ADC NITRO APIs

sslservice

Configuration for SSL service resource.

Properties

(click to see Operations )

Name Data Type Permissions Description
servicename Read-write Name of the SSL service.

Minimum length = 1
dh Read-write State of Diffie-Hellman (DH) key exchange. This parameter is not applicable when configuring a backend service.

Default value: DISABLED

Possible values = ENABLED, DISABLED
dhfile Read-write Name for and, optionally, path to the PEM-format DH parameter file to be installed. /nsconfig/ssl/ is the default path. This parameter is not applicable when configuring a backend service.

Minimum length = 1
dhcount Read-write Number of interactions, between the client and the Citrix ADC, after which the DH private-public pair is regenerated. A value of zero (0) specifies infinite use (no refresh). This parameter is not applicable when configuring a backend service. Allowed DH count values are 0 and >= 500.

Minimum value = 0

Maximum value = 65534
dhkeyexpsizelimit Read-write This option enables the use of NIST recommended (NIST Special Publication 800-56A) bit size for private-key size. For example, for DH params of size 2048bit, the private-key size recommended is 224bits. This is rounded-up to 256bits.

Default value: DISABLED

Possible values = ENABLED, DISABLED
ersa Read-write State of Ephemeral RSA (eRSA) key exchange. Ephemeral RSA allows clients that support only export ciphers to communicate with the secure server even if the server certificate does not support export clients. The ephemeral RSA key is automatically generated when you bind an export cipher to an SSL or TCP-based SSL virtual server or service. When you remove the export cipher, the eRSA key is not deleted. It is reused at a later date when another export cipher is bound to an SSL or TCP-based SSL virtual server or service. The eRSA key is deleted when the appliance restarts.

This parameter is not applicable when configuring a backend service.

Default value: DISABLED

Possible values = ENABLED, DISABLED
ersacount Read-write Refresh count for regeneration of RSA public-key and private-key pair. Zero (0) specifies infinite usage (no refresh).

This parameter is not applicable when configuring a backend service.

Minimum value = 0

Maximum value = 65534
sessreuse Read-write State of session reuse. Establishing the initial handshake requires CPU-intensive public key encryption operations. With the ENABLED setting, session key exchange is avoided for session resumption requests received from the client.

Default value: ENABLED

Possible values = ENABLED, DISABLED
sesstimeout Read-write Time, in seconds, for which to keep the session active. Any session resumption request received after the timeout period will require a fresh SSL handshake and establishment of a new SSL session.

Default value: 300

Minimum value = 0

Maximum value = 4294967294
cipherredirect Read-write State of Cipher Redirect. If this parameter is set to ENABLED, you can configure an SSL virtual server or service to display meaningful error messages if the SSL handshake fails because of a cipher mismatch between the virtual server or service and the client.

This parameter is not applicable when configuring a backend service.

Default value: DISABLED

Possible values = ENABLED, DISABLED
cipherurl Read-write URL of the page to which to redirect the client in case of a cipher mismatch. Typically, this page has a clear explanation of the error or an alternative location that the transaction can continue from.

This parameter is not applicable when configuring a backend service.
sslv2redirect Read-write State of SSLv2 Redirect. If this parameter is set to ENABLED, you can configure an SSL virtual server or service to display meaningful error messages if the SSL handshake fails because of a protocol version mismatch between the virtual server or service and the client.

This parameter is not applicable when configuring a backend service.

Default value: DISABLED

Possible values = ENABLED, DISABLED
sslv2url Read-write URL of the page to which to redirect the client in case of a protocol version mismatch. Typically, this page has a clear explanation of the error or an alternative location that the transaction can continue from.

This parameter is not applicable when configuring a backend service.
clientauth Read-write State of client authentication. In service-based SSL offload, the service terminates the SSL handshake if the SSL client does not provide a valid certificate.

This parameter is not applicable when configuring a backend service.

Default value: DISABLED

Possible values = ENABLED, DISABLED
clientcert Read-write Type of client authentication. If this parameter is set to MANDATORY, the appliance terminates the SSL handshake if the SSL client does not provide a valid certificate. With the OPTIONAL setting, the appliance requests a certificate from the SSL clients but proceeds with the SSL transaction even if the client presents an invalid certificate.

This parameter is not applicable when configuring a backend SSL service.

Caution: Define proper access control policies before changing this setting to Optional.

Possible values = Mandatory, Optional
sslredirect Read-write State of HTTPS redirects for the SSL service.



For an SSL session, if the client browser receives a redirect message, the browser tries to connect to the new location. However, the secure SSL session breaks if the object has moved from a secure site (https://) to an unsecure site (http://). Typically, a warning message appears on the screen, prompting the user to continue or disconnect.

If SSL Redirect is ENABLED, the redirect message is automatically converted from http:// to https:// and the SSL session does not break.



This parameter is not applicable when configuring a backend service.

Default value: DISABLED

Possible values = ENABLED, DISABLED
redirectportrewrite Read-write State of the port rewrite while performing HTTPS redirect. If this parameter is set to ENABLED, and the URL from the server does not contain the standard port, the port is rewritten to the standard.

Default value: DISABLED

Possible values = ENABLED, DISABLED
ssl2 Read-write State of SSLv2 protocol support for the SSL service.

This parameter is not applicable when configuring a backend service.

Default value: DISABLED

Possible values = ENABLED, DISABLED
ssl3 Read-write State of SSLv3 protocol support for the SSL service.

Note: On platforms with SSL acceleration chips, if the SSL chip does not support SSLv3, this parameter cannot be set to ENABLED.

Default value: ENABLED

Possible values = ENABLED, DISABLED
tls1 Read-write State of TLSv1.0 protocol support for the SSL service.

Default value: ENABLED

Possible values = ENABLED, DISABLED
tls11 Read-write State of TLSv1.1 protocol support for the SSL service.

Default value: ENABLED

Possible values = ENABLED, DISABLED
tls12 Read-write State of TLSv1.2 protocol support for the SSL service.

Default value: ENABLED

Possible values = ENABLED, DISABLED
tls13 Read-write State of TLSv1.3 protocol support for the SSL service.

Default value: DISABLED

Possible values = ENABLED, DISABLED
dtls1 Read-write State of DTLSv1.0 protocol support for the SSL service.

Default value: ENABLED

Possible values = ENABLED, DISABLED
dtls12 Read-write State of DTLSv1.2 protocol support for the SSL service.

Default value: DISABLED

Possible values = ENABLED, DISABLED
snienable Read-write State of the Server Name Indication (SNI) feature on the virtual server and service-based offload. SNI helps to enable SSL encryption on multiple domains on a single virtual server or service if the domains are controlled by the same organization and share the same second-level domain name. For example, *.sports.net can be used to secure domains such as login.sports.net and help.sports.net.

Default value: DISABLED

Possible values = ENABLED, DISABLED
ocspstapling Read-write State of OCSP stapling support on the SSL virtual server. Supported only if the protocol used is higher than SSLv3. Possible values ENABLED: The appliance sends a request to the OCSP responder to check the status of the server certificate and caches the response for the specified time. If the response is valid at the time of SSL handshake with the client, the OCSP-based server certificate status is sent to the client during the handshake. DISABLED: The appliance does not check the status of the server certificate. . Default value: DISABLED Possible values = ENABLED, DISABLED
serverauth Read-write State of server authentication support for the SSL service.

Default value: DISABLED

Possible values = ENABLED, DISABLED
commonname Read-write Name to be checked against the CommonName (CN) field in the server certificate bound to the SSL server.

Minimum length = 1
pushenctrigger Read-write Trigger encryption on the basis of the PUSH flag value. Available settings function as follows
  • ALWAYS - Any PUSH packet triggers encryption.
  • IGNORE - Ignore PUSH packet for triggering encryption.
  • MERGE - For a consecutive sequence of PUSH packets, the last PUSH packet triggers encryption.
  • TIMER - PUSH packet triggering encryption is delayed by the time defined in the set ssl parameter command or in the Change Advanced SSL Settings dialog box. Possible values = Always, Merge, Ignore, Timer
  • sendclosenotify Read-write Enable sending SSL Close-Notify at the end of a transaction.

    Default value: YES

    Possible values = YES, NO
    dtlsprofilename Read-write Name of the DTLS profile that contains DTLS settings for the service.

    Minimum length = 1

    Maximum length = 127
    sslprofile Read-write Name of the SSL profile that contains SSL settings for the service.

    Minimum length = 1

    Maximum length = 127
    strictsigdigestcheck Read-write Parameter indicating to check whether peer’s certificate during TLS1.2 handshake is signed with one of signature-hash combination supported by Citrix ADC.

    Default value: DISABLED

    Possible values = ENABLED, DISABLED
    nonfipsciphers Read-only The state of usage of non FIPS approved ciphers.

    Default value: DISABLED

    Possible values = ENABLED, DISABLED
    service Read-only .
    skipcaname Read-only The flag is used to indicate whether this particular CA certificate’s CA_Name needs to be sent to the SSL client while requesting for client certificate in a SSL handshake.
    dtlsflag Read-only The flag is used to indicate whether DTLS is set or not.
    __count Read-only count parameter

    Operations

    (click to see Properties )

    • UPDATE
    • UNSET
    • GET (ALL)
    • GET
    • COUNT

    Some options that you can use for each operations:

    • Getting warnings in response: NITRO allows you to get warnings in an operation by specifying the 'warning' query parameter as 'yes'. For example, to get warnings while connecting to the NetScaler appliance, the URL is as follows:

      http:// <netscaler-ip-address> /nitro/v1/config/login?warning=yes

      If any, the warnings are displayed in the response payload with the HTTP code '209 X-NITRO-WARNING'.

    • Authenticated access for individual NITRO operations: NITRO allows you to logon to the NetScaler appliance to perform individual operations. You can use this option instead of creating a NITRO session (using the login object) and then using that session to perform all operations,

      To do this, you must specify the username and password in the request header of the NITRO request as follows:

      X-NITRO-USER: <username>

      X-NITRO-PASS: <password>

      Note: In such cases, make sure that the request header DOES not include the following:

      Cookie:NITRO_AUTH_TOKEN= <tokenvalue>

    *Note: *

    Mandatory parameters are marked in red and placeholder content is marked in green

    update

    URL: http:// <netscaler-ip-address> /nitro/v1/config/sslservice

    HTTP Method: PUT

    Request Headers:

    Cookie:NITRO_AUTH_TOKEN= <tokenvalue>

    Content-Type:application/json

    Request Payload:

    
    {"sslservice":{
    <b>      "servicename":<String_value>,
    </b>      "dh":<String_value>,
          "dhfile":<String_value>,
          "dhcount":<Double_value>,
          "dhkeyexpsizelimit":<String_value>,
          "ersa":<String_value>,
          "ersacount":<Double_value>,
          "sessreuse":<String_value>,
          "sesstimeout":<Double_value>,
          "cipherredirect":<String_value>,
          "cipherurl":<String_value>,
          "sslv2redirect":<String_value>,
          "sslv2url":<String_value>,
          "clientauth":<String_value>,
          "clientcert":<String_value>,
          "sslredirect":<String_value>,
          "redirectportrewrite":<String_value>,
          "ssl2":<String_value>,
          "ssl3":<String_value>,
          "tls1":<String_value>,
          "tls11":<String_value>,
          "tls12":<String_value>,
          "tls13":<String_value>,
          "dtls1":<String_value>,
          "dtls12":<String_value>,
          "snienable":<String_value>,
          "ocspstapling":<String_value>,
          "serverauth":<String_value>,
          "commonname":<String_value>,
          "pushenctrigger":<String_value>,
          "sendclosenotify":<String_value>,
          "dtlsprofilename":<String_value>,
          "sslprofile":<String_value>,
          "strictsigdigestcheck":<String_value>
    }}
    
    <!--NeedCopy-->
    

    Response:

    HTTP Status Code on Success: 200 OK

    HTTP Status Code on Failure: 4xx <string> (for general HTTP errors) or 5xx <string> (for NetScaler-specific errors). The response payload provides details of the error

    unset

    URL: http:// <netscaler-ip-address> /nitro/v1/config/sslservice? action=unset

    HTTP Method: POST

    Request Headers:

    Cookie:NITRO_AUTH_TOKEN= <tokenvalue>

    Content-Type:application/json

    Request Payload:

    
    {"sslservice":{
    <b>      "servicename":<String_value>,
    </b>      "dh":true,
          "dhfile":true,
          "dhcount":true,
          "dhkeyexpsizelimit":true,
          "ersa":true,
          "ersacount":true,
          "sessreuse":true,
          "sesstimeout":true,
          "cipherredirect":true,
          "cipherurl":true,
          "sslv2redirect":true,
          "sslv2url":true,
          "clientauth":true,
          "clientcert":true,
          "sslredirect":true,
          "redirectportrewrite":true,
          "ssl2":true,
          "ssl3":true,
          "tls1":true,
          "tls11":true,
          "tls12":true,
          "tls13":true,
          "dtls1":true,
          "dtls12":true,
          "snienable":true,
          "ocspstapling":true,
          "serverauth":true,
          "commonname":true,
          "sendclosenotify":true,
          "dtlsprofilename":true,
          "sslprofile":true,
          "strictsigdigestcheck":true
    }}
    
    <!--NeedCopy-->
    

    Response:

    HTTP Status Code on Success: 200 OK

    HTTP Status Code on Failure: 4xx <string> (for general HTTP errors) or 5xx <string> (for NetScaler-specific errors). The response payload provides details of the error

    get (all)

    URL: http:// <netscaler-ip-address> /nitro/v1/config/sslservice

    Query-parameters:

    attrs

    http:// <netscaler-ip-address> /nitro/v1/config/sslservice? attrs=property-name1,property-name2

    Use this query parameter to specify the resource details that you want to retrieve.

    filter

    http:// <netscaler-ip-address> /nitro/v1/config/sslservice? filter=property-name1:property-val1,property-name2:property-val2

    Use this query-parameter to get the filtered set of sslservice resources configured on NetScaler.Filtering can be done on any of the properties of the resource.

    view

    http:// <netscaler-ip-address> /nitro/v1/config/sslservice? view=summary

    Use this query-parameter to get the summary output of sslservice resources configured on NetScaler.

    Note: By default, the retrieved results are displayed in detail view (?view=detail).

    pagination

    http:// <netscaler-ip-address> /nitro/v1/config/sslservice? pagesize=#no;pageno=#no

    Use this query-parameter to get the sslservice resources in chunks.

    HTTP Method: GET

    Request Headers:

    Cookie:NITRO_AUTH_TOKEN= <tokenvalue>

    Accept:application/json

    Response:

    HTTP Status Code on Success: 200 OK

    HTTP Status Code on Failure: 4xx <string> (for general HTTP errors) or 5xx <string> (for NetScaler-specific errors). The response payload provides details of the error

    Response Header:

    Content-Type:application/json

    Response Payload:

    
    { "sslservice": [ {
          "servicename":<String_value>,
          "dh":<String_value>,
          "dhfile":<String_value>,
          "dhcount":<Double_value>,
          "dhkeyexpsizelimit":<String_value>,
          "ersa":<String_value>,
          "ersacount":<Double_value>,
          "sessreuse":<String_value>,
          "sesstimeout":<Double_value>,
          "cipherredirect":<String_value>,
          "cipherurl":<String_value>,
          "sslv2redirect":<String_value>,
          "sslv2url":<String_value>,
          "clientauth":<String_value>,
          "clientcert":<String_value>,
          "sslredirect":<String_value>,
          "redirectportrewrite":<String_value>,
          "nonfipsciphers":<String_value>,
          "ssl2":<String_value>,
          "ssl3":<String_value>,
          "tls1":<String_value>,
          "tls11":<String_value>,
          "tls12":<String_value>,
          "tls13":<String_value>,
          "dtls1":<String_value>,
          "dtls12":<String_value>,
          "snienable":<String_value>,
          "ocspstapling":<String_value>,
          "serverauth":<String_value>,
          "commonname":<String_value>,
          "service":<Double_value>,
          "pushenctrigger":<String_value>,
          "skipcaname":<Boolean_value>,
          "sendclosenotify":<String_value>,
          "dtlsprofilename":<String_value>,
          "dtlsflag":<Boolean_value>,
          "sslprofile":<String_value>,
          "strictsigdigestcheck":<String_value>
    }]}
    
    <!--NeedCopy-->
    

    get

    URL: http:// <netscaler-ip-address> /nitro/v1/config/sslservice/ servicename_value<String>

    Query-parameters:

    attrs

    http:// <netscaler-ip-address> /nitro/v1/config/sslservice/ servicename_value<String> ? attrs=property-name1,property-name2

    Use this query parameter to specify the resource details that you want to retrieve.

    view

    http:// <netscaler-ip-address> /nitro/v1/config/sslservice/ servicename_value<String> ? view=summary

    Use this query-parameter to get the summary output of sslservice resources configured on NetScaler.

    Note: By default, the retrieved results are displayed in detail view (?view=detail).

    HTTP Method: GET

    Request Headers:

    Cookie:NITRO_AUTH_TOKEN= <tokenvalue>

    Accept:application/json

    Response:

    HTTP Status Code on Success: 200 OK

    HTTP Status Code on Failure: 4xx <string> (for general HTTP errors) or 5xx <string> (for NetScaler-specific errors). The response payload provides details of the error

    Response Header:

    Content-Type:application/json

    Response Payload:

    
    {  "sslservice": [ {
          "servicename":<String_value>,
          "dh":<String_value>,
          "dhfile":<String_value>,
          "dhcount":<Double_value>,
          "dhkeyexpsizelimit":<String_value>,
          "ersa":<String_value>,
          "ersacount":<Double_value>,
          "sessreuse":<String_value>,
          "sesstimeout":<Double_value>,
          "cipherredirect":<String_value>,
          "cipherurl":<String_value>,
          "sslv2redirect":<String_value>,
          "sslv2url":<String_value>,
          "clientauth":<String_value>,
          "clientcert":<String_value>,
          "sslredirect":<String_value>,
          "redirectportrewrite":<String_value>,
          "nonfipsciphers":<String_value>,
          "ssl2":<String_value>,
          "ssl3":<String_value>,
          "tls1":<String_value>,
          "tls11":<String_value>,
          "tls12":<String_value>,
          "tls13":<String_value>,
          "dtls1":<String_value>,
          "dtls12":<String_value>,
          "snienable":<String_value>,
          "ocspstapling":<String_value>,
          "serverauth":<String_value>,
          "commonname":<String_value>,
          "service":<Double_value>,
          "pushenctrigger":<String_value>,
          "skipcaname":<Boolean_value>,
          "sendclosenotify":<String_value>,
          "dtlsprofilename":<String_value>,
          "dtlsflag":<Boolean_value>,
          "sslprofile":<String_value>,
          "strictsigdigestcheck":<String_value>
    }]}
    
    <!--NeedCopy-->
    

    count

    URL: http:// <netscaler-ip-address> /nitro/v1/config/sslservice? count=yes

    HTTP Method: GET

    Request Headers:

    Cookie:NITRO_AUTH_TOKEN= <tokenvalue>

    Accept:application/json

    Response:

    HTTP Status Code on Success: 200 OK

    HTTP Status Code on Failure: 4xx <string> (for general HTTP errors) or 5xx <string> (for NetScaler-specific errors). The response payload provides details of the error

    Response Header:

    Content-Type:application/json

    Response Payload:

    
    { "sslservice": [ { "__count": "#no"} ] }
    
    <!--NeedCopy-->
    
    sslservice