Skip to content

sslparameter

Configuration for SSL parameter resource.

Properties

(click to see Operations)

Name Data Type PermissionsDescription
quantumsize<String>Read-writeAmount of data to collect before the data is pushed to the crypto hardware for encryption. For large downloads, a larger quantum size better utilizes the crypto resources.<br>Default value: 8192<br>Possible values = 4096, 8192, 16384
crlmemorysizemb<Double>Read-writeMaximum memory size to use for certificate revocation lists (CRLs). This parameter reserves memory for a CRL but sets a limit to the maximum memory that the CRLs loaded on the appliance can consume.<br>Default value: 256<br>Minimum value = 10<br>Maximum value = 1024
strictcachecks<String>Read-writeEnable strict CA certificate checks on the appliance.<br>Default value: NO<br>Possible values = YES, NO
ssltriggertimeout<Double>Read-writeTime, in milliseconds, after which encryption is triggered for transactions that are not tracked on the NetScaler appliance because their length is not known. There can be a delay of up to 10ms from the specified timeout value before the packet is pushed into the queue.<br>Default value: 100<br>Minimum value = 1<br>Maximum value = 200
sendclosenotify<String>Read-writeSend an SSL Close-Notify message to the client at the end of a transaction.<br>Default value: YES<br>Possible values = YES, NO
encrypttriggerpktcount<Double>Read-writeMaximum number of queued packets after which encryption is triggered. Use this setting for SSL transactions that send small packets from server to NetScaler.<br>Default value: 45<br>Minimum value = 10<br>Maximum value = 50
denysslreneg<String>Read-writeDeny renegotiation in specified circumstances. Available settings function as follows:<br>* NO - Allow SSL renegotiation.<br>* FRONTEND_CLIENT - Deny secure and nonsecure SSL renegotiation initiated by the client.<br>* FRONTEND_CLIENTSERVER - Deny secure and nonsecure SSL renegotiation initiated by the client or the NetScaler during policy-based client authentication. <br>* ALL - Deny all secure and nonsecure SSL renegotiation.<br>* NONSECURE - Deny nonsecure SSL renegotiation. Allows only clients that support RFC 5746.<br>Default value: ALL<br>Possible values = NO, FRONTEND_CLIENT, FRONTEND_CLIENTSERVER, ALL, NONSECURE
insertionencoding<String>Read-writeEncoding method used to insert the subject or issuers name in HTTP requests to servers.<br>Default value: Unicode<br>Possible values = Unicode, UTF-8
ocspcachesize<Double>Read-writeSize, per packet engine, in megabytes, of the OCSP cache. A maximum of 10% of the packet engine memory can be assigned. Because the maximum allowed packet engine memory is 4GB, the maximum value that can be assigned to the OCSP cache is approximately 410 MB.<br>Default value: 10<br>Minimum value = 0<br>Maximum value = 512
pushflag<Double>Read-writeInsert PUSH flag into decrypted, encrypted, or all records. If the PUSH flag is set to a value other than 0, the buffered records are forwarded on the basis of the value of the PUSH flag. Available settings function as follows:<br>0 - Auto (PUSH flag is not set.)<br>1 - Insert PUSH flag into every decrypted record.<br>2 -Insert PUSH flag into every encrypted record.<br>3 - Insert PUSH flag into every decrypted and encrypted record.<br>Minimum value = 0<br>Maximum value = 3
dropreqwithnohostheader<String>Read-writeHost header check for SNI enabled sessions. If this check is enabled and the HTTP request does not contain the host header for SNI enabled sessions, the request is dropped.<br>Default value: NO<br>Possible values = YES, NO
pushenctriggertimeout<Double>Read-writePUSH encryption trigger timeout value. The timeout value is applied only if you set the Push Encryption Trigger parameter to Timer in the SSL virtual server settings.<br>Default value: 1<br>Minimum value = 1<br>Maximum value = 200
cryptodevdisablelimit<Double>Read-writeLimit to the number of disabled SSL chips after which the ADC restarts. A value of zero implies that the ADC does not automatically restart.<br>Default value: 0
undefactioncontrol<String>Read-writeName of the undefined built-in control action: CLIENTAUTH, NOCLIENTAUTH, NOOP, RESET, or DROP.<br>Default value: "CLIENTAUTH"
undefactiondata<String>Read-writeName of the undefined built-in data action: NOOP, RESET or DROP.<br>Default value: "NOOP"
defaultprofile<String>Read-writeGlobal parameter used to enable default profile feature.<br>Default value: DISABLED<br>Possible values = ENABLED, DISABLED
svctls1112disable<String>Read-onlyDisable TLS 1.1 and 1.2 for dynamic and VPN created services.<br>Default value: DISABLED<br>Possible values = ENABLED, DISABLED
montls1112disable<String>Read-onlyDisable TLS 1.1 and 1.2 for secure (https) monitors bound to SSL_BRIDGE services.<br>Default value: DISABLED<br>Possible values = ENABLED, DISABLED

Operations

(click to see Properties)

UPDATE | UNSET | GET (ALL)

Some options that you can use for each operations:

  • Getting warnings in response: NITRO allows you to get warnings in an operation by specifying the "warning" query parameter as "yes". For example, to get warnings while connecting to the NetScaler appliance, the URL is as follows:

    http://<netscaler-ip-address>/nitro/v1/config/login?warning=yes

    If any, the warnings are displayed in the response payload with the HTTP code "209 X-NITRO-WARNING".

  • Authenticated access for individual NITRO operations: NITRO allows you to logon to the NetScaler appliance to perform individual operations. You can use this option instead of creating a NITRO session (using the login object) and then using that session to perform all operations,

    To do this, you must specify the username and password in the request header of the NITRO request as follows:

    X-NITRO-USER:<username>

    X-NITRO-PASS:<password>

    Note: In such cases, make sure that the request header DOES not include the following:

    Cookie:NITRO_AUTH_TOKEN=<tokenvalue>

Note:

Mandatory parameters are marked in red and placeholder content is marked in <green>.

update

URL: http://<netscaler-ip-address>/nitro/v1/config/sslparameter

HTTP Method: PUT

Request Headers:

Cookie:NITRO_AUTH_TOKEN=<tokenvalue> Content-Type:application/json

Request Payload:

{"sslparameter":{
      "quantumsize":<String_value>,
      "crlmemorysizemb":<Double_value>,
      "strictcachecks":<String_value>,
      "ssltriggertimeout":<Double_value>,
      "sendclosenotify":<String_value>,
      "encrypttriggerpktcount":<Double_value>,
      "denysslreneg":<String_value>,
      "insertionencoding":<String_value>,
      "ocspcachesize":<Double_value>,
      "pushflag":<Double_value>,
      "dropreqwithnohostheader":<String_value>,
      "pushenctriggertimeout":<Double_value>,
      "cryptodevdisablelimit":<Double_value>,
      "undefactioncontrol":<String_value>,
      "undefactiondata":<String_value>,
      "defaultprofile":<String_value>
}}

Response:

HTTP Status Code on Success: 200 OK HTTP Status Code on Failure: 4xx <string> (for general HTTP errors) or 5xx <string> (for NetScaler-specific errors). The response payload provides details of the error

unset

URL: http://<netscaler-ip-address>/nitro/v1/config/sslparameter?action=unset

HTTP Method: POST

Request Headers:

Cookie:NITRO_AUTH_TOKEN=<tokenvalue> Content-Type:application/json

Request Payload:

{"sslparameter":{
      "quantumsize":true,
      "crlmemorysizemb":true,
      "strictcachecks":true,
      "ssltriggertimeout":true,
      "sendclosenotify":true,
      "encrypttriggerpktcount":true,
      "denysslreneg":true,
      "insertionencoding":true,
      "ocspcachesize":true,
      "pushflag":true,
      "dropreqwithnohostheader":true,
      "pushenctriggertimeout":true,
      "cryptodevdisablelimit":true,
      "undefactioncontrol":true,
      "undefactiondata":true,
      "defaultprofile":true
}}

Response:

HTTP Status Code on Success: 200 OK HTTP Status Code on Failure: 4xx <string> (for general HTTP errors) or 5xx <string> (for NetScaler-specific errors). The response payload provides details of the error

get (all)

URL: http://<netscaler-ip-address>/nitro/v1/config/sslparameter

HTTP Method: GET

Request Headers:

Cookie:NITRO_AUTH_TOKEN=<tokenvalue> Accept:application/json

Response:

HTTP Status Code on Success: 200 OK HTTP Status Code on Failure: 4xx <string> (for general HTTP errors) or 5xx <string> (for NetScaler-specific errors). The response payload provides details of the errorResponse Headers:

Content-Type:application/json

Response Payload:

{ "sslparameter": [ {
      "quantumsize":<String_value>,
      "crlmemorysizemb":<Double_value>,
      "strictcachecks":<String_value>,
      "ssltriggertimeout":<Double_value>,
      "sendclosenotify":<String_value>,
      "encrypttriggerpktcount":<Double_value>,
      "denysslreneg":<String_value>,
      "insertionencoding":<String_value>,
      "ocspcachesize":<Double_value>,
      "pushflag":<Double_value>,
      "dropreqwithnohostheader":<String_value>,
      "pushenctriggertimeout":<Double_value>,
      "cryptodevdisablelimit":<Double_value>,
      "undefactioncontrol":<String_value>,
      "undefactiondata":<String_value>,
      "defaultprofile":<String_value>,
      "svctls1112disable":<String_value>,
      "montls1112disable":<String_value>
}]}
Was this article helpful?