ADC NITRO APIs

sslservicegroup

Configuration for SSL service group resource.

Properties

(click to see Operations )

Name Data Type Permissions Description
servicegroupname <String> Read-write Name of the SSL service group for which to set advanced configuration.

Minimum length = 1
sslprofile <String> Read-write Name of the SSL profile that contains SSL settings for the Service Group.

Minimum length = 1

Maximum length = 127
sessreuse <String> Read-write State of session reuse. Establishing the initial handshake requires CPU-intensive public key encryption operations. With the ENABLED setting, session key exchange is avoided for session resumption requests received from the client.

Default value: ENABLED

Possible values = ENABLED, DISABLED
sesstimeout <Double> Read-write Time, in seconds, for which to keep the session active. Any session resumption request received after the timeout period will require a fresh SSL handshake and establishment of a new SSL session.

Default value: 300

Minimum value = 0

Maximum value = 4294967294
ssl3 <String> Read-write State of SSLv3 protocol support for the SSL service group.

Note: On platforms with SSL acceleration chips, if the SSL chip does not support SSLv3, this parameter cannot be set to ENABLED.

Default value: ENABLED

Possible values = ENABLED, DISABLED
tls1 <String> Read-write State of TLSv1.0 protocol support for the SSL service group.

Default value: ENABLED

Possible values = ENABLED, DISABLED
tls11 <String> Read-write State of TLSv1.1 protocol support for the SSL service group.

Default value: ENABLED

Possible values = ENABLED, DISABLED
tls12 <String> Read-write State of TLSv1.2 protocol support for the SSL service group.

Default value: ENABLED

Possible values = ENABLED, DISABLED
tls13 <String> Read-write State of TLSv1.3 protocol support for the SSL service group.

Default value: DISABLED

Possible values = ENABLED, DISABLED
snienable <String> Read-write State of the Server Name Indication (SNI) feature on the service. SNI helps to enable SSL encryption on multiple domains on a single virtual server or service if the domains are controlled by the same organization and share the same second-level domain name. For example, *.sports.net can be used to secure domains such as login.sports.net and help.sports.net.

Default value: DISABLED

Possible values = ENABLED, DISABLED
ocspstapling <String> Read-write State of OCSP stapling support on the SSL virtual server. Supported only if the protocol used is higher than SSLv3. Possible values:

ENABLED: The appliance sends a request to the OCSP responder to check the status of the server certificate and caches the response for the specified time. If the response is valid at the time of SSL handshake with the client, the OCSP-based server certificate status is sent to the client during the handshake.

DISABLED: The appliance does not check the status of the server certificate.

Default value: DISABLED

Possible values = ENABLED, DISABLED
serverauth <String> Read-write State of server authentication support for the SSL service group.

Default value: DISABLED

Possible values = ENABLED, DISABLED
commonname <String> Read-write Name to be checked against the CommonName (CN) field in the server certificate bound to the SSL server.

Minimum length = 1
sendclosenotify <String> Read-write Enable sending SSL Close-Notify at the end of a transaction.

Default value: YES

Possible values = YES, NO
strictsigdigestcheck <String> Read-write Parameter indicating to check whether peer's certificate is signed with one of signature-hash combination supported by Citrix ADC.

Default value: DISABLED

Possible values = ENABLED, DISABLED
dh <String> Read-only The state of DH key exchange support for the SSL service group.

Possible values = ENABLED, DISABLED
dhfile <String> Read-only The file name and path for the DH parameter.
dhcount <Double> Read-only The refresh count for the re-generation of DH public-key and private-key from the DH parameter.

Minimum value = 0

Maximum value = 65534
dhkeyexpsizelimit <String> Read-only This option enables the use of NIST recommended (NIST Special Publication 800-56A) bit size for private-key size. For example, for DH params of size 2048bit, the private-key size recommended is 224bits. This is rounded-up to 256bits.

Possible values = ENABLED, DISABLED
ersa <String> Read-only The state of Ephemeral RSA key exchange support for the SSL service group.Ephemeral RSA is used for export ciphers.

Possible values = ENABLED, DISABLED
ersacount <Double> Read-only The refresh count for the re-generation of RSA public-key and private-key pair.

Minimum value = 0

Maximum value = 65534
cipherredirect <String> Read-only The state of Cipher Redirect feature. Cipher Redirect feature can be used to provide more readable information to SSL clients about mismatch in ciphers between the client and the SSL vserver.

Possible values = ENABLED, DISABLED
cipherurl <String> Read-only The redirect URL to be used with the Cipher Redirect feature.
sslv2redirect <String> Read-only The state of SSLv2 Redirect feature.SSLv2 Redirect feature can be used to provide more readable information to SSL client about non-support of SSLv2 protocol on the SSL vserver.

Possible values = ENABLED, DISABLED
sslv2url <String> Read-only The redirect URL to be used with SSLv2 Redirect feature.
clientauth <String> Read-only The state of Client-Authentication support for the SSL service group.

Possible values = ENABLED, DISABLED
clientcert <String> Read-only The rule for client certificate requirement in client authentication.

Possible values = Mandatory, Optional
sslredirect <String> Read-only The state of HTTPS redirects for the SSL service group.





This is required for the proper functioning of the redirect messages from the server. The redirect message from the server provides the new location for the moved object. This is contained in the HTTP header field: Location, e.g. Location: http://www.moved.org/here.html



For the SSL session, if the client browser receives this message, the browser will try to connect to the new location. This will break the secure SSL session, as the object has moved from a secure site (https://) to an un-secure one (http://). Generally browsers flash a warning message on the screen and prompt the user, either to continue or disconnect.



The above feature, when enabled will automatically convert all such http:// redirect message to https://. This will not break the client SSL session.



Note: The set ssl service command can be used for configuring a front-end SSL service for service based SSL Off-Loading, or a backend SSL service for backend-encryption setup.

Possible values = ENABLED, DISABLED
redirectportrewrite <String> Read-only The state of port-rewrite feature.

Possible values = ENABLED, DISABLED
nonfipsciphers <String> Read-only The state of usage of non FIPS approved ciphers.

Default value: DISABLED

Possible values = ENABLED, DISABLED
ssl2 <String> Read-only The state of SSLv2 protocol support for the SSL service group.

Possible values = ENABLED, DISABLED
ocspcheck <String> Read-only The state of the OCSP check parameter. (Mandatory/Optional).

Possible values = Mandatory, Optional
crlcheck <String> Read-only The state of the CRL check parameter. (Mandatory/Optional).

Possible values = Mandatory, Optional
cleartextport <Integer> Read-only The port on the back-end web-servers where the clear-text data is sent by system. Use this setting for the wildcard IP based SSL Acceleration configuration (*:443).

Minimum value = 0

Maximum value = 65534

Range 1 - 65535

* in CLI is represented as 65535 in NITRO API
servicename <String> Read-only The service name.
ca <Boolean> Read-only CA certificate.
snicert <Boolean> Read-only The name of the CertKey. Use this option to bind Certkey(s) which will be used in SNI processing.
__count <Double> Read-only count parameter

Operations

(click to see Properties )

  • UPDATE
  • UNSET
  • GET (ALL)
  • GET
  • COUNT

Some options that you can use for each operations:

  • Getting warnings in response: NITRO allows you to get warnings in an operation by specifying the 'warning' query parameter as 'yes'. For example, to get warnings while connecting to the NetScaler appliance, the URL is as follows:

    http:// <netscaler-ip-address> /nitro/v1/config/login?warning=yes

    If any, the warnings are displayed in the response payload with the HTTP code '209 X-NITRO-WARNING'.

  • Authenticated access for individual NITRO operations: NITRO allows you to logon to the NetScaler appliance to perform individual operations. You can use this option instead of creating a NITRO session (using the login object) and then using that session to perform all operations,

    To do this, you must specify the username and password in the request header of the NITRO request as follows:

    X-NITRO-USER: <username>

    X-NITRO-PASS: <password>

    Note: In such cases, make sure that the request header DOES not include the following:

    Cookie:NITRO_AUTH_TOKEN= <tokenvalue>

*Note: * Mandatory parameters are marked in red and placeholder content is marked in green

update

URL: http:// <netscaler-ip-address> /nitro/v1/config/sslservicegroup HTTP Method: PUT

Request Headers:

Cookie:NITRO_AUTH_TOKEN= <tokenvalue>

Content-Type:application/json

Request Payload:

{"sslservicegroup":{
<b>"servicegroupname":<String_value>,
</b>"sslprofile":<String_value>,
"sessreuse":<String_value>,
"sesstimeout":<Double_value>,
"ssl3":<String_value>,
"tls1":<String_value>,
"tls11":<String_value>,
"tls12":<String_value>,
"tls13":<String_value>,
"snienable":<String_value>,
"ocspstapling":<String_value>,
"serverauth":<String_value>,
"commonname":<String_value>,
"sendclosenotify":<String_value>,
"strictsigdigestcheck":<String_value>
}}

<!--NeedCopy-->

Response: HTTP Status Code on Success: 200 OK

HTTP Status Code on Failure: 4xx <string> (for general HTTP errors) or 5xx <string> (for NetScaler-specific errors). The response payload provides details of the error

unset

URL: http:// <netscaler-ip-address> /nitro/v1/config/sslservicegroup? action=unset HTTP Method: POST

Request Headers:

Cookie:NITRO_AUTH_TOKEN= <tokenvalue>

Content-Type:application/json

Request Payload:

{"sslservicegroup":{
<b>"servicegroupname":<String_value>,
</b>"sslprofile":true,
"sessreuse":true,
"sesstimeout":true,
"ssl3":true,
"tls1":true,
"tls11":true,
"tls12":true,
"tls13":true,
"snienable":true,
"ocspstapling":true,
"serverauth":true,
"commonname":true,
"sendclosenotify":true,
"strictsigdigestcheck":true
}}

<!--NeedCopy-->

Response: HTTP Status Code on Success: 200 OK

HTTP Status Code on Failure: 4xx <string> (for general HTTP errors) or 5xx <string> (for NetScaler-specific errors). The response payload provides details of the error

get (all)

URL: http:// <netscaler-ip-address> /nitro/v1/config/sslservicegroup Query-parameters: attrs http:// <netscaler-ip-address> /nitro/v1/config/sslservicegroup? attrs=property-name1,property-name2

Use this query parameter to specify the resource details that you want to retrieve.

filter http:// <netscaler-ip-address> /nitro/v1/config/sslservicegroup? filter=property-name1:property-val1,property-name2:property-val2

Use this query-parameter to get the filtered set of sslservicegroup resources configured on NetScaler.Filtering can be done on any of the properties of the resource.

view http:// <netscaler-ip-address> /nitro/v1/config/sslservicegroup? view=summary

Use this query-parameter to get the summary output of sslservicegroup resources configured on NetScaler.

Note: By default, the retrieved results are displayed in detail view (?view=detail).

pagination http:// <netscaler-ip-address> /nitro/v1/config/sslservicegroup? pagesize=#no;pageno=#no

Use this query-parameter to get the sslservicegroup resources in chunks.

HTTP Method: GET

Request Headers:

Cookie:NITRO_AUTH_TOKEN= <tokenvalue>

Accept:application/json

Response: HTTP Status Code on Success: 200 OK

HTTP Status Code on Failure: 4xx <string> (for general HTTP errors) or 5xx <string> (for NetScaler-specific errors). The response payload provides details of the error

Response Header:

Content-Type:application/json

Response Payload:

{ "sslservicegroup": [ {
"servicegroupname":<String_value>,
"dh":<String_value>,
"dhfile":<String_value>,
"dhcount":<Double_value>,
"dhkeyexpsizelimit":<String_value>,
"ersa":<String_value>,
"ersacount":<Double_value>,
"sessreuse":<String_value>,
"sesstimeout":<Double_value>,
"cipherredirect":<String_value>,
"cipherurl":<String_value>,
"sslv2redirect":<String_value>,
"sslv2url":<String_value>,
"clientauth":<String_value>,
"clientcert":<String_value>,
"sslredirect":<String_value>,
"redirectportrewrite":<String_value>,
"nonfipsciphers":<String_value>,
"ssl2":<String_value>,
"ssl3":<String_value>,
"tls1":<String_value>,
"tls11":<String_value>,
"tls12":<String_value>,
"tls13":<String_value>,
"snienable":<String_value>,
"ocspstapling":<String_value>,
"serverauth":<String_value>,
"commonname":<String_value>,
"ocspcheck":<String_value>,
"crlcheck":<String_value>,
"cleartextport":<Integer_value>,
"servicename":<String_value>,
"ca":<Boolean_value>,
"snicert":<Boolean_value>,
"sendclosenotify":<String_value>,
"sslprofile":<String_value>,
"strictsigdigestcheck":<String_value>
}]}

<!--NeedCopy-->

get

URL: http:// <netscaler-ip-address> /nitro/v1/config/sslservicegroup/ servicegroupname_value<String> Query-parameters: attrs http:// <netscaler-ip-address> /nitro/v1/config/sslservicegroup/ servicegroupname_value<String> ? attrs=property-name1,property-name2

Use this query parameter to specify the resource details that you want to retrieve.

view http:// <netscaler-ip-address> /nitro/v1/config/sslservicegroup/ servicegroupname_value<String> ? view=summary

Use this query-parameter to get the summary output of sslservicegroup resources configured on NetScaler.

Note: By default, the retrieved results are displayed in detail view (?view=detail).

HTTP Method: GET

Request Headers:

Cookie:NITRO_AUTH_TOKEN= <tokenvalue>

Accept:application/json

Response: HTTP Status Code on Success: 200 OK

HTTP Status Code on Failure: 4xx <string> (for general HTTP errors) or 5xx <string> (for NetScaler-specific errors). The response payload provides details of the error

Response Header:

Content-Type:application/json

Response Payload:

{  "sslservicegroup": [ {
"servicegroupname":<String_value>,
"dh":<String_value>,
"dhfile":<String_value>,
"dhcount":<Double_value>,
"dhkeyexpsizelimit":<String_value>,
"ersa":<String_value>,
"ersacount":<Double_value>,
"sessreuse":<String_value>,
"sesstimeout":<Double_value>,
"cipherredirect":<String_value>,
"cipherurl":<String_value>,
"sslv2redirect":<String_value>,
"sslv2url":<String_value>,
"clientauth":<String_value>,
"clientcert":<String_value>,
"sslredirect":<String_value>,
"redirectportrewrite":<String_value>,
"nonfipsciphers":<String_value>,
"ssl2":<String_value>,
"ssl3":<String_value>,
"tls1":<String_value>,
"tls11":<String_value>,
"tls12":<String_value>,
"tls13":<String_value>,
"snienable":<String_value>,
"ocspstapling":<String_value>,
"serverauth":<String_value>,
"commonname":<String_value>,
"ocspcheck":<String_value>,
"crlcheck":<String_value>,
"cleartextport":<Integer_value>,
"servicename":<String_value>,
"ca":<Boolean_value>,
"snicert":<Boolean_value>,
"sendclosenotify":<String_value>,
"sslprofile":<String_value>,
"strictsigdigestcheck":<String_value>
}]}

<!--NeedCopy-->

count

URL: http:// <netscaler-ip-address> /nitro/v1/config/sslservicegroup? count=yes HTTP Method: GET

Request Headers:

Cookie:NITRO_AUTH_TOKEN= <tokenvalue>

Accept:application/json

Response: HTTP Status Code on Success: 200 OK

HTTP Status Code on Failure: 4xx <string> (for general HTTP errors) or 5xx <string> (for NetScaler-specific errors). The response payload provides details of the error

Response Header:

Content-Type:application/json

Response Payload:

{ "sslservicegroup": [ { "__count": "#no"} ] }

<!--NeedCopy-->
sslservicegroup