Skip to content

sslprofile

Configuration for SSL profile resource.

Properties

(click to see Operations)

Name Data Type PermissionsDescription
name<String>Read-writeName for the SSL profile. Must begin with an ASCII alphanumeric or underscore (_) character, and must contain only ASCII alphanumeric, underscore, hash (#), period (.), space, colon (:), at (@), equals (=), and hyphen (-) characters. Cannot be changed after the profile is created.<br>Minimum length = 1<br>Maximum length = 127
sslprofiletype<String>Read-writeType of profile. Front end profiles apply to the entity that receives requests from a client. Backend profiles apply to the entity that sends client requests to a server.<br>Default value: FrontEnd<br>Possible values = BackEnd, FrontEnd
dhcount<Double>Read-writeNumber of interactions, between the client and the NetScaler appliance, after which the DH private-public pair is regenerated. A value of zero (0) specifies infinite use (no refresh).<br>This parameter is not applicable when configuring a backend profile.<br>Minimum value = 0<br>Maximum value = 65534
dh<String>Read-writeState of Diffie-Hellman (DH) key exchange.<br>This parameter is not applicable when configuring a backend profile.<br>Default value: DISABLED<br>Possible values = ENABLED, DISABLED
dhfile<String>Read-writeThe file name and path for the DH parameter.<br>Minimum length = 1
ersa<String>Read-writeState of Ephemeral RSA (eRSA) key exchange. Ephemeral RSA allows clients that support only export ciphers to communicate with the secure server even if the server certificate does not support export clients. The ephemeral RSA key is automatically generated when you bind an export cipher to an SSL or TCP-based SSL virtual server or service. When you remove the export cipher, the eRSA key is not deleted. It is reused at a later date when another export cipher is bound to an SSL or TCP-based SSL virtual server or service. The eRSA key is deleted when the appliance restarts.<br>This parameter is not applicable when configuring a backend profile.<br>Default value: ENABLED<br>Possible values = ENABLED, DISABLED
ersacount<Double>Read-writeThe refresh count for the re-generation of RSA public-key and private-key pair.<br>Minimum value = 0<br>Maximum value = 65534
sessreuse<String>Read-writeState of session reuse. Establishing the initial handshake requires CPU-intensive public key encryption operations. With the ENABLED setting, session key exchange is avoided for session resumption requests received from the client.<br>Default value: ENABLED<br>Possible values = ENABLED, DISABLED
sesstimeout<Double>Read-writeThe Session timeout value in seconds.<br>Minimum value = 0<br>Maximum value = 4294967294
cipherredirect<String>Read-writeState of Cipher Redirect. If this parameter is set to ENABLED, you can configure an SSL virtual server or service to display meaningful error messages if the SSL handshake fails because of a cipher mismatch between the virtual server or service and the client.<br>This parameter is not applicable when configuring a backend profile.<br>Default value: DISABLED<br>Possible values = ENABLED, DISABLED
cipherurl<String>Read-writeThe redirect URL to be used with the Cipher Redirect feature.
clientauth<String>Read-writeState of client authentication. In service-based SSL offload, the service terminates the SSL handshake if the SSL client does not provide a valid certificate. <br>This parameter is not applicable when configuring a backend profile.<br>Default value: DISABLED<br>Possible values = ENABLED, DISABLED
clientcert<String>Read-writeThe rule for client certificate requirement in client authentication.<br>Possible values = Mandatory, Optional
dhkeyexpsizelimit<String>Read-writeThis option enables the use of NIST recommended (NIST Special Publication 800-56A) bit size for private-key size. For example, for DH params of size 2048bit, the private-key size recommended is 224bits. This is rounded-up to 256bits.<br>Default value: DISABLED<br>Possible values = ENABLED, DISABLED
sslredirect<String>Read-writeState of HTTPS redirects for the SSL service. <br>For an SSL session, if the client browser receives a redirect message, the browser tries to connect to the new location. However, the secure SSL session breaks if the object has moved from a secure site (https://) to an unsecure site (http://). Typically, a warning message appears on the screen, prompting the user to continue or disconnect.<br>If SSL Redirect is ENABLED, the redirect message is automatically converted from http:// to https:// and the SSL session does not break.<br>This parameter is not applicable when configuring a backend profile.<br>Default value: DISABLED<br>Possible values = ENABLED, DISABLED
redirectportrewrite<String>Read-writeState of the port rewrite while performing HTTPS redirect. If this parameter is set to ENABLED, and the URL from the server does not contain the standard port, the port is rewritten to the standard.<br>Default value: DISABLED<br>Possible values = ENABLED, DISABLED
ssl3<String>Read-writeState of SSLv3 protocol support for the SSL profile.<br>Default value: DISABLED<br>Possible values = ENABLED, DISABLED
tls1<String>Read-writeState of TLSv1.0 protocol support for the SSL profile.<br>Default value: ENABLED<br>Possible values = ENABLED, DISABLED
tls11<String>Read-writeState of TLSv1.1 protocol support for the SSL profile.<br>Default value: ENABLED<br>Possible values = ENABLED, DISABLED
tls12<String>Read-writeState of TLSv1.2 protocol support for the SSL profile.<br>Default value: ENABLED<br>Possible values = ENABLED, DISABLED
snienable<String>Read-writeState of the Server Name Indication (SNI) feature on the virtual server and service-based offload. SNI helps to enable SSL encryption on multiple domains on a single virtual server or service if the domains are controlled by the same organization and share the same second-level domain name. For example, *.sports.net can be used to secure domains such as login.sports.net and help.sports.net.<br>Default value: DISABLED<br>Possible values = ENABLED, DISABLED
serverauth<String>Read-writeState of server authentication support for the SSL Backend profile.<br>Default value: DISABLED<br>Possible values = ENABLED, DISABLED
commonname<String>Read-writeName to be checked against the CommonName (CN) field in the server certificate bound to the SSL server.<br>Minimum length = 1
pushenctrigger<String>Read-writeTrigger encryption on the basis of the PUSH flag value. Available settings function as follows:<br>* ALWAYS - Any PUSH packet triggers encryption.<br>* IGNORE - Ignore PUSH packet for triggering encryption.<br>* MERGE - For a consecutive sequence of PUSH packets, the last PUSH packet triggers encryption.<br>* TIMER - PUSH packet triggering encryption is delayed by the time defined in the set ssl parameter command or in the Change Advanced SSL Settings dialog box.<br>Possible values = Always, Merge, Ignore, Timer
sendclosenotify<String>Read-writeEnable sending SSL Close-Notify at the end of a transaction.<br>Default value: YES<br>Possible values = YES, NO
cleartextport<Integer>Read-writePort on which clear-text data is sent by the appliance to the server. Do not specify this parameter for SSL offloading with end-to-end encryption.<br>Range 1 - 65535<br>* in CLI is represented as 65535 in NITRO API
insertionencoding<String>Read-writeEncoding method used to insert the subject or issuers name in HTTP requests to servers.<br>Default value: Unicode<br>Possible values = Unicode, UTF-8
denysslreneg<String>Read-writeDeny renegotiation in specified circumstances. Available settings function as follows:<br>* NO - Allow SSL renegotiation.<br>* FRONTEND_CLIENT - Deny secure and nonsecure SSL renegotiation initiated by the client.<br>* FRONTEND_CLIENTSERVER - Deny secure and nonsecure SSL renegotiation initiated by the client or the NetScaler during policy-based client authentication. <br>* ALL - Deny all secure and nonsecure SSL renegotiation.<br>* NONSECURE - Deny nonsecure SSL renegotiation. Allows only clients that support RFC 5746.<br>Default value: ALL<br>Possible values = NO, FRONTEND_CLIENT, FRONTEND_CLIENTSERVER, ALL, NONSECURE
quantumsize<String>Read-writeAmount of data to collect before the data is pushed to the crypto hardware for encryption. For large downloads, a larger quantum size better utilizes the crypto resources.<br>Default value: 8192<br>Possible values = 4096, 8192, 16384
strictcachecks<String>Read-writeEnable strict CA certificate checks on the appliance.<br>Default value: NO<br>Possible values = YES, NO
encrypttriggerpktcount<Double>Read-writeMaximum number of queued packets after which encryption is triggered. Use this setting for SSL transactions that send small packets from server to NetScaler.<br>Default value: 45<br>Minimum value = 10<br>Maximum value = 50
pushflag<Double>Read-writeInsert PUSH flag into decrypted, encrypted, or all records. If the PUSH flag is set to a value other than 0, the buffered records are forwarded on the basis of the value of the PUSH flag. Available settings function as follows:<br>0 - Auto (PUSH flag is not set.)<br>1 - Insert PUSH flag into every decrypted record.<br>2 -Insert PUSH flag into every encrypted record.<br>3 - Insert PUSH flag into every decrypted and encrypted record.<br>Minimum value = 0<br>Maximum value = 3
dropreqwithnohostheader<String>Read-writeHost header check for SNI enabled sessions. If this check is enabled and the HTTP request does not contain the host header for SNI enabled sessions, the request is dropped.<br>Default value: NO<br>Possible values = YES, NO
pushenctriggertimeout<Double>Read-writePUSH encryption trigger timeout value. The timeout value is applied only if you set the Push Encryption Trigger parameter to Timer in the SSL virtual server settings.<br>Default value: 1<br>Minimum value = 1<br>Maximum value = 200
ssltriggertimeout<Double>Read-writeTime, in milliseconds, after which encryption is triggered for transactions that are not tracked on the NetScaler appliance because their length is not known. There can be a delay of up to 10ms from the specified timeout value before the packet is pushed into the queue.<br>Default value: 100<br>Minimum value = 1<br>Maximum value = 200
clientauthuseboundcachain<String>Read-writeCertficates bound on the VIP are used for validating the client cert. Certficates came along with client cert are not used for validating the client cert.<br>Default value: DISABLED<br>Possible values = ENABLED, DISABLED
ciphername<String>Read-writeThe cipher group/alias/individual cipher configuration.
cipherpriority<Double>Read-writecipher priority.<br>Minimum value = 1
nonfipsciphers<String>Read-onlyState of usage of ciphers that are not FIPS approved. Valid only for an SSL service bound with a FIPS key and certificate.<br>Default value: DISABLED<br>Possible values = ENABLED, DISABLED
crlcheck<String>Read-onlyThe state of the CRL check parameter. (Mandatory/Optional).<br>Possible values = Mandatory, Optional
ocspcheck<String>Read-onlyThe state of the OCSP check parameter. (Mandatory/Optional).<br>Possible values = Mandatory, Optional
snicert<Boolean>Read-onlyThe name of the CertKey. Use this option to bind Certkey(s) which will be used in SNI processing.
skipcaname<Boolean>Read-onlyThe flag is used to indicate whether this<br> particular CA certificates CA_Name needs to be sent to<br> the SSL client while requesting for client certificate<br> in a SSL handshake.
invoke<Boolean>Read-onlyInvoke flag. This attribute is relevant only for ADVANCED policies.
labeltype<String>Read-onlyType of policy label invocation.<br>Possible values = vserver, service, policylabel
service<Double>Read-onlyService.
builtin<String[]>Read-onlyFlag to determine whether ssl profile is built-in or not.<br>Possible values = MODIFIABLE, DELETABLE, IMMUTABLE, PARTITION_ALL
sslpfobjecttype<Double>Read-onlyInternal flag to indicate what type of object binds this profile: monitor or service.
__count<Double>Read-onlycount parameter

Operations

(click to see Properties)

ADD | DELETE | UPDATE | UNSET | GET (ALL) | GET | COUNT

Some options that you can use for each operations:

  • Getting warnings in response: NITRO allows you to get warnings in an operation by specifying the "warning" query parameter as "yes". For example, to get warnings while connecting to the NetScaler appliance, the URL is as follows:

    http://<netscaler-ip-address>/nitro/v1/config/login?warning=yes

    If any, the warnings are displayed in the response payload with the HTTP code "209 X-NITRO-WARNING".

  • Authenticated access for individual NITRO operations: NITRO allows you to logon to the NetScaler appliance to perform individual operations. You can use this option instead of creating a NITRO session (using the login object) and then using that session to perform all operations,

    To do this, you must specify the username and password in the request header of the NITRO request as follows:

    X-NITRO-USER:<username>

    X-NITRO-PASS:<password>

    Note: In such cases, make sure that the request header DOES not include the following:

    Cookie:NITRO_AUTH_TOKEN=<tokenvalue>

Note:

Mandatory parameters are marked in red and placeholder content is marked in <green>.

add

URL: http://<netscaler-ip-address>/nitro/v1/config/sslprofile

HTTP Method: POST

Request Headers:

Cookie:NITRO_AUTH_TOKEN=<tokenvalue> Content-Type:application/json

Request Payload:

{"sslprofile":{
      "name":<String_value>,
      "sslprofiletype":<String_value>,
      "dhcount":<Double_value>,
      "dh":<String_value>,
      "dhfile":<String_value>,
      "ersa":<String_value>,
      "ersacount":<Double_value>,
      "sessreuse":<String_value>,
      "sesstimeout":<Double_value>,
      "cipherredirect":<String_value>,
      "cipherurl":<String_value>,
      "clientauth":<String_value>,
      "clientcert":<String_value>,
      "dhkeyexpsizelimit":<String_value>,
      "sslredirect":<String_value>,
      "redirectportrewrite":<String_value>,
      "ssl3":<String_value>,
      "tls1":<String_value>,
      "tls11":<String_value>,
      "tls12":<String_value>,
      "snienable":<String_value>,
      "serverauth":<String_value>,
      "commonname":<String_value>,
      "pushenctrigger":<String_value>,
      "sendclosenotify":<String_value>,
      "cleartextport":<Integer_value>,
      "insertionencoding":<String_value>,
      "denysslreneg":<String_value>,
      "quantumsize":<String_value>,
      "strictcachecks":<String_value>,
      "encrypttriggerpktcount":<Double_value>,
      "pushflag":<Double_value>,
      "dropreqwithnohostheader":<String_value>,
      "pushenctriggertimeout":<Double_value>,
      "ssltriggertimeout":<Double_value>,
      "clientauthuseboundcachain":<String_value>
}}

Response:

HTTP Status Code on Success: 201 Created HTTP Status Code on Failure: 4xx <string> (for general HTTP errors) or 5xx <string> (for NetScaler-specific errors). The response payload provides details of the error

delete

URL: http://<netscaler-ip-address>/nitro/v1/config/sslprofile/name_value<String>

HTTP Method: DELETE

Request Headers:

Cookie:NITRO_AUTH_TOKEN=<tokenvalue>

Response:

HTTP Status Code on Success: 200 OK HTTP Status Code on Failure: 4xx <string> (for general HTTP errors) or 5xx <string> (for NetScaler-specific errors). The response payload provides details of the error

update

URL: http://<netscaler-ip-address>/nitro/v1/config/sslprofile

HTTP Method: PUT

Request Headers:

Cookie:NITRO_AUTH_TOKEN=<tokenvalue> Content-Type:application/json

Request Payload:

{"sslprofile":{
      "name":<String_value>,
      "dh":<String_value>,
      "dhfile":<String_value>,
      "dhcount":<Double_value>,
      "dhkeyexpsizelimit":<String_value>,
      "ersa":<String_value>,
      "ersacount":<Double_value>,
      "sessreuse":<String_value>,
      "sesstimeout":<Double_value>,
      "cipherredirect":<String_value>,
      "cipherurl":<String_value>,
      "clientauth":<String_value>,
      "clientcert":<String_value>,
      "sslredirect":<String_value>,
      "redirectportrewrite":<String_value>,
      "ssl3":<String_value>,
      "tls1":<String_value>,
      "tls11":<String_value>,
      "tls12":<String_value>,
      "snienable":<String_value>,
      "serverauth":<String_value>,
      "commonname":<String_value>,
      "pushenctrigger":<String_value>,
      "sendclosenotify":<String_value>,
      "cleartextport":<Integer_value>,
      "insertionencoding":<String_value>,
      "denysslreneg":<String_value>,
      "quantumsize":<String_value>,
      "strictcachecks":<String_value>,
      "encrypttriggerpktcount":<Double_value>,
      "pushflag":<Double_value>,
      "dropreqwithnohostheader":<String_value>,
      "pushenctriggertimeout":<Double_value>,
      "ssltriggertimeout":<Double_value>,
      "clientauthuseboundcachain":<String_value>,
      "ciphername":<String_value>,
      "cipherpriority":<Double_value>
}}

Response:

HTTP Status Code on Success: 200 OK HTTP Status Code on Failure: 4xx <string> (for general HTTP errors) or 5xx <string> (for NetScaler-specific errors). The response payload provides details of the error

unset

URL: http://<netscaler-ip-address>/nitro/v1/config/sslprofile?action=unset

HTTP Method: POST

Request Headers:

Cookie:NITRO_AUTH_TOKEN=<tokenvalue> Content-Type:application/json

Request Payload:

{"sslprofile":{
      "name":<String_value>,
      "dh":true,
      "dhfile":true,
      "dhcount":true,
      "dhkeyexpsizelimit":true,
      "ersa":true,
      "ersacount":true,
      "sessreuse":true,
      "sesstimeout":true,
      "cipherredirect":true,
      "cipherurl":true,
      "clientauth":true,
      "clientcert":true,
      "sslredirect":true,
      "redirectportrewrite":true,
      "ssl3":true,
      "tls1":true,
      "tls11":true,
      "tls12":true,
      "snienable":true,
      "serverauth":true,
      "commonname":true,
      "pushenctrigger":true,
      "sendclosenotify":true,
      "cleartextport":true,
      "insertionencoding":true,
      "denysslreneg":true,
      "quantumsize":true,
      "strictcachecks":true,
      "encrypttriggerpktcount":true,
      "pushflag":true,
      "dropreqwithnohostheader":true,
      "pushenctriggertimeout":true,
      "ssltriggertimeout":true,
      "clientauthuseboundcachain":true,
      "ciphername":true,
      "cipherpriority":true
}}

Response:

HTTP Status Code on Success: 200 OK HTTP Status Code on Failure: 4xx <string> (for general HTTP errors) or 5xx <string> (for NetScaler-specific errors). The response payload provides details of the error

get (all)

URL: http://<netscaler-ip-address>/nitro/v1/config/sslprofile

Query-parameters:

attrs

http://<netscaler-ip-address>/nitro/v1/config/sslprofile?attrs=property-name1,property-name2

Use this query parameter to specify the resource details that you want to retrieve.

filter

http://<netscaler-ip-address>/nitro/v1/config/sslprofile?filter=property-name1:property-val1,property-name2:property-val2

Use this query-parameter to get the filtered set of sslprofile resources configured on NetScaler.Filtering can be done on any of the properties of the resource.

view

http://<netscaler-ip-address>/nitro/v1/config/sslprofile?view=summary

Note: By default, the retrieved results are displayed in detail view (?view=detail).

pagination

http://<netscaler-ip-address>/nitro/v1/config/sslprofile?pagesize=#no;pageno=#no

Use this query-parameter to get the sslprofile resources in chunks.

HTTP Method: GET

Request Headers:

Cookie:NITRO_AUTH_TOKEN=<tokenvalue> Accept:application/json

Response:

HTTP Status Code on Success: 200 OK HTTP Status Code on Failure: 4xx <string> (for general HTTP errors) or 5xx <string> (for NetScaler-specific errors). The response payload provides details of the errorResponse Headers:

Content-Type:application/json

Response Payload:

{ "sslprofile": [ {
      "name":<String_value>,
      "dh":<String_value>,
      "dhfile":<String_value>,
      "dhcount":<Double_value>,
      "dhkeyexpsizelimit":<String_value>,
      "ersa":<String_value>,
      "ersacount":<Double_value>,
      "sessreuse":<String_value>,
      "sesstimeout":<Double_value>,
      "cipherredirect":<String_value>,
      "cipherurl":<String_value>,
      "clientauth":<String_value>,
      "clientcert":<String_value>,
      "sslredirect":<String_value>,
      "redirectportrewrite":<String_value>,
      "nonfipsciphers":<String_value>,
      "ssl3":<String_value>,
      "tls1":<String_value>,
      "tls11":<String_value>,
      "tls12":<String_value>,
      "snienable":<String_value>,
      "serverauth":<String_value>,
      "commonname":<String_value>,
      "pushenctrigger":<String_value>,
      "sendclosenotify":<String_value>,
      "cleartextport":<Integer_value>,
      "insertionencoding":<String_value>,
      "denysslreneg":<String_value>,
      "quantumsize":<String_value>,
      "strictcachecks":<String_value>,
      "encrypttriggerpktcount":<Double_value>,
      "pushflag":<Double_value>,
      "dropreqwithnohostheader":<String_value>,
      "pushenctriggertimeout":<Double_value>,
      "ssltriggertimeout":<Double_value>,
      "cipherpriority":<Double_value>,
      "ciphername":<String_value>,
      "crlcheck":<String_value>,
      "ocspcheck":<String_value>,
      "snicert":<Boolean_value>,
      "skipcaname":<Boolean_value>,
      "invoke":<Boolean_value>,
      "labeltype":<String_value>,
      "sslprofiletype":<String_value>,
      "clientauthuseboundcachain":<String_value>,
      "service":<Double_value>,
      "builtin":<String[]_value>,
      "sslpfobjecttype":<Double_value>
}]}

get

URL: http://<netscaler-ip-address>/nitro/v1/config/sslprofile/name_value<String>

Query-parameters:

attrs

http://<netscaler-ip-address>/nitro/v1/config/sslprofile/name_value<String>?attrs=property-name1,property-name2

Use this query parameter to specify the resource details that you want to retrieve.

view

http://<netscaler-ip-address>/nitro/v1/config/sslprofile/name_value<String>?view=summary

Note: By default, the retrieved results are displayed in detail view (?view=detail).

HTTP Method: GET

Request Headers:

Cookie:NITRO_AUTH_TOKEN=<tokenvalue> Accept:application/json

Response:

HTTP Status Code on Success: 200 OK HTTP Status Code on Failure: 4xx <string> (for general HTTP errors) or 5xx <string> (for NetScaler-specific errors). The response payload provides details of the errorResponse Headers:

Content-Type:application/json

Response Payload:

{ "sslprofile": [ {
      "name":<String_value>,
      "dh":<String_value>,
      "dhfile":<String_value>,
      "dhcount":<Double_value>,
      "dhkeyexpsizelimit":<String_value>,
      "ersa":<String_value>,
      "ersacount":<Double_value>,
      "sessreuse":<String_value>,
      "sesstimeout":<Double_value>,
      "cipherredirect":<String_value>,
      "cipherurl":<String_value>,
      "clientauth":<String_value>,
      "clientcert":<String_value>,
      "sslredirect":<String_value>,
      "redirectportrewrite":<String_value>,
      "nonfipsciphers":<String_value>,
      "ssl3":<String_value>,
      "tls1":<String_value>,
      "tls11":<String_value>,
      "tls12":<String_value>,
      "snienable":<String_value>,
      "serverauth":<String_value>,
      "commonname":<String_value>,
      "pushenctrigger":<String_value>,
      "sendclosenotify":<String_value>,
      "cleartextport":<Integer_value>,
      "insertionencoding":<String_value>,
      "denysslreneg":<String_value>,
      "quantumsize":<String_value>,
      "strictcachecks":<String_value>,
      "encrypttriggerpktcount":<Double_value>,
      "pushflag":<Double_value>,
      "dropreqwithnohostheader":<String_value>,
      "pushenctriggertimeout":<Double_value>,
      "ssltriggertimeout":<Double_value>,
      "cipherpriority":<Double_value>,
      "ciphername":<String_value>,
      "crlcheck":<String_value>,
      "ocspcheck":<String_value>,
      "snicert":<Boolean_value>,
      "skipcaname":<Boolean_value>,
      "invoke":<Boolean_value>,
      "labeltype":<String_value>,
      "sslprofiletype":<String_value>,
      "clientauthuseboundcachain":<String_value>,
      "service":<Double_value>,
      "builtin":<String[]_value>,
      "sslpfobjecttype":<Double_value>
}]}

count

URL: http://<netscaler-ip-address>/nitro/v1/config/sslprofile?count=yes

HTTP Method: GET

Request Headers:

Cookie:NITRO_AUTH_TOKEN=<tokenvalue> Accept:application/json

Response:

HTTP Status Code on Success: 200 OK HTTP Status Code on Failure: 4xx <string> (for general HTTP errors) or 5xx <string> (for NetScaler-specific errors). The response payload provides details of the errorResponse Headers:

Content-Type:application/json

Response Payload:

{ "sslprofile": [ { "__count": "#no"} ] }

Was this article helpful?