bigip_sslo_config_ssl – Manage an SSL Orchestrator SSL configuration

New in version 1.6.0.

Synopsis

  • Manage an SSL Orchestrator SSL configuration.

Parameters

Parameter Choices/Defaults Configuration Comments
bypass_client_cert_failure
boolean
    Choices:
  • no
  • yes
Defines the action to take if a server side TLS handshake client certificate request is detected.
A value of no causes the connection to fail.
A value of yes shuts down TLS decryption and allows the connection to proceed un-decrypted.
bypass_handshake_failure
boolean
    Choices:
  • no
  • yes
Defines the action to take if a server side TLS handshake failure is detected.
A value of no causes the connection to fail.
A value of yes shuts down TLS decryption and allows the connection to proceed un-decrypted.
client_settings
dictionary
Specifies the client-side SSL settings.
alpn
boolean
    Choices:
  • no
  • yes
Enables or disables ALPN HTTP/2 full proxy.
This parameter can only be used when proxy_type is forward.
This parameter is only available in SSLO version 9.0 and later.
ca_cert
string
Defines the CA certificate applied in the client side settings.
This parameter is required when proxy_type is forward, otherwise this setting is ignored.
This parameter is required together with ca_key.
ca_chain
string
Defines the CA certificate keychain in the client side settings.
This parameter is required if proxy_type is forward, otherwise this setting is ignored.
ca_key
string
Defines the CA private key applied in the client side settings.
This parameter is required when proxy_type is forward, otherwise this setting is ignored.
This parameter is required together with ca_cert.
cert
string
Defines the certificate applied in the client side settings.
This parameter is required together with key.
chain
string
Defines the certificate keychain in the client side settings.
cipher_group
string
Defines the existing cipher group.
This parameter is mutually exclusive with cipher_string.
This parameter is required when cipher_type is group.
cipher_string
string
Defines the string used for cipher strings.
This parameter is mutually exclusive with cipher_group.
This parameter is required when cipher_type is string.
cipher_type
string
    Choices:
  • string
  • group
Defines the type of cipher used.
key
string
Defines the private key applied in the client side settings.
This parameter is required together with cert.
log_publisher
string
Defines a specific log publisher to use for client-side SSL-related events.
This parameter is only available in SSLO version 9.0 and later.
proxy_type
string
    Choices:
  • forward
  • reverse
Defines the type of proxy to configure.
This parameter is immutable after the object has been created.
This parameter is required when state is present.
dump_json
boolean
    Choices:
  • no ←
  • yes
Sets the module to output a JSON blob for further consumption.
When yes, does not make any changes on the device and always returns changed=False.
The output is idempotent: if there are no changes to be made during MODIFY on an existing service, no JSON output is generated.
name
string / required
Specifies the name of the authentication object.
The configuration auto-prepends ssloT_ to the object.
Names should be less than 14 characters and must not contain dashes (-).
server_settings
dictionary
Specifies the server-side SSL settings.
block_expired
boolean
    Choices:
  • no
  • yes
Defines the action to take if an expired remote server certificate is encountered.
For reverse proxy, the default is to ignore expired certificates (no).
For forward proxy, the default is to drop expired certificates (yes).
block_untrusted
boolean
    Choices:
  • no
  • yes
Defines the action to take if an untrusted remote server certificate is encountered, based on the defined ca_bundle.
For reverse proxy, the default is to ignore untrusted certificates (no).
For forward proxy, the default is to drop untrusted certificates (yes).
ca_bundle
string
Defines the certificate authority bundle used to validate remote server certificates.
This setting is most applicable in the forward proxy use case to validate remote server certificates.
cipher_group
string
Defines the existing cipher group.
This parameter is mutually exclusive with cipher_string.
This parameter is required when cipher_type is group.
cipher_string
string
Defines the string used for cipher strings.
This parameter is mutually exclusive with cipher_group.
This parameter is required when cipher_type is string.
cipher_type
string
    Choices:
  • string
  • group
Defines the type of cipher used.
crl
string
Defines a CRL configuration to use to perform certificate revocation checking against remote server certificates.
log_publisher
string
Defines a specific log publisher to use for server-side SSL-related events.
This parameter is only available in SSLO version 9.0 and later.
ocsp
string
Defines an OCSP configuration to use to perform certificate revocation checking against remote server certificates.
sni
dictionary
Specifies the SNI settings.
sni_default
boolean
    Choices:
  • no
  • yes
Specifies whether this is the default SNI server.
sni_server_name
string
The SNI server name in FQDN format.
state
string
    Choices:
  • present ←
  • absent
When state is present, ensures the object is created or modified.
When state is absent, ensures the service is removed.
timeout
integer
Default:
300
The amount of time to wait for the CREATE, MODIFY or DELETE task to complete, in seconds.
The accepted value range is between 10 and 1800 seconds.
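The parameter rules above (required-together pairs, mutually exclusive cipher options, name and timeout limits) are easy to get wrong in a playbook, and some legal values such as bypass_handshake_failure: yes deliberately let traffic through un-decrypted. The following linter is an added example, not code from the f5networks.f5_bigip collection; it checks a task's parameter dict against the documented rules and flags the inspection-weakening settings, with the rule wording assumed from the table above.

```python
# Added example, not part of the f5networks.f5_bigip collection: lint one task's
# parameters against the rules in the parameter table and flag settings that weaken inspection.

def lint_sslo_ssl(params):
    """Return (problems, warnings) for one task's parameter dict."""
    problems, warnings = [], []
    name = params.get("name", "")
    if not name or len(name) >= 14 or "-" in name:
        problems.append("name is required, under 14 characters, with no dashes")
    if not 10 <= params.get("timeout", 300) <= 1800:
        problems.append("timeout must be between 10 and 1800 seconds")
    if params.get("state", "present") == "absent":
        return problems, warnings  # only name and timeout matter for removal
    client = params.get("client_settings") or {}
    server = params.get("server_settings") or {}
    proxy = client.get("proxy_type")
    if proxy not in ("forward", "reverse"):
        problems.append("client_settings.proxy_type must be forward or reverse")
    for side, cfg in (("client_settings", client), ("server_settings", server)):
        if "cipher_group" in cfg and "cipher_string" in cfg:
            problems.append(f"{side}: cipher_group and cipher_string are exclusive")
        for ctype, needed in (("group", "cipher_group"), ("string", "cipher_string")):
            if cfg.get("cipher_type") == ctype and needed not in cfg:
                problems.append(f"{side}: cipher_type {ctype} requires {needed}")
    for a, b in (("cert", "key"), ("ca_cert", "ca_key")):
        if (a in client) != (b in client):
            problems.append(f"client_settings: {a} and {b} are required together")
    if proxy == "forward" and "ca_cert" not in client:
        problems.append("forward proxy requires ca_cert and ca_key")
    if proxy != "forward" and client.get("alpn"):
        warnings.append("alpn only applies when proxy_type is forward")
    # Settings that let sessions proceed without decryption or trust checks.
    for flag in ("bypass_handshake_failure", "bypass_client_cert_failure"):
        if params.get(flag):
            warnings.append(f"{flag}: yes passes failing sessions un-decrypted")
    if proxy == "forward":
        if server.get("block_untrusted") is False:
            warnings.append("block_untrusted: no overrides the forward-proxy default")
        if not (server.get("crl") or server.get("ocsp")):
            warnings.append("no crl or ocsp: server certificate revocation unchecked")
    return problems, warnings

# Constructed sample mirroring the page's forward-proxy example task.
FORWARD_TASK = {"name": "forward_foo", "bypass_handshake_failure": True, "timeout": 400,
    "client_settings": {"proxy_type": "forward", "cipher_type": "group",
                        "cipher_group": "/Common/f5-default", "alpn": True,
                        "ca_cert": "/Common/default.crt", "ca_key": "/Common/default.key"},
    "server_settings": {"cipher_type": "group", "cipher_group": "/Common/f5-default"},
}
```

Running lint_sslo_ssl(FORWARD_TASK) reports no rule violations but two warnings, since the sample bypasses handshake failures and configures neither crl nor ocsp.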

Examples

- hosts: all
  collections:
    - f5networks.f5_bigip
  connection: httpapi

  vars:
    ansible_host: "lb.mydomain.com"
    ansible_user: "admin"
    ansible_httpapi_password: "secret"
    ansible_network_os: f5networks.f5_bigip.bigip
    ansible_httpapi_use_ssl: yes

  tasks:
    - name: Create an SSLO SSL config with reverse proxy - output json only
      bigip_sslo_config_ssl:
        name: "reverse_foo"
        client_settings:
          proxy_type: "reverse"
          cert: "/Common/sslo_test.crt"
          key: "/Common/sslo_test.key"
        dump_json: yes

    - name: Create an SSLO SSL config with forward proxy
      bigip_sslo_config_ssl:
        name: "forward_foo"
        client_settings:
          proxy_type: "forward"
          cipher_type: "group"
          cipher_group: "/Common/f5-default"
          ca_cert: "/Common/default.crt"
          ca_key: "/Common/default.key"
          alpn: yes
        server_settings:
          cipher_type: "group"
          cipher_group: "/Common/f5-default"
        bypass_handshake_failure: yes
        timeout: 400

    - name: Modify an SSLO SSL config with forward proxy
      bigip_sslo_config_ssl:
        name: "forward_foo"
        client_settings:
          proxy_type: "forward"
          ca_cert: "/Common/sslo_test.crt"
          ca_key: "/Common/sslo_test.key"

    - name: Delete an SSLO SSL config
      bigip_sslo_config_ssl:
        name: "forward_foo"
        state: absent

Return Values

The following are the fields unique to this module:

Key Returned Description
bypass_client_cert_failure
boolean
changed
Defines the action to take if a server side TLS handshake client certificate request is detected.

Sample:
True
bypass_handshake_failure
boolean
changed
Defines the action to take if a server side TLS handshake failure is detected.

Sample:
True
client_settings
complex
changed
Client-side SSL settings.

  alpn
boolean
Enables or disables ALPN HTTP/2 full proxy.

Sample:
True
  ca_cert
string
The CA certificate applied in the client side settings.

Sample:
/Common/default.crt
  ca_chain
string
The CA certificate keychain in the client side settings.

Sample:
/Common/local-ca-chain.crt
  ca_key
string
The CA private key applied in the client side settings.

Sample:
/Common/default.key
  cert
string
The certificate applied in the client side settings.

Sample:
/Common/default.crt
  chain
string
The certificate keychain in the client side settings.

Sample:
/Common/local-ca-chain.crt
  cipher_group
string
The existing cipher group.

Sample:
/Common/f5-default
  cipher_string
string
The string used for cipher strings.

Sample:
DEFAULT
  cipher_type
string
The type of cipher used.

Sample:
string
  key
string
The private key applied in the client side settings.

Sample:
/Common/default.key
  log_publisher
string
The log publisher used for client-side SSL-related events.

Sample:
/Common/sys-ssl-publisher
  proxy_type
string
The type of proxy configured.

Sample:
forward
server_settings
complex
changed
Specifies the server-side SSL settings.

  block_expired
boolean
The action to take if an expired remote server certificate is encountered.

Sample:
True
  block_untrusted
boolean
The action to take if an untrusted remote server certificate is encountered.

Sample:
True
  ca_bundle
string
The certificate authority bundle used to validate remote server certificates.

Sample:
/Common/ca-bundle.crt
  cipher_group
string
The existing cipher group.

Sample:
/Common/f5-default
  cipher_string
string
The string used for cipher strings.

Sample:
DEFAULT
  cipher_type
string
The type of cipher used.

Sample:
string
  crl
string
The existing CRL configuration to validate revocation of remote server certificates.

Sample:
/Common/my-crl
  log_publisher
string
The log publisher used for server-side SSL-related events.

Sample:
/Common/sys-ssl-publisher
  ocsp
string
The existing OCSP configuration to validate revocation of remote server certificates.

Sample:
/Common/my-ocsp


Authors

  • Wojciech Wypior (@wojtek0806)
  • Kevin Stewart (@kevingstewart)