f5bigip.ltm.ProfileServerSsl
Explore with Pulumi AI
f5bigip.ltm.ProfileServerSsl
Manages server SSL profiles on a BIG-IP
Resources should be named with their “full path”. The full path is the combination of the partition + name (example: /Common/my-pool ) or partition + directory + name of the resource (example: /Common/test/my-pool )
Example Usage
import * as pulumi from "@pulumi/pulumi";
import * as f5bigip from "@pulumi/f5bigip";
const test_ServerSsl = new f5bigip.ltm.ProfileServerSsl("test-ServerSsl", {
name: "/Common/test-ServerSsl",
defaultsFrom: "/Common/serverssl",
authenticate: "always",
ciphers: "DEFAULT",
});
import pulumi
import pulumi_f5bigip as f5bigip
test__server_ssl = f5bigip.ltm.ProfileServerSsl("test-ServerSsl",
name="/Common/test-ServerSsl",
defaults_from="/Common/serverssl",
authenticate="always",
ciphers="DEFAULT")
package main
import (
"github.com/pulumi/pulumi-f5bigip/sdk/v3/go/f5bigip/ltm"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
_, err := ltm.NewProfileServerSsl(ctx, "test-ServerSsl", <m.ProfileServerSslArgs{
Name: pulumi.String("/Common/test-ServerSsl"),
DefaultsFrom: pulumi.String("/Common/serverssl"),
Authenticate: pulumi.String("always"),
Ciphers: pulumi.String("DEFAULT"),
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using F5BigIP = Pulumi.F5BigIP;
return await Deployment.RunAsync(() =>
{
var test_ServerSsl = new F5BigIP.Ltm.ProfileServerSsl("test-ServerSsl", new()
{
Name = "/Common/test-ServerSsl",
DefaultsFrom = "/Common/serverssl",
Authenticate = "always",
Ciphers = "DEFAULT",
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.f5bigip.ltm.ProfileServerSsl;
import com.pulumi.f5bigip.ltm.ProfileServerSslArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var test_ServerSsl = new ProfileServerSsl("test-ServerSsl", ProfileServerSslArgs.builder()
.name("/Common/test-ServerSsl")
.defaultsFrom("/Common/serverssl")
.authenticate("always")
.ciphers("DEFAULT")
.build());
}
}
resources:
test-ServerSsl:
type: f5bigip:ltm:ProfileServerSsl
properties:
name: /Common/test-ServerSsl
defaultsFrom: /Common/serverssl
authenticate: always
ciphers: DEFAULT
Create ProfileServerSsl Resource
Resources are created with functions called constructors. To learn more about declaring and configuring resources, see Resources.
Constructor syntax
new ProfileServerSsl(name: string, args: ProfileServerSslArgs, opts?: CustomResourceOptions);
@overload
def ProfileServerSsl(resource_name: str,
args: ProfileServerSslArgs,
opts: Optional[ResourceOptions] = None)
@overload
def ProfileServerSsl(resource_name: str,
opts: Optional[ResourceOptions] = None,
name: Optional[str] = None,
alert_timeout: Optional[str] = None,
authenticate: Optional[str] = None,
authenticate_depth: Optional[int] = None,
c3d_ca_cert: Optional[str] = None,
c3d_ca_key: Optional[str] = None,
c3d_ca_passphrase: Optional[str] = None,
c3d_cert_extension_custom_oids: Optional[Sequence[str]] = None,
c3d_cert_extension_includes: Optional[Sequence[str]] = None,
c3d_cert_lifespan: Optional[int] = None,
c3d_certificate_extensions: Optional[str] = None,
ca_file: Optional[str] = None,
cache_size: Optional[int] = None,
cache_timeout: Optional[int] = None,
cert: Optional[str] = None,
chain: Optional[str] = None,
cipher_group: Optional[str] = None,
ciphers: Optional[str] = None,
defaults_from: Optional[str] = None,
expire_cert_response_control: Optional[str] = None,
full_path: Optional[str] = None,
generation: Optional[int] = None,
generic_alert: Optional[str] = None,
handshake_timeout: Optional[str] = None,
key: Optional[str] = None,
mod_ssl_methods: Optional[str] = None,
mode: Optional[str] = None,
partition: Optional[str] = None,
passphrase: Optional[str] = None,
peer_cert_mode: Optional[str] = None,
proxy_ca_cert: Optional[str] = None,
proxy_ca_key: Optional[str] = None,
proxy_ssl: Optional[str] = None,
renegotiate_period: Optional[str] = None,
renegotiate_size: Optional[str] = None,
renegotiation: Optional[str] = None,
retain_certificate: Optional[str] = None,
secure_renegotiation: Optional[str] = None,
server_name: Optional[str] = None,
session_mirroring: Optional[str] = None,
session_ticket: Optional[str] = None,
sni_default: Optional[str] = None,
sni_require: Optional[str] = None,
ssl_c3d: Optional[str] = None,
ssl_forward_proxy: Optional[str] = None,
ssl_forward_proxy_bypass: Optional[str] = None,
ssl_sign_hash: Optional[str] = None,
strict_resume: Optional[str] = None,
tm_options: Optional[Sequence[str]] = None,
unclean_shutdown: Optional[str] = None,
untrusted_cert_response_control: Optional[str] = None)
func NewProfileServerSsl(ctx *Context, name string, args ProfileServerSslArgs, opts ...ResourceOption) (*ProfileServerSsl, error)
public ProfileServerSsl(string name, ProfileServerSslArgs args, CustomResourceOptions? opts = null)
public ProfileServerSsl(String name, ProfileServerSslArgs args)
public ProfileServerSsl(String name, ProfileServerSslArgs args, CustomResourceOptions options)
type: f5bigip:ltm:ProfileServerSsl
properties: # The arguments to resource properties.
options: # Bag of options to control resource's behavior.
Parameters
- name string
- The unique name of the resource.
- args ProfileServerSslArgs
- The arguments to resource properties.
- opts CustomResourceOptions
- Bag of options to control resource's behavior.
- resource_name str
- The unique name of the resource.
- args ProfileServerSslArgs
- The arguments to resource properties.
- opts ResourceOptions
- Bag of options to control resource's behavior.
- ctx Context
- Context object for the current deployment.
- name string
- The unique name of the resource.
- args ProfileServerSslArgs
- The arguments to resource properties.
- opts ResourceOption
- Bag of options to control resource's behavior.
- name string
- The unique name of the resource.
- args ProfileServerSslArgs
- The arguments to resource properties.
- opts CustomResourceOptions
- Bag of options to control resource's behavior.
- name String
- The unique name of the resource.
- args ProfileServerSslArgs
- The arguments to resource properties.
- options CustomResourceOptions
- Bag of options to control resource's behavior.
Constructor example
The following reference example uses placeholder values for all input properties.
var profileServerSslResource = new F5BigIP.Ltm.ProfileServerSsl("profileServerSslResource", new()
{
Name = "string",
AlertTimeout = "string",
Authenticate = "string",
AuthenticateDepth = 0,
C3dCaCert = "string",
C3dCaKey = "string",
C3dCaPassphrase = "string",
C3dCertExtensionCustomOids = new[]
{
"string",
},
C3dCertExtensionIncludes = new[]
{
"string",
},
C3dCertLifespan = 0,
C3dCertificateExtensions = "string",
CaFile = "string",
CacheSize = 0,
CacheTimeout = 0,
Cert = "string",
Chain = "string",
CipherGroup = "string",
Ciphers = "string",
DefaultsFrom = "string",
ExpireCertResponseControl = "string",
FullPath = "string",
Generation = 0,
GenericAlert = "string",
HandshakeTimeout = "string",
Key = "string",
ModSslMethods = "string",
Mode = "string",
Partition = "string",
Passphrase = "string",
PeerCertMode = "string",
ProxyCaCert = "string",
ProxyCaKey = "string",
ProxySsl = "string",
RenegotiatePeriod = "string",
RenegotiateSize = "string",
Renegotiation = "string",
RetainCertificate = "string",
SecureRenegotiation = "string",
ServerName = "string",
SessionMirroring = "string",
SessionTicket = "string",
SniDefault = "string",
SniRequire = "string",
SslC3d = "string",
SslForwardProxy = "string",
SslForwardProxyBypass = "string",
SslSignHash = "string",
StrictResume = "string",
TmOptions = new[]
{
"string",
},
UncleanShutdown = "string",
UntrustedCertResponseControl = "string",
});
example, err := ltm.NewProfileServerSsl(ctx, "profileServerSslResource", <m.ProfileServerSslArgs{
Name: pulumi.String("string"),
AlertTimeout: pulumi.String("string"),
Authenticate: pulumi.String("string"),
AuthenticateDepth: pulumi.Int(0),
C3dCaCert: pulumi.String("string"),
C3dCaKey: pulumi.String("string"),
C3dCaPassphrase: pulumi.String("string"),
C3dCertExtensionCustomOids: pulumi.StringArray{
pulumi.String("string"),
},
C3dCertExtensionIncludes: pulumi.StringArray{
pulumi.String("string"),
},
C3dCertLifespan: pulumi.Int(0),
C3dCertificateExtensions: pulumi.String("string"),
CaFile: pulumi.String("string"),
CacheSize: pulumi.Int(0),
CacheTimeout: pulumi.Int(0),
Cert: pulumi.String("string"),
Chain: pulumi.String("string"),
CipherGroup: pulumi.String("string"),
Ciphers: pulumi.String("string"),
DefaultsFrom: pulumi.String("string"),
ExpireCertResponseControl: pulumi.String("string"),
FullPath: pulumi.String("string"),
Generation: pulumi.Int(0),
GenericAlert: pulumi.String("string"),
HandshakeTimeout: pulumi.String("string"),
Key: pulumi.String("string"),
ModSslMethods: pulumi.String("string"),
Mode: pulumi.String("string"),
Partition: pulumi.String("string"),
Passphrase: pulumi.String("string"),
PeerCertMode: pulumi.String("string"),
ProxyCaCert: pulumi.String("string"),
ProxyCaKey: pulumi.String("string"),
ProxySsl: pulumi.String("string"),
RenegotiatePeriod: pulumi.String("string"),
RenegotiateSize: pulumi.String("string"),
Renegotiation: pulumi.String("string"),
RetainCertificate: pulumi.String("string"),
SecureRenegotiation: pulumi.String("string"),
ServerName: pulumi.String("string"),
SessionMirroring: pulumi.String("string"),
SessionTicket: pulumi.String("string"),
SniDefault: pulumi.String("string"),
SniRequire: pulumi.String("string"),
SslC3d: pulumi.String("string"),
SslForwardProxy: pulumi.String("string"),
SslForwardProxyBypass: pulumi.String("string"),
SslSignHash: pulumi.String("string"),
StrictResume: pulumi.String("string"),
TmOptions: pulumi.StringArray{
pulumi.String("string"),
},
UncleanShutdown: pulumi.String("string"),
UntrustedCertResponseControl: pulumi.String("string"),
})
var profileServerSslResource = new ProfileServerSsl("profileServerSslResource", ProfileServerSslArgs.builder()
.name("string")
.alertTimeout("string")
.authenticate("string")
.authenticateDepth(0)
.c3dCaCert("string")
.c3dCaKey("string")
.c3dCaPassphrase("string")
.c3dCertExtensionCustomOids("string")
.c3dCertExtensionIncludes("string")
.c3dCertLifespan(0)
.c3dCertificateExtensions("string")
.caFile("string")
.cacheSize(0)
.cacheTimeout(0)
.cert("string")
.chain("string")
.cipherGroup("string")
.ciphers("string")
.defaultsFrom("string")
.expireCertResponseControl("string")
.fullPath("string")
.generation(0)
.genericAlert("string")
.handshakeTimeout("string")
.key("string")
.modSslMethods("string")
.mode("string")
.partition("string")
.passphrase("string")
.peerCertMode("string")
.proxyCaCert("string")
.proxyCaKey("string")
.proxySsl("string")
.renegotiatePeriod("string")
.renegotiateSize("string")
.renegotiation("string")
.retainCertificate("string")
.secureRenegotiation("string")
.serverName("string")
.sessionMirroring("string")
.sessionTicket("string")
.sniDefault("string")
.sniRequire("string")
.sslC3d("string")
.sslForwardProxy("string")
.sslForwardProxyBypass("string")
.sslSignHash("string")
.strictResume("string")
.tmOptions("string")
.uncleanShutdown("string")
.untrustedCertResponseControl("string")
.build());
profile_server_ssl_resource = f5bigip.ltm.ProfileServerSsl("profileServerSslResource",
name="string",
alert_timeout="string",
authenticate="string",
authenticate_depth=0,
c3d_ca_cert="string",
c3d_ca_key="string",
c3d_ca_passphrase="string",
c3d_cert_extension_custom_oids=["string"],
c3d_cert_extension_includes=["string"],
c3d_cert_lifespan=0,
c3d_certificate_extensions="string",
ca_file="string",
cache_size=0,
cache_timeout=0,
cert="string",
chain="string",
cipher_group="string",
ciphers="string",
defaults_from="string",
expire_cert_response_control="string",
full_path="string",
generation=0,
generic_alert="string",
handshake_timeout="string",
key="string",
mod_ssl_methods="string",
mode="string",
partition="string",
passphrase="string",
peer_cert_mode="string",
proxy_ca_cert="string",
proxy_ca_key="string",
proxy_ssl="string",
renegotiate_period="string",
renegotiate_size="string",
renegotiation="string",
retain_certificate="string",
secure_renegotiation="string",
server_name="string",
session_mirroring="string",
session_ticket="string",
sni_default="string",
sni_require="string",
ssl_c3d="string",
ssl_forward_proxy="string",
ssl_forward_proxy_bypass="string",
ssl_sign_hash="string",
strict_resume="string",
tm_options=["string"],
unclean_shutdown="string",
untrusted_cert_response_control="string")
const profileServerSslResource = new f5bigip.ltm.ProfileServerSsl("profileServerSslResource", {
name: "string",
alertTimeout: "string",
authenticate: "string",
authenticateDepth: 0,
c3dCaCert: "string",
c3dCaKey: "string",
c3dCaPassphrase: "string",
c3dCertExtensionCustomOids: ["string"],
c3dCertExtensionIncludes: ["string"],
c3dCertLifespan: 0,
c3dCertificateExtensions: "string",
caFile: "string",
cacheSize: 0,
cacheTimeout: 0,
cert: "string",
chain: "string",
cipherGroup: "string",
ciphers: "string",
defaultsFrom: "string",
expireCertResponseControl: "string",
fullPath: "string",
generation: 0,
genericAlert: "string",
handshakeTimeout: "string",
key: "string",
modSslMethods: "string",
mode: "string",
partition: "string",
passphrase: "string",
peerCertMode: "string",
proxyCaCert: "string",
proxyCaKey: "string",
proxySsl: "string",
renegotiatePeriod: "string",
renegotiateSize: "string",
renegotiation: "string",
retainCertificate: "string",
secureRenegotiation: "string",
serverName: "string",
sessionMirroring: "string",
sessionTicket: "string",
sniDefault: "string",
sniRequire: "string",
sslC3d: "string",
sslForwardProxy: "string",
sslForwardProxyBypass: "string",
sslSignHash: "string",
strictResume: "string",
tmOptions: ["string"],
uncleanShutdown: "string",
untrustedCertResponseControl: "string",
});
type: f5bigip:ltm:ProfileServerSsl
properties:
alertTimeout: string
authenticate: string
authenticateDepth: 0
c3dCaCert: string
c3dCaKey: string
c3dCaPassphrase: string
c3dCertExtensionCustomOids:
- string
c3dCertExtensionIncludes:
- string
c3dCertLifespan: 0
c3dCertificateExtensions: string
caFile: string
cacheSize: 0
cacheTimeout: 0
cert: string
chain: string
cipherGroup: string
ciphers: string
defaultsFrom: string
expireCertResponseControl: string
fullPath: string
generation: 0
genericAlert: string
handshakeTimeout: string
key: string
modSslMethods: string
mode: string
name: string
partition: string
passphrase: string
peerCertMode: string
proxyCaCert: string
proxyCaKey: string
proxySsl: string
renegotiatePeriod: string
renegotiateSize: string
renegotiation: string
retainCertificate: string
secureRenegotiation: string
serverName: string
sessionMirroring: string
sessionTicket: string
sniDefault: string
sniRequire: string
sslC3d: string
sslForwardProxy: string
sslForwardProxyBypass: string
sslSignHash: string
strictResume: string
tmOptions:
- string
uncleanShutdown: string
untrustedCertResponseControl: string
ProfileServerSsl Resource Properties
To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.
Inputs
In Python, inputs that are objects can be passed either as argument classes or as dictionary literals.
The ProfileServerSsl resource accepts the following input properties:
- Name string
- Specifies the name of the profile.Name of Profile should be full path,full path is the combination of the
partition + profile name
. For example/Common/test-serverssl-profile
. - Alert
Timeout string - Alert time out
- Authenticate string
- Specifies the frequency of server authentication for an SSL session.When
once
,specifies that the system authenticates the server once for an SSL session. Whenalways
, specifies that the system authenticates the server once for an SSL session and also upon reuse of that session. - Authenticate
Depth int - Client certificate chain traversal depth. Default 9.
- C3d
Ca stringCert - Specifies the name of the certificate file that is used as the certification authority certificate when SSL client certificate constrained delegation is enabled. The certificate should be generated and installed by you on the system. When selecting this option, type a certificate file name.
- C3d
Ca stringKey Specifies the name of the key file that is used as the certification authority key when SSL client certificate constrained delegation is enabled. The key should be generated and installed by you on the system. When selecting this option, type a key file name.
c3d-ca-passphrase
(Optional) Specifies the passphrase of the key file that is used as the certification authority key when SSL client certificate constrained delegation is enabled. When selecting this option, type the passphrase corresponding to the selected c3d-ca-key.c3d-cert-extension-custom-oids
(Optional) Specifies the custom extension OID of the client certificates to be included in the generated certificates using SSL client certificate constrained delegation.
- C3d
Ca stringPassphrase - CA Passphrase. Default
- C3d
Cert List<string>Extension Custom Oids - Certificate Extensions List. Default
- C3d
Cert List<string>Extension Includes Specifies the extensions of the client certificates to be included in the generated certificates using SSL client certificate constrained delegation. For example, { basic-constraints }. The default value is { basic-constraints extended-key-usage key-usage subject-alternative-name }. The extensions are:
basic-constraints Basic constraints are used to indicate whether the certificate belongs to a CA.
extended-key-usage Extended Key Usage is used, typically on a leaf certificate, to indicate the purpose of the public key contained in the certificate.
key-usage Key Usage provides a bitmap specifying the cryptographic operations which may be performed using the public key contained in the certificate; for example, it could indicate that the key should be used for signature but not for encipherment.
subject-alternative-name Subject Alternative Name allows identities to be bound to the subject of the certificate. These identities may be included in addition to or in place of the identity in the subject field of the certificate.
c3d-cert-lifespan
Specifies the lifespan of the certificate generated using the SSL client certificate constrained delegation. The default value is 24.
- C3d
Cert intLifespan - Certificate Lifespan. Default
- C3d
Certificate stringExtensions - CA Passphrase. Default enabled
- Ca
File string - Client certificate file path. Default None.
- Cache
Size int - Cache size (sessions).
- Cache
Timeout int - Cache time out
- Cert string
- Specifies the name of the certificate that the system uses for server-side SSL processing.
- Chain string
- Specifies the certificates-key chain to associate with the SSL profile
- Cipher
Group string - Specifies the cipher group for the SSL server profile. It is mutually exclusive with the argument,
ciphers
. The default value isnone
. - Ciphers string
- Specifies the list of ciphers that the system supports. When creating a new profile, the default cipher list is provided by the parent profile.
- Defaults
From string - The parent template of this monitor template. Once this value has been set, it cannot be changed. By default, this value is
/Common/serverssl
. - Expire
Cert stringResponse Control - Response if the cert is expired (drop / ignore).
- Full
Path string - full path of the profile
- Generation int
- generation
- Generic
Alert string - Generic alerts enabled / disabled.
- Handshake
Timeout string - Handshake time out (seconds)
- Key string
- Specifies the file name of the SSL key.
- Mod
Ssl stringMethods - ModSSL Methods enabled / disabled. Default is disabled.
- Mode string
- ModSSL Methods enabled / disabled. Default is disabled.
- Partition string
- name of partition
- Passphrase string
- Client Certificate Constrained Delegation CA passphrase
- Peer
Cert stringMode - Specifies the way the system handles client certificates.When ignore, specifies that the system ignores certificates from client systems.When require, specifies that the system requires a client to present a valid certificate.When request, specifies that the system requests a valid certificate from a client but always authenticate the client.
- Proxy
Ca stringCert - Proxy CA Cert
- Proxy
Ca stringKey - Proxy CA Key
- Proxy
Ssl string - Proxy SSL enabled / disabled. Default is disabled.
- Renegotiate
Period string - Renogotiate Period (seconds)
- Renegotiate
Size string - Renogotiate Size
- Renegotiation string
- Enables or disables SSL renegotiation.When creating a new profile, the setting is provided by the parent profile
- Retain
Certificate string - When
true
, client certificate is retained in SSL session. - Secure
Renegotiation string - Specifies the method of secure renegotiations for SSL connections. When creating a new profile, the setting is provided by the parent profile.
When
request
is set the system request secure renegotation of SSL connections.require
is a default setting and when set the system permits initial SSL handshakes from clients but terminates renegotiations from unpatched clients. Therequire-strict
setting the system requires strict renegotiation of SSL connections. In this mode the system refuses connections to insecure servers, and terminates existing SSL connections to insecure servers - Server
Name string - Specifies the fully qualified DNS hostname of the server used in Server Name Indication communications. When creating a new profile, the setting is provided by the parent profile.The server name can also be a wildcard string containing the asterisk
*
character. - Session
Mirroring string - Session Mirroring (enabled / disabled)
- Session
Ticket string - Session Ticket (enabled / disabled)
- Sni
Default string - Indicates that the system uses this profile as the default SSL profile when there is no match to the server name, or when the client provides no SNI extension support.When creating a new profile, the setting is provided by the parent profile. There can be only one SSL profile with this setting enabled.
- Sni
Require string - Requires that the network peers also provide SNI support, this setting only takes effect when
sni_default
is set totrue
.When creating a new profile, the setting is provided by the parent profile - Ssl
C3d string - Enables or disables SSL forward proxy bypass on receiving handshake_failure, protocol_version or unsupported_extension alert message during the serverside SSL handshake. When enabled and there is an SSL handshake_failure, protocol_version or unsupported_extension alert during the serverside SSL handshake, SSL traffic bypasses the BIG-IP system untouched, without decryption/encryption. The default value is disabled. Conversely, you can specify enabled to use this feature.
- Ssl
Forward stringProxy - Specifies whether SSL forward proxy feature is enabled or not. The default value is disabled.
- Ssl
Forward stringProxy Bypass - Specifies whether SSL forward proxy bypass feature is enabled or not. The default value is disabled.
- Ssl
Sign stringHash - SSL sign hash (any, sha1, sha256, sha384)
- Strict
Resume string - Enables or disables the resumption of SSL sessions after an unclean shutdown.When creating a new profile, the setting is provided by the parent profile.
- Tm
Options List<string> - List of Enabled selection from a set of industry standard options for handling SSL processing.By default,
Don't insert empty fragments and No TLSv1.3 are listed as Enabled Options.
Usage
: tm_options = ["dont-insert-empty-fragments","no-tlsv1.3"] - Unclean
Shutdown string - Unclean Shutdown (enabled / disabled)
- Untrusted
Cert stringResponse Control - Unclean Shutdown (drop / ignore)
- Name string
- Specifies the name of the profile.Name of Profile should be full path,full path is the combination of the
partition + profile name
. For example/Common/test-serverssl-profile
. - Alert
Timeout string - Alert time out
- Authenticate string
- Specifies the frequency of server authentication for an SSL session.When
once
,specifies that the system authenticates the server once for an SSL session. Whenalways
, specifies that the system authenticates the server once for an SSL session and also upon reuse of that session. - Authenticate
Depth int - Client certificate chain traversal depth. Default 9.
- C3d
Ca stringCert - Specifies the name of the certificate file that is used as the certification authority certificate when SSL client certificate constrained delegation is enabled. The certificate should be generated and installed by you on the system. When selecting this option, type a certificate file name.
- C3d
Ca stringKey Specifies the name of the key file that is used as the certification authority key when SSL client certificate constrained delegation is enabled. The key should be generated and installed by you on the system. When selecting this option, type a key file name.
c3d-ca-passphrase
(Optional) Specifies the passphrase of the key file that is used as the certification authority key when SSL client certificate constrained delegation is enabled. When selecting this option, type the passphrase corresponding to the selected c3d-ca-key.c3d-cert-extension-custom-oids
(Optional) Specifies the custom extension OID of the client certificates to be included in the generated certificates using SSL client certificate constrained delegation.
- C3d
Ca stringPassphrase - CA Passphrase. Default
- C3d
Cert []stringExtension Custom Oids - Certificate Extensions List. Default
- C3d
Cert []stringExtension Includes Specifies the extensions of the client certificates to be included in the generated certificates using SSL client certificate constrained delegation. For example, { basic-constraints }. The default value is { basic-constraints extended-key-usage key-usage subject-alternative-name }. The extensions are:
basic-constraints Basic constraints are used to indicate whether the certificate belongs to a CA.
extended-key-usage Extended Key Usage is used, typically on a leaf certificate, to indicate the purpose of the public key contained in the certificate.
key-usage Key Usage provides a bitmap specifying the cryptographic operations which may be performed using the public key contained in the certificate; for example, it could indicate that the key should be used for signature but not for encipherment.
subject-alternative-name Subject Alternative Name allows identities to be bound to the subject of the certificate. These identities may be included in addition to or in place of the identity in the subject field of the certificate.
c3d-cert-lifespan
Specifies the lifespan of the certificate generated using the SSL client certificate constrained delegation. The default value is 24.
- C3d
Cert intLifespan - Certificate Lifespan. Default
- C3d
Certificate stringExtensions - CA Passphrase. Default enabled
- Ca
File string - Client certificate file path. Default None.
- Cache
Size int - Cache size (sessions).
- Cache
Timeout int - Cache time out
- Cert string
- Specifies the name of the certificate that the system uses for server-side SSL processing.
- Chain string
- Specifies the certificates-key chain to associate with the SSL profile
- Cipher
Group string - Specifies the cipher group for the SSL server profile. It is mutually exclusive with the argument,
ciphers
. The default value isnone
. - Ciphers string
- Specifies the list of ciphers that the system supports. When creating a new profile, the default cipher list is provided by the parent profile.
- Defaults
From string - The parent template of this monitor template. Once this value has been set, it cannot be changed. By default, this value is
/Common/serverssl
. - Expire
Cert stringResponse Control - Response if the cert is expired (drop / ignore).
- Full
Path string - full path of the profile
- Generation int
- generation
- Generic
Alert string - Generic alerts enabled / disabled.
- Handshake
Timeout string - Handshake time out (seconds)
- Key string
- Specifies the file name of the SSL key.
- Mod
Ssl stringMethods - ModSSL Methods enabled / disabled. Default is disabled.
- Mode string
- ModSSL Methods enabled / disabled. Default is disabled.
- Partition string
- name of partition
- Passphrase string
- Client Certificate Constrained Delegation CA passphrase
- Peer
Cert stringMode - Specifies the way the system handles client certificates.When ignore, specifies that the system ignores certificates from client systems.When require, specifies that the system requires a client to present a valid certificate.When request, specifies that the system requests a valid certificate from a client but always authenticate the client.
- Proxy
Ca stringCert - Proxy CA Cert
- Proxy
Ca stringKey - Proxy CA Key
- Proxy
Ssl string - Proxy SSL enabled / disabled. Default is disabled.
- Renegotiate
Period string - Renogotiate Period (seconds)
- Renegotiate
Size string - Renogotiate Size
- Renegotiation string
- Enables or disables SSL renegotiation.When creating a new profile, the setting is provided by the parent profile
- Retain
Certificate string - When
true
, client certificate is retained in SSL session. - Secure
Renegotiation string - Specifies the method of secure renegotiations for SSL connections. When creating a new profile, the setting is provided by the parent profile.
When
request
is set the system request secure renegotation of SSL connections.require
is a default setting and when set the system permits initial SSL handshakes from clients but terminates renegotiations from unpatched clients. Therequire-strict
setting the system requires strict renegotiation of SSL connections. In this mode the system refuses connections to insecure servers, and terminates existing SSL connections to insecure servers - Server
Name string - Specifies the fully qualified DNS hostname of the server used in Server Name Indication communications. When creating a new profile, the setting is provided by the parent profile.The server name can also be a wildcard string containing the asterisk
*
character. - Session
Mirroring string - Session Mirroring (enabled / disabled)
- Session
Ticket string - Session Ticket (enabled / disabled)
- Sni
Default string - Indicates that the system uses this profile as the default SSL profile when there is no match to the server name, or when the client provides no SNI extension support.When creating a new profile, the setting is provided by the parent profile. There can be only one SSL profile with this setting enabled.
- Sni
Require string - Requires that the network peers also provide SNI support, this setting only takes effect when
sni_default
is set totrue
.When creating a new profile, the setting is provided by the parent profile - Ssl
C3d string - Enables or disables SSL forward proxy bypass on receiving handshake_failure, protocol_version or unsupported_extension alert message during the serverside SSL handshake. When enabled and there is an SSL handshake_failure, protocol_version or unsupported_extension alert during the serverside SSL handshake, SSL traffic bypasses the BIG-IP system untouched, without decryption/encryption. The default value is disabled. Conversely, you can specify enabled to use this feature.
- Ssl
Forward stringProxy - Specifies whether SSL forward proxy feature is enabled or not. The default value is disabled.
- Ssl
Forward stringProxy Bypass - Specifies whether SSL forward proxy bypass feature is enabled or not. The default value is disabled.
- Ssl
Sign stringHash - SSL sign hash (any, sha1, sha256, sha384)
- Strict
Resume string - Enables or disables the resumption of SSL sessions after an unclean shutdown.When creating a new profile, the setting is provided by the parent profile.
- Tm
Options []string - List of Enabled selection from a set of industry standard options for handling SSL processing.By default,
Don't insert empty fragments and No TLSv1.3 are listed as Enabled Options.
Usage
: tm_options = ["dont-insert-empty-fragments","no-tlsv1.3"] - Unclean
Shutdown string - Unclean Shutdown (enabled / disabled)
- Untrusted
Cert stringResponse Control - Unclean Shutdown (drop / ignore)
- name String
- Specifies the name of the profile.Name of Profile should be full path,full path is the combination of the
partition + profile name
. For example/Common/test-serverssl-profile
. - alert
Timeout String - Alert time out
- authenticate String
- Specifies the frequency of server authentication for an SSL session.When
once
,specifies that the system authenticates the server once for an SSL session. Whenalways
, specifies that the system authenticates the server once for an SSL session and also upon reuse of that session. - authenticate
Depth Integer - Client certificate chain traversal depth. Default 9.
- c3d
Ca StringCert - Specifies the name of the certificate file that is used as the certification authority certificate when SSL client certificate constrained delegation is enabled. The certificate should be generated and installed by you on the system. When selecting this option, type a certificate file name.
- c3d
Ca StringKey Specifies the name of the key file that is used as the certification authority key when SSL client certificate constrained delegation is enabled. The key should be generated and installed by you on the system. When selecting this option, type a key file name.
c3d-ca-passphrase
(Optional) Specifies the passphrase of the key file that is used as the certification authority key when SSL client certificate constrained delegation is enabled. When selecting this option, type the passphrase corresponding to the selected c3d-ca-key.c3d-cert-extension-custom-oids
(Optional) Specifies the custom extension OID of the client certificates to be included in the generated certificates using SSL client certificate constrained delegation.
- c3d
Ca StringPassphrase - CA Passphrase. Default
- c3d
Cert List<String>Extension Custom Oids - Certificate Extensions List. Default
- c3d
Cert List<String>Extension Includes Specifies the extensions of the client certificates to be included in the generated certificates using SSL client certificate constrained delegation. For example, { basic-constraints }. The default value is { basic-constraints extended-key-usage key-usage subject-alternative-name }. The extensions are:
basic-constraints Basic constraints are used to indicate whether the certificate belongs to a CA.
extended-key-usage Extended Key Usage is used, typically on a leaf certificate, to indicate the purpose of the public key contained in the certificate.
key-usage Key Usage provides a bitmap specifying the cryptographic operations which may be performed using the public key contained in the certificate; for example, it could indicate that the key should be used for signature but not for encipherment.
subject-alternative-name Subject Alternative Name allows identities to be bound to the subject of the certificate. These identities may be included in addition to or in place of the identity in the subject field of the certificate.
c3d-cert-lifespan
Specifies the lifespan of the certificate generated using the SSL client certificate constrained delegation. The default value is 24.
- c3d
Cert IntegerLifespan - Certificate Lifespan. Default
- c3d
Certificate StringExtensions - CA Passphrase. Default enabled
- ca
File String - Client certificate file path. Default None.
- cache
Size Integer - Cache size (sessions).
- cache
Timeout Integer - Cache time out
- cert String
- Specifies the name of the certificate that the system uses for server-side SSL processing.
- chain String
- Specifies the certificates-key chain to associate with the SSL profile
- cipher
Group String - Specifies the cipher group for the SSL server profile. It is mutually exclusive with the argument,
ciphers
. The default value isnone
. - ciphers String
- Specifies the list of ciphers that the system supports. When creating a new profile, the default cipher list is provided by the parent profile.
- defaults
From String - The parent template of this monitor template. Once this value has been set, it cannot be changed. By default, this value is
/Common/serverssl
. - expire
Cert StringResponse Control - Response if the cert is expired (drop / ignore).
- full
Path String - full path of the profile
- generation Integer
- generation
- generic
Alert String - Generic alerts enabled / disabled.
- handshake
Timeout String - Handshake time out (seconds)
- key String
- Specifies the file name of the SSL key.
- mod
Ssl StringMethods - ModSSL Methods enabled / disabled. Default is disabled.
- mode String
- ModSSL Methods enabled / disabled. Default is disabled.
- partition String
- name of partition
- passphrase String
- Client Certificate Constrained Delegation CA passphrase
- peer
Cert StringMode - Specifies the way the system handles client certificates.When ignore, specifies that the system ignores certificates from client systems.When require, specifies that the system requires a client to present a valid certificate.When request, specifies that the system requests a valid certificate from a client but always authenticate the client.
- proxy
Ca StringCert - Proxy CA Cert
- proxy
Ca StringKey - Proxy CA Key
- proxy
Ssl String - Proxy SSL enabled / disabled. Default is disabled.
- renegotiate
Period String - Renogotiate Period (seconds)
- renegotiate
Size String - Renogotiate Size
- renegotiation String
- Enables or disables SSL renegotiation.When creating a new profile, the setting is provided by the parent profile
- retain
Certificate String - When
true
, client certificate is retained in SSL session. - secure
Renegotiation String - Specifies the method of secure renegotiations for SSL connections. When creating a new profile, the setting is provided by the parent profile.
When
request
is set the system request secure renegotation of SSL connections.require
is a default setting and when set the system permits initial SSL handshakes from clients but terminates renegotiations from unpatched clients. Therequire-strict
setting the system requires strict renegotiation of SSL connections. In this mode the system refuses connections to insecure servers, and terminates existing SSL connections to insecure servers - server
Name String - Specifies the fully qualified DNS hostname of the server used in Server Name Indication communications. When creating a new profile, the setting is provided by the parent profile.The server name can also be a wildcard string containing the asterisk
*
character. - session
Mirroring String - Session Mirroring (enabled / disabled)
- session
Ticket String - Session Ticket (enabled / disabled)
- sni
Default String - Indicates that the system uses this profile as the default SSL profile when there is no match to the server name, or when the client provides no SNI extension support.When creating a new profile, the setting is provided by the parent profile. There can be only one SSL profile with this setting enabled.
- sni
Require String - Requires that the network peers also provide SNI support, this setting only takes effect when
sni_default
is set totrue
.When creating a new profile, the setting is provided by the parent profile - ssl
C3d String - Enables or disables SSL forward proxy bypass on receiving handshake_failure, protocol_version or unsupported_extension alert message during the serverside SSL handshake. When enabled and there is an SSL handshake_failure, protocol_version or unsupported_extension alert during the serverside SSL handshake, SSL traffic bypasses the BIG-IP system untouched, without decryption/encryption. The default value is disabled. Conversely, you can specify enabled to use this feature.
- ssl
Forward StringProxy - Specifies whether SSL forward proxy feature is enabled or not. The default value is disabled.
- ssl
Forward StringProxy Bypass - Specifies whether SSL forward proxy bypass feature is enabled or not. The default value is disabled.
- ssl
Sign StringHash - SSL sign hash (any, sha1, sha256, sha384)
- strict
Resume String - Enables or disables the resumption of SSL sessions after an unclean shutdown.When creating a new profile, the setting is provided by the parent profile.
- tm
Options List<String> - List of Enabled selection from a set of industry standard options for handling SSL processing.By default,
Don't insert empty fragments and No TLSv1.3 are listed as Enabled Options.
Usage
: tm_options = ["dont-insert-empty-fragments","no-tlsv1.3"] - unclean
Shutdown String - Unclean Shutdown (enabled / disabled)
- untrusted
Cert StringResponse Control - Unclean Shutdown (drop / ignore)
- name string
- Specifies the name of the profile.Name of Profile should be full path,full path is the combination of the
partition + profile name
. For example/Common/test-serverssl-profile
. - alert
Timeout string - Alert time out
- authenticate string
- Specifies the frequency of server authentication for an SSL session.When
once
,specifies that the system authenticates the server once for an SSL session. Whenalways
, specifies that the system authenticates the server once for an SSL session and also upon reuse of that session. - authenticate
Depth number - Client certificate chain traversal depth. Default 9.
- c3d
Ca stringCert - Specifies the name of the certificate file that is used as the certification authority certificate when SSL client certificate constrained delegation is enabled. The certificate should be generated and installed by you on the system. When selecting this option, type a certificate file name.
- c3d
Ca stringKey Specifies the name of the key file that is used as the certification authority key when SSL client certificate constrained delegation is enabled. The key should be generated and installed by you on the system. When selecting this option, type a key file name.
c3d-ca-passphrase
(Optional) Specifies the passphrase of the key file that is used as the certification authority key when SSL client certificate constrained delegation is enabled. When selecting this option, type the passphrase corresponding to the selected c3d-ca-key.c3d-cert-extension-custom-oids
(Optional) Specifies the custom extension OID of the client certificates to be included in the generated certificates using SSL client certificate constrained delegation.
- c3d
Ca stringPassphrase - CA Passphrase. Default
- c3d
Cert string[]Extension Custom Oids - Certificate Extensions List. Default
- c3d
Cert string[]Extension Includes Specifies the extensions of the client certificates to be included in the generated certificates using SSL client certificate constrained delegation. For example, { basic-constraints }. The default value is { basic-constraints extended-key-usage key-usage subject-alternative-name }. The extensions are:
basic-constraints Basic constraints are used to indicate whether the certificate belongs to a CA.
extended-key-usage Extended Key Usage is used, typically on a leaf certificate, to indicate the purpose of the public key contained in the certificate.
key-usage Key Usage provides a bitmap specifying the cryptographic operations which may be performed using the public key contained in the certificate; for example, it could indicate that the key should be used for signature but not for encipherment.
subject-alternative-name Subject Alternative Name allows identities to be bound to the subject of the certificate. These identities may be included in addition to or in place of the identity in the subject field of the certificate.
c3d-cert-lifespan
Specifies the lifespan of the certificate generated using the SSL client certificate constrained delegation. The default value is 24.
- c3d
Cert numberLifespan - Certificate Lifespan. Default
- c3d
Certificate stringExtensions - CA Passphrase. Default enabled
- ca
File string - Client certificate file path. Default None.
- cache
Size number - Cache size (sessions).
- cache
Timeout number - Cache time out
- cert string
- Specifies the name of the certificate that the system uses for server-side SSL processing.
- chain string
- Specifies the certificates-key chain to associate with the SSL profile
- cipher
Group string - Specifies the cipher group for the SSL server profile. It is mutually exclusive with the argument,
ciphers
. The default value isnone
. - ciphers string
- Specifies the list of ciphers that the system supports. When creating a new profile, the default cipher list is provided by the parent profile.
- defaults
From string - The parent template of this monitor template. Once this value has been set, it cannot be changed. By default, this value is
/Common/serverssl
. - expire
Cert stringResponse Control - Response if the cert is expired (drop / ignore).
- full
Path string - full path of the profile
- generation number
- generation
- generic
Alert string - Generic alerts enabled / disabled.
- handshake
Timeout string - Handshake time out (seconds)
- key string
- Specifies the file name of the SSL key.
- mod
Ssl stringMethods - ModSSL Methods enabled / disabled. Default is disabled.
- mode string
- ModSSL Methods enabled / disabled. Default is disabled.
- partition string
- name of partition
- passphrase string
- Client Certificate Constrained Delegation CA passphrase
- peer
Cert stringMode - Specifies the way the system handles client certificates.When ignore, specifies that the system ignores certificates from client systems.When require, specifies that the system requires a client to present a valid certificate.When request, specifies that the system requests a valid certificate from a client but always authenticate the client.
- proxy
Ca stringCert - Proxy CA Cert
- proxy
Ca stringKey - Proxy CA Key
- proxy
Ssl string - Proxy SSL enabled / disabled. Default is disabled.
- renegotiate
Period string - Renogotiate Period (seconds)
- renegotiate
Size string - Renogotiate Size
- renegotiation string
- Enables or disables SSL renegotiation.When creating a new profile, the setting is provided by the parent profile
- retain
Certificate string - When
true
, client certificate is retained in SSL session. - secure
Renegotiation string - Specifies the method of secure renegotiations for SSL connections. When creating a new profile, the setting is provided by the parent profile.
When
request
is set the system request secure renegotation of SSL connections.require
is a default setting and when set the system permits initial SSL handshakes from clients but terminates renegotiations from unpatched clients. Therequire-strict
setting the system requires strict renegotiation of SSL connections. In this mode the system refuses connections to insecure servers, and terminates existing SSL connections to insecure servers - server
Name string - Specifies the fully qualified DNS hostname of the server used in Server Name Indication communications. When creating a new profile, the setting is provided by the parent profile.The server name can also be a wildcard string containing the asterisk
*
character. - session
Mirroring string - Session Mirroring (enabled / disabled)
- session
Ticket string - Session Ticket (enabled / disabled)
- sni
Default string - Indicates that the system uses this profile as the default SSL profile when there is no match to the server name, or when the client provides no SNI extension support.When creating a new profile, the setting is provided by the parent profile. There can be only one SSL profile with this setting enabled.
- sni
Require string - Requires that the network peers also provide SNI support, this setting only takes effect when
sni_default
is set totrue
.When creating a new profile, the setting is provided by the parent profile - ssl
C3d string - Enables or disables SSL forward proxy bypass on receiving handshake_failure, protocol_version or unsupported_extension alert message during the serverside SSL handshake. When enabled and there is an SSL handshake_failure, protocol_version or unsupported_extension alert during the serverside SSL handshake, SSL traffic bypasses the BIG-IP system untouched, without decryption/encryption. The default value is disabled. Conversely, you can specify enabled to use this feature.
- ssl
Forward stringProxy - Specifies whether SSL forward proxy feature is enabled or not. The default value is disabled.
- ssl
Forward stringProxy Bypass - Specifies whether SSL forward proxy bypass feature is enabled or not. The default value is disabled.
- ssl
Sign stringHash - SSL sign hash (any, sha1, sha256, sha384)
- strict
Resume string - Enables or disables the resumption of SSL sessions after an unclean shutdown.When creating a new profile, the setting is provided by the parent profile.
- tm
Options string[] - List of Enabled selection from a set of industry standard options for handling SSL processing.By default,
Don't insert empty fragments and No TLSv1.3 are listed as Enabled Options.
Usage
: tm_options = ["dont-insert-empty-fragments","no-tlsv1.3"] - unclean
Shutdown string - Unclean Shutdown (enabled / disabled)
- untrusted
Cert stringResponse Control - Unclean Shutdown (drop / ignore)
- name str
- Specifies the name of the profile.Name of Profile should be full path,full path is the combination of the
partition + profile name
. For example/Common/test-serverssl-profile
. - alert_
timeout str - Alert time out
- authenticate str
- Specifies the frequency of server authentication for an SSL session.When
once
,specifies that the system authenticates the server once for an SSL session. Whenalways
, specifies that the system authenticates the server once for an SSL session and also upon reuse of that session. - authenticate_
depth int - Client certificate chain traversal depth. Default 9.
- c3d_
ca_ strcert - Specifies the name of the certificate file that is used as the certification authority certificate when SSL client certificate constrained delegation is enabled. The certificate should be generated and installed by you on the system. When selecting this option, type a certificate file name.
- c3d_
ca_ strkey Specifies the name of the key file that is used as the certification authority key when SSL client certificate constrained delegation is enabled. The key should be generated and installed by you on the system. When selecting this option, type a key file name.
c3d-ca-passphrase
(Optional) Specifies the passphrase of the key file that is used as the certification authority key when SSL client certificate constrained delegation is enabled. When selecting this option, type the passphrase corresponding to the selected c3d-ca-key.c3d-cert-extension-custom-oids
(Optional) Specifies the custom extension OID of the client certificates to be included in the generated certificates using SSL client certificate constrained delegation.
- c3d_
ca_ strpassphrase - CA Passphrase. Default
- c3d_
cert_ Sequence[str]extension_ custom_ oids - Certificate Extensions List. Default
- c3d_
cert_ Sequence[str]extension_ includes Specifies the extensions of the client certificates to be included in the generated certificates using SSL client certificate constrained delegation. For example, { basic-constraints }. The default value is { basic-constraints extended-key-usage key-usage subject-alternative-name }. The extensions are:
basic-constraints Basic constraints are used to indicate whether the certificate belongs to a CA.
extended-key-usage Extended Key Usage is used, typically on a leaf certificate, to indicate the purpose of the public key contained in the certificate.
key-usage Key Usage provides a bitmap specifying the cryptographic operations which may be performed using the public key contained in the certificate; for example, it could indicate that the key should be used for signature but not for encipherment.
subject-alternative-name Subject Alternative Name allows identities to be bound to the subject of the certificate. These identities may be included in addition to or in place of the identity in the subject field of the certificate.
c3d-cert-lifespan
Specifies the lifespan of the certificate generated using the SSL client certificate constrained delegation. The default value is 24.
- c3d_
cert_ intlifespan - Certificate Lifespan. Default
- c3d_
certificate_ strextensions - CA Passphrase. Default enabled
- ca_
file str - Client certificate file path. Default None.
- cache_
size int - Cache size (sessions).
- cache_
timeout int - Cache time out
- cert str
- Specifies the name of the certificate that the system uses for server-side SSL processing.
- chain str
- Specifies the certificates-key chain to associate with the SSL profile
- cipher_
group str - Specifies the cipher group for the SSL server profile. It is mutually exclusive with the argument,
ciphers
. The default value isnone
. - ciphers str
- Specifies the list of ciphers that the system supports. When creating a new profile, the default cipher list is provided by the parent profile.
- defaults_
from str - The parent template of this monitor template. Once this value has been set, it cannot be changed. By default, this value is
/Common/serverssl
. - expire_
cert_ strresponse_ control - Response if the cert is expired (drop / ignore).
- full_
path str - full path of the profile
- generation int
- generation
- generic_
alert str - Generic alerts enabled / disabled.
- handshake_
timeout str - Handshake time out (seconds)
- key str
- Specifies the file name of the SSL key.
- mod_
ssl_ strmethods - ModSSL Methods enabled / disabled. Default is disabled.
- mode str
- ModSSL Methods enabled / disabled. Default is disabled.
- partition str
- name of partition
- passphrase str
- Client Certificate Constrained Delegation CA passphrase
- peer_
cert_ strmode - Specifies the way the system handles client certificates.When ignore, specifies that the system ignores certificates from client systems.When require, specifies that the system requires a client to present a valid certificate.When request, specifies that the system requests a valid certificate from a client but always authenticate the client.
- proxy_
ca_ strcert - Proxy CA Cert
- proxy_
ca_ strkey - Proxy CA Key
- proxy_
ssl str - Proxy SSL enabled / disabled. Default is disabled.
- renegotiate_
period str - Renogotiate Period (seconds)
- renegotiate_
size str - Renogotiate Size
- renegotiation str
- Enables or disables SSL renegotiation.When creating a new profile, the setting is provided by the parent profile
- retain_
certificate str - When
true
, client certificate is retained in SSL session. - secure_
renegotiation str - Specifies the method of secure renegotiations for SSL connections. When creating a new profile, the setting is provided by the parent profile.
When
request
is set the system request secure renegotation of SSL connections.require
is a default setting and when set the system permits initial SSL handshakes from clients but terminates renegotiations from unpatched clients. Therequire-strict
setting the system requires strict renegotiation of SSL connections. In this mode the system refuses connections to insecure servers, and terminates existing SSL connections to insecure servers - server_
name str - Specifies the fully qualified DNS hostname of the server used in Server Name Indication communications. When creating a new profile, the setting is provided by the parent profile.The server name can also be a wildcard string containing the asterisk
*
character. - session_
mirroring str - Session Mirroring (enabled / disabled)
- session_
ticket str - Session Ticket (enabled / disabled)
- sni_
default str - Indicates that the system uses this profile as the default SSL profile when there is no match to the server name, or when the client provides no SNI extension support.When creating a new profile, the setting is provided by the parent profile. There can be only one SSL profile with this setting enabled.
- sni_
require str - Requires that the network peers also provide SNI support, this setting only takes effect when
sni_default
is set totrue
.When creating a new profile, the setting is provided by the parent profile - ssl_
c3d str - Enables or disables SSL forward proxy bypass on receiving handshake_failure, protocol_version or unsupported_extension alert message during the serverside SSL handshake. When enabled and there is an SSL handshake_failure, protocol_version or unsupported_extension alert during the serverside SSL handshake, SSL traffic bypasses the BIG-IP system untouched, without decryption/encryption. The default value is disabled. Conversely, you can specify enabled to use this feature.
- ssl_
forward_ strproxy - Specifies whether SSL forward proxy feature is enabled or not. The default value is disabled.
- ssl_
forward_ strproxy_ bypass - Specifies whether SSL forward proxy bypass feature is enabled or not. The default value is disabled.
- ssl_
sign_ strhash - SSL sign hash (any, sha1, sha256, sha384)
- strict_
resume str - Enables or disables the resumption of SSL sessions after an unclean shutdown.When creating a new profile, the setting is provided by the parent profile.
- tm_
options Sequence[str] - List of Enabled selection from a set of industry standard options for handling SSL processing.By default,
Don't insert empty fragments and No TLSv1.3 are listed as Enabled Options.
Usage
: tm_options = ["dont-insert-empty-fragments","no-tlsv1.3"] - unclean_
shutdown str - Unclean Shutdown (enabled / disabled)
- untrusted_
cert_ strresponse_ control - Unclean Shutdown (drop / ignore)
- name String
- Specifies the name of the profile.Name of Profile should be full path,full path is the combination of the
partition + profile name
. For example/Common/test-serverssl-profile
. - alert
Timeout String - Alert time out
- authenticate String
- Specifies the frequency of server authentication for an SSL session.When
once
,specifies that the system authenticates the server once for an SSL session. Whenalways
, specifies that the system authenticates the server once for an SSL session and also upon reuse of that session. - authenticate
Depth Number - Client certificate chain traversal depth. Default 9.
- c3d
Ca StringCert - Specifies the name of the certificate file that is used as the certification authority certificate when SSL client certificate constrained delegation is enabled. The certificate should be generated and installed by you on the system. When selecting this option, type a certificate file name.
- c3d
Ca StringKey Specifies the name of the key file that is used as the certification authority key when SSL client certificate constrained delegation is enabled. The key should be generated and installed by you on the system. When selecting this option, type a key file name.
c3d-ca-passphrase
(Optional) Specifies the passphrase of the key file that is used as the certification authority key when SSL client certificate constrained delegation is enabled. When selecting this option, type the passphrase corresponding to the selected c3d-ca-key.c3d-cert-extension-custom-oids
(Optional) Specifies the custom extension OID of the client certificates to be included in the generated certificates using SSL client certificate constrained delegation.
- c3d
Ca StringPassphrase - CA Passphrase. Default
- c3d
Cert List<String>Extension Custom Oids - Certificate Extensions List. Default
- c3d
Cert List<String>Extension Includes Specifies the extensions of the client certificates to be included in the generated certificates using SSL client certificate constrained delegation. For example, { basic-constraints }. The default value is { basic-constraints extended-key-usage key-usage subject-alternative-name }. The extensions are:
basic-constraints Basic constraints are used to indicate whether the certificate belongs to a CA.
extended-key-usage Extended Key Usage is used, typically on a leaf certificate, to indicate the purpose of the public key contained in the certificate.
key-usage Key Usage provides a bitmap specifying the cryptographic operations which may be performed using the public key contained in the certificate; for example, it could indicate that the key should be used for signature but not for encipherment.
subject-alternative-name Subject Alternative Name allows identities to be bound to the subject of the certificate. These identities may be included in addition to or in place of the identity in the subject field of the certificate.
c3d-cert-lifespan
Specifies the lifespan of the certificate generated using the SSL client certificate constrained delegation. The default value is 24.
- c3d
Cert NumberLifespan - Certificate Lifespan. Default
- c3d
Certificate StringExtensions - CA Passphrase. Default enabled
- ca
File String - Client certificate file path. Default None.
- cache
Size Number - Cache size (sessions).
- cache
Timeout Number - Cache time out
- cert String
- Specifies the name of the certificate that the system uses for server-side SSL processing.
- chain String
- Specifies the certificates-key chain to associate with the SSL profile
- cipher
Group String - Specifies the cipher group for the SSL server profile. It is mutually exclusive with the argument,
ciphers
. The default value isnone
. - ciphers String
- Specifies the list of ciphers that the system supports. When creating a new profile, the default cipher list is provided by the parent profile.
- defaults
From String - The parent template of this monitor template. Once this value has been set, it cannot be changed. By default, this value is
/Common/serverssl
. - expire
Cert StringResponse Control - Response if the cert is expired (drop / ignore).
- full
Path String - full path of the profile
- generation Number
- generation
- generic
Alert String - Generic alerts enabled / disabled.
- handshake
Timeout String - Handshake time out (seconds)
- key String
- Specifies the file name of the SSL key.
- mod
Ssl StringMethods - ModSSL Methods enabled / disabled. Default is disabled.
- mode String
- ModSSL Methods enabled / disabled. Default is disabled.
- partition String
- name of partition
- passphrase String
- Client Certificate Constrained Delegation CA passphrase
- peer
Cert StringMode - Specifies the way the system handles client certificates.When ignore, specifies that the system ignores certificates from client systems.When require, specifies that the system requires a client to present a valid certificate.When request, specifies that the system requests a valid certificate from a client but always authenticate the client.
- proxy
Ca StringCert - Proxy CA Cert
- proxy
Ca StringKey - Proxy CA Key
- proxy
Ssl String - Proxy SSL enabled / disabled. Default is disabled.
- renegotiate
Period String - Renogotiate Period (seconds)
- renegotiate
Size String - Renogotiate Size
- renegotiation String
- Enables or disables SSL renegotiation.When creating a new profile, the setting is provided by the parent profile
- retain
Certificate String - When
true
, client certificate is retained in SSL session. - secure
Renegotiation String - Specifies the method of secure renegotiations for SSL connections. When creating a new profile, the setting is provided by the parent profile.
When
request
is set the system request secure renegotation of SSL connections.require
is a default setting and when set the system permits initial SSL handshakes from clients but terminates renegotiations from unpatched clients. Therequire-strict
setting the system requires strict renegotiation of SSL connections. In this mode the system refuses connections to insecure servers, and terminates existing SSL connections to insecure servers - server
Name String - Specifies the fully qualified DNS hostname of the server used in Server Name Indication communications. When creating a new profile, the setting is provided by the parent profile.The server name can also be a wildcard string containing the asterisk
*
character. - session
Mirroring String - Session Mirroring (enabled / disabled)
- session
Ticket String - Session Ticket (enabled / disabled)
- sni
Default String - Indicates that the system uses this profile as the default SSL profile when there is no match to the server name, or when the client provides no SNI extension support.When creating a new profile, the setting is provided by the parent profile. There can be only one SSL profile with this setting enabled.
- sni
Require String - Requires that the network peers also provide SNI support, this setting only takes effect when
sni_default
is set totrue
.When creating a new profile, the setting is provided by the parent profile - ssl
C3d String - Enables or disables SSL forward proxy bypass on receiving handshake_failure, protocol_version or unsupported_extension alert message during the serverside SSL handshake. When enabled and there is an SSL handshake_failure, protocol_version or unsupported_extension alert during the serverside SSL handshake, SSL traffic bypasses the BIG-IP system untouched, without decryption/encryption. The default value is disabled. Conversely, you can specify enabled to use this feature.
- ssl
Forward StringProxy - Specifies whether SSL forward proxy feature is enabled or not. The default value is disabled.
- ssl
Forward StringProxy Bypass - Specifies whether SSL forward proxy bypass feature is enabled or not. The default value is disabled.
- ssl
Sign StringHash - SSL sign hash (any, sha1, sha256, sha384)
- strict
Resume String - Enables or disables the resumption of SSL sessions after an unclean shutdown.When creating a new profile, the setting is provided by the parent profile.
- tm
Options List<String> - List of Enabled selection from a set of industry standard options for handling SSL processing.By default,
Don't insert empty fragments and No TLSv1.3 are listed as Enabled Options.
Usage
: tm_options = ["dont-insert-empty-fragments","no-tlsv1.3"] - unclean
Shutdown String - Unclean Shutdown (enabled / disabled)
- untrusted
Cert StringResponse Control - Unclean Shutdown (drop / ignore)
Outputs
All input properties are implicitly available as output properties. Additionally, the ProfileServerSsl resource produces the following output properties:
- Id string
- The provider-assigned unique ID for this managed resource.
- Id string
- The provider-assigned unique ID for this managed resource.
- id String
- The provider-assigned unique ID for this managed resource.
- id string
- The provider-assigned unique ID for this managed resource.
- id str
- The provider-assigned unique ID for this managed resource.
- id String
- The provider-assigned unique ID for this managed resource.
Look up Existing ProfileServerSsl Resource
Get an existing ProfileServerSsl resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.
public static get(name: string, id: Input<ID>, state?: ProfileServerSslState, opts?: CustomResourceOptions): ProfileServerSsl
@staticmethod
def get(resource_name: str,
id: str,
opts: Optional[ResourceOptions] = None,
alert_timeout: Optional[str] = None,
authenticate: Optional[str] = None,
authenticate_depth: Optional[int] = None,
c3d_ca_cert: Optional[str] = None,
c3d_ca_key: Optional[str] = None,
c3d_ca_passphrase: Optional[str] = None,
c3d_cert_extension_custom_oids: Optional[Sequence[str]] = None,
c3d_cert_extension_includes: Optional[Sequence[str]] = None,
c3d_cert_lifespan: Optional[int] = None,
c3d_certificate_extensions: Optional[str] = None,
ca_file: Optional[str] = None,
cache_size: Optional[int] = None,
cache_timeout: Optional[int] = None,
cert: Optional[str] = None,
chain: Optional[str] = None,
cipher_group: Optional[str] = None,
ciphers: Optional[str] = None,
defaults_from: Optional[str] = None,
expire_cert_response_control: Optional[str] = None,
full_path: Optional[str] = None,
generation: Optional[int] = None,
generic_alert: Optional[str] = None,
handshake_timeout: Optional[str] = None,
key: Optional[str] = None,
mod_ssl_methods: Optional[str] = None,
mode: Optional[str] = None,
name: Optional[str] = None,
partition: Optional[str] = None,
passphrase: Optional[str] = None,
peer_cert_mode: Optional[str] = None,
proxy_ca_cert: Optional[str] = None,
proxy_ca_key: Optional[str] = None,
proxy_ssl: Optional[str] = None,
renegotiate_period: Optional[str] = None,
renegotiate_size: Optional[str] = None,
renegotiation: Optional[str] = None,
retain_certificate: Optional[str] = None,
secure_renegotiation: Optional[str] = None,
server_name: Optional[str] = None,
session_mirroring: Optional[str] = None,
session_ticket: Optional[str] = None,
sni_default: Optional[str] = None,
sni_require: Optional[str] = None,
ssl_c3d: Optional[str] = None,
ssl_forward_proxy: Optional[str] = None,
ssl_forward_proxy_bypass: Optional[str] = None,
ssl_sign_hash: Optional[str] = None,
strict_resume: Optional[str] = None,
tm_options: Optional[Sequence[str]] = None,
unclean_shutdown: Optional[str] = None,
untrusted_cert_response_control: Optional[str] = None) -> ProfileServerSsl
func GetProfileServerSsl(ctx *Context, name string, id IDInput, state *ProfileServerSslState, opts ...ResourceOption) (*ProfileServerSsl, error)
public static ProfileServerSsl Get(string name, Input<string> id, ProfileServerSslState? state, CustomResourceOptions? opts = null)
public static ProfileServerSsl get(String name, Output<String> id, ProfileServerSslState state, CustomResourceOptions options)
Resource lookup is not supported in YAML
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- resource_name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- Alert
Timeout string - Alert time out
- Authenticate string
- Specifies the frequency of server authentication for an SSL session.When
once
,specifies that the system authenticates the server once for an SSL session. Whenalways
, specifies that the system authenticates the server once for an SSL session and also upon reuse of that session. - Authenticate
Depth int - Client certificate chain traversal depth. Default 9.
- C3d
Ca stringCert - Specifies the name of the certificate file that is used as the certification authority certificate when SSL client certificate constrained delegation is enabled. The certificate should be generated and installed by you on the system. When selecting this option, type a certificate file name.
- C3d
Ca stringKey Specifies the name of the key file that is used as the certification authority key when SSL client certificate constrained delegation is enabled. The key should be generated and installed by you on the system. When selecting this option, type a key file name.
c3d-ca-passphrase
(Optional) Specifies the passphrase of the key file that is used as the certification authority key when SSL client certificate constrained delegation is enabled. When selecting this option, type the passphrase corresponding to the selected c3d-ca-key.c3d-cert-extension-custom-oids
(Optional) Specifies the custom extension OID of the client certificates to be included in the generated certificates using SSL client certificate constrained delegation.
- C3d
Ca stringPassphrase - CA Passphrase. Default
- C3d
Cert List<string>Extension Custom Oids - Certificate Extensions List. Default
- C3d
Cert List<string>Extension Includes Specifies the extensions of the client certificates to be included in the generated certificates using SSL client certificate constrained delegation. For example, { basic-constraints }. The default value is { basic-constraints extended-key-usage key-usage subject-alternative-name }. The extensions are:
basic-constraints Basic constraints are used to indicate whether the certificate belongs to a CA.
extended-key-usage Extended Key Usage is used, typically on a leaf certificate, to indicate the purpose of the public key contained in the certificate.
key-usage Key Usage provides a bitmap specifying the cryptographic operations which may be performed using the public key contained in the certificate; for example, it could indicate that the key should be used for signature but not for encipherment.
subject-alternative-name Subject Alternative Name allows identities to be bound to the subject of the certificate. These identities may be included in addition to or in place of the identity in the subject field of the certificate.
c3d-cert-lifespan
Specifies the lifespan of the certificate generated using the SSL client certificate constrained delegation. The default value is 24.
- C3d
Cert intLifespan - Certificate Lifespan. Default
- C3d
Certificate stringExtensions - CA Passphrase. Default enabled
- Ca
File string - Client certificate file path. Default None.
- Cache
Size int - Cache size (sessions).
- Cache
Timeout int - Cache time out
- Cert string
- Specifies the name of the certificate that the system uses for server-side SSL processing.
- Chain string
- Specifies the certificates-key chain to associate with the SSL profile
- Cipher
Group string - Specifies the cipher group for the SSL server profile. It is mutually exclusive with the argument,
ciphers
. The default value isnone
. - Ciphers string
- Specifies the list of ciphers that the system supports. When creating a new profile, the default cipher list is provided by the parent profile.
- Defaults
From string - The parent template of this monitor template. Once this value has been set, it cannot be changed. By default, this value is
/Common/serverssl
. - Expire
Cert stringResponse Control - Response if the cert is expired (drop / ignore).
- Full
Path string - full path of the profile
- Generation int
- generation
- Generic
Alert string - Generic alerts enabled / disabled.
- Handshake
Timeout string - Handshake time out (seconds)
- Key string
- Specifies the file name of the SSL key.
- Mod
Ssl stringMethods - ModSSL Methods enabled / disabled. Default is disabled.
- Mode string
- ModSSL Methods enabled / disabled. Default is disabled.
- Name string
- Specifies the name of the profile.Name of Profile should be full path,full path is the combination of the
partition + profile name
. For example/Common/test-serverssl-profile
. - Partition string
- name of partition
- Passphrase string
- Client Certificate Constrained Delegation CA passphrase
- Peer
Cert stringMode - Specifies the way the system handles client certificates.When ignore, specifies that the system ignores certificates from client systems.When require, specifies that the system requires a client to present a valid certificate.When request, specifies that the system requests a valid certificate from a client but always authenticate the client.
- Proxy
Ca stringCert - Proxy CA Cert
- Proxy
Ca stringKey - Proxy CA Key
- Proxy
Ssl string - Proxy SSL enabled / disabled. Default is disabled.
- Renegotiate
Period string - Renogotiate Period (seconds)
- Renegotiate
Size string - Renogotiate Size
- Renegotiation string
- Enables or disables SSL renegotiation.When creating a new profile, the setting is provided by the parent profile
- Retain
Certificate string - When
true
, client certificate is retained in SSL session. - Secure
Renegotiation string - Specifies the method of secure renegotiations for SSL connections. When creating a new profile, the setting is provided by the parent profile.
When
request
is set the system request secure renegotation of SSL connections.require
is a default setting and when set the system permits initial SSL handshakes from clients but terminates renegotiations from unpatched clients. Therequire-strict
setting the system requires strict renegotiation of SSL connections. In this mode the system refuses connections to insecure servers, and terminates existing SSL connections to insecure servers - Server
Name string - Specifies the fully qualified DNS hostname of the server used in Server Name Indication communications. When creating a new profile, the setting is provided by the parent profile.The server name can also be a wildcard string containing the asterisk
*
character. - Session
Mirroring string - Session Mirroring (enabled / disabled)
- Session
Ticket string - Session Ticket (enabled / disabled)
- Sni
Default string - Indicates that the system uses this profile as the default SSL profile when there is no match to the server name, or when the client provides no SNI extension support.When creating a new profile, the setting is provided by the parent profile. There can be only one SSL profile with this setting enabled.
- Sni
Require string - Requires that the network peers also provide SNI support, this setting only takes effect when
sni_default
is set totrue
.When creating a new profile, the setting is provided by the parent profile - Ssl
C3d string - Enables or disables SSL forward proxy bypass on receiving handshake_failure, protocol_version or unsupported_extension alert message during the serverside SSL handshake. When enabled and there is an SSL handshake_failure, protocol_version or unsupported_extension alert during the serverside SSL handshake, SSL traffic bypasses the BIG-IP system untouched, without decryption/encryption. The default value is disabled. Conversely, you can specify enabled to use this feature.
- Ssl
Forward stringProxy - Specifies whether SSL forward proxy feature is enabled or not. The default value is disabled.
- Ssl
Forward stringProxy Bypass - Specifies whether SSL forward proxy bypass feature is enabled or not. The default value is disabled.
- Ssl
Sign stringHash - SSL sign hash (any, sha1, sha256, sha384)
- Strict
Resume string - Enables or disables the resumption of SSL sessions after an unclean shutdown.When creating a new profile, the setting is provided by the parent profile.
- Tm
Options List<string> - List of Enabled selection from a set of industry standard options for handling SSL processing.By default,
Don't insert empty fragments and No TLSv1.3 are listed as Enabled Options.
Usage
: tm_options = ["dont-insert-empty-fragments","no-tlsv1.3"] - Unclean
Shutdown string - Unclean Shutdown (enabled / disabled)
- Untrusted
Cert stringResponse Control - Unclean Shutdown (drop / ignore)
- Alert
Timeout string - Alert time out
- Authenticate string
- Specifies the frequency of server authentication for an SSL session.When
once
,specifies that the system authenticates the server once for an SSL session. Whenalways
, specifies that the system authenticates the server once for an SSL session and also upon reuse of that session. - Authenticate
Depth int - Client certificate chain traversal depth. Default 9.
- C3d
Ca stringCert - Specifies the name of the certificate file that is used as the certification authority certificate when SSL client certificate constrained delegation is enabled. The certificate should be generated and installed by you on the system. When selecting this option, type a certificate file name.
- C3d
Ca stringKey Specifies the name of the key file that is used as the certification authority key when SSL client certificate constrained delegation is enabled. The key should be generated and installed by you on the system. When selecting this option, type a key file name.
c3d-ca-passphrase
(Optional) Specifies the passphrase of the key file that is used as the certification authority key when SSL client certificate constrained delegation is enabled. When selecting this option, type the passphrase corresponding to the selected c3d-ca-key.c3d-cert-extension-custom-oids
(Optional) Specifies the custom extension OID of the client certificates to be included in the generated certificates using SSL client certificate constrained delegation.
- C3d
Ca stringPassphrase - CA Passphrase. Default
- C3d
Cert []stringExtension Custom Oids - Certificate Extensions List. Default
- C3d
Cert []stringExtension Includes Specifies the extensions of the client certificates to be included in the generated certificates using SSL client certificate constrained delegation. For example, { basic-constraints }. The default value is { basic-constraints extended-key-usage key-usage subject-alternative-name }. The extensions are:
basic-constraints Basic constraints are used to indicate whether the certificate belongs to a CA.
extended-key-usage Extended Key Usage is used, typically on a leaf certificate, to indicate the purpose of the public key contained in the certificate.
key-usage Key Usage provides a bitmap specifying the cryptographic operations which may be performed using the public key contained in the certificate; for example, it could indicate that the key should be used for signature but not for encipherment.
subject-alternative-name Subject Alternative Name allows identities to be bound to the subject of the certificate. These identities may be included in addition to or in place of the identity in the subject field of the certificate.
c3d-cert-lifespan
Specifies the lifespan of the certificate generated using the SSL client certificate constrained delegation. The default value is 24.
- C3d
Cert intLifespan - Certificate Lifespan. Default
- C3d
Certificate stringExtensions - CA Passphrase. Default enabled
- Ca
File string - Client certificate file path. Default None.
- Cache
Size int - Cache size (sessions).
- Cache
Timeout int - Cache time out
- Cert string
- Specifies the name of the certificate that the system uses for server-side SSL processing.
- Chain string
- Specifies the certificates-key chain to associate with the SSL profile
- Cipher
Group string - Specifies the cipher group for the SSL server profile. It is mutually exclusive with the argument,
ciphers
. The default value isnone
. - Ciphers string
- Specifies the list of ciphers that the system supports. When creating a new profile, the default cipher list is provided by the parent profile.
- Defaults
From string - The parent template of this monitor template. Once this value has been set, it cannot be changed. By default, this value is
/Common/serverssl
. - Expire
Cert stringResponse Control - Response if the cert is expired (drop / ignore).
- Full
Path string - full path of the profile
- Generation int
- generation
- Generic
Alert string - Generic alerts enabled / disabled.
- Handshake
Timeout string - Handshake time out (seconds)
- Key string
- Specifies the file name of the SSL key.
- Mod
Ssl stringMethods - ModSSL Methods enabled / disabled. Default is disabled.
- Mode string
- ModSSL Methods enabled / disabled. Default is disabled.
- Name string
- Specifies the name of the profile.Name of Profile should be full path,full path is the combination of the
partition + profile name
. For example/Common/test-serverssl-profile
. - Partition string
- name of partition
- Passphrase string
- Client Certificate Constrained Delegation CA passphrase
- Peer
Cert stringMode - Specifies the way the system handles client certificates.When ignore, specifies that the system ignores certificates from client systems.When require, specifies that the system requires a client to present a valid certificate.When request, specifies that the system requests a valid certificate from a client but always authenticate the client.
- Proxy
Ca stringCert - Proxy CA Cert
- Proxy
Ca stringKey - Proxy CA Key
- Proxy
Ssl string - Proxy SSL enabled / disabled. Default is disabled.
- Renegotiate
Period string - Renogotiate Period (seconds)
- Renegotiate
Size string - Renogotiate Size
- Renegotiation string
- Enables or disables SSL renegotiation.When creating a new profile, the setting is provided by the parent profile
- Retain
Certificate string - When
true
, client certificate is retained in SSL session. - Secure
Renegotiation string - Specifies the method of secure renegotiations for SSL connections. When creating a new profile, the setting is provided by the parent profile.
When
request
is set the system request secure renegotation of SSL connections.require
is a default setting and when set the system permits initial SSL handshakes from clients but terminates renegotiations from unpatched clients. Therequire-strict
setting the system requires strict renegotiation of SSL connections. In this mode the system refuses connections to insecure servers, and terminates existing SSL connections to insecure servers - Server
Name string - Specifies the fully qualified DNS hostname of the server used in Server Name Indication communications. When creating a new profile, the setting is provided by the parent profile.The server name can also be a wildcard string containing the asterisk
*
character. - Session
Mirroring string - Session Mirroring (enabled / disabled)
- Session
Ticket string - Session Ticket (enabled / disabled)
- Sni
Default string - Indicates that the system uses this profile as the default SSL profile when there is no match to the server name, or when the client provides no SNI extension support.When creating a new profile, the setting is provided by the parent profile. There can be only one SSL profile with this setting enabled.
- Sni
Require string - Requires that the network peers also provide SNI support, this setting only takes effect when
sni_default
is set totrue
.When creating a new profile, the setting is provided by the parent profile - Ssl
C3d string - Enables or disables SSL forward proxy bypass on receiving handshake_failure, protocol_version or unsupported_extension alert message during the serverside SSL handshake. When enabled and there is an SSL handshake_failure, protocol_version or unsupported_extension alert during the serverside SSL handshake, SSL traffic bypasses the BIG-IP system untouched, without decryption/encryption. The default value is disabled. Conversely, you can specify enabled to use this feature.
- Ssl
Forward stringProxy - Specifies whether SSL forward proxy feature is enabled or not. The default value is disabled.
- Ssl
Forward stringProxy Bypass - Specifies whether SSL forward proxy bypass feature is enabled or not. The default value is disabled.
- Ssl
Sign stringHash - SSL sign hash (any, sha1, sha256, sha384)
- Strict
Resume string - Enables or disables the resumption of SSL sessions after an unclean shutdown.When creating a new profile, the setting is provided by the parent profile.
- Tm
Options []string - List of Enabled selection from a set of industry standard options for handling SSL processing.By default,
Don't insert empty fragments and No TLSv1.3 are listed as Enabled Options.
Usage
: tm_options = ["dont-insert-empty-fragments","no-tlsv1.3"] - Unclean
Shutdown string - Unclean Shutdown (enabled / disabled)
- Untrusted
Cert stringResponse Control - Unclean Shutdown (drop / ignore)
- alert
Timeout String - Alert time out
- authenticate String
- Specifies the frequency of server authentication for an SSL session.When
once
,specifies that the system authenticates the server once for an SSL session. Whenalways
, specifies that the system authenticates the server once for an SSL session and also upon reuse of that session. - authenticate
Depth Integer - Client certificate chain traversal depth. Default 9.
- c3d
Ca StringCert - Specifies the name of the certificate file that is used as the certification authority certificate when SSL client certificate constrained delegation is enabled. The certificate should be generated and installed by you on the system. When selecting this option, type a certificate file name.
- c3d
Ca StringKey Specifies the name of the key file that is used as the certification authority key when SSL client certificate constrained delegation is enabled. The key should be generated and installed by you on the system. When selecting this option, type a key file name.
c3d-ca-passphrase
(Optional) Specifies the passphrase of the key file that is used as the certification authority key when SSL client certificate constrained delegation is enabled. When selecting this option, type the passphrase corresponding to the selected c3d-ca-key.c3d-cert-extension-custom-oids
(Optional) Specifies the custom extension OID of the client certificates to be included in the generated certificates using SSL client certificate constrained delegation.
- c3d
Ca StringPassphrase - CA Passphrase. Default
- c3d
Cert List<String>Extension Custom Oids - Certificate Extensions List. Default
- c3d
Cert List<String>Extension Includes Specifies the extensions of the client certificates to be included in the generated certificates using SSL client certificate constrained delegation. For example, { basic-constraints }. The default value is { basic-constraints extended-key-usage key-usage subject-alternative-name }. The extensions are:
basic-constraints Basic constraints are used to indicate whether the certificate belongs to a CA.
extended-key-usage Extended Key Usage is used, typically on a leaf certificate, to indicate the purpose of the public key contained in the certificate.
key-usage Key Usage provides a bitmap specifying the cryptographic operations which may be performed using the public key contained in the certificate; for example, it could indicate that the key should be used for signature but not for encipherment.
subject-alternative-name Subject Alternative Name allows identities to be bound to the subject of the certificate. These identities may be included in addition to or in place of the identity in the subject field of the certificate.
c3d-cert-lifespan
Specifies the lifespan of the certificate generated using the SSL client certificate constrained delegation. The default value is 24.
- c3d
Cert IntegerLifespan - Certificate Lifespan. Default
- c3d
Certificate StringExtensions - CA Passphrase. Default enabled
- ca
File String - Client certificate file path. Default None.
- cache
Size Integer - Cache size (sessions).
- cache
Timeout Integer - Cache time out
- cert String
- Specifies the name of the certificate that the system uses for server-side SSL processing.
- chain String
- Specifies the certificates-key chain to associate with the SSL profile
- cipher
Group String - Specifies the cipher group for the SSL server profile. It is mutually exclusive with the argument,
ciphers
. The default value isnone
. - ciphers String
- Specifies the list of ciphers that the system supports. When creating a new profile, the default cipher list is provided by the parent profile.
- defaults
From String - The parent template of this monitor template. Once this value has been set, it cannot be changed. By default, this value is
/Common/serverssl
. - expire
Cert StringResponse Control - Response if the cert is expired (drop / ignore).
- full
Path String - full path of the profile
- generation Integer
- generation
- generic
Alert String - Generic alerts enabled / disabled.
- handshake
Timeout String - Handshake time out (seconds)
- key String
- Specifies the file name of the SSL key.
- mod
Ssl StringMethods - ModSSL Methods enabled / disabled. Default is disabled.
- mode String
- ModSSL Methods enabled / disabled. Default is disabled.
- name String
- Specifies the name of the profile.Name of Profile should be full path,full path is the combination of the
partition + profile name
. For example/Common/test-serverssl-profile
. - partition String
- name of partition
- passphrase String
- Client Certificate Constrained Delegation CA passphrase
- peer
Cert StringMode - Specifies the way the system handles client certificates.When ignore, specifies that the system ignores certificates from client systems.When require, specifies that the system requires a client to present a valid certificate.When request, specifies that the system requests a valid certificate from a client but always authenticate the client.
- proxy
Ca StringCert - Proxy CA Cert
- proxy
Ca StringKey - Proxy CA Key
- proxy
Ssl String - Proxy SSL enabled / disabled. Default is disabled.
- renegotiate
Period String - Renogotiate Period (seconds)
- renegotiate
Size String - Renogotiate Size
- renegotiation String
- Enables or disables SSL renegotiation.When creating a new profile, the setting is provided by the parent profile
- retain
Certificate String - When
true
, client certificate is retained in SSL session. - secure
Renegotiation String - Specifies the method of secure renegotiations for SSL connections. When creating a new profile, the setting is provided by the parent profile.
When
request
is set the system request secure renegotation of SSL connections.require
is a default setting and when set the system permits initial SSL handshakes from clients but terminates renegotiations from unpatched clients. Therequire-strict
setting the system requires strict renegotiation of SSL connections. In this mode the system refuses connections to insecure servers, and terminates existing SSL connections to insecure servers - server
Name String - Specifies the fully qualified DNS hostname of the server used in Server Name Indication communications. When creating a new profile, the setting is provided by the parent profile.The server name can also be a wildcard string containing the asterisk
*
character. - session
Mirroring String - Session Mirroring (enabled / disabled)
- session
Ticket String - Session Ticket (enabled / disabled)
- sni
Default String - Indicates that the system uses this profile as the default SSL profile when there is no match to the server name, or when the client provides no SNI extension support.When creating a new profile, the setting is provided by the parent profile. There can be only one SSL profile with this setting enabled.
- sni
Require String - Requires that the network peers also provide SNI support, this setting only takes effect when
sni_default
is set totrue
.When creating a new profile, the setting is provided by the parent profile - ssl
C3d String - Enables or disables SSL forward proxy bypass on receiving handshake_failure, protocol_version or unsupported_extension alert message during the serverside SSL handshake. When enabled and there is an SSL handshake_failure, protocol_version or unsupported_extension alert during the serverside SSL handshake, SSL traffic bypasses the BIG-IP system untouched, without decryption/encryption. The default value is disabled. Conversely, you can specify enabled to use this feature.
- ssl
Forward StringProxy - Specifies whether SSL forward proxy feature is enabled or not. The default value is disabled.
- ssl
Forward StringProxy Bypass - Specifies whether SSL forward proxy bypass feature is enabled or not. The default value is disabled.
- ssl
Sign StringHash - SSL sign hash (any, sha1, sha256, sha384)
- strict
Resume String - Enables or disables the resumption of SSL sessions after an unclean shutdown.When creating a new profile, the setting is provided by the parent profile.
- tm
Options List<String> - List of Enabled selection from a set of industry standard options for handling SSL processing.By default,
Don't insert empty fragments and No TLSv1.3 are listed as Enabled Options.
Usage
: tm_options = ["dont-insert-empty-fragments","no-tlsv1.3"] - unclean
Shutdown String - Unclean Shutdown (enabled / disabled)
- untrusted
Cert StringResponse Control - Unclean Shutdown (drop / ignore)
- alert
Timeout string - Alert time out
- authenticate string
- Specifies the frequency of server authentication for an SSL session.When
once
,specifies that the system authenticates the server once for an SSL session. Whenalways
, specifies that the system authenticates the server once for an SSL session and also upon reuse of that session. - authenticate
Depth number - Client certificate chain traversal depth. Default 9.
- c3d
Ca stringCert - Specifies the name of the certificate file that is used as the certification authority certificate when SSL client certificate constrained delegation is enabled. The certificate should be generated and installed by you on the system. When selecting this option, type a certificate file name.
- c3d
Ca stringKey Specifies the name of the key file that is used as the certification authority key when SSL client certificate constrained delegation is enabled. The key should be generated and installed by you on the system. When selecting this option, type a key file name.
c3d-ca-passphrase
(Optional) Specifies the passphrase of the key file that is used as the certification authority key when SSL client certificate constrained delegation is enabled. When selecting this option, type the passphrase corresponding to the selected c3d-ca-key.c3d-cert-extension-custom-oids
(Optional) Specifies the custom extension OID of the client certificates to be included in the generated certificates using SSL client certificate constrained delegation.
- c3d
Ca stringPassphrase - CA Passphrase. Default
- c3d
Cert string[]Extension Custom Oids - Certificate Extensions List. Default
- c3d
Cert string[]Extension Includes Specifies the extensions of the client certificates to be included in the generated certificates using SSL client certificate constrained delegation. For example, { basic-constraints }. The default value is { basic-constraints extended-key-usage key-usage subject-alternative-name }. The extensions are:
basic-constraints Basic constraints are used to indicate whether the certificate belongs to a CA.
extended-key-usage Extended Key Usage is used, typically on a leaf certificate, to indicate the purpose of the public key contained in the certificate.
key-usage Key Usage provides a bitmap specifying the cryptographic operations which may be performed using the public key contained in the certificate; for example, it could indicate that the key should be used for signature but not for encipherment.
subject-alternative-name Subject Alternative Name allows identities to be bound to the subject of the certificate. These identities may be included in addition to or in place of the identity in the subject field of the certificate.
c3d-cert-lifespan
Specifies the lifespan of the certificate generated using the SSL client certificate constrained delegation. The default value is 24.
- c3d
Cert numberLifespan - Certificate Lifespan. Default
- c3d
Certificate stringExtensions - CA Passphrase. Default enabled
- ca
File string - Client certificate file path. Default None.
- cache
Size number - Cache size (sessions).
- cache
Timeout number - Cache time out
- cert string
- Specifies the name of the certificate that the system uses for server-side SSL processing.
- chain string
- Specifies the certificates-key chain to associate with the SSL profile
- cipher
Group string - Specifies the cipher group for the SSL server profile. It is mutually exclusive with the argument,
ciphers
. The default value isnone
. - ciphers string
- Specifies the list of ciphers that the system supports. When creating a new profile, the default cipher list is provided by the parent profile.
- defaults
From string - The parent template of this monitor template. Once this value has been set, it cannot be changed. By default, this value is
/Common/serverssl
. - expire
Cert stringResponse Control - Response if the cert is expired (drop / ignore).
- full
Path string - full path of the profile
- generation number
- generation
- generic
Alert string - Generic alerts enabled / disabled.
- handshake
Timeout string - Handshake time out (seconds)
- key string
- Specifies the file name of the SSL key.
- mod
Ssl stringMethods - ModSSL Methods enabled / disabled. Default is disabled.
- mode string
- ModSSL Methods enabled / disabled. Default is disabled.
- name string
- Specifies the name of the profile.Name of Profile should be full path,full path is the combination of the
partition + profile name
. For example/Common/test-serverssl-profile
. - partition string
- name of partition
- passphrase string
- Client Certificate Constrained Delegation CA passphrase
- peer
Cert stringMode - Specifies the way the system handles client certificates.When ignore, specifies that the system ignores certificates from client systems.When require, specifies that the system requires a client to present a valid certificate.When request, specifies that the system requests a valid certificate from a client but always authenticate the client.
- proxy
Ca stringCert - Proxy CA Cert
- proxy
Ca stringKey - Proxy CA Key
- proxy
Ssl string - Proxy SSL enabled / disabled. Default is disabled.
- renegotiate
Period string - Renogotiate Period (seconds)
- renegotiate
Size string - Renogotiate Size
- renegotiation string
- Enables or disables SSL renegotiation.When creating a new profile, the setting is provided by the parent profile
- retain
Certificate string - When
true
, client certificate is retained in SSL session. - secure
Renegotiation string - Specifies the method of secure renegotiations for SSL connections. When creating a new profile, the setting is provided by the parent profile.
When
request
is set the system request secure renegotation of SSL connections.require
is a default setting and when set the system permits initial SSL handshakes from clients but terminates renegotiations from unpatched clients. Therequire-strict
setting the system requires strict renegotiation of SSL connections. In this mode the system refuses connections to insecure servers, and terminates existing SSL connections to insecure servers - server
Name string - Specifies the fully qualified DNS hostname of the server used in Server Name Indication communications. When creating a new profile, the setting is provided by the parent profile.The server name can also be a wildcard string containing the asterisk
*
character. - session
Mirroring string - Session Mirroring (enabled / disabled)
- session
Ticket string - Session Ticket (enabled / disabled)
- sni
Default string - Indicates that the system uses this profile as the default SSL profile when there is no match to the server name, or when the client provides no SNI extension support.When creating a new profile, the setting is provided by the parent profile. There can be only one SSL profile with this setting enabled.
- sni
Require string - Requires that the network peers also provide SNI support, this setting only takes effect when
sni_default
is set totrue
.When creating a new profile, the setting is provided by the parent profile - ssl
C3d string - Enables or disables SSL forward proxy bypass on receiving handshake_failure, protocol_version or unsupported_extension alert message during the serverside SSL handshake. When enabled and there is an SSL handshake_failure, protocol_version or unsupported_extension alert during the serverside SSL handshake, SSL traffic bypasses the BIG-IP system untouched, without decryption/encryption. The default value is disabled. Conversely, you can specify enabled to use this feature.
- ssl
Forward stringProxy - Specifies whether SSL forward proxy feature is enabled or not. The default value is disabled.
- ssl
Forward stringProxy Bypass - Specifies whether SSL forward proxy bypass feature is enabled or not. The default value is disabled.
- ssl
Sign stringHash - SSL sign hash (any, sha1, sha256, sha384)
- strict
Resume string - Enables or disables the resumption of SSL sessions after an unclean shutdown.When creating a new profile, the setting is provided by the parent profile.
- tm
Options string[] - List of Enabled selection from a set of industry standard options for handling SSL processing.By default,
Don't insert empty fragments and No TLSv1.3 are listed as Enabled Options.
Usage
: tm_options = ["dont-insert-empty-fragments","no-tlsv1.3"] - unclean
Shutdown string - Unclean Shutdown (enabled / disabled)
- untrusted
Cert stringResponse Control - Unclean Shutdown (drop / ignore)
- alert_
timeout str - Alert time out
- authenticate str
- Specifies the frequency of server authentication for an SSL session.When
once
,specifies that the system authenticates the server once for an SSL session. Whenalways
, specifies that the system authenticates the server once for an SSL session and also upon reuse of that session. - authenticate_
depth int - Client certificate chain traversal depth. Default 9.
- c3d_
ca_ strcert - Specifies the name of the certificate file that is used as the certification authority certificate when SSL client certificate constrained delegation is enabled. The certificate should be generated and installed by you on the system. When selecting this option, type a certificate file name.
- c3d_
ca_ strkey Specifies the name of the key file that is used as the certification authority key when SSL client certificate constrained delegation is enabled. The key should be generated and installed by you on the system. When selecting this option, type a key file name.
c3d-ca-passphrase
(Optional) Specifies the passphrase of the key file that is used as the certification authority key when SSL client certificate constrained delegation is enabled. When selecting this option, type the passphrase corresponding to the selected c3d-ca-key.c3d-cert-extension-custom-oids
(Optional) Specifies the custom extension OID of the client certificates to be included in the generated certificates using SSL client certificate constrained delegation.
- c3d_
ca_ strpassphrase - CA Passphrase. Default
- c3d_
cert_ Sequence[str]extension_ custom_ oids - Certificate Extensions List. Default
- c3d_
cert_ Sequence[str]extension_ includes Specifies the extensions of the client certificates to be included in the generated certificates using SSL client certificate constrained delegation. For example, { basic-constraints }. The default value is { basic-constraints extended-key-usage key-usage subject-alternative-name }. The extensions are:
basic-constraints Basic constraints are used to indicate whether the certificate belongs to a CA.
extended-key-usage Extended Key Usage is used, typically on a leaf certificate, to indicate the purpose of the public key contained in the certificate.
key-usage Key Usage provides a bitmap specifying the cryptographic operations which may be performed using the public key contained in the certificate; for example, it could indicate that the key should be used for signature but not for encipherment.
subject-alternative-name Subject Alternative Name allows identities to be bound to the subject of the certificate. These identities may be included in addition to or in place of the identity in the subject field of the certificate.
c3d-cert-lifespan
Specifies the lifespan of the certificate generated using the SSL client certificate constrained delegation. The default value is 24.
- c3d_
cert_ intlifespan - Certificate Lifespan. Default
- c3d_
certificate_ strextensions - CA Passphrase. Default enabled
- ca_
file str - Client certificate file path. Default None.
- cache_
size int - Cache size (sessions).
- cache_
timeout int - Cache time out
- cert str
- Specifies the name of the certificate that the system uses for server-side SSL processing.
- chain str
- Specifies the certificates-key chain to associate with the SSL profile
- cipher_
group str - Specifies the cipher group for the SSL server profile. It is mutually exclusive with the argument,
ciphers
. The default value isnone
. - ciphers str
- Specifies the list of ciphers that the system supports. When creating a new profile, the default cipher list is provided by the parent profile.
- defaults_
from str - The parent template of this monitor template. Once this value has been set, it cannot be changed. By default, this value is
/Common/serverssl
. - expire_
cert_ strresponse_ control - Response if the cert is expired (drop / ignore).
- full_
path str - full path of the profile
- generation int
- generation
- generic_
alert str - Generic alerts enabled / disabled.
- handshake_
timeout str - Handshake time out (seconds)
- key str
- Specifies the file name of the SSL key.
- mod_
ssl_ strmethods - ModSSL Methods enabled / disabled. Default is disabled.
- mode str
- ModSSL Methods enabled / disabled. Default is disabled.
- name str
- Specifies the name of the profile.Name of Profile should be full path,full path is the combination of the
partition + profile name
. For example/Common/test-serverssl-profile
. - partition str
- name of partition
- passphrase str
- Client Certificate Constrained Delegation CA passphrase
- peer_
cert_ strmode - Specifies the way the system handles client certificates.When ignore, specifies that the system ignores certificates from client systems.When require, specifies that the system requires a client to present a valid certificate.When request, specifies that the system requests a valid certificate from a client but always authenticate the client.
- proxy_
ca_ strcert - Proxy CA Cert
- proxy_
ca_ strkey - Proxy CA Key
- proxy_
ssl str - Proxy SSL enabled / disabled. Default is disabled.
- renegotiate_
period str - Renogotiate Period (seconds)
- renegotiate_
size str - Renogotiate Size
- renegotiation str
- Enables or disables SSL renegotiation.When creating a new profile, the setting is provided by the parent profile
- retain_
certificate str - When
true
, client certificate is retained in SSL session. - secure_
renegotiation str - Specifies the method of secure renegotiations for SSL connections. When creating a new profile, the setting is provided by the parent profile.
When
request
is set the system request secure renegotation of SSL connections.require
is a default setting and when set the system permits initial SSL handshakes from clients but terminates renegotiations from unpatched clients. Therequire-strict
setting the system requires strict renegotiation of SSL connections. In this mode the system refuses connections to insecure servers, and terminates existing SSL connections to insecure servers - server_
name str - Specifies the fully qualified DNS hostname of the server used in Server Name Indication communications. When creating a new profile, the setting is provided by the parent profile.The server name can also be a wildcard string containing the asterisk
*
character. - session_
mirroring str - Session Mirroring (enabled / disabled)
- session_
ticket str - Session Ticket (enabled / disabled)
- sni_
default str - Indicates that the system uses this profile as the default SSL profile when there is no match to the server name, or when the client provides no SNI extension support.When creating a new profile, the setting is provided by the parent profile. There can be only one SSL profile with this setting enabled.
- sni_
require str - Requires that the network peers also provide SNI support, this setting only takes effect when
sni_default
is set totrue
.When creating a new profile, the setting is provided by the parent profile - ssl_
c3d str - Enables or disables SSL forward proxy bypass on receiving handshake_failure, protocol_version or unsupported_extension alert message during the serverside SSL handshake. When enabled and there is an SSL handshake_failure, protocol_version or unsupported_extension alert during the serverside SSL handshake, SSL traffic bypasses the BIG-IP system untouched, without decryption/encryption. The default value is disabled. Conversely, you can specify enabled to use this feature.
- ssl_
forward_ strproxy - Specifies whether SSL forward proxy feature is enabled or not. The default value is disabled.
- ssl_
forward_ strproxy_ bypass - Specifies whether SSL forward proxy bypass feature is enabled or not. The default value is disabled.
- ssl_
sign_ strhash - SSL sign hash (any, sha1, sha256, sha384)
- strict_
resume str - Enables or disables the resumption of SSL sessions after an unclean shutdown.When creating a new profile, the setting is provided by the parent profile.
- tm_
options Sequence[str] - List of Enabled selection from a set of industry standard options for handling SSL processing.By default,
Don't insert empty fragments and No TLSv1.3 are listed as Enabled Options.
Usage
: tm_options = ["dont-insert-empty-fragments","no-tlsv1.3"] - unclean_
shutdown str - Unclean Shutdown (enabled / disabled)
- untrusted_
cert_ strresponse_ control - Unclean Shutdown (drop / ignore)
- alert
Timeout String - Alert time out
- authenticate String
- Specifies the frequency of server authentication for an SSL session.When
once
,specifies that the system authenticates the server once for an SSL session. Whenalways
, specifies that the system authenticates the server once for an SSL session and also upon reuse of that session. - authenticate
Depth Number - Client certificate chain traversal depth. Default 9.
- c3d
Ca StringCert - Specifies the name of the certificate file that is used as the certification authority certificate when SSL client certificate constrained delegation is enabled. The certificate should be generated and installed by you on the system. When selecting this option, type a certificate file name.
- c3d
Ca StringKey Specifies the name of the key file that is used as the certification authority key when SSL client certificate constrained delegation is enabled. The key should be generated and installed by you on the system. When selecting this option, type a key file name.
c3d-ca-passphrase
(Optional) Specifies the passphrase of the key file that is used as the certification authority key when SSL client certificate constrained delegation is enabled. When selecting this option, type the passphrase corresponding to the selected c3d-ca-key.c3d-cert-extension-custom-oids
(Optional) Specifies the custom extension OID of the client certificates to be included in the generated certificates using SSL client certificate constrained delegation.
- c3d
Ca StringPassphrase - CA Passphrase. Default
- c3d
Cert List<String>Extension Custom Oids - Certificate Extensions List. Default
- c3d
Cert List<String>Extension Includes Specifies the extensions of the client certificates to be included in the generated certificates using SSL client certificate constrained delegation. For example, { basic-constraints }. The default value is { basic-constraints extended-key-usage key-usage subject-alternative-name }. The extensions are:
basic-constraints Basic constraints are used to indicate whether the certificate belongs to a CA.
extended-key-usage Extended Key Usage is used, typically on a leaf certificate, to indicate the purpose of the public key contained in the certificate.
key-usage Key Usage provides a bitmap specifying the cryptographic operations which may be performed using the public key contained in the certificate; for example, it could indicate that the key should be used for signature but not for encipherment.
subject-alternative-name Subject Alternative Name allows identities to be bound to the subject of the certificate. These identities may be included in addition to or in place of the identity in the subject field of the certificate.
c3d-cert-lifespan
Specifies the lifespan of the certificate generated using the SSL client certificate constrained delegation. The default value is 24.
- c3d
Cert NumberLifespan - Certificate Lifespan. Default
- c3d
Certificate StringExtensions - CA Passphrase. Default enabled
- ca
File String - Client certificate file path. Default None.
- cache
Size Number - Cache size (sessions).
- cache
Timeout Number - Cache time out
- cert String
- Specifies the name of the certificate that the system uses for server-side SSL processing.
- chain String
- Specifies the certificates-key chain to associate with the SSL profile
- cipher
Group String - Specifies the cipher group for the SSL server profile. It is mutually exclusive with the argument,
ciphers
. The default value isnone
. - ciphers String
- Specifies the list of ciphers that the system supports. When creating a new profile, the default cipher list is provided by the parent profile.
- defaults
From String - The parent template of this monitor template. Once this value has been set, it cannot be changed. By default, this value is
/Common/serverssl
. - expire
Cert StringResponse Control - Response if the cert is expired (drop / ignore).
- full
Path String - full path of the profile
- generation Number
- generation
- generic
Alert String - Generic alerts enabled / disabled.
- handshake
Timeout String - Handshake time out (seconds)
- key String
- Specifies the file name of the SSL key.
- mod
Ssl StringMethods - ModSSL Methods enabled / disabled. Default is disabled.
- mode String
- ModSSL Methods enabled / disabled. Default is disabled.
- name String
- Specifies the name of the profile.Name of Profile should be full path,full path is the combination of the
partition + profile name
. For example/Common/test-serverssl-profile
. - partition String
- name of partition
- passphrase String
- Client Certificate Constrained Delegation CA passphrase
- peer
Cert StringMode - Specifies the way the system handles client certificates.When ignore, specifies that the system ignores certificates from client systems.When require, specifies that the system requires a client to present a valid certificate.When request, specifies that the system requests a valid certificate from a client but always authenticate the client.
- proxy
Ca StringCert - Proxy CA Cert
- proxy
Ca StringKey - Proxy CA Key
- proxy
Ssl String - Proxy SSL enabled / disabled. Default is disabled.
- renegotiate
Period String - Renogotiate Period (seconds)
- renegotiate
Size String - Renogotiate Size
- renegotiation String
- Enables or disables SSL renegotiation.When creating a new profile, the setting is provided by the parent profile
- retain
Certificate String - When
true
, client certificate is retained in SSL session. - secure
Renegotiation String - Specifies the method of secure renegotiations for SSL connections. When creating a new profile, the setting is provided by the parent profile.
When
request
is set the system request secure renegotation of SSL connections.require
is a default setting and when set the system permits initial SSL handshakes from clients but terminates renegotiations from unpatched clients. Therequire-strict
setting the system requires strict renegotiation of SSL connections. In this mode the system refuses connections to insecure servers, and terminates existing SSL connections to insecure servers - server
Name String - Specifies the fully qualified DNS hostname of the server used in Server Name Indication communications. When creating a new profile, the setting is provided by the parent profile.The server name can also be a wildcard string containing the asterisk
*
character. - session
Mirroring String - Session Mirroring (enabled / disabled)
- session
Ticket String - Session Ticket (enabled / disabled)
- sni
Default String - Indicates that the system uses this profile as the default SSL profile when there is no match to the server name, or when the client provides no SNI extension support.When creating a new profile, the setting is provided by the parent profile. There can be only one SSL profile with this setting enabled.
- sni
Require String - Requires that the network peers also provide SNI support, this setting only takes effect when
sni_default
is set totrue
.When creating a new profile, the setting is provided by the parent profile - ssl
C3d String - Enables or disables SSL forward proxy bypass on receiving handshake_failure, protocol_version or unsupported_extension alert message during the serverside SSL handshake. When enabled and there is an SSL handshake_failure, protocol_version or unsupported_extension alert during the serverside SSL handshake, SSL traffic bypasses the BIG-IP system untouched, without decryption/encryption. The default value is disabled. Conversely, you can specify enabled to use this feature.
- ssl
Forward StringProxy - Specifies whether SSL forward proxy feature is enabled or not. The default value is disabled.
- ssl
Forward StringProxy Bypass - Specifies whether SSL forward proxy bypass feature is enabled or not. The default value is disabled.
- ssl
Sign StringHash - SSL sign hash (any, sha1, sha256, sha384)
- strict
Resume String - Enables or disables the resumption of SSL sessions after an unclean shutdown.When creating a new profile, the setting is provided by the parent profile.
- tm
Options List<String> - List of Enabled selection from a set of industry standard options for handling SSL processing.By default,
Don't insert empty fragments and No TLSv1.3 are listed as Enabled Options.
Usage
: tm_options = ["dont-insert-empty-fragments","no-tlsv1.3"] - unclean
Shutdown String - Unclean Shutdown (enabled / disabled)
- untrusted
Cert StringResponse Control - Unclean Shutdown (drop / ignore)
Import
ing
An existing server-ssl profile can be imported into this resource by supplying server-ssl profile Name in full path
as id
.
An example is below:
$ terraform import bigip_ltm_profile_server_ssl.test-ServerSsl-import /Common/test-ServerSsl
To learn more about importing existing cloud resources, see Importing resources.
Package Details
- Repository
- f5 BIG-IP pulumi/pulumi-f5bigip
- License
- Apache-2.0
- Notes
- This Pulumi package is based on the
bigip
Terraform Provider.