LocalLB::ProfileClientSSL

Introduced : BIG-IP_v9.0
The ProfileClientSSL interface enables you to manipulate a local load balancer&aposs client SSL profile.

Methods

Method Description Introduced
add_certificate_key_chain Adds certificate-key-chain objects to a client SSL profile. BIG-IP_v11.5.0
create Certificates and keys are officially managed as certificate and certificate key file objects via the create_v2 method and the Management::KeyCertificate interface. Thus this method has been deprecated. Creates the specified client SSL profiles, using key and certificate file objects. Starting in v11.5.0, for adding or modifying DSA or ECDSA keys and certificates, please use the add_certificate_key_chain, or the set_certificate_key_chain method. The key and certificate input parameters in this method should be used for setting RSA keys and certificates only. The default flag merely indicates if the key and/or certificate have to be set to the values that are set in the RSA certificate-key-chain object in the pre-defined &aposclientssl&apos profile. BIG-IP_v9.0
create_v2 Creates the specified client SSL profiles, using key and certificate file object names. Certificate and key file objects are managed by the Management::KeyCertificate interface. Starting in v11.5.0, for adding or modifying DSA or ECDSA keys and certificates, please use the add_certificate_key_chain, or the set_certificate_key_chain method. The key and certificate input parameters in this method should be used for setting RSA keys and certificates only. The default flag merely indicates if the key and/or certificate have to be set to the values that are set in the RSA certificate-key-chain object in the pre-defined &aposclientssl&apos profile. BIG-IP_v11.0.0
delete_all_profiles Deletes all client SSL profiles. BIG-IP_v9.0
delete_profile Deletes the specified client SSL profiles. BIG-IP_v9.0
get_alert_timeout Gets the connection timeouts (in seconds) after sending an alert for the specified client SSL profiles. BIG-IP_v9.0
get_all_statistics Gets the statistics for all the client SSL profiles. BIG-IP_v9.0
get_allow_dynamic_record_sizing_state Gets the states to indicate whether to allow dynamic record sizing. BIG-IP_v12.1.0
get_allow_expired_crl_state Gets the states to allow using an expired CRL file. system-IP_v12.0.0
get_allow_nonssl_state Gets the states to indicate whether to allow non-SSL connections to pass through as cleartext. BIG-IP_v9.0
get_authenticate_depth Gets the client certificate chain maximum traversal depth for the specified client SSL profiles. BIG-IP_v9.0
get_authenticate_once_state Gets the states to request the client certificate once for the specified client SSL profiles. BIG-IP_v9.0
get_bypass_on_failed_client_certificate_state Gets the bypass_on_fail_client_certificate state for the specified client SSL profiles. BIG-IP_v13.0.0
get_bypass_on_handshake_alert_state Gets the bypass_on_handshake_alert state for the specified client SSL profiles. BIG-IP_v13.0.0
get_ca_file Certificate files are officially managed as certificate file objects via the get_ca_file_v2 method and Management::KeyCertificate interface. Thus this method has been deprecated. Gets the CA file object names for the specified client SSL profiles. BIG-IP_v9.0
get_ca_file_v2 Gets the certificate file object names for the certificate authority files for the specified client SSL profiles. Certificate file objects are managed by the Management::KeyCertificate interface. BIG-IP_v11.0.0
get_cache_size Gets the SSL session cache sizes for the specified client SSL profiles. BIG-IP_v9.0
get_cache_timeout Gets the SSL session cache timeouts for the specified client SSL profiles. BIG-IP_v9.0
get_certificate_file Certificate files are officially managed as certificate file objects via the get_certificate_file_v2 method and Management::KeyCertificate interface. Thus this method has been deprecated. Starting in v11.5.0, this method will get the RSA certificate associated with the RSA certificate-key-chain object in the profile. For certificates in other certificate-key-chain objects, please use the get_certificate_key_chain_certificate_file method. Gets the certificate file object names to be used by BIG-IP acting as an SSL server. BIG-IP_v9.0
get_certificate_file_v2 Gets the certificate file object names to be used by BIG-IP acting as an SSL server. Certificate file objects are managed by the Management::KeyCertificate interface. Starting in v11.5.0, this method will get the RSA certificate associated with the RSA certificate-key-chain object in the profile. For certificates in other certificate-key-chain objects, please use the get_certificate_key_chain_certificate_file method. BIG-IP_v9.0
get_certificate_key_chain Gets the names of the certificate-key-chain objects in a client SSL profile. BIG-IP_v11.5.0
get_certificate_key_chain_certificate_file Gets the file object name of the certificate in a certificate-key-chain a client SSL profile. BIG-IP_v11.5.0
get_certificate_key_chain_chain_file Gets the file object name of the chain certificate in a certificate-key-chain object in a client SSL profile. BIG-IP_v11.5.0
get_certificate_key_chain_key_file Gets the file object name of the key in a certificate-key-chain object in a client SSL profile. BIG-IP_v11.5.0
get_certificate_key_chain_ocsp_stapling_parameters This method has been deprecated as of v13.0.0. Deprecation note: The attribute OCSP stapling parameters of certificate-key-chain is no longer used in v13.0.0. If the user tries to get this value via old TMSH or iControl calls, it will return empty strings. Gets the name of the OCSP stapling parameters object in a certificate-key-chain object. BIG-IP_v11.6.0
get_chain_file Certificate files are officially managed as certificate file objects via the get_chain_file_v2 method and Management::KeyCertificate interface. Thus this method has been deprecated. Gets the certificate chain file object names for the specified client SSL profiles. Starting in v11.5.0, this method will get the name of the chain certificate associated with the RSA certificate-key chain object. For getting the names of the chain certificates associated with other certificate-key-chain objects, please use the get_certificate_key_chain_chain_file method. BIG-IP_v9.0
get_chain_file_v2 Gets the certificate file object names for the chain certificate files for the specified client SSL profiles. Certificate file objects are managed by the Management::KeyCertificate interface. Starting in v11.5.0, this method will get the name of the chain certificate associated with the RSA certificate-key-chain object. For getting the names of the chain certificates associated with other certificate-key-chain objects, please use the get_certificate_key_chain_chain_file method. BIG-IP_v11.0.0
get_cipher_list Gets the cipher lists for the specified client SSL profiles. BIG-IP_v9.0
get_client_certificate_ca_file Certificate files are officially managed as certificate file objects via the get_client_certificate_ca_file_v2 method and Management::KeyCertificate interface. Thus this method has been deprecated. Gets the client certificate CA file object names for the specified client SSL profiles. BIG-IP_v9.0
get_client_certificate_ca_file_v2 Gets the certificate file object names for the client certificate authority files for the specified client SSL profiles. Certificate file objects are managed by the Management::KeyCertificate interface. BIG-IP_v11.0.0
get_crl_file Certificate revocation list files are officially managed as certificate revocation list file objects via the get_crl_file_v2 method and Management::KeyCertificate interface. Thus this method has been deprecated. Gets the CRL file object names for the specified client SSL profiles. BIG-IP_v9.0
get_crl_file_v2 Gets the certificate revocation list file object names for the specified client SSL profiles. Certificate revocation list file objects are managed by the Management::KeyCertificate interface. BIG-IP_v11.0.0
get_default_profile Gets the names of the default profiles from which the specified profiles will derive default values for its attributes. BIG-IP_v9.0
get_description Gets the descriptions for a set of client SSL profiles. BIG-IP_v11.0.0
get_forward_proxy_bypass_default_action Gets the SSL forward proxy bypass default action for the specified client SSL profiles. BIG-IP_v11.5.0
get_forward_proxy_bypass_destination_ip_black_list Gets the SSL forward proxy bypass Destination IP Blacklist to be used by BIG-IP as a policy list to intercept traffic for client SSL profiles. BIG-IP_v11.5.0
get_forward_proxy_bypass_destination_ip_white_list Gets the SSL forward proxy bypass Destination IP whitelist to be used by BIG-IP as a policy list to bypass traffic for client SSL profiles. BIG-IP_v11.5.0
get_forward_proxy_bypass_hostname_black_list Gets the SSL forward proxy bypass Hostname Blacklist to be used by BIG-IP as a policy list to intercept traffic for client SSL profiles. BIG-IP_v11.5.0
get_forward_proxy_bypass_hostname_white_list Gets the SSL forward proxy bypass Hostname Whitelist to be used by BIG-IP as a policy list to bypass traffic for client SSL profiles. BIG-IP_v11.5.0
get_forward_proxy_bypass_source_ip_black_list Gets the SSL forward proxy bypass Source IP Blacklist to be used by BIG-IP as a policy list to intercept traffic for client SSL profiles. BIG-IP_v11.5.0
get_forward_proxy_bypass_source_ip_white_list Gets the SSL forward proxy bypass Source IP Whitelist to be used by BIG-IP as a policy list to bypass traffic for client SSL profiles. BIG-IP_v11.5.0
get_forward_proxy_bypass_state Gets the SSL forward proxy bypass enabled states for the specified client SSL profiles. BIG-IP_v11.5.0
get_forward_proxy_ca_certificate_file Gets the SSL forward proxy CA certificate file object names to be used by BIG-IP acting as an SSL forward proxy server. Certificate file objects are managed by the Management::KeyCertificate interface. BIG-IP_v11.3.0
get_forward_proxy_ca_key_file Gets the names of the SSL forward proxy CA certificate key file objects used by BIG-IP acting as an SSL forward proxy server for a set of client SSL profiles. Certificate key file objects are managed by the Management::KeyCertificate interface. BIG-IP_v11.3.0
get_forward_proxy_ca_passphrase Gets the SSL forward proxy CA key passphrases (if any) for the specified client SSL profiles. BIG-IP_v11.3.0
get_forward_proxy_certificate_extension_include Gets the extensions to be included in the SSL forward proxy generated certificates for the specified client SSL profiles. BIG-IP_v11.3.0
get_forward_proxy_certificate_lifespan Gets the SSL forward proxy generated certificate lifespans for the specified client SSL profiles. BIG-IP_v11.3.0
get_forward_proxy_enabled_state Gets the SSL forward proxy enabled states for the specified client SSL profiles. BIG-IP_v11.3.0
get_forward_proxy_lookup_by_ipaddr_port_state Gets the SSL forward proxy certificate cache by IPAddr-Port enabled states for the specified client SSL profiles. BIG-IP_v11.4.0
get_generic_alert_state Gets the states to enforce to use generic alert number in Alert message when sending Alert message. BIG-IP_v11.5.0
get_handshake_timeout Gets the connection timeouts (in seconds) during handshake phase for the specified client SSL profiles. BIG-IP_v9.0
get_inherit_certkeychain_state Gets the inherit-certificate-key-chain states for the specified client SSL profiles that are used to indicate whether the profiles&aposs certificate-key-chains are inherited and changed along with their parents&apos profiles&apos certificate-key-chains. There will not be a set method for setting the inherit-certificate-key-chain state. The inherit-certificate-key-chain state will be set to true when a client SSL profile is created and will be set to false when the certificate-key-chain of the profile is explicitly set. BIG-IP_v12.0.0
get_key_file Certificate keys are officially managed as certificate key file objects via the get_key_file_v2 method and Management::KeyCertificate interface. Thus this method has been deprecated. Gets the full path to the key file used by BIG-IP acting as an SSL server. Starting in v11.5.0, this method will get the RSA key associated with the RSA certificate-key-chain object in the profile. For keys in other certificate-key-chain objects, please use the get_certificate_key_chain_key_file method. BIG-IP_v9.0
get_key_file_v2 Gets the names of the certificate key file objects used by BIG-IP acting as an SSL server for a set of client SSL profiles. Certificate key file objects are managed by the Management::KeyCertificate interface. Starting in v11.5.0, this method will get the RSA key associated with the RSA certificate-key-chain object in the profile. For keys in other certificate-key-chain objects, please use the get_certificate_key_chain_key_file method. BIG-IP_v9.0
get_list Gets a list of all client SSL profiles. BIG-IP_v9.0
get_maximum_active_handshakes Gets the per-profile maximum number of outstanding SSL handshakes for the specified client SSL profiles. BIG-IP_v12.1.0
get_maximum_record_size Gets the maximum SSL record size values. BIG-IP_v12.1.0
get_modssl_emulation_state Gets the states to emulate modSSL for the specified client SSL profiles. BIG-IP_v9.0
get_notify_certificate_status_to_virtual_server_state Gets the notify-certificate-status-to-virtual-server enabled states for the specified client SSL profiles that are used to indicate whether the status of the certificats are propagated to the virtual server. BIG-IP_v13.0.0
get_ocsp_stapling_state Gets the OCSP stapling enabled states for the specified client SSL profiles that are used to indicate whether the OCSP stapling feature is in effect for stapling the OCSP responses of the certificates in the TLS/SSL handshakes when the TLS/SSL clients request for it. BIG-IP_v13.0.0
get_passphrase Gets the key passphrases (if any) for the specified client SSL profiles. Starting in v11.5.0, this method will get the passphrase corresponding to the RSA certificate-key-chain object. The user should not rely on the &aposdefault_flag&apos in the returned sequence of passphrases. BIG-IP_v9.0
get_peer_certification_mode Gets the peer certification modes for the specified client SSL profiles. BIG-IP_v9.0
get_peer_no_renegotiate_timeout Gets the timeouts (in seconds) that the system will wait for a client hello message before sending a fatal alert. BIG-IP_v11.6.0
get_profile_mode Gets the modes for the specified client SSL profiles. BIG-IP_v9.0
get_proxy_ssl_passthrough_state Gets the proxy SSL passthrough states for the specified client SSL profiles. BIG-IP_v11.6.0
get_proxy_ssl_state Gets the proxy SSL states for the specified client SSL profiles. BIG-IP_v11.6.0
get_renegotiation_maximum_record_delay Gets the SSL renegotiation maximum record delay for the specified client SSL profiles. BIG-IP_v9.0
get_renegotiation_period Gets the SSL renegotiation periods for the specified client SSL profiles. BIG-IP_v9.0
get_renegotiation_state Gets the states controlling whether mid-stream renegotiation is allowed for the specified client SSL profiles. BIG-IP_v10.1.0
get_renegotiation_throughput Gets the SSL renegotiation throughputs for the specified client SSL profiles. BIG-IP_v9.0
get_retain_certificate_state Gets the certificate retention state for the specified client SSL profiles. BIG-IP_v11.4.0
get_secure_renegotiation_mode Gets the secure renegotiation mode for the specified client SSL profiles. See SecureRenegotiationMode for more details. BIG-IP_v10.2.3
get_server_name Gets the SNI server names (if any) for the specified client SSL profiles. BIG-IP_v11.1.0
get_session_mirroring_state Gets the states to enable using session mirroring for the specified client SSL profiles. BIG-IP_v11.6.0
get_session_ticket_state Gets the states to enforce to use session ticket per RFC 5077 for the specified client SSL profiles. BIG-IP_v11.3.0
get_session_ticket_timeout Gets the SSL session ticket timeouts (in seconds) which determines the lifetime of the session ticket for the specified client SSL profiles. BIG-IP_v12.0.0
get_sni_default_state Gets the SNI default states for the specified client SSL profiles. BIG-IP_v11.1.0
get_sni_require_state Gets the SNI require states for the specified client SSL profiles. BIG-IP_v11.1.0
get_ssl_maximum_aggregate_renegotiations_per_minute Gets the per-profile maximum number of aggregate renegotiation attempts allowed within a minute for the specified client SSL profiles. 0 means that the feature is disabled. BIG-IP_v12.0.0
get_ssl_maximum_renegotiations_per_minute Gets the maximum number of renegotiation attempts allowed within a minute for the specified client SSL profiles. BIG-IP_v11.6.0
get_ssl_option Gets the SSL options for the specified client SSL profiles. BIG-IP_v9.0
get_ssl_sign_hash Gets the SSL sign hash algorithm to sign and verify SSL Server Key Exchange and Certificate Verify messages with for the specified SSL profiles. BIG-IP_v9.0
get_statistics Gets the statistics for the specified client SSL profiles. BIG-IP_v9.0
get_statistics_by_virtual Gets the statistics for the specified profiles, by virtual server. BIG-IP_v11.0.0
get_strict_resume_state Gets the states to enforce strict SSL session resumption per RFC2246 for the specified client SSL profiles. BIG-IP_v9.0
get_unclean_shutdown_state Gets the states to do an unclean shutdown for the specified client SSL profiles. BIG-IP_v9.0
get_version Gets the version information for this interface. BIG-IP_v9.0
is_base_profile Determines whether the specified client SSL profiles are base profiles. A base profile sits at the base of the profile&aposs inheritance tree, supplying the defaults for every profile derived from it. (See also is_system_profile). BIG-IP_v9.0
is_system_profile Determines whether the specified client SSL profiles are system profiles. A system profile is a profile pre-configured on the system, ready for use. Non-system profiles are profiles created or modified by a user. Note that if a system profile is modified, it is no longer considered a system profile. (See also is_base_profile). BIG-IP_v11.0.0
remove_certificate_key_chain Removes certificate-key-chain objects from a client SSL profile. It should be noted that a client SSL profile should always have an RSA certificate-key-chain object. If you attempt to remove the RSA certificate-key-chain object, the system will throw an exception. BIG-IP_v11.5.0
reset_statistics Resets the statistics for the specified client SSL profiles. BIG-IP_v9.0
reset_statistics_by_virtual Resets the statistics for the specified profiles, for specified virtual servers. BIG-IP_v11.0.0
set_alert_timeout Sets the connection timeouts (in seconds) after sending an alert for the specified client SSL profiles. BIG-IP_v9.0
set_allow_dynamic_record_sizing_state Sets the states to indicate whether to allow dynamic record sizing. With dynamic record sizing, the first record sent will fit within the TCP MSS. The record sizes will then increase over time until the configured maximum is reached. It has been found that certain protocols, notably HTTP, show better client response times using this method. BIG-IP_v12.1.0
set_allow_expired_crl_state Sets the states to allow using an expired CRL file. If the state is enabled, use the CRL file even if it has expired. system-IP_v12.0.0
set_allow_nonssl_state Sets the states to indicate whether to allow non-SSL connections to pass through as cleartext. BIG-IP_v9.0
set_authenticate_depth Sets the client certificate chain maximum traversal depth for the specified client SSL profiles. BIG-IP_v9.0
set_authenticate_once_state Sets the states to request the client certificate once for the specified client SSL profiles. If the state is false/disabled, client certificate is requested for each SSL session renegotiation. BIG-IP_v9.0
set_bypass_on_failed_client_certificate_state Sets the SSL forward proxy bypass_on_failed_client_certificate state for the specified client SSL profiles. When this is enabled, the SSL forward proxy traffic will bypass the system if ServerSSL receives the Certificate Request message in the virtual servers that use this profile, but system is not configured to have the corresponding Client Certificate. The default value is disabled. BIG-IP_v13.0.0
set_bypass_on_handshake_alert_state Sets the SSL forward proxy bypass_on_handshake_alert state for the specified client SSL profiles. When this is enabled, the SSL forward proxy traffic will bypass the system if ServerSSL receive the handshake failure(40)/protocol version(70)/unsupported extension(110) alert message in the virtual servers that use this profile. The default value is disabled. BIG-IP_v13.0.0
set_ca_file Certificate files are officially managed as certificate file objects via the set_ca_file_v2 method and Management::KeyCertificate interface. Thus this method has been deprecated. Sets the CA file object names for the specified client SSL profiles. BIG-IP_v9.0
set_ca_file_v2 Sets the certificate file object names for the certificate authority files for the specified client SSL profiles. Certificate file objects are managed by the Management::KeyCertificate interface. BIG-IP_v11.0.0
set_cache_size Sets the SSL session cache sizes for the specified client SSL profiles. BIG-IP_v9.0
set_cache_timeout Sets the SSL session cache timeouts for the specified client SSL profiles. BIG-IP_v9.0
set_certificate_file This method has been deprecated, due to switching to file objects as the parameters and due to the fact that calling this method usually results in an error thanks to a mismatched key and certificate. Please use set_key_certificate_file in its stead. Sets the certificate file object names to be used by BIG-IP acting as an SSL server. Starting in v11.5.0, this method will set the RSA certificate associated with the RSA certificate-key-chain object in the profile. For adding or modifying DSA or ECDSA certificates, please use add_certificate_key_chain or set_certificate_key_chain_members or set_certificate_key_chain_certificate_file methods. BIG-IP_v9.0
set_certificate_key_chain_certificate_file Sets the certificate file object name in a certificate-key-chain object in a client SSL profile. BIG-IP_v11.5.0
set_certificate_key_chain_chain_file Sets the chain certificate file object name in a certificate-key-chain object in a client SSL profile. BIG-IP_v11.5.0
set_certificate_key_chain_key_file Sets the key file object name in a certificate-key-chain object in a client SSL profile. BIG-IP_v11.5.0
set_certificate_key_chain_members Sets the members of certificate-key-chain objects in a client SSL profile. This is intended as a convenience to prevent you from having to set keys, passphrases, certificates and chains in a transaction. BIG-IP_v11.5.0
set_certificate_key_chain_ocsp_stapling_parameters This method has been deprecated as of v13.0.0. Deprecation note: The attribute OCSP stapling parameters of certificate-key-chain is no longer used in v13.0.0. This configuration can now be achieved with associating the OCSP validator configuration with the certificate via add_certificate_validator, and then enabling OCSP validation for the certifiate via set_certificate_status_validation_options, and then enabling the OCSP stapling flag for the clientssl profile via set_ocsp_stapling_state. Sets the OCSP stapling parameters object in a certificate-key-chain object. BIG-IP_v11.6.0
set_certificate_key_chain_passphrase Sets the key passphrase in a certificate-key-chain object in a client SSL profile. BIG-IP_v11.5.0
set_chain_file Certificate files are officially managed as certificate file objects via the set_chain_file_v2 method and Management::KeyCertificateFile interface. Thus this method is deprecated. Sets the certificate chain file object names for the specified client SSL profiles. Starting in v11.5.0, this method will set the chain certificate associated with the RSA certificate-key-chain object in the profile. For setting the certificate chain file in other certificate-key-chain objects, please use the add_certificate_key_chain, the set_certificate_key_chain_members, or the set_certificate_key_chain_chain_file method. BIG-IP_v9.0
set_chain_file_v2 Sets the certificate file object names for the chain certificate files for the specified client SSL profiles. Certificate file objects are managed by the Management::KeyCertificate interface. Starting in v11.5.0, this method will set the chain certificate associated with the RSA certificate-key-chain object in the profile. For setting the certificate chain file in other objects, please use the add_certificate_key_chain, the set_certificate_key_chain_members, or the or set_certificate_key_chain_chain_file methods. BIG-IP_v9.0
set_cipher_list Sets the cipher lists for the specified client SSL profiles. BIG-IP_v9.0
set_client_certificate_ca_file Certificate files are officially managed as certificate file objects via the set_client_certificate_ca_file_v2 method and Management::KeyCertificate interface. Thus this method has been deprecated. Sets the client certificate CA file object names for the specified client SSL profiles. BIG-IP_v9.0
set_client_certificate_ca_file_v2 Sets the certificate file object names for the client certificate authority files for the specified client SSL profiles. Certificate file objects are managed by the Management::KeyCertificate interface. BIG-IP_v11.0.0
set_crl_file Certificate revocation list files are officially managed as certificate revocation list file objects via the set_crl_file_v2 method and Management::KeyCertificate interface. Thus this method has been deprecated. Sets the CRL file object names for the specified client SSL profiles. BIG-IP_v9.0
set_crl_file_v2 Sets the certificate revocation list file object names for the specified client SSL profiles. Certificate revocation list file objects are managed by the Management::KeyCertificate interface. BIG-IP_v11.0.0
set_default_profile Sets the names of the default profiles from which the specified profiles will derive default values for its attributes. BIG-IP_v9.0
set_description Sets the description for a set of client SSL profiles. This is an arbitrary field which can be used for any purpose. BIG-IP_v11.0.0
set_forward_proxy_bypass_default_action Sets the SSL forward proxy bypass default action for the specified client SSL profiles. The default value is intercept. Example: If a user configures the SSL forward proxy bypass default action to intercept, below is what the system does. 1. Check packet&aposs destination IP address against entries in destination IP blacklist. If there is a match, the packet will go through SSL forward proxy (or the packet is intercepted by SSL forward proxy). 2. If there is no match in 1, the system will check packet&aposs destination IP address against entries in destination IP whitelist. If there is a match, the packet will bypass the SSL forward proxy. 3. If still there is no match, the system will go to the next stage which is to compare the source IP and hostname similar to step 1 & 2. 4. If there are no matches after all, the packet will be set to the default action which in this case is to intercept. If the SSL forward proxy bypass default action is set to bypass, the steps will be 2, 1, 3, 4. In 4, the default action is to bypass. BIG-IP_v11.5.0
set_forward_proxy_bypass_destination_ip_black_list Sets the SSL forward proxy bypass Destination IP Blacklist to be used by BIG-IP as a policy list to intercept traffic for client SSL profiles. The Data Group List interface is used to create the Destination IP Blacklist. BIG-IP_v11.5.0
set_forward_proxy_bypass_destination_ip_white_list Sets the SSL forward proxy bypass Destination IP Whitelist to be used by BIG-IP as a policy list to bypass traffic for client SSL profiles. The Data Group List interface is used to create the Destination IP Whitelist. BIG-IP_v11.5.0
set_forward_proxy_bypass_hostname_black_list Sets the SSL forward proxy bypass Hostname Blacklist to be used by BIG-IP as a policy list to intercept traffic for client SSL profiles. The Data Group List interface is used to create the Hostname Blacklist. BIG-IP_v11.5.0
set_forward_proxy_bypass_hostname_white_list Sets the SSL forward proxy bypass Hostname Whitelist to be used by BIG-IP as a policy list to bypass traffic for client SSL profiles. The Data Group List interface is used to create the Hostname Whitelist. BIG-IP_v11.5.0
set_forward_proxy_bypass_source_ip_black_list Sets the SSL forward proxy bypass Source IP Blacklist to be used by BIG-IP as a policy list to intercept traffic for client SSL profiles. The Data Group List interface is used to create the Source IP Blacklist. BIG-IP_v11.5.0
set_forward_proxy_bypass_source_ip_white_list Sets the SSL forward proxy bypass Source IP Whitelist to be used by BIG-IP as a policy list to bypass traffic for client SSL profiles. The Data Group List interface is used to create the Source IP Whitelist. BIG-IP_v11.5.0
set_forward_proxy_bypass_state Sets the SSL forward proxy bypass states for the specified client SSL profiles. When this is enabled, SSL forward proxy bypass feature is enabled for the virtual server that uses this profile. The default value is disabled. BIG-IP_v11.5.0
set_forward_proxy_ca_key_certificate_file Sets the SSL forward proxy CA key and certificate file object names to be used by BIG-IP acting as an SSL forward proxy server for a set of client SSL profiles. Key and certificate file objects are managed by the Management::KeyCertificate interface. These values can be retrieved via the get_forward_proxy_ca_key_file and get_forward_proxy_ca_certificate_file methods. BIG-IP_v11.3.0
set_forward_proxy_ca_passphrase Sets the SSL forward proxy CA key passphrases (if any) for the specified client SSL profiles. BIG-IP_v11.3.0
set_forward_proxy_certificate_extension_include Sets the extensions to be included in the SSL forward proxy generated certificates for the specified client SSL profiles. BIG-IP_v11.3.0
set_forward_proxy_certificate_lifespan Sets the SSL forward proxy generated certificate lifespans for the specified client SSL profiles. BIG-IP_v11.3.0
set_forward_proxy_enabled_state Sets the SSL forward proxy enabled states for the specified client SSL profiles. When this is enabled, SSL forward proxy feature is enabled for the virtual server that uses this profile. The default value is disabled. Please make sure that the forward proxy CA certificate and key file object names and passphrases have been set correctly via set_forward_proxy_ca_key_certificate_file and set_forward_proxy_ca_passphrase before setting this to true. BIG-IP_v11.3.0
set_forward_proxy_lookup_by_ipaddr_port_state Sets the SSL forward proxy certificate cache by IPAddr-Port enabled states for the specified client SSL profiles. When this is enabled, SSL forward proxy certificate cache by IPAddr-port feature is enabled for the virtual server that uses this profile. The default value is disabled. BIG-IP_v11.4.0
set_generic_alert_state Sets the states to enforce to use generic alert number in Alert message when sending Alert message. If the state is enabled, use generic alert number in Alert message when sending Alert message. Otherwise, use alert number defined in RFC5246/RFC6066 strictly in Alert message when sending Alert message. The default value is enabled. BIG-IP_v11.5.0
set_handshake_timeout Sets the connection timeouts (in seconds) during handshake phase for the specified client SSL profiles. BIG-IP_v9.0
set_key_certificate_file Sets the key and certificate file object names to be used by BIG-IP acting as an SSL server for a set of client SSL profiles. Key and certificate file objects are managed by the Management::KeyCertificate interface. These values can be retrieved via the get_key_file_v2 and get_certificate_file_v2 methods. Starting in v11.5.0, this method will set the RSA key and certificate associated with the RSA certificate-key-chain object in the profile. For adding or modifying DSA or ECDSA keys and certificates, please use the add_certificate_key_chain or the set_certificate_key_chain_members or the set_certificate_key_chain_certificate_file method. BIG-IP_v9.0
set_key_file This method has been deprecated, due to switching to file objects as the parameters and due to the fact that calling this method usually results in an error thanks to a mismatched key and certificate. Please use set_key_certificate_file in its stead. Sets the key file object names to be used by BIG-IP acting as an SSL server. If a full path is not specified, the file name is relative to /config/ssl/ssl.key. Starting in v11.5.0, this method will set the RSA key associated with the RSA certificate-key-chain object in the profile. For adding or modifying DSA or ECDSA keys, please use the add_certificate_key_chain, the set_certificate_key_chain_members or the set_certificate_key_chain_key_file method. BIG-IP_v9.0
set_maximum_active_handshakes Sets the per-profile maximum number of outstanding SSL handshakes for the specified client SSL profiles. The default is 0 which means the maximum number is infinity. BIG-IP_v12.1.0
set_maximum_record_size Sets the maximum record size used by SSL. Typically, this is the maximum allowed by the protocol, 16K, but in some instances better performance will be seen with smaller record sizes. BIG-IP_v12.1.0
set_modssl_emulation_state Sets the states to emulate modSSL for the specified client SSL profiles. BIG-IP_v9.0
set_notify_certificate_status_to_virtual_server_state Sets the notify-certificate-status-to-virtual-server enabled states for the specified client SSL profiles, to indicate whether to propagate the status of the certificates to the virtual server. When this is set to enabled, at least one certificate validator configuration on the certificates of each of the specified client SSL profiles is required. The default value is disabled. BIG-IP_v13.0.0
set_ocsp_stapling_state Sets the OCSP stapling enabled states for the specified client SSL profiles. When this is set to enabled, at least one OCSP certificate validator configuration on the certificates of each of the specified client SSL profiles is required; and the OCSP responses of the certificate will be stapled with the TLS/SSL handshake if the TLS/SSL clients request it in the ClientHello handshake message. The default value is disabled. BIG-IP_v13.0.0
set_passphrase Sets the key passphrases (if any) for the specified client SSL profiles. Starting in v11.5.0, this method will set the passphrase corresponding to the RSA certificate-key-chain object. For setting passphrases corresponding to other certificate-key-chain objects, please use the set_certificate_key_chain_passphrase method. The user should refrain from using the &aposdefault_flag&apos, and the exact passphrase should be specified. BIG-IP_v9.0
set_peer_certificate_mode Sets the peer certification modes for the specified client SSL profiles. BIG-IP_v9.0
set_peer_no_renegotiate_timeout Sets the timeout that the system will wait for a client hello message before sending a fatal alert. The timer starts when the hello request is sent and stops when the client hello message is received within the allotted timeout, or if the timer expires before the client hello is received, a fatal alert is sent. The default is 10 seconds. You can set it to indefinite (-1) which specifies that the system continue to wait for client hello message for an unlimited time. BIG-IP_v11.6.0
set_profile_mode Sets the modes for the specified client SSL profiles. BIG-IP_v9.0
set_proxy_ssl_passthrough_state When SSL client and server negotiate a cipher suite which is not supported by the proxy SSL, setting the passthrough mode enables the SSL traffic to passthrough proxy SSL. The default value is disabled. BIG-IP_v11.6.0
set_proxy_ssl_state Proxy SSL enables SSL client and server to authenticate each other directly. When this is enabled, proxy SSL feature is enabled for the virtual server that uses this profile. The default value is disabled. BIG-IP_v11.6.0
set_renegotiation_maximum_record_delay Sets the SSL renegotiation maximum record delay for the specified client SSL profiles. BIG-IP_v9.0
set_renegotiation_period Sets the SSL renegotiation periods for the specified client SSL profiles. BIG-IP_v9.0
set_renegotiation_state Sets the states controlling whether mid-stream renegotiation is allowed for the specified client SSL profiles. If renegotiations are enabled, the behavior is unchanged from previous releases, and mid-stream SSL renegotiations are allowed. If renegotiations are disabled, and we are acting as an SSL server, we will abort the connection. For ClientSSL, renegotiations are disabled by default. BIG-IP_v10.1.0
set_renegotiation_throughput Sets the SSL renegotiation throughputs for the specified client SSL profiles. BIG-IP_v9.0
set_retain_certificate_state Sets the certificate retention state for the specified client SSL profiles. When set to false, certificate received in SSL handshake will not be stored in SSL session thus saving the memory required for processing. This setting should be set to true when using the APM module. The default value is true. BIG-IP_v11.4.0
set_secure_renegotiation_mode Sets the secure renegotiation mode for the specified client SSL profiles. See SecureRenegotiationMode for more details. BIG-IP_v10.2.3
set_server_name Sets the SNI server name (if any) for the specified client SSL profiles. BIG-IP_v11.1.0
set_session_mirroring_state Sets the states to enable using session mirroring for the specified client SSL profiles. If the state is enabled, sessions will be mirrored to high availability peer. BIG-IP_v11.6.0
set_session_ticket_state Sets the states to enforce to use session ticket per RFC 5077 for the specified client SSL profiles. If the state is enabled, use session ticket in session connection. BIG-IP_v11.3.0
set_session_ticket_timeout Sets the SSL session ticket timeouts (in seconds) which determines the lifetime of the session ticket for the specified client SSL profiles. The default is 0 which means the SSL session cache lifetime is used. BIG-IP_v12.0.0
set_sni_default_state Sets the SNI default states for the specified client SSL profiles. When this is set to true, this profile is the default SSL profile when a client connection does not specify a known server name, or does not specify any server name at all. The default value is false. BIG-IP_v11.1.0
set_sni_require_state Sets the SNI require states for the specified client SSL profiles. When this is set to true, SNI support is required for the peer and if a client connection does not specify a known server name, or does not specify any server name at all, the handshake will fail. The default value is false. BIG-IP_v11.1.0
set_ssl_maximum_aggregate_renegotiations_per_minute Sets the per-profile maximum number of aggregate renegotiation attempts allowed within a minute for the specified client SSL profiles. 0 means that the feature is disabled. BIG-IP_v12.0.0
set_ssl_maximum_renegotiations_per_minute Sets the maximum number of renegotiation attempts allowed within a minute for the specified client SSL profiles. BIG-IP_v11.6.0
set_ssl_option Sets the SSL options for the specified client SSL profiles. BIG-IP_v9.0
set_ssl_sign_hash Sets the SSL sign hash algorithm to sign and verify SSL Server Key Exchange and Certificate Verify messages with for the specified SSL profiles. BIG-IP_v9.0
set_strict_resume_state Sets the states to enforce strict SSL session resumption per RFC2246 for the specified client SSL profiles. If the state is true/enabled, don&apost send a close notify alert when closing connection. BIG-IP_v9.0
set_unclean_shutdown_state Sets the states to do an unclean shutdown for the specified client SSL profiles. If the state is true/enabled, don&apost send a close notify alert when closing connection. BIG-IP_v9.0

Structures

Structure

Description

CertificateKeyChain

A struct that holds the members of the certificate-key-chain object. A client SSL profile can be associated with at most one certificate-key-chain object of a given key-type.

ProfileClientSSLStatisticEntry

A struct that describes statistics for a particular client SSL profile.

ProfileClientSSLStatistics

A struct that describes profile statistics and timestamp.


Enumerations

Enumeration Description

Exceptions

Exception Description

Constants

Constant Type Value Description

Aliases

Alias Type Description
CertificateKeyChainSequence CertificateKeyChain [] A sequence of CertificateKeyChain objects.
CertificateKeyChainSequenceSequence CertificateKeyChain [] [] A sequence of sequence of CertificateKeyChain objects.
ProfileClientSSLStatisticEntrySequence ProfileClientSSLStatisticEntry [] A sequence of ProfileClientSSL statistics.

See Also

The BIG-IP API Reference documentation contains community-contributed content. F5 does not monitor or control community code contributions. We make no guarantees or warranties regarding the available code, and it may contain errors, defects, bugs, inaccuracies, or security vulnerabilities. Your access to and use of any code available in the BIG-IP API reference guides is solely at your own risk.