Product Documentation

SSL Configuration

May 27, 2013

add ssl-profile

Syntax: add ssl-profile
-name “profile-name” 
[-state {enable, disable}] 
-proxy-type transparent 
[-virtual-hostname “hostname”] 
-private-key “private-key-name”

Adds an SSL profile for transparent proxy mode. This command takes the same parameters as the Profile tab of the SSL Settings page in the Web UI.

Syntax: add ssl-profile
-name “profile-name” 
[-state {enable, disable}] 
-proxy-type split 
[-virtual-hostname “hostname”] 
-cert-key “cert-key-pair-name” 
[-build-cert-chain {enable, disable}] 
[-cert-chain-store {use-all-configured-CA-stores, “store-name”}] 
[-cert-verification {none, Signature/Expiration, Signature/Expiration/Common-Name-White-List, Signature/Expiration/Common-Name-Black-List}] 
[-verification-store {use-all-configured-CA-stores, “store-name”}] 
[-server-side-protocol {SSL-version-2, SSL-version-3, SSL-version-2-3-OR-TLS-1.0, TLS-1.0}] 
[-server-side-ciphers “ciphers”] 
[-server-side-authentication {enable, disable}] 
[-server-side-cert-key “cert-key-pair-name”] 
[-server-side-build-cert-chain {enable, disable}] 
[-server-side-renegotiation {disable-old-style, enable-old-style, new-style, compatible}] 
[-client-side-protocol-version {SSL-version-2, SSL-version-3, SSL-version-2-3-OR-TLS-1.0, TLS-1.0}] 
[-client-side-ciphers “ciphers”] 
[-client-side-renegotiation {disable-old-style, enable-old-style, new-style, compatible}]

Adds an SSL profile for split proxy mode. This command takes the same parameters as the Profile tab of the SSL Settings page in the Web UI.
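Because a split-mode profile carries the protocol-version, certificate-verification and renegotiation settings listed above, it is the profile most worth reviewing in a configuration dump. The following Python script is an added example, not part of this reference or of the CloudBridge software: it parses an add/set ssl-profile command line into its options and reports the weak choices among the values the syntax above enumerates. The sample command lines are constructed; straight double quotes are assumed to be accepted where the page prints typographic ones, and the reading of "old-style" renegotiation as renegotiation without the RFC 5746 extension is an assumption.

```python
import shlex

# Values the page lists for the two protocol-version options. SSLv2 and SSLv3 are
# prohibited by RFC 6176 and RFC 7568, so of the listed values only TLS-1.0 avoids them.
PROTOCOL_FLAGS = ("-server-side-protocol", "-client-side-protocol-version")
LEGACY_PROTOCOLS = {"SSL-version-2", "SSL-version-3", "SSL-version-2-3-OR-TLS-1.0"}
RENEGOTIATION_FLAGS = ("-server-side-renegotiation", "-client-side-renegotiation")


def parse_profile_command(line):
    """Split an 'add ssl-profile' or 'set ssl-profile' line into (verb, {option: value}).

    Every ssl-profile option on the page takes exactly one value, so the tokens after
    the command name are consumed in flag/value pairs; shlex handles the quoted names.
    """
    tokens = shlex.split(line)
    if len(tokens) < 2 or tokens[0] not in ("add", "set") or tokens[1] != "ssl-profile":
        raise ValueError("not an add/set ssl-profile command: %r" % line)
    options = {}
    for i in range(2, len(tokens), 2):
        flag = tokens[i]
        if not flag.startswith("-") or i + 1 >= len(tokens):
            raise ValueError("option %r has no value" % flag)
        options[flag] = tokens[i + 1]
    return tokens[0], options


def audit_profile(line):
    """Return a list of (option, reason) findings for weak settings in one profile command."""
    verb, opts = parse_profile_command(line)
    findings = []
    # Split mode has separate client-side and server-side TLS settings, so the appliance
    # itself checks the server certificate; 'none' switches that check off.
    if opts.get("-proxy-type") == "split" and opts.get("-cert-verification") == "none":
        findings.append(("-cert-verification", "server certificate is not verified in split mode"))
    for flag in PROTOCOL_FLAGS:
        value = opts.get(flag)
        if value in LEGACY_PROTOCOLS:
            findings.append((flag, "%s permits SSLv2/SSLv3; TLS-1.0 is the only listed value that does not" % value))
    # Assumption: 'old-style' means renegotiation without the RFC 5746 extension,
    # the variant that RFC 5746 was written to replace.
    for flag in RENEGOTIATION_FLAGS:
        if opts.get(flag) == "enable-old-style":
            findings.append((flag, "old-style renegotiation enabled"))
    return findings


# Constructed sample command lines (not taken from the page).
WEAK_PROFILE = ('add ssl-profile -name "branch-split" -state enable -proxy-type split '
                '-cert-key "branch-pair" -cert-verification none '
                '-server-side-protocol SSL-version-2-3-OR-TLS-1.0 '
                '-server-side-renegotiation enable-old-style')
HARDENED_PROFILE = ('add ssl-profile -name "branch-split" -state enable -proxy-type split '
                    '-cert-key "branch-pair" -cert-verification Signature/Expiration '
                    '-verification-store use-all-configured-CA-stores '
                    '-server-side-protocol TLS-1.0 -server-side-renegotiation new-style '
                    '-client-side-protocol-version TLS-1.0 -client-side-renegotiation new-style')

if __name__ == "__main__":
    for sample in (WEAK_PROFILE, HARDENED_PROFILE):
        verb, opts = parse_profile_command(sample)
        print(verb, opts["-name"], audit_profile(sample) or "no findings")
```

The checks only fire on options that are present, so a transparent-mode profile (which has none of these options) and a set ssl-profile line that changes a single option are both reported correctly; an option whose value is left at its default is not flagged, because the page does not state the defaults.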

set ssl-profile

Syntax: set ssl-profile
-name “profile-name” 
[-state {enable, disable}] 
[-proxy-type transparent] 
[-virtual-hostname “hostname”] 
[-private-key “private-key-name”]

Modifies an SSL profile created for transparent proxy mode.

Syntax: set ssl-profile
-name “profile-name” 
[-state {enable, disable}] 
[-proxy-type split] 
[-virtual-hostname “hostname”] 
[-cert-key “cert-key-pair-name”] 
[-build-cert-chain {enable, disable}] 
[-cert-chain-store {use-all-configured-CA-stores, “store-name”}] 
[-cert-verification {none, Signature/Expiration, Signature/Expiration/Common-Name-White-List, Signature/Expiration/Common-Name-Black-List}] 
[-verification-store {use-all-configured-CA-stores, “store-name”}] 
[-server-side-protocol {SSL-version-2, SSL-version-3, SSL-version-2-3-OR-TLS-1.0, TLS-1.0}] 
[-server-side-ciphers “ciphers”] 
[-server-side-authentication {enable, disable}] 
[-server-side-cert-key “cert-key-pair-name”] 
[-server-side-build-cert-chain {enable, disable}] 
[-server-side-renegotiation {disable-old-style, enable-old-style, new-style, compatible}] 
[-client-side-protocol-version {SSL-version-2, SSL-version-3, SSL-version-2-3-OR-TLS-1.0, TLS-1.0}] 
[-client-side-ciphers “ciphers”] 
[-client-side-renegotiation {disable-old-style, enable-old-style, new-style, compatible}]

Modifies an SSL profile created for split proxy mode.

show ssl-profiles

Syntax: show ssl-profiles

Shows name, profile type, and state of all SSL profiles created.

show ssl-profile

Syntax: show ssl-profile
{-id “id”, -name “profile-name”}

Shows the details of one profile, selected by ID or profile name.

remove ssl-profile

Syntax: remove ssl-profile
{-all, -id “id”, -name “profile-name”}

Removes SSL profiles. -id or -name specifies the single profile to remove; -all removes every profile.

rename ssl-profile

Syntax: rename ssl-profile
-old “old-profile-name” 
-new “new-profile-name”

Changes an SSL profile name.

show ssl-optimization

Syntax: show ssl-optimization

Shows SSL optimization status.

enable ssl-optimization

Syntax: enable ssl-optimization

Enables SSL optimization feature.

disable ssl-optimization

Syntax: disable ssl-optimization

Disables SSL optimization feature.

show ssl-secure-peer-connections

Syntax: show ssl-secure-peer-connections

Shows SSL peer configuration.

show ssl-ca-store

Syntax: show ssl-ca-store
-name “ca-store-name”

Shows detailed information on the SSL CA certificate store.

show ssl-ca-stores

Syntax: show ssl-ca-stores

Shows summary information (name, expiration date, certificate count) on all SSL Certificate Authority certificates.

show ssl-cert-key-pair

Syntax: show ssl-cert-key-pair
-name “cert-key-pair-name”

Shows detailed information on the SSL certificate/key pair.

show ssl-cert-key-pairs

Syntax: show ssl-cert-key-pairs

Shows summary information (name, expiration date, certificate count, key type) on all configured SSL certificate/key pairs.

show ssl-disk-encryption

Syntax: show ssl-disk-encryption

Shows the user data store encryption status.

show ssl-keystore

Syntax: show ssl-keystore

Shows encryption key store status.

show ssl-peer-auto-discovery

Syntax: show ssl-peer-auto-discovery

Shows SSL peer auto-discovery configuration.

show ssl-peer-connect-to

Syntax: show ssl-peer-connect-to

Shows the SSL peer connect-to configuration.

show ssl-peer-listen-on

Syntax: show ssl-peer-listen-on

Shows the SSL peer listen-on configuration.

add ssl-ca-store

Syntax: add ssl-ca-store
[-name “name”] 
-file “ca-certificate-filename”

Adds an SSL CA certificate store.

remove ssl-ca-store

Syntax: remove ssl-ca-store
-name “name”

Removes an SSL CA certificate store.

add ssl-cert-key-pair

Syntax: add ssl-cert-key-pair
-name “certificate/key-pair-name” 
{(-type combined 
-file “certificate/key-pair-filename”), 
(-type separate 
-key-file “key-filename” 
-cert-file “cert-filename”)} 
[-key-password “password”] 
[-file-password “password”]

Adds an SSL certificate/key pair, either from one combined file or from separate key and certificate files.
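Before importing a pair with -type combined it is worth confirming that the file really holds both a certificate and exactly one private key, and whether the key is encrypted so that a password option will be needed. The script below is an added example written for this page, not part of the reference or the product: it inspects PEM text with the standard library only and emits the matching add ssl-cert-key-pair line. The PEM samples are constructed placeholders, not real certificates or keys; the file path and pair name are invented; and the choice of -key-password (rather than -file-password) as the option that unlocks an encrypted key is an assumption, since the page does not say which applies.

```python
import re

# One PEM block: the label, then everything up to the matching END line (headers included).
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----\r?\n(.*?)-----END \1-----", re.S)

KEY_LABELS = {
    "RSA PRIVATE KEY": "RSA",            # PKCS#1 RSA key
    "DSA PRIVATE KEY": "DSA",
    "EC PRIVATE KEY": "EC",              # not among the DSA/RSA types the reference lists
    "PRIVATE KEY": "PKCS8",              # algorithm is inside the DER, not in the label
    "ENCRYPTED PRIVATE KEY": "PKCS8",
}


def inspect_pem(text):
    """Count certificate and private-key blocks in PEM text and report key encryption."""
    certificates = 0
    keys = []
    encrypted = False
    for match in PEM_BLOCK.finditer(text):
        label, body = match.group(1), match.group(2)
        if label == "CERTIFICATE":
            certificates += 1
        elif label in KEY_LABELS:
            keys.append(KEY_LABELS[label])
            # PKCS#8 encrypted keys say so in the label; legacy PEM keys carry a
            # Proc-Type header inside the block instead.
            if label == "ENCRYPTED PRIVATE KEY" or "Proc-Type: 4,ENCRYPTED" in body:
                encrypted = True
    return {"certificates": certificates, "keys": keys, "key_encrypted": encrypted}


def build_add_command(name, path, text):
    """Return the 'add ssl-cert-key-pair -type combined' line for a PEM file, or raise
    ValueError explaining why the file cannot be imported as a combined file."""
    info = inspect_pem(text)
    if info["certificates"] == 0 or not info["keys"]:
        raise ValueError("not a combined file (%d certificate(s), %d key(s)); use -type separate "
                         "with -cert-file and -key-file" % (info["certificates"], len(info["keys"])))
    if len(info["keys"]) > 1:
        raise ValueError("file holds %d private keys; a pair needs exactly one" % len(info["keys"]))
    if info["keys"][0] not in ("RSA", "DSA", "PKCS8"):
        raise ValueError("key type %s is not among the DSA/RSA types the reference lists" % info["keys"][0])
    # Straight quotes are assumed to be accepted where the page prints typographic ones.
    command = 'add ssl-cert-key-pair -name "%s" -type combined -file "%s"' % (name, path)
    if info["key_encrypted"]:
        # Assumption: -key-password is the option that unlocks an encrypted private key.
        command += ' -key-password "<key-password>"'
    return command


# Constructed placeholders: the base64 bodies are not real certificates or keys.
SAMPLE_COMBINED_PEM = """-----BEGIN CERTIFICATE-----
MIIBCONSTRUCTEDPLACEHOLDERNOTAREALCERTIFICATE==
-----END CERTIFICATE-----
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-256-CBC,00112233445566778899AABBCCDDEEFF

CONSTRUCTEDPLACEHOLDERNOTAREALKEY==
-----END RSA PRIVATE KEY-----
"""
SAMPLE_CHAIN_ONLY_PEM = """-----BEGIN CERTIFICATE-----
LEAFPLACEHOLDER==
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
ISSUERPLACEHOLDER==
-----END CERTIFICATE-----
"""

if __name__ == "__main__":
    print(build_add_command("branch-pair", "/tmp/branch.pem", SAMPLE_COMBINED_PEM))
    try:
        build_add_command("chain", "/tmp/chain.pem", SAMPLE_CHAIN_ONLY_PEM)
    except ValueError as exc:
        print("chain.pem:", exc)
```

The second sample, a leaf certificate plus its issuer with no key, is rejected with a pointer to -type separate; a file with both blocks but an encrypted key produces a command that already carries the password placeholder, so the import is not attempted without it.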

remove ssl-cert-key-pair

Syntax: remove ssl-cert-key-pair
-name “certificate/key-pair-name”

Removes an SSL certificate/key pair.

add ssl-peer-auto-discovery-publish-item

Syntax: add ssl-peer-auto-discovery-publish-item
-ip-port “ipaddr:port”

Publishes a NAT IP address/port entry.

remove ssl-peer-auto-discovery-publish-item

Syntax: remove ssl-peer-auto-discovery-publish-item
{-all, -ip-port “ipaddr:port”}

Removes one or all NAT IP address/port entries.

add ssl-peer-connect-to-item

Syntax: add ssl-peer-connect-to-item
-ip-port “ipaddr:port”

Adds an SSL peer IP address/port to be connected to.

remove ssl-peer-connect-to-item

Syntax: remove ssl-peer-connect-to-item
{-all, -ip-port “ipaddr:port”}

Removes one or all SSL peer IP address/port entries.

add ssl-peer-listen-on-item

Syntax: add ssl-peer-listen-on-item
-ip-port “ipaddr:port”

Adds a CloudBridge IP address/port on which SSL peer connections are accepted.

remove ssl-peer-listen-on-item

Syntax: remove ssl-peer-listen-on-item
{-all, -ip-port “ipaddr:port”}

Removes one or all of the CloudBridge IP address/port entries on which SSL peer connections are accepted.

add ssl-secure-peer-connections-item

Syntax: add ssl-secure-peer-connections-item
-cert-verification Signature/Expiration/Common-Name-Black-List 
-item “black-list-item”

Adds an additional SSL peer security black list item. The first black list item was configured with the ‘set ssl-secure-peer-connections’ command.

Syntax: add ssl-secure-peer-connections-item
-cert-verification Signature/Expiration/Common-Name-White-List 
-item “white-list-item”

Adds an additional SSL peer security white list item. The first white list item was configured with the ‘set ssl-secure-peer-connections’ command.

remove ssl-secure-peer-connections-item

Syntax: remove ssl-secure-peer-connections-item
{-all, -item “list-item”}

Removes one or all SSL peer security white list or black list entries.

set ssl-cert-key-pair

Syntax: set ssl-cert-key-pair
-name “certificate/key-pair-name” 
-action {add|replace} 
-cert-key {DSA|RSA} 
{(-type combined 
-file “certificate/key-pair-filename”), 
(-type separate 
-key-file “key-filename” 
-cert-file “cert-filename”)} 
[-key-password “password”] 
[-file-password “password”]

Adds or replaces a DSA/RSA certificate/key.

set ssl-keystore

Syntax: set ssl-keystore
-password “new-password” 
-old-password “old-password”

Changes the password of the encryption key store.

set ssl-secure-peer-connections

Syntax: set ssl-secure-peer-connections
-cert-key-name “cert-key-name” 
-ca-cert-store “ca-cert-store-name” 
-cert-verification {None, Signature} 
-cipher “ssl-cipher-specification”

Specifies the SSL peer configuration.

Syntax: set ssl-secure-peer-connections
-cert-key-name “cert-key-name” 
-ca-cert-store “ca-cert-store-name” 
-cert-verification Signature/Expiration/Common-Name-Black-List 
-item “black-list-item-1” 
-cipher “ssl-cipher-specification”

Specifies the SSL peer configuration, where peer security certificate verification is a black list. The first black list entry is specified here; additional entries may be added using the ‘add ssl-secure-peer-connections-item’ command.

Syntax: set ssl-secure-peer-connections
-cert-key-name “cert-key-name” 
-ca-cert-store “ca-cert-store-name” 
-cert-verification Signature/Expiration/Common-Name-White-List 
-item “white-list-item-1” 
-cipher “ssl-cipher-specification”

Specifies the SSL peer configuration, where peer security certificate verification is a white list. The first white list entry is specified here; additional entries may be added using the ‘add ssl-secure-peer-connections-item’ command.