ADC CLI Commands

ssl-serviceGroup

The following operations can be performed on “ssl-serviceGroup”:

bind unbind show unset set

bind ssl serviceGroup

Bind a SSL certkey or a SSL policy to a SSL service.

Synopsis

bind ssl serviceGroup @ \(\(-certkeyName \[\(-CA \[-crlCheck \( Mandatory | Optional ) | -ocspCheck \( Mandatory | Optional )]) | -SNICert] ) | -cipherName ) \[-eccCurveName ]

Arguments

serviceGroupName The name of the SSL service to which the SSL policy needs to be bound.

certkeyName The name of the CertKey

CA CA certificate.

crlCheck The rule for use of CRL corresponding to this CA certificate during client authentication. If crlCheck is set to Mandatory, the system will deny all SSL clients if the CRL is missing, expired - NextUpdate date is in the past, or is incomplete with remote CRL refresh enabled. If crlCheck is set to optional, the system will allow SSL clients in the above error cases.However, in any case if the client certificate is revoked in the CRL, the SSL client will be denied access.

Possible values: Mandatory, Optional

SNICert The name of the CertKey. Use this option to bind Certkey(s) which will be used in SNI processing.

ocspCheck The state of the OCSP check parameter. (Mandatory/Optional)

Possible values: Mandatory, Optional

cipherName A cipher-suite can consist of an individual cipher name, the system predefined cipher-alias name, or user defined cipher-group name.

eccCurveName Named ECC curve bound to service group

Possible values: ALL, P_224, P_256, P_384, P_521, X_25519

Example

bind ssl service ssl_svc -policyName certInsert_pol -priority 10

unbind ssl serviceGroup

Unbind a SSL policy from a SSL service.

Synopsis

unbind ssl serviceGroup @ \(\(-certkeyName \[\(-CA \[-crlCheck \( Mandatory | Optional )]) | -SNICert] ) | -cipherName ) \[-eccCurveName ]

Arguments

serviceGroupName The name of the SSL service from which the SSL policy needs to be unbound.

certkeyName The name of the certificate bound to the SSL service group.

CA CA certificate.

crlCheck The rule for use of CRL corresponding to this CA certificate during client authentication. If crlCheck is set to Mandatory, the system will deny all SSL clients if the CRL is missing, expired - NextUpdate date is in the past, or is incomplete with remote CRL refresh enabled. If crlCheck is set to optional, the system will allow SSL clients in the above error cases.However, in any case if the client certificate is revoked in the CRL, the SSL client will be denied access.

Possible values: Mandatory, Optional

SNICert The name of the CertKey. Use this option to bind Certkey(s) which will be used in SNI processing.

cipherName A cipher-suite can consist of an individual cipher name, the system predefined cipher-alias name, or user defined cipher-group name.

eccCurveName Named ECC curve bound to service group

Possible values: ALL, P_224, P_256, P_384, P_521, X_25519

Example

unbind ssl service ssl_svc -policyName certInsert_pol

show ssl serviceGroup

Displays information about SSL-specific configuration for all SSL service groups, or displays detailed information about the specified SSL service group.

Synopsis

show ssl serviceGroup []

Arguments

serviceGroupName Name of the SSL service group for which to show detailed information.

Output

dh The state of DH key exchange support for the SSL service group.

dhFile The file name and path for the DH parameter.

dhCount The refresh count for the re-generation of DH public-key and private-key from the DH parameter.

dhKeyExpSizeLimit This option enables the use of NIST recommended (NIST Special Publication 800-56A) bit size for private-key size. For example, for DH params of size 2048bit, the private-key size recommended is 224bits. This is rounded-up to 256bits.

eRSA The state of Ephemeral RSA key exchange support for the SSL service group.Ephemeral RSA is used for export ciphers.

eRSACount The refresh count for the re-generation of RSA public-key and private-key pair.

sessReuse The state of session re-use support for the SSL service group.

sessTimeout The Session timeout value in seconds.

cipherRedirect The state of Cipher Redirect feature. Cipher Redirect feature can be used to provide more readable information to SSL clients about mismatch in ciphers between the client and the SSL vserver.

cipherURL The redirect URL to be used with the Cipher Redirect feature.

sslv2Redirect The state of SSLv2 Redirect feature.SSLv2 Redirect feature can be used to provide more readable information to SSL client about non-support of SSLv2 protocol on the SSL vserver.

sslv2URL The redirect URL to be used with SSLv2 Redirect feature.

clientAuth The state of Client-Authentication support for the SSL service group.

clientCert The rule for client certificate requirement in client authentication.

sslRedirect The state of HTTPS redirects for the SSL service group.

This is required for the proper functioning of the redirect messages from the server. The redirect message from the server provides the new location for the moved object. This is contained in the HTTP header field: Location, e.g. Location: http://www.moved.org/here.html

For the SSL session, if the client browser receives this message, the browser will try to connect to the new location. This will break the secure SSL session, as the object has moved from a secure site (https://) to an un-secure one (http://). Generally browsers flash a warning message on the screen and prompt the user, either to continue or disconnect.

The above feature, when enabled will automatically convert all such http:// redirect message to https://. This will not break the client SSL session.

Note: The set ssl service command can be used for configuring a front-end SSL service for service based SSL Off-Loading, or a backend SSL service for backend-encryption setup.

redirectPortRewrite The state of port-rewrite feature.

nonFipsCiphers The state of usage of non FIPS approved ciphers.

ssl2 The state of SSLv2 protocol support for the SSL service group.

ssl3 State of SSLv3 protocol support for the SSL service group. Note: On platforms with SSL acceleration chips, if the SSL chip does not support SSLv3, this parameter cannot be set to ENABLED.

tls1 State of TLSv1.0 protocol support for the SSL service group.

tls11 State of TLSv1.1 protocol support for the SSL service group.

tls12 State of TLSv1.2 protocol support for the SSL service group.

tls13 State of TLSv1.3 protocol support for the SSL service group.

SNIEnable The state of SNI extension. Server Name Indication (SNI) helps to enable SSL encryption on multiple subdomains if the domains are controlled by the same organization and share the same second-level domain name.

ocspStapling State of OCSP stapling support on the SSL virtual server. Supported only if the protocol used is higher than SSLv3. Possible values: ENABLED: The appliance sends a request to the OCSP responder to check the status of the server certificate and caches the response for the specified time. If the response is valid at the time of SSL handshake with the client, the OCSP-based server certificate status is sent to the client during the handshake. DISABLED: The appliance does not check the status of the server certificate.

serverAuth The state of the server authentication configuration for the SSL service group. For SSL deployments where data is encrypted end-to-end using SSL, you can authenticate the server.

commonName Name to be checked against the CommonName (CN) field in the server certificate bound to the SSL server

cipherAliasName/cipherName/cipherGroupName The name of the cipher group/alias/name configured for the SSL service group.

cipherName The name of the cipher group/alias/name configured for the SSL service group.

ocspCheck The state of the OCSP check parameter. (Mandatory/Optional)

crlCheck The state of the CRL check parameter. (Mandatory/Optional)

description The description of the cipher.

certkeyName The name of the certificate bound to the SSL service group.

clearTextPort The port on the back-end web-servers where the clear-text data is sent by system. Use this setting for the wildcard IP based SSL Acceleration configuration (*:443).

serviceName The service name.

CA CA certificate.

SNICert The name of the CertKey. Use this option to bind Certkey(s) which will be used in SNI processing.

stateflag sendCloseNotify Enable sending SSL Close-Notify at the end of a transaction

eccCurveName Named ECC curve bound to servicegroup.

sslProfile Name of the SSL profile that contains SSL settings for the Service Group.

strictSigDigestCheck Parameter indicating to check whether peer’s certificate is signed with one of signature-hash combination supported by Citrix ADC

service servicegroup devno count

Example

An example of output of show ssl servicegroup command is as shown below show ssl servicegroup ssl_svcg

    Advanced SSL configuration for Back-end SSL Service Group ssl_svcg:
    Session Reuse: ENABLED          Timeout: 300 seconds
    Server Auth: DISABLED
    Non FIPS Ciphers: DISABLED
    SSLv3: ENABLED  TLSv1: ENABLED

1) Cipher Name: ALL Description: Predefined Cipher Alias

unset ssl serviceGroup

Use this command to remove ssl serviceGroup settings.Refer to the set ssl serviceGroup command for meanings of the arguments.

Synopsis

unset ssl serviceGroup @ [-sslProfile] [-sessReuse] [-sessTimeout] [-ssl3] [-tls1] [-tls11] [-tls12] [-tls13] [-SNIEnable] [-ocspStapling] [-serverAuth] [-commonName] [-sendCloseNotify] [-strictSigDigestCheck]

set ssl serviceGroup

Sets the advanced SSL configuration for an SSL service group.

Synopsis

set ssl serviceGroup @ \[-sslProfile ] \[-sessReuse \( ENABLED | DISABLED ) \[-sessTimeout <positive\_integer>]] \[-ssl3 \( ENABLED | DISABLED )] \[-tls1 \( ENABLED | DISABLED )] \[-tls11 \( ENABLED | DISABLED )] \[-tls12 \( ENABLED | DISABLED )] \[-tls13 \( ENABLED | DISABLED )] \[-SNIEnable \( ENABLED | DISABLED )] \[-ocspStapling \( ENABLED | DISABLED )] \[-serverAuth \( ENABLED | DISABLED )] \[-commonName ] \[-sendCloseNotify \( YES | NO )] \[-strictSigDigestCheck \( ENABLED | DISABLED )]

Arguments

serviceGroupName Name of the SSL service group for which to set advanced configuration.

sslProfile Name of the SSL profile that contains SSL settings for the Service Group.

sessReuse State of session reuse. Establishing the initial handshake requires CPU-intensive public key encryption operations. With the ENABLED setting, session key exchange is avoided for session resumption requests received from the client.

Possible values: ENABLED, DISABLED Default value: ENABLED

sessTimeout Time, in seconds, for which to keep the session active. Any session resumption request received after the timeout period will require a fresh SSL handshake and establishment of a new SSL session. Default value: 300 Minimum value: 0 Maximum value: 4294967294

ssl3 State of SSLv3 protocol support for the SSL service group. Note: On platforms with SSL acceleration chips, if the SSL chip does not support SSLv3, this parameter cannot be set to ENABLED.

Possible values: ENABLED, DISABLED Default value: ENABLED

tls1 State of TLSv1.0 protocol support for the SSL service group.

Possible values: ENABLED, DISABLED Default value: ENABLED

tls11 State of TLSv1.1 protocol support for the SSL service group.

Possible values: ENABLED, DISABLED Default value: ENABLED

tls12 State of TLSv1.2 protocol support for the SSL service group.

Possible values: ENABLED, DISABLED Default value: ENABLED

tls13 State of TLSv1.3 protocol support for the SSL service group.

Possible values: ENABLED, DISABLED Default value: DISABLED

SNIEnable State of the Server Name Indication (SNI) feature on the service. SNI helps to enable SSL encryption on multiple domains on a single virtual server or service if the domains are controlled by the same organization and share the same second-level domain name. For example, *.sports.net can be used to secure domains such as login.sports.net and help.sports.net.

Possible values: ENABLED, DISABLED Default value: DISABLED

ocspStapling State of OCSP stapling support on the SSL virtual server. Supported only if the protocol used is higher than SSLv3. Possible values: ENABLED: The appliance sends a request to the OCSP responder to check the status of the server certificate and caches the response for the specified time. If the response is valid at the time of SSL handshake with the client, the OCSP-based server certificate status is sent to the client during the handshake. DISABLED: The appliance does not check the status of the server certificate.

Possible values: ENABLED, DISABLED Default value: DISABLED

serverAuth State of server authentication support for the SSL service group.

Possible values: ENABLED, DISABLED Default value: DISABLED

commonName Name to be checked against the CommonName (CN) field in the server certificate bound to the SSL server

sendCloseNotify Enable sending SSL Close-Notify at the end of a transaction

Possible values: YES, NO Default value: YES

strictSigDigestCheck Parameter indicating to check whether peer’s certificate is signed with one of signature-hash combination supported by Citrix ADC

Possible values: ENABLED, DISABLED Default value: DISABLED

Example

1)set ssl servicegroup svcg1 -sessReuse DISABLED The above example disables session reuse for the service group ‘svcg1’.

ssl-serviceGroup