-
-
-
-
-
-
-
-
ssl-serviceGroup
-
-
-
This content has been machine translated dynamically.
Dieser Inhalt ist eine maschinelle Übersetzung, die dynamisch erstellt wurde. (Haftungsausschluss)
Cet article a été traduit automatiquement de manière dynamique. (Clause de non responsabilité)
Este artículo lo ha traducido una máquina de forma dinámica. (Aviso legal)
此内容已经过机器动态翻译。 放弃
このコンテンツは動的に機械翻訳されています。免責事項
이 콘텐츠는 동적으로 기계 번역되었습니다. 책임 부인
Este texto foi traduzido automaticamente. (Aviso legal)
Questo contenuto è stato tradotto dinamicamente con traduzione automatica.(Esclusione di responsabilità))
This article has been machine translated.
Dieser Artikel wurde maschinell übersetzt. (Haftungsausschluss)
Ce article a été traduit automatiquement. (Clause de non responsabilité)
Este artículo ha sido traducido automáticamente. (Aviso legal)
この記事は機械翻訳されています.免責事項
이 기사는 기계 번역되었습니다.책임 부인
Este artigo foi traduzido automaticamente.(Aviso legal)
这篇文章已经过机器翻译.放弃
Questo articolo è stato tradotto automaticamente.(Esclusione di responsabilità))
Translation failed!
ssl-serviceGroup
The following operations can be performed on “ssl-serviceGroup”:
bind | unbind | show | unset | set |
bind ssl serviceGroup
Bind a SSL certkey or a SSL policy to a SSL service.
Synopsis
bind ssl serviceGroup
Arguments
serviceGroupName The name of the SSL service to which the SSL policy needs to be bound.
certkeyName The name of the CertKey
CA CA certificate.
crlCheck The rule for use of CRL corresponding to this CA certificate during client authentication. If crlCheck is set to Mandatory, the system will deny all SSL clients if the CRL is missing, expired - NextUpdate date is in the past, or is incomplete with remote CRL refresh enabled. If crlCheck is set to optional, the system will allow SSL clients in the above error cases.However, in any case if the client certificate is revoked in the CRL, the SSL client will be denied access.
Possible values: Mandatory, Optional
SNICert The name of the CertKey. Use this option to bind Certkey(s) which will be used in SNI processing.
ocspCheck The state of the OCSP check parameter. (Mandatory/Optional)
Possible values: Mandatory, Optional
cipherName A cipher-suite can consist of an individual cipher name, the system predefined cipher-alias name, or user defined cipher-group name.
eccCurveName Named ECC curve bound to service group
Possible values: ALL, P_224, P_256, P_384, P_521, X_25519
Example
bind ssl service ssl_svc -policyName certInsert_pol -priority 10
unbind ssl serviceGroup
Unbind a SSL policy from a SSL service.
Synopsis
unbind ssl serviceGroup
Arguments
serviceGroupName The name of the SSL service from which the SSL policy needs to be unbound.
certkeyName The name of the certificate bound to the SSL service group.
CA CA certificate.
crlCheck The rule for use of CRL corresponding to this CA certificate during client authentication. If crlCheck is set to Mandatory, the system will deny all SSL clients if the CRL is missing, expired - NextUpdate date is in the past, or is incomplete with remote CRL refresh enabled. If crlCheck is set to optional, the system will allow SSL clients in the above error cases.However, in any case if the client certificate is revoked in the CRL, the SSL client will be denied access.
Possible values: Mandatory, Optional
SNICert The name of the CertKey. Use this option to bind Certkey(s) which will be used in SNI processing.
cipherName A cipher-suite can consist of an individual cipher name, the system predefined cipher-alias name, or user defined cipher-group name.
eccCurveName Named ECC curve bound to service group
Possible values: ALL, P_224, P_256, P_384, P_521, X_25519
Example
unbind ssl service ssl_svc -policyName certInsert_pol
show ssl serviceGroup
Displays information about SSL-specific configuration for all SSL service groups, or displays detailed information about the specified SSL service group.
Synopsis
show ssl serviceGroup [
Arguments
serviceGroupName Name of the SSL service group for which to show detailed information.
Output
dh The state of DH key exchange support for the SSL service group.
dhFile The file name and path for the DH parameter.
dhCount The refresh count for the re-generation of DH public-key and private-key from the DH parameter.
dhKeyExpSizeLimit This option enables the use of NIST recommended (NIST Special Publication 800-56A) bit size for private-key size. For example, for DH params of size 2048bit, the private-key size recommended is 224bits. This is rounded-up to 256bits.
eRSA The state of Ephemeral RSA key exchange support for the SSL service group.Ephemeral RSA is used for export ciphers.
eRSACount The refresh count for the re-generation of RSA public-key and private-key pair.
sessReuse The state of session re-use support for the SSL service group.
sessTimeout The Session timeout value in seconds.
cipherRedirect The state of Cipher Redirect feature. Cipher Redirect feature can be used to provide more readable information to SSL clients about mismatch in ciphers between the client and the SSL vserver.
cipherURL The redirect URL to be used with the Cipher Redirect feature.
sslv2Redirect The state of SSLv2 Redirect feature.SSLv2 Redirect feature can be used to provide more readable information to SSL client about non-support of SSLv2 protocol on the SSL vserver.
sslv2URL The redirect URL to be used with SSLv2 Redirect feature.
clientAuth The state of Client-Authentication support for the SSL service group.
clientCert The rule for client certificate requirement in client authentication.
sslRedirect The state of HTTPS redirects for the SSL service group.
This is required for the proper functioning of the redirect messages from the server. The redirect message from the server provides the new location for the moved object. This is contained in the HTTP header field: Location, e.g. Location: http://www.moved.org/here.html
For the SSL session, if the client browser receives this message, the browser will try to connect to the new location. This will break the secure SSL session, as the object has moved from a secure site (https://) to an un-secure one (http://). Generally browsers flash a warning message on the screen and prompt the user, either to continue or disconnect.
The above feature, when enabled will automatically convert all such http:// redirect message to https://. This will not break the client SSL session.
Note: The set ssl service command can be used for configuring a front-end SSL service for service based SSL Off-Loading, or a backend SSL service for backend-encryption setup.
redirectPortRewrite The state of port-rewrite feature.
nonFipsCiphers The state of usage of non FIPS approved ciphers.
ssl2 The state of SSLv2 protocol support for the SSL service group.
ssl3 State of SSLv3 protocol support for the SSL service group. Note: On platforms with SSL acceleration chips, if the SSL chip does not support SSLv3, this parameter cannot be set to ENABLED.
tls1 State of TLSv1.0 protocol support for the SSL service group.
tls11 State of TLSv1.1 protocol support for the SSL service group.
tls12 State of TLSv1.2 protocol support for the SSL service group.
tls13 State of TLSv1.3 protocol support for the SSL service group.
SNIEnable The state of SNI extension. Server Name Indication (SNI) helps to enable SSL encryption on multiple subdomains if the domains are controlled by the same organization and share the same second-level domain name.
ocspStapling State of OCSP stapling support on the SSL virtual server. Supported only if the protocol used is higher than SSLv3. Possible values: ENABLED: The appliance sends a request to the OCSP responder to check the status of the server certificate and caches the response for the specified time. If the response is valid at the time of SSL handshake with the client, the OCSP-based server certificate status is sent to the client during the handshake. DISABLED: The appliance does not check the status of the server certificate.
serverAuth The state of the server authentication configuration for the SSL service group. For SSL deployments where data is encrypted end-to-end using SSL, you can authenticate the server.
commonName Name to be checked against the CommonName (CN) field in the server certificate bound to the SSL server
cipherAliasName/cipherName/cipherGroupName The name of the cipher group/alias/name configured for the SSL service group.
cipherName The name of the cipher group/alias/name configured for the SSL service group.
ocspCheck The state of the OCSP check parameter. (Mandatory/Optional)
crlCheck The state of the CRL check parameter. (Mandatory/Optional)
description The description of the cipher.
certkeyName The name of the certificate bound to the SSL service group.
clearTextPort The port on the back-end web-servers where the clear-text data is sent by system. Use this setting for the wildcard IP based SSL Acceleration configuration (*:443).
serviceName The service name.
CA CA certificate.
SNICert The name of the CertKey. Use this option to bind Certkey(s) which will be used in SNI processing.
stateflag sendCloseNotify Enable sending SSL Close-Notify at the end of a transaction
eccCurveName Named ECC curve bound to servicegroup.
sslProfile Name of the SSL profile that contains SSL settings for the Service Group.
strictSigDigestCheck Parameter indicating to check whether peer’s certificate is signed with one of signature-hash combination supported by Citrix ADC
service servicegroup devno count
Example
An example of output of show ssl servicegroup command is as shown below show ssl servicegroup ssl_svcg
Advanced SSL configuration for Back-end SSL Service Group ssl_svcg:
Session Reuse: ENABLED Timeout: 300 seconds
Server Auth: DISABLED
Non FIPS Ciphers: DISABLED
SSLv3: ENABLED TLSv1: ENABLED
1) Cipher Name: ALL Description: Predefined Cipher Alias
unset ssl serviceGroup
Use this command to remove ssl serviceGroup settings.Refer to the set ssl serviceGroup command for meanings of the arguments.
Synopsis
unset ssl serviceGroup
set ssl serviceGroup
Sets the advanced SSL configuration for an SSL service group.
Synopsis
set ssl serviceGroup
Arguments
serviceGroupName Name of the SSL service group for which to set advanced configuration.
sslProfile Name of the SSL profile that contains SSL settings for the Service Group.
sessReuse State of session reuse. Establishing the initial handshake requires CPU-intensive public key encryption operations. With the ENABLED setting, session key exchange is avoided for session resumption requests received from the client.
Possible values: ENABLED, DISABLED Default value: ENABLED
sessTimeout Time, in seconds, for which to keep the session active. Any session resumption request received after the timeout period will require a fresh SSL handshake and establishment of a new SSL session. Default value: 300 Minimum value: 0 Maximum value: 4294967294
ssl3 State of SSLv3 protocol support for the SSL service group. Note: On platforms with SSL acceleration chips, if the SSL chip does not support SSLv3, this parameter cannot be set to ENABLED.
Possible values: ENABLED, DISABLED Default value: ENABLED
tls1 State of TLSv1.0 protocol support for the SSL service group.
Possible values: ENABLED, DISABLED Default value: ENABLED
tls11 State of TLSv1.1 protocol support for the SSL service group.
Possible values: ENABLED, DISABLED Default value: ENABLED
tls12 State of TLSv1.2 protocol support for the SSL service group.
Possible values: ENABLED, DISABLED Default value: ENABLED
tls13 State of TLSv1.3 protocol support for the SSL service group.
Possible values: ENABLED, DISABLED Default value: DISABLED
SNIEnable State of the Server Name Indication (SNI) feature on the service. SNI helps to enable SSL encryption on multiple domains on a single virtual server or service if the domains are controlled by the same organization and share the same second-level domain name. For example, *.sports.net can be used to secure domains such as login.sports.net and help.sports.net.
Possible values: ENABLED, DISABLED Default value: DISABLED
ocspStapling State of OCSP stapling support on the SSL virtual server. Supported only if the protocol used is higher than SSLv3. Possible values: ENABLED: The appliance sends a request to the OCSP responder to check the status of the server certificate and caches the response for the specified time. If the response is valid at the time of SSL handshake with the client, the OCSP-based server certificate status is sent to the client during the handshake. DISABLED: The appliance does not check the status of the server certificate.
Possible values: ENABLED, DISABLED Default value: DISABLED
serverAuth State of server authentication support for the SSL service group.
Possible values: ENABLED, DISABLED Default value: DISABLED
commonName Name to be checked against the CommonName (CN) field in the server certificate bound to the SSL server
sendCloseNotify Enable sending SSL Close-Notify at the end of a transaction
Possible values: YES, NO Default value: YES
strictSigDigestCheck Parameter indicating to check whether peer’s certificate is signed with one of signature-hash combination supported by Citrix ADC
Possible values: ENABLED, DISABLED Default value: DISABLED
Example
1)set ssl servicegroup svcg1 -sessReuse DISABLED The above example disables session reuse for the service group ‘svcg1’.
Share
Share
This Preview product documentation is Citrix Confidential.
You agree to hold this documentation confidential pursuant to the terms of your Citrix Beta/Tech Preview Agreement.
The development, release and timing of any features or functionality described in the Preview documentation remains at our sole discretion and are subject to change without notice or consultation.
The documentation is for informational purposes only and is not a commitment, promise or legal obligation to deliver any material, code or functionality and should not be relied upon in making Citrix product purchase decisions.
If you do not agree, select I DO NOT AGREE to exit.