Product Documentation

Enabling the Default Profiles

Sep 01, 2016

Important

Save your configuration before you upgrade the software and enable the default profiles.

Upgrade the software to a build that supports the enhanced profile infrastructure, and then enable the default profiles. You can take one of two approaches depending on your specific deployment. If your deployment has a common SSL configuration across end points, see Use Case 1. If your deployment has a large SSL configuration and the SSL parameters and ciphers are not common among end points, see Use Case 2.

Note

A single operation (Enable Default Profile or set ssl parameter -defaultProfile ENABLED) enables (binds) both the default front-end profile and the default back-end profile.

To save the configuration by using the NetScaler command line

At the command prompt, type:

> save config

> shell

root@ns# cd /nsconfig

root@ns# cp ns.conf ns.conf.NS<currentreleasenumber><currentbuildnumber>

Example

> save config

> shell

root@ns# cd /nsconfig

root@ns# cp ns.conf ns.conf.NS.11.0.jun.16

Use Case 1

After you enable the default profiles, they are bound to all the SSL end points. The default profiles are editable. If your deployment uses most of the default settings and changes only a few parameters, you can edit the default profiles. The changes are immediately reflected across all the end points.

The following flowchart explains the steps that you must perform:

[Flowchart image]

1. For information about upgrading the software, see Upgrading the System Software.

2. Enable the default profiles by using the NetScaler command line or GUI.

  • At the command line, type: set ssl parameter -defaultProfile ENABLED
  • If you prefer to use the GUI, navigate to Traffic Management > SSL > Change advanced SSL settings, scroll down, and select Enable Default Profile.

If a profile was not bound to an end point before the upgrade, a default profile is bound to the SSL end point. If a profile was bound to an end point before the upgrade, the same profile is bound after the upgrade, and default ciphers are added to the profile.

3. (Optional) Manually change any settings in the default profile.

  • At the command line, type: set ssl profile <name> followed by the parameters to modify.
  • If you prefer to use the GUI, navigate to System > Profiles. In SSL Profiles, select a profile and click Edit.

Use Case 2

If your deployment uses specific settings for most of the SSL entities, you can run a script that automatically creates custom profiles for each end point and binds them to the end point. Use the procedure detailed in this section to retain the SSL settings for all the SSL end points in your deployment. After upgrading the software, download and run a migration script to capture the SSL-specific changes. The output of running this script is a batch file. Enable the default profiles and then apply the commands in the batch file. See the appendix for a sample migration of the SSL configuration after upgrade.

The following flowchart explains the steps that you must perform:

[Flowchart image]

1. For information about upgrading the software, see Upgrading the System Software.

2. Download and run a script to capture the SSL-specific changes. In addition to other migration activities, the script analyzes the old ns.conf file and moves any special settings (settings other than the default) from an SSL end point configuration to a custom profile. You must enable the default profiles after the upgrade for the configuration changes to apply.

To download the script, log on to https://www.citrix.com/. On the Downloads tab, select NetScaler ADC, and then select the release (for example, Release 11.0). Within the release, in Firmware, select a build (for example, 64.34). The SSL Default Profile Script is available in Additional Components.

Note

When you run the migration script, you can have the profile names generated automatically, or you can have the script prompt for the profile names interactively. The migration script checks the following and creates profiles accordingly.

  • End points with the default settings and similar ciphers and cipher group settings: The script creates one profile.
  • End points with the default settings and with different cipher groups or different priorities for the ciphers/cipher groups: In each case, the script creates a user-defined cipher group, binds it to a profile, and binds each profile to the appropriate end points.
  • End points with the default settings and default ciphers: A default profile is bound to the end point.

To run the script, at the command prompt, type:

./default_profile_script /nsconfig/ns.conf -b > <output file name>

Note

You must run this command from the folder in which you store the script.

3. Enable the default profiles by using the NetScaler command line or GUI.

  • At the command line, type: set ssl parameter -defaultProfile ENABLED
  • If you prefer to use the GUI, navigate to Traffic Management > SSL > Change advanced SSL settings, scroll down, and select Enable Default Profile.

If a profile was not bound to an end point before the upgrade, a default profile is bound to the SSL end point. If a profile was bound to an end point before the upgrade, the same profile is bound after the upgrade, and default ciphers are added to the profile.

4. Apply the commands in the text file (output of running the migration script) to the configuration. After you apply the commands in the text file, custom profiles are created for end points for which default parameters and ciphers have been changed, and the custom profiles are automatically bound to the end points.
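
A read-only pre-check, added here as an example (it is not the Citrix migration script and not part of the original documentation): it groups the SSL end points in a saved copy of ns.conf by their explicit SSL parameters and cipher bindings, which shows whether the configuration is common across end points (Use Case 1) or varied (Use Case 2). It assumes legacy `set ssl vserver|service|serviceGroup` and `bind ssl ... -cipherName` lines, treats virtual servers as front-end and services and service groups as back-end, and assumes that bind order reflects cipher priority; the function names and the sample excerpt are constructed for illustration.

```python
import shlex
from collections import defaultdict

ENTITY_TYPES = {"vserver": "front-end", "service": "back-end", "serviceGroup": "back-end"}
# Constructed ns.conf excerpt for illustration (not from a real appliance).
SAMPLE_NS_CONF = """\
set ssl vserver web1 -ssl3 DISABLED -tls1 DISABLED
set ssl vserver web2 -tls1 DISABLED -ssl3 DISABLED
set ssl vserver api1 -ssl3 DISABLED -tls1 DISABLED
set ssl service svc1 -tls1 DISABLED
bind ssl vserver web1 -cipherName HIGH
bind ssl vserver web2 -cipherName HIGH
bind ssl vserver api1 -cipherName custom-grp
"""

def parse_opts(args):
    """Pair each -option with its value; a bare flag maps to ''."""
    opts = {}
    for i, arg in enumerate(args):
        if arg.startswith("-"):
            nxt = args[i + 1] if i + 1 < len(args) else "-"
            opts[arg] = "" if nxt.startswith("-") else nxt
    return opts

def group_endpoints(conf_text):
    """Group end points whose explicit SSL settings and cipher order match."""
    found = defaultdict(lambda: ({}, []))  # (type, name) -> (settings, ciphers)
    for line in conf_text.splitlines():
        try:
            tok = shlex.split(line)
        except ValueError:  # unbalanced quotes elsewhere in the file
            continue
        if len(tok) < 4 or tok[1] != "ssl" or tok[2] not in ENTITY_TYPES:
            continue
        verb, _, etype, name, *args = tok
        opts = parse_opts(args)
        if verb == "set":
            found[(etype, name)][0].update(opts)
        elif verb == "bind" and "-cipherName" in opts:
            found[(etype, name)][1].append(opts["-cipherName"])
    groups = defaultdict(list)
    for (etype, name), (settings, ciphers) in found.items():
        key = (ENTITY_TYPES[etype], tuple(sorted(settings.items())), tuple(ciphers))
        groups[key].append(f"{etype} {name}")
    return dict(groups)

if __name__ == "__main__":
    for (side, settings, ciphers), names in group_endpoints(SAMPLE_NS_CONF).items():
        print(f"{side} x{len(names)}: {names} {dict(settings)} {list(ciphers)}")
```

End points that have no `set ssl` or cipher-binding lines do not appear in the output; they carry only default settings.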