Last updated on: 2024-04-01 03:24:20.
bigip_sslo_config_ssl – Manage an SSL Orchestrator SSL configuration¶
New in version 1.6.0.
Parameters¶
| Parameter | Choices/Defaults | Configuration | Comments | |
|---|---|---|---|---|
|
bypass_client_cert_failure
boolean
|
|
Defines the action to take if a server side TLS handshake client certificate request is detected.
A value of
false causes the connection to fail.A value of
true shuts down TLS decryption and allows the connection to proceed un-decrypted. |
||
|
bypass_handshake_failure
boolean
|
|
Defines the action to take if a server side TLS handshake failure is detected.
A value of
false causes the connection to fail.A value of
false shuts down TLS decryption and allows the connection to proceed un-decrypted. |
||
|
client_settings
dictionary
|
Specifies the client-side SSL settings.
|
|||
|
alpn
boolean
|
|
Enables or disables ALPN HTTP/2 full proxy.
This parameter can only be used when
proxy_type is forward.This parameter is only available in SSLO version 9.0 and later.
|
||
|
ca_cert
string
|
Defines the CA certificate applied in the client side settings.
This parameter is required when
proxy_type is forward, otherwise this setting is ignored.This parameter is required together with
ca_key. |
|||
|
ca_chain
string
|
Defines the CA certificate keychain in the client side settings.
This parameter is required if
proxy_type is forward, otherwise this setting is ignored. |
|||
|
ca_key
string
|
Defines the CA private key applied in the client side settings.
This parameter is required when
proxy_type is forward, otherwise this setting is ignored.This parameter is required together with
ca_key. |
|||
|
ca_key_passphrase
string
added in 3.3.0 |
Defines the passphrase for the CA private key in the client side settings.
|
|||
|
cert
string
|
Defines the certificate applied in the client side settings.
This parameter is required together with
key. |
|||
|
chain
string
|
Defines the certificate keychain in the client side settings.
|
|||
|
cipher_group
string
|
Defines the existing cipher group.
This parameter is mutually exclusive with
cipher_string.This parameter is required when
cipher_type is group. |
|||
|
cipher_string
string
|
Defines the string used for cipher strings.
This parameter is mutually exclusive with
cipher_group.This parameter is required when
cipher_type is string. |
|||
|
cipher_type
string
|
|
Defines the type of cipher used.
|
||
|
client_ssl_options
list
/ elements=string
added in 1.12.0 |
The processing options using various TLS and SSL versions.
|
|||
|
key
string
|
Defines the private key applied in the client side settings.
This parameter is required together with
cert. |
|||
|
key_passphrase
string
added in 3.3.0 |
Defines the passphrase for the private key in the client side settings.
|
|||
|
log_publisher
string
|
Defines a specific log publisher to use for client-side SSL-related events.
This parameter is only available in SSLO version 9.0 and later.
|
|||
|
proxy_type
string
|
|
Defines the type of proxy to configure.
This parameter is immutable after the object has been created.
This parameter is required when
state is present. |
||
|
update_ca_key_passphrase
boolean
added in 3.3.0 |
|
Defines whether to update the passphrase for the CA private key in the client side settings.
Default values is
no.It must be set to
yes when wanting to update the passphrase or when trying to add a passphrase to a CA private key that does not have one in an existing ssl config. |
||
|
update_key_passphrase
boolean
added in 3.3.0 |
|
Defines whether to update the passphrase for the private key in the client side settings.
Default values is
no.It must be set to
yes when wanting to update the passphrase or when trying to add a passphrase to a private key that does not have one in an existing ssl config. |
||
|
dump_json
boolean
|
|
Sets the module to output a JSON blob for further consumption.
When
true, does not make any changes on the device and always returns changed=False.The output provided is idempotent in nature, meaning if there are no changes to be made during
MODIFY on an existing service no JSON output is generated. |
||
|
name
string
/ required
|
Specifies the name of the authentication object.
The configuration auto-prepends
ssloT_ to the object.Names should be less than 14 characters and not contain dashes
-. |
|||
|
server_settings
dictionary
|
Specifies the server-side SSL settings
|
|||
|
block_expired
string
|
|
Defines the action to take if an expired remote server certificate is encountered.
For reverse proxy, the default is to ignore expired certificates.
For forward proxy, the default is to drop expired certificates.
|
||
|
block_untrusted
string
|
|
Defines the action to take if an untrusted remote server certificate is encountered, based on the defined
ca_bundle.For reverse proxy, the default is to ignore untrusted certificates.
For forward proxy, the default is to drop untrusted certificates.
|
||
|
ca_bundle
string
|
Defines the certificate authority bundle used to validate remote server certificates.
This setting is most applicable in the forward proxy use case to validate remote server certificates.
|
|||
|
cipher_group
string
|
Defines the existing cipher group.
This parameter is mutually exclusive with
cipher_string.This parameter is required when
cipher_type is group. |
|||
|
cipher_string
string
|
Defines the string used for cipher strings.
This parameter is mutually exclusive with
cipher_group.This parameter is required when
cipher_type is string. |
|||
|
cipher_type
string
|
|
Defines the type of cipher used.
|
||
|
crl
string
|
Defines a CRL configuration to use to perform certificate revocation checking against remote server certificates.
|
|||
|
log_publisher
string
|
Defines a specific log publisher to use for server-side SSL-related events.
This parameter is only available in SSLO version 9.0 and above.
|
|||
|
ocsp
string
|
Defines an OCSP configuration to use to perform certificate revocation checking against remote server certificates.
|
|||
|
server_ssl_options
list
/ elements=string
added in 1.12.0 |
The processing options using various TLS and SSL versions.
|
|||
|
sni
dictionary
|
Specifies the SNI settings.
|
|||
|
sni_default
boolean
|
|
Specify whether it is the default SNI server.
|
||
|
sni_server_name
string
|
The SNI server name in FQDN format.
|
|||
|
state
string
|
|
When
state is present, ensures the object is created or modified.When
state is absent, ensures the service is removed. |
||
|
timeout
integer
|
Default: 300
|
The amount of time to wait for the
CREATE, MODIFY or DELETE task to complete, in seconds.The accepted value range is between
10 and 1800 seconds. |
||
Examples¶
- name: Create an SSLO SSL config with reverse proxy - output json only
bigip_sslo_config_ssl:
name: "reverse_foo"
client_settings:
proxy_type: "reverse"
cert: "/Common/sslo_test.crt"
key: "/Common/sslo_test.key"
dump_json: true
- name: Create an SSLO SSL config with forward proxy
bigip_sslo_config_ssl:
name: "forward_foo"
client_settings:
proxy_type: "forward"
cipher_type: "group"
cipher_group: "/Common/f5-default"
ca_cert: "/Common/default.crt"
ca_key: "/Common/default.key"
alpn: true
server_settings:
cipher_type: "group"
cipher_group: "/Common/f5-default"
bypass_handshake_failure: true
timeout: 400
- name: Modify an SSLO SSL config with forward proxy
bigip_sslo_config_ssl:
name: "forward_foo"
client_settings:
proxy_type: "forward"
ca_cert: "/Common/sslo_test.crt"
ca_key: "/Common/sslo_test.key"
- name: Delete an SSLO SSL config
bigip_sslo_config_ssl:
name: "forward_foo"
state: absent
Return Values¶
The following are the fields unique to this module:
| Key | Returned | Description | |
|---|---|---|---|
|
bypass_client_cert_failure
boolean
|
changed |
Defines the action to take if a server side TLS handshake client certificate request is detected.
Sample:
True
|
|
|
bypass_handshake_failure
boolean
|
changed |
Defines the action to take if a server side TLS handshake failure is detected.
Sample:
True
|
|
|
client_settings
complex
|
changed |
Client-side SSL settings.
|
|
|
alpn
boolean
|
Enables or disables ALPN HTTP/2 full proxy.
Sample:
True
|
||
|
ca_cert
string
|
The CA certificate applied in the client side settings.
Sample:
/Common/default.crt
|
||
|
ca_chain
string
|
The CA certificate keychain in the client side settings.
Sample:
/Common/local-ca-chain.crt
|
||
|
ca_key
string
|
The CA private key applied in the client side settings.
Sample:
/Common/default.key
|
||
|
cert
string
|
The certificate applied in the client side settings.
Sample:
/Common/default.crt
|
||
|
chain
string
|
The certificate keychain in the client side settings.
Sample:
/Common/local-ca-chain.crt
|
||
|
cipher_group
string
|
The existing cipher group.
Sample:
/Common/f5-default
|
||
|
cipher_string
string
|
The string used for cipher strings.
Sample:
DEFAULT
|
||
|
cipher_type
string
|
The type of cipher used.
Sample:
string
|
||
|
key
string
|
The private key applied in the client side settings.
Sample:
/Common/default.key
|
||
|
log_publisher
string
|
The log publisher used for client-side SSL-related events.
Sample:
/Common/sys-ssl-publisher
|
||
|
proxy_type
string
|
The type of proxy configured.
Sample:
forward
|
||
|
server_settings
complex
|
changed |
Specifies the server-side SSL settings.
|
|
|
block_expired
string
|
The action to take if an expired remote server certificate is encountered.
Sample:
ignore
|
||
|
block_untrusted
string
|
The action to take if an untrusted remote server certificate is encountered.
Sample:
ignore
|
||
|
ca_bundle
string
|
The certificate authority bundle used to validate remote server certificates
Sample:
/Common/ca-bundle.crt
|
||
|
cipher_group
string
|
The existing cipher group
Sample:
/Common/f5-default
|
||
|
cipher_string
string
|
The string used for cipher strings.
Sample:
DEFAULT
|
||
|
cipher_type
string
|
The type of cipher used.
Sample:
string
|
||
|
crl
string
|
The existing CRL configuration to validate revocation of remote server certificates.
Sample:
/Common/my-crl
|
||
|
log_publisher
string
|
The log publisher used for server-side SSL-related events.
Sample:
/Common/sys-ssl-publisher
|
||
|
ocsp
string
|
Then existing OCSP configuration to validate revocation of remote server certificates.
Sample:
/Common/my-ocsp
|
||