Product Documentation

SSL Profiles

Mar 24, 2016

Note

This feature is available in release 11 build 64.x and later.

The SSL infrastructure on the NetScaler appliance is continually updated to address the ever growing requirements for security and performance. Vulnerabilities in SSLv3 and RC4 implementation have emphasized the need to use the latest ciphers and protocols to negotiate the security settings for a network connection. Implementing any changes to the configuration, such as disabling SSLv3, across thousands of SSL end points is a cumbersome process. Therefore, settings that were part of the SSL end points configuration have been moved to the SSL profile, along with the default ciphers. To implement any change in the configuration, including cipher support, you only need to modify the profile. If the profile is enabled, the change is immediately reflected in all the end points that the profile is bound to.

Important

After the upgrade, if you enable the profile, you cannot reverse the changes. That is, the profile cannot be disabled.

The default SSL profiles contain all the default ciphers and ECC curves in addition to the settings that were part of the old profile. Sample outputs for the default profiles are provided later in this document. You can modify the default profile to suit your deployment. The default profile is bound to any new SSL entity. However, you can also create custom profiles and bind them to SSL entities.

By default, some SSL parameters, called global parameters, apply to all the SSL end points. If no SSL profile is bound to the configuration, the global parameters apply to all the SSL virtual servers, services, and service groups. If a profile is bound, the global parameters do not apply. The settings specified in the profile apply instead.

Differences between the Old SSL Profile and the New SSL Profile

The new SSL profile differs from the old profile in the following ways:

Ciphers and ECC curves included in the profile
  Old profile: No
  New profile: Yes

Inserting a cipher or cipher group in the middle of an existing list
  Old profile: Unbind all the ciphers and bind them again in the order of the required priority.
  New profile: Add a cipher and assign it a priority. If a priority is not specified, the cipher is assigned the lowest priority in the list.

Unbinding all the ciphers
  Old profile: > unbind ssl vserver <name> ciphername -ALL
  New profile: > unbind ssl profile -cipherName -FlushAllCiphers
  (From release 11.0 build 64.x, a new parameter, FlushAllCiphers, unbinds all the ciphers or cipher groups from a profile, because ALL is treated like a cipher group.)

SSLv3 is disabled in the profile
  Old profile: n/a
  New profile: Yes.
  Note: SSLv3 is enabled in the virtual server settings by default to handle legacy deployments. You must explicitly disable SSLv3 in the virtual server if your deployment does not require the SSLv3 protocol.

Points to note

1. A profile can be bound to multiple virtual servers, but a virtual server can have only one profile bound to it.

2. You cannot delete a profile that is bound to a virtual server without first unbinding the profile.

3. A cipher or cipher group can be bound to multiple profiles at different priorities.

4. A profile can have multiple ciphers and cipher groups bound at different priorities.

5. Changes to a cipher group are immediately reflected in all the profiles it belongs to, and in all the virtual servers that one of those profiles is bound to.

6. If a cipher suite is part of a cipher group, you cannot remove the cipher suite from the profile without first editing the cipher group to remove that cipher suite.

7. If you do not assign a priority to a cipher suite or cipher group that you attach to a profile, it is assigned the lowest priority within the profile.

8. You can create a custom cipher group (also called a user-defined cipher group) from existing cipher groups and cipher suites. If you create cipher group A and add existing cipher groups X and Y to it, in that order, cipher group Y is assigned a lower priority than cipher group X. That is, the group that is added first has the higher priority.

9. If a cipher suite is already part of a cipher group that is attached to a profile, and the same cipher suite is part of another cipher group that is also attached to the same profile, the cipher suite is not added again as part of the second cipher group. The cipher suite at the higher priority is in effect when traffic is processed.

10. Cipher groups are not expanded in the profile. As a result, the number of lines in the configuration file (ns.conf) is greatly reduced. For example, if there are a thousand SSL virtual servers to which two cipher groups are bound, and each cipher group contains 15 ciphers, expansion would result in 30*1000 cipher-related entries in the configuration file. With the new profile, there are only two entries: one for each cipher group that is bound to the profile.

11. Creating a user-defined cipher group from existing ciphers and cipher groups is a copy-paste operation. Any later changes to the original group are not reflected in the new group.

12. A user-defined cipher group lists all the profiles that it is a part of.

13. A profile lists all the SSL virtual servers, services, and service groups that it is bound to.

14. If the default SSL profile feature is enabled, you must use the profile to set or change any of the SSL attributes of a virtual server, service, service group, or internal service.
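The priority and grouping rules in points 3 through 11 can be checked against a small model. The following Python is an added example, not NetScaler code; it assumes that priority 1 is the highest priority and that "lowest priority" means one more than the highest priority number already in use, which is how the sample outputs later in this document number their bindings (Priority :1, Priority :2).

```python
"""Model of the cipher-priority rules in 'Points to note' above (added
example, not NetScaler code). Assumes priority 1 is highest and 'lowest
priority' means one more than the highest number already used."""
from typing import Dict, List, Optional, Union


class CipherGroup:
    """A named list of cipher suites (predefined alias or user-defined)."""
    def __init__(self, name: str, suites: List[str]):
        self.name = name
        self.suites = list(suites)

    @staticmethod
    def user_defined(name: str, *members: Union["CipherGroup", str]) -> "CipherGroup":
        # Points 8 and 11: a copy of the members in the order given (first =
        # higher priority); later edits to the source groups do not propagate.
        suites: List[str] = []
        for m in members:
            for s in (m.suites if isinstance(m, CipherGroup) else [m]):
                if s not in suites:
                    suites.append(s)
        return CipherGroup(name, suites)


class SSLProfile:
    """Bindings stay unexpanded: one entry per cipher or group (point 10)."""
    def __init__(self, name: str):
        self.name = name
        self.bindings: Dict[int, Union[CipherGroup, str]] = {}

    def bind(self, item: Union[CipherGroup, str], priority: Optional[int] = None) -> int:
        if priority is None:  # point 7: no priority given -> lowest in the profile
            priority = max(self.bindings, default=0) + 1
        if priority in self.bindings:
            raise ValueError(f"priority {priority} already used in {self.name}")
        self.bindings[priority] = item
        return priority

    def effective_ciphers(self) -> List[str]:
        # Negotiation order; a suite that appears in two bound groups is kept
        # only at the higher priority (point 9).
        order: List[str] = []
        for prio in sorted(self.bindings):
            item = self.bindings[prio]
            for s in (item.suites if isinstance(item, CipherGroup) else [item]):
                if s not in order:
                    order.append(s)
        return order


def demo() -> List[str]:
    # Constructed sample: two aliases sharing one suite, bound without priorities.
    aes = CipherGroup("AES", ["AES-128-SHA", "AES-256-SHA"])
    ecdhe = CipherGroup("ECDHE", ["ECDHE-RSA-AES256-SHA", "AES-256-SHA"])
    prof = SSLProfile("profile-002")
    prof.bind(aes)    # lands at priority 1
    prof.bind(ecdhe)  # lands at priority 2
    return prof.effective_ciphers()
```

The suite names in demo() are constructed; the point is that the shared suite is listed once, at the priority of the AES group.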

Upgrading to release 11 build 64.x or later

1. Run a script to capture the SSL-specific changes. In addition to other migration activities, the script analyzes the old ns.conf file and moves any special settings (settings other than the default) from an SSL end point configuration to a custom profile. You must enable the default profile after the upgrade for the configuration changes to apply.

Note

When you run the migration script, you can have it generate the profile names automatically, or you can be prompted for each profile name interactively. The script checks for the following cases and creates profiles accordingly.

  • End points with the default settings and similar ciphers and cipher group settings: The script creates one profile.
  • End points with the default settings and with different cipher groups or different priorities for the ciphers/cipher groups: In each case, the script creates a user-defined cipher group and binds it to a profile. Each profile is bound to the different end points.
  • End points with the default settings and default ciphers: The default profile is bound to the end point.

Download the binary and, from the folder in which you stored it, run the following command at the command prompt:

Code

./default_profile_script /nsconfig/ns.conf -b > <output file name>

2. Upgrade the software.

3. Enable SSL profiles by using the NetScaler command line or configuration utility.

  • At the command line, type: set ssl parameter -defaultProfile ENABLED
  • If you prefer to use the configuration utility, navigate to Traffic Management > SSL > Change advanced SSL settings, scroll down, and select Enable Default Profile.

If a profile was not bound to an end point before the upgrade, the default profile is bound to the SSL end point. If a profile was bound to an end point before the upgrade, the same profile is bound after the upgrade, and default ciphers are added to the profile.

4. Apply the commands in the text file (output of running the migration script) to the configuration. After you apply the commands in the text file, custom profile(s) are created for end points for which default parameters and ciphers have been changed, and automatically bound to the end points.

5. Verify the configuration.

Sample Migration of the SSL Configuration after Upgrade

Sample settings on an SSL virtual server, service, and service group are shown below. On the virtual server, client authentication is ENABLED (default is DISABLED), and the AES cipher group is bound to the virtual server. On the service, server authentication is ENABLED (default is DISABLED), and the AES cipher group is bound to the service. The service group has the default settings.

Example

> sh ssl vserver v1

     Advanced SSL configuration for VServer v1:
     DH: DISABLED
     Ephemeral RSA: ENABLED          Refresh Count: 0
     Session Reuse: ENABLED          Timeout: 120 seconds
     Cipher Redirect: DISABLED
     SSLv2 Redirect: DISABLED
     ClearText Port: 0
     Client Auth: ENABLED Client Cert Required: Mandatory
     SSL Redirect: DISABLED
     Non FIPS Ciphers: DISABLED
     SNI: DISABLED
     SSLv2: DISABLED SSLv3: ENABLED  TLSv1.0: ENABLED  TLSv1.1: DISABLED  TLSv1.2: DISABLED
     Push Encryption Trigger: Always
     Send Close-Notify: YES

     ECC Curve: P_256, P_384, P_224, P_521

1)   CertKey Name: mycertkey    Server Certificate

1)   Cipher Name: AES
     Description: Predefined Cipher Alias
 Done

> sh ssl service svc1

     Advanced SSL configuration for Back-end SSL Service svc1:
     DH: DISABLED
     Ephemeral RSA: DISABLED
     Session Reuse: ENABLED          Timeout: 300 seconds
     Cipher Redirect: DISABLED
     SSLv2 Redirect: DISABLED
     ClearText Port: 0
     Server Auth: ENABLED
     SSL Redirect: DISABLED
     Non FIPS Ciphers: DISABLED
     SNI: DISABLED
     SSLv2: DISABLED SSLv3: ENABLED  TLSv1.0: ENABLED  TLSv1.1: DISABLED  TLSv1.2: DISABLED
     Send Close-Notify: YES

1)   Cipher Name: AES
     Description: Predefined Cipher Alias
 Done

> sh ssl serviceGroup
1) Service Group Name: sg1
     Session Reuse: ENABLED          Timeout: 300 seconds
     Server Auth: DISABLED
     Non FIPS Ciphers: DISABLED
     SSLv3: ENABLED  TLSv1.0: ENABLED
     Send Close-Notify: YES
 Done

The following procedure migrates the above configuration.

1. Save your configuration.

2. Run the migration script. You can redirect the output to a text file if you use the default names for the profiles. Type:

Code

./default_profile_script /nsconfig/ns.conf -b > ssl_config.txt

Use an editor, such as vi, to view the changes. The output cannot be redirected if you provide the profile names interactively. In that case the output is displayed on the console, and you must copy and paste it into a text file to apply it to your configuration after the upgrade.

3. After the upgrade, enable the profile.

  • At the command line, type: set ssl parameter -defaultProfile ENABLED
  • In the configuration utility, navigate to Traffic Management > SSL > Change advanced SSL settings, scroll down and select Enable Default Profile.

The interim output for the virtual server, service, and service group is shown below. The default profiles are bound to each end point until you apply the changes in the text file that was created by running the migration script.

Code

> sh ssl vserver v1
Advanced SSL configuration for VServer v1:
Profile Name :ns_default_ssl_profile_frontend
1) CertKey Name: mycertkey Server Certificate
 Done

> sh ssl service svc1
Advanced SSL configuration for Back-end SSL Service svc1:
Profile Name :ns_default_ssl_profile_backend
 Done

> sh ssl serviceGroup sg1
Advanced SSL configuration for Back-end SSL Service Group sg1:
Profile Name :ns_default_ssl_profile_backend
 Done

4. You must now apply the configuration in ssl_config.txt to the current configuration so that your non-default settings are applied after the upgrade.

Code

batch -f /<path to the batch file>/ssl_config.txt

5. After applying the configuration, the output changes as follows:

Code

> show ssl vserver v1

     Advanced SSL configuration for VServer v1:
     Profile Name :profile-002

1)   CertKey Name: mycertkey    Server Certificate
 Done

> show ssl service svc1

     Advanced SSL configuration for Back-end SSL Service svc1:
     Profile Name :profile-001
 Done

> show ssl serviceGroup sg1

     Advanced SSL configuration for Back-end SSL Service Group sg1:
     Profile Name :profile-003
 Done

> show ssl profile profile-002
1)   Name: profile-002    (Front-End)
     SSLv3: ENABLED  TLSv1.0: ENABLED  TLSv1.1: DISABLED  TLSv1.2: DISABLED
     Client Auth: ENABLED Client Cert Required: Mandatory
     Use only bound CA certificates: DISABLED
     Strict CA checks:          NO
     Session Reuse: ENABLED          Timeout: 120 seconds
     DH: DISABLED
     Ephemeral RSA: ENABLED          Refresh Count: 0
     Deny SSL Renegotiation          ALL
     Non FIPS Ciphers: DISABLED
     Cipher Redirect: DISABLED
     SSL Redirect: DISABLED
     Send Close-Notify: YES
     Push Encryption Trigger: Always
     PUSH encryption trigger timeout:     1 ms
     SNI: DISABLED
     Strict Host Header check for SNI enabled SSL sessions:          NO
     Push flag: 0x0 (Auto)
     SSL quantum size:          8 kB
     Encryption trigger timeout 100 mS
     Encryption trigger packet count:     45
     Subject/Issuer Name Insertion Format: Unicode

     ECC Curve: P_256, P_384, P_224, P_521

1)   Cipher Name: AES     Priority :1
     Description: Predefined Cipher Alias

1)   Vserver Name: v1
 Done

> show ssl profile profile-001
1)   Name: profile-001    (Back-End)
     SSLv3: ENABLED  TLSv1.0: ENABLED  TLSv1.1: DISABLED  TLSv1.2: DISABLED
     Server Auth: ENABLED
     Use only bound CA certificates: DISABLED
     Strict CA checks:          NO
     Session Reuse: ENABLED          Timeout: 120 seconds
     Deny SSL Renegotiation          ALL
     Non FIPS Ciphers: DISABLED
     Send Close-Notify: YES
     Push Encryption Trigger: Always
     PUSH encryption trigger timeout:     1 ms
     Push flag: 0x0 (Auto)
     SSL quantum size:          8 kB
     Encryption trigger timeout 100 mS
     Encryption trigger packet count:     45

     ECC Curve: P_256, P_384, P_224, P_521

1)   Cipher Name: AES     Priority :1
     Description: Predefined Cipher Alias

1)   Service Name: svc1
 Done

> show ssl profile profile-003
1)   Name: profile-003    (Back-End)
     SSLv3: ENABLED  TLSv1.0: ENABLED  TLSv1.1: DISABLED  TLSv1.2: DISABLED
     Server Auth: DISABLED
     Use only bound CA certificates: DISABLED
     Strict CA checks:          NO
     Session Reuse: ENABLED          Timeout: 120 seconds
     Deny SSL Renegotiation          ALL
     Non FIPS Ciphers: DISABLED
     Send Close-Notify: YES
     Push Encryption Trigger: Always
     PUSH encryption trigger timeout:     1 ms
     Push flag: 0x0 (Auto)
     SSL quantum size:          8 kB
     Encryption trigger timeout 100 mS
     Encryption trigger packet count:     45

     ECC Curve: P_256, P_384, P_224, P_521

1)   Cipher Name: ALL     Priority :1
     Description: Predefined Cipher Alias

1)   Service Name: sg1
 Done
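Step 5 of the procedure is to verify the configuration, and the migrated custom profiles above still show SSLv3: ENABLED (the default profiles disable it), while the default back-end profile shown later in this document has RC4 bound. The following script is an added example, not a NetScaler tool: it parses a constructed excerpt in the show ssl profile listing format above and reports exactly those two settings, so it can be run over the real listing after a migration.

```python
"""Audit 'show ssl profile' output for SSLv3 and RC4 (added example, not a
NetScaler tool). The sample is a constructed excerpt in the listing format
shown above; only Name, protocol and Cipher Name lines are inspected."""
import re
from typing import Dict, List

# Constructed excerpt: a migrated custom profile and the default back-end one.
SAMPLE = """\
1)   Name: profile-002    (Front-End)
     SSLv3: ENABLED  TLSv1.0: ENABLED  TLSv1.1: DISABLED  TLSv1.2: DISABLED
1)   Cipher Name: AES     Priority :1
 Done
1)Name: ns_default_ssl_profile_backend
     SSLv3: DISABLED TLSv1.0: ENABLED  TLSv1.1: DISABLED  TLSv1.2: DISABLED
1)   Cipher Name: AES     Priority :1
2)   Cipher Name: RC4     Priority :2
 Done
"""

NAME_RE = re.compile(r"^\d+\)\s*Name:\s*(\S+)")
PROTO_RE = re.compile(r"(SSLv[23]|TLSv1\.[012]):\s*(ENABLED|DISABLED)")
CIPHER_RE = re.compile(r"^\d+\)\s*Cipher Name:\s*(\S+)\s+Priority\s*:(\d+)")


def parse_profiles(text: str) -> Dict[str, dict]:
    """Map profile name -> {'protocols': {proto: enabled}, 'ciphers': [(name, prio)]}."""
    profiles: Dict[str, dict] = {}
    current = None
    for line in text.splitlines():
        m = NAME_RE.match(line)
        if m:  # a new profile starts; following lines belong to it until the next Name:
            current = profiles.setdefault(m.group(1), {"protocols": {}, "ciphers": []})
            continue
        if current is None:
            continue
        for proto, state in PROTO_RE.findall(line):
            current["protocols"][proto] = state == "ENABLED"
        m = CIPHER_RE.match(line)
        if m:
            current["ciphers"].append((m.group(1), int(m.group(2))))
    return profiles


def findings(profiles: Dict[str, dict]) -> List[str]:
    """One line per weak setting; an empty list means the listing is clean."""
    out: List[str] = []
    for name, p in profiles.items():
        for proto in ("SSLv2", "SSLv3"):
            if p["protocols"].get(proto):
                out.append(f"{name}: {proto} enabled")
        for cipher, prio in p["ciphers"]:
            if cipher.upper().startswith("RC4"):
                out.append(f"{name}: RC4 bound at priority {prio}")
    return out
```

Feed the real output of show ssl profile to parse_profiles() and expect findings() to return an empty list once the profiles have been cleaned up.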

Default Front End and Backend SSL Profile Settings

A default front end profile has the following settings:

Code

> sh ssl profile ns_default_ssl_profile_frontend
1)Name: ns_default_ssl_profile_frontend
     Configuration for Front-End SSL profile
     DH: DISABLED
     Ephemeral RSA: ENABLED          Refresh Count: 0
     Session Reuse: ENABLED          Timeout: 120 seconds
     Non FIPS Ciphers: DISABLED
     Cipher Redirect: ENABLED   Redirect URL: http://10.102.28.212/redirect.html
     Client Auth: DISABLED
     SSL Redirect: DISABLED
     SNI: DISABLED
     SSLv3: DISABLED TLSv1.0: ENABLED  TLSv1.1: ENABLED  TLSv1.2: ENABLED
     Push Encryption Trigger: Always
     PUSH encryption trigger timeout:     1 ms
     Send Close-Notify: YES
     Push flag: 0x0 (Auto)
     Deny SSL Renegotiation          NO
     SSL quantum size:          8 kB
     Strict CA checks:          NO
     Encryption trigger timeout 100 mS
     Encryption trigger packet count:     45
     Use only bound CA certificates: DISABLED
     Subject/Issuer Name Insertion Format: Unicode
     Strict Host Header check for SNI enabled SSL sessions:          NO

     ECC Curve: P_256, P_384, P_521

1)   Cipher Name: AES     Priority :2
     Description: Predefined Cipher Alias

1)   Vserver Name: v1  >>>>>>>>>>
2)   Vserver Name: nshttps-::1l-443 >>>>>>>>>>
3)   Vserver Name: nsrpcs-::1l-3008
4)   Vserver Name: nskrpcs-127.0.0.1-3009
5)   Vserver Name: nshttps-127.0.0.1-443
6)   Vserver Name: nsrpcs-127.0.0.1-3008
Done

A default backend profile has the following settings:

Code

> sh ssl profile ns_default_ssl_profile_backend
1)Name: ns_default_ssl_profile_backend
     Configuration for Back-End SSL profile
     Session Reuse: ENABLED          Timeout: 300 seconds
     Non FIPS Ciphers: DISABLED
     Server Auth: DISABLED
     SSLv3: DISABLED TLSv1.0: ENABLED  TLSv1.1: DISABLED  TLSv1.2: DISABLED
     Push Encryption Trigger: Always
     PUSH encryption trigger timeout:     1 ms
     Send Close-Notify: YES
     Push flag: 0x0 (Auto)
     Deny SSL Renegotiation          ALL
     SSL quantum size:          8 kB
     Strict CA checks:          NO
     Encryption trigger timeout 100 mS
     Encryption trigger packet count:     45
     Use only bound CA certificates: DISABLED

     ECC Curve: P_256, P_224, P_521

1)   Cipher Name: AES     Priority :1
     Description: Predefined Cipher Alias

2)   Cipher Name: RC4     Priority :2
     Description: Predefined Cipher Alias

1)   Service Name: s2 >>>>>>>>>>>>
2)   Service Name: s1 >>>>>>>>>>>>
Done

Limitations

SSL profiles are not supported in a cluster setup, or with Admin Partitions.