENABLED          Timeout: 300 seconds
     Cipher Redirect: DISABLED
     SSLv2 Redirect: DISABLED
     ClearText Port: 0
     Server Auth: ENABLED
     SSL Redirect: DISABLED
     Non FIPS Ciphers: DISABLED
     SNI: DISABLED
     SSLv2: DISABLED SSLv3: ENABLED  TLSv1.0: ENABLED  TLSv1.1: DISABLED  TLSv1.2: DISABLED
     Send Close-Notify: YES

1)   Cipher Name: AES
     Description: Predefined Cipher Alias
 Done

> sh ssl serviceGroup

1) Service Group Name: sg1
     Session Reuse: ENABLED          Timeout: 300 seconds
     Server Auth: DISABLED
     Non FIPS Ciphers: DISABLED
     SSLv3: ENABLED  TLSv1.0: ENABLED
     Send Close-Notify: YES
 Done

The following procedure migrates the above configuration.

1. Save your configuration.

2. Run the migration script. You can redirect the output to a text file if you use the default names for the profiles. Type:

./default_profile_script /nsconfig/ns.conf -b > ssl_config.txt

Use an editor, such as vi, to view the changes. The output cannot be redirected if you provide the profile names interactively. The output is displayed on the console and you must copy and paste it into a text file to apply it to your configuration after the upgrade.

3. After the upgrade, enable the profile.

  • At the command line, type: set ssl parameter -defaultProfile ENABLED
  • In the GUI, navigate to Traffic Management > SSL > Change advanced SSL settings, scroll down and select Enable Default Profile.

The interim output, before the three new profiles for the virtual server, service, and service group are applied, is shown below. The default profiles remain bound to the end points until you apply the changes in the text file that the migration script created.

> sh ssl vserver v1

Advanced SSL configuration for VServer v1:
Profile Name :ns_default_ssl_profile_frontend
1) CertKey Name: mycertkey Server Certificate
 Done

> sh ssl service svc1

Advanced SSL configuration for Back-end SSL Service svc1:
Profile Name :ns_default_ssl_profile_backend
 Done

> sh ssl serviceGroup sg1

Advanced SSL configuration for Back-end SSL Service Group sg1:
Profile Name :ns_default_ssl_profile_backend
 Done

4. Apply the configuration in ssl_config.txt to the running configuration, so that your non-default settings are restored after the upgrade. Type:

batch -f /<path to the batch file>/ssl_config.txt

5. After applying the configuration, the output changes as follows:

> show ssl vserver v1

     Advanced SSL configuration for VServer v1:
     Profile Name :profile-002

1)   CertKey Name: mycertkey    Server Certificate
 Done

> show ssl service svc1

     Advanced SSL configuration for Back-end SSL Service svc1:
     Profile Name :profile-001
 Done

> show ssl serviceGroup sg1

     Advanced SSL configuration for Back-end SSL Service Group sg1:
     Profile Name :profile-003
 Done

> show ssl profile profile-002

1)   Name: profile-002    (Front-End)
     SSLv3: ENABLED  TLSv1.0: ENABLED  TLSv1.1: DISABLED  TLSv1.2: DISABLED
     Client Auth: ENABLED Client Cert Required: Mandatory
     Use only bound CA certificates: DISABLED
     Strict CA checks:          NO
     Session Reuse: ENABLED          Timeout: 120 seconds
     DH: DISABLED
     Ephemeral RSA: ENABLED          Refresh Count: 0
     Deny SSL Renegotiation          ALL
     Non FIPS Ciphers: DISABLED
     Cipher Redirect: DISABLED
     SSL Redirect: DISABLED
     Send Close-Notify: YES
     Push Encryption Trigger: Always
     PUSH encryption trigger timeout:     1 ms
     SNI: DISABLED
     Strict Host Header check for SNI enabled SSL sessions:          NO
     Push flag: 0x0 (Auto)
     SSL quantum size:          8 kB
     Encryption trigger timeout 100 mS
     Encryption trigger packet count:     45
     Subject/Issuer Name Insertion Format: Unicode

     ECC Curve: P_256, P_384, P_224, P_521

1)   Cipher Name: AES     Priority :1
     Description: Predefined Cipher Alias

1)   Vserver Name: v1
 Done

> show ssl profile profile-001

1)   Name: profile-001    (Back-End)
     SSLv3: ENABLED  TLSv1.0: ENABLED  TLSv1.1: DISABLED  TLSv1.2: DISABLED
     Server Auth: ENABLED
     Use only bound CA certificates: DISABLED
     Strict CA checks:          NO
     Session Reuse: ENABLED          Timeout: 120 seconds
     Deny SSL Renegotiation          ALL
     Non FIPS Ciphers: DISABLED
     Send Close-Notify: YES
     Push Encryption Trigger: Always
     PUSH encryption trigger timeout:     1 ms
     Push flag: 0x0 (Auto)
     SSL quantum size:          8 kB
     Encryption trigger timeout 100 mS
     Encryption trigger packet count:     45

     ECC Curve: P_256, P_384, P_224, P_521

1)   Cipher Name: AES     Priority :1
     Description: Predefined Cipher Alias

1)   Service Name: svc1
 Done

> show ssl profile profile-003

1)   Name: profile-003    (Back-End)
     SSLv3: ENABLED  TLSv1.0: ENABLED  TLSv1.1: DISABLED  TLSv1.2: DISABLED
     Server Auth: DISABLED
     Use only bound CA certificates: DISABLED
     Strict CA checks:          NO
     Session Reuse: ENABLED          Timeout: 120 seconds
     Deny SSL Renegotiation          ALL
     Non FIPS Ciphers: DISABLED
     Send Close-Notify: YES
     Push Encryption Trigger: Always
     PUSH encryption trigger timeout:     1 ms
     Push flag: 0x0 (Auto)
     SSL quantum size:          8 kB
     Encryption trigger timeout 100 mS
     Encryption trigger packet count:     45

     ECC Curve: P_256, P_384, P_224, P_521

1)   Cipher Name: ALL     Priority :1
     Description: Predefined Cipher Alias

1)   Service Name: sg1
 Done
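As an added check after step 5 (example code written for this appendix, not part of the product documentation or of the migration script), the following Python parser reads the "show ssl" output format used above, compares an entity's pre-upgrade settings with the profile that is bound to it after the batch file runs, and reports values that changed and settings the profile output no longer shows. The embedded sample input is abridged from the svc1 and profile-001 output on this page; the regular expression assumes the "Key: VALUE" layout shown in that output.

```python
import re

# Abridged from the sample output on this page: the back-end service svc1 before
# the upgrade and profile-001, which the batch file binds to it afterwards.
SERVICE_BEFORE = """\
     Session Reuse: ENABLED          Timeout: 300 seconds
     Server Auth: ENABLED
     Non FIPS Ciphers: DISABLED
     SSLv2: DISABLED SSLv3: ENABLED  TLSv1.0: ENABLED  TLSv1.1: DISABLED  TLSv1.2: DISABLED
     Send Close-Notify: YES
1)   Cipher Name: AES
"""
PROFILE_AFTER = """\
     SSLv3: ENABLED  TLSv1.0: ENABLED  TLSv1.1: DISABLED  TLSv1.2: DISABLED
     Server Auth: ENABLED
     Session Reuse: ENABLED          Timeout: 120 seconds
     Non FIPS Ciphers: DISABLED
     Send Close-Notify: YES
1)   Cipher Name: AES     Priority :1
"""
# One "Key: VALUE" pair as the CLI prints it; several pairs can share a line and
# values are single tokens, so the unit after "Timeout: 300" is dropped.
PAIR_RE = re.compile(r"([A-Za-z][\w ./-]*?)\s*:\s*([A-Za-z0-9_]+)")

def parse_ssl_output(text):
    """Map each setting to its value; bound ciphers are joined under 'Cipher Name'."""
    settings, ciphers = {}, []
    for line in text.splitlines():
        for key, value in PAIR_RE.findall(line):
            if key == "Cipher Name":
                ciphers.append(value)
            elif key != "Priority":  # binding priority exists only on profiles
                settings[key] = value
    if ciphers:
        settings["Cipher Name"] = ",".join(ciphers)
    return settings

def compare_migration(before_text, after_text):
    """Return (changed, missing) settings once the entity is moved onto a profile."""
    before, after = parse_ssl_output(before_text), parse_ssl_output(after_text)
    changed = {k: (v, after[k]) for k, v in before.items() if k in after and after[k] != v}
    missing = sorted(k for k in before if k not in after)
    return changed, missing

if __name__ == "__main__":
    changed, missing = compare_migration(SERVICE_BEFORE, PROFILE_AFTER)
    for key, (old, new) in changed.items():
        print(f"CHANGED  {key}: {old} -> {new}")
    print("MISSING  " + ", ".join(missing))
```

On the page's own sample the check reports the session reuse timeout going from 300 to 120 seconds, and SSLv2 no longer listed on the back-end profile, which is the kind of difference to confirm before saving the migrated configuration.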