-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
sslparameter
-
-
-
-
-
videooptimizationdetectionpolicylabel_videooptimizationdetectionpolicy_binding
-
videooptimizationdetectionpolicy_videooptimizationglobaldetection_binding
-
videooptimizationglobaldetection_videooptimizationdetectionpolicy_binding
-
videooptimizationglobalpacing_videooptimizationpacingpolicy_binding
-
videooptimizationpacingpolicylabel_videooptimizationpacingpolicy_binding
-
videooptimizationpacingpolicy_videooptimizationglobalpacing_binding
-
This content has been machine translated dynamically.
Dieser Inhalt ist eine maschinelle Übersetzung, die dynamisch erstellt wurde. (Haftungsausschluss)
Cet article a été traduit automatiquement de manière dynamique. (Clause de non responsabilité)
Este artículo lo ha traducido una máquina de forma dinámica. (Aviso legal)
此内容已经过机器动态翻译。 放弃
このコンテンツは動的に機械翻訳されています。免責事項
이 콘텐츠는 동적으로 기계 번역되었습니다. 책임 부인
Este texto foi traduzido automaticamente. (Aviso legal)
Questo contenuto è stato tradotto dinamicamente con traduzione automatica.(Esclusione di responsabilità))
This article has been machine translated.
Dieser Artikel wurde maschinell übersetzt. (Haftungsausschluss)
Ce article a été traduit automatiquement. (Clause de non responsabilité)
Este artículo ha sido traducido automáticamente. (Aviso legal)
この記事は機械翻訳されています.免責事項
이 기사는 기계 번역되었습니다.책임 부인
Este artigo foi traduzido automaticamente.(Aviso legal)
这篇文章已经过机器翻译.放弃
Questo articolo è stato tradotto automaticamente.(Esclusione di responsabilità))
Translation failed!
sslparameter
Configuration for SSL parameter resource.
Properties
(click to see Operations )
| Name | Data Type | Permissions | Description |
|---|---|---|---|
| quantumsize |
|
Read-write | Amount of data to collect before the data is pushed to the crypto hardware for encryption. For large downloads, a larger quantum size better utilizes the crypto resources.
Default value: 8192 Possible values = 4096, 8192, 16384 |
| crlmemorysizemb |
|
Read-write | Maximum memory size to use for certificate revocation lists (CRLs). This parameter reserves memory for a CRL but sets a limit to the maximum memory that the CRLs loaded on the appliance can consume.
Default value: 256 Minimum value = 10 Maximum value = 1024 |
| strictcachecks |
|
Read-write | Enable strict CA certificate checks on the appliance.
Default value: NO Possible values = YES, NO |
| ssltriggertimeout |
|
Read-write | Time, in milliseconds, after which encryption is triggered for transactions that are not tracked on the Citrix ADC because their length is not known. There can be a delay of up to 10ms from the specified timeout value before the packet is pushed into the queue.
Default value: 100 Minimum value = 1 Maximum value = 200 |
| sendclosenotify |
|
Read-write | Send an SSL Close-Notify message to the client at the end of a transaction.
Default value: YES Possible values = YES, NO |
| encrypttriggerpktcount |
|
Read-write | Maximum number of queued packets after which encryption is triggered. Use this setting for SSL transactions that send small packets from server to Citrix ADC.
Default value: 45 Minimum value = 10 Maximum value = 50 |
| denysslreneg |
|
Read-write | Deny renegotiation in specified circumstances. Available settings function as follows
|
| insertionencoding |
|
Read-write | Encoding method used to insert the subject or issuer’s name in HTTP requests to servers.
Default value: Unicode Possible values = Unicode, UTF-8 |
| ocspcachesize |
|
Read-write | Size, per packet engine, in megabytes, of the OCSP cache. A maximum of 10% of the packet engine memory can be assigned. Because the maximum allowed packet engine memory is 4GB, the maximum value that can be assigned to the OCSP cache is approximately 410 MB.
Default value: 10 Minimum value = 0 Maximum value = 512 |
| pushflag |
|
Read-write | Insert PUSH flag into decrypted, encrypted, or all records. If the PUSH flag is set to a value other than 0, the buffered records are forwarded on the basis of the value of the PUSH flag. Available settings function as follows 0 - Auto (PUSH flag is not set.) 1 - Insert PUSH flag into every decrypted record. 2 -Insert PUSH flag into every encrypted record. 3 - Insert PUSH flag into every decrypted and encrypted record. Minimum value = 0 Maximum value = 3 |
| dropreqwithnohostheader |
|
Read-write | Host header check for SNI enabled sessions. If this check is enabled and the HTTP request does not contain the host header for SNI enabled sessions(i.e vserver or profile bound to vserver has SNI enabled and ‘Client Hello’ arrived with SNI extension), the request is dropped.
Default value: NO Possible values = YES, NO |
| snihttphostmatch |
|
Read-write | Controls how the HTTP ‘Host’ header value is validated. These checks are performed only if the session is SNI enabled (i.e when vserver or profile bound to vserver has SNI enabled and ‘Client Hello’ arrived with SNI extension) and HTTP request contains ‘Host’ header. Available settings function as follows CERT - Request is forwarded if the ‘Host’ value is covered by the certificate used to establish this SSL session. Note: ‘CERT’ matching mode cannot be applied in TLS 1.3 connections established by resuming from a previous TLS 1.3 session. On these connections, ‘STRICT’ matching mode will be used instead. STRICT - Request is forwarded only if value of ‘Host’ header in HTTP is identical to the ‘Server name’ value passed in ‘Client Hello’ of the SSL connection. NO - No validation is performed on the HTTP ‘Host’ header value. Default value: CERT Possible values = NO, CERT, STRICT |
| pushenctriggertimeout |
|
Read-write | PUSH encryption trigger timeout value. The timeout value is applied only if you set the Push Encryption Trigger parameter to Timer in the SSL virtual server settings.
Default value: 1 Minimum value = 1 Maximum value = 200 |
| cryptodevdisablelimit |
|
Read-write | Limit to the number of disabled SSL chips after which the ADC restarts. A value of zero implies that the ADC does not automatically restart.
Default value: 0 |
| undefactioncontrol |
|
Read-write | Name of the undefined built-in control action: CLIENTAUTH, NOCLIENTAUTH, NOOP, RESET, or DROP.
Default value: “CLIENTAUTH” |
| undefactiondata |
|
Read-write | Name of the undefined built-in data action: NOOP, RESET or DROP.
Default value: “NOOP” |
| defaultprofile |
|
Read-write | Global parameter used to enable default profile feature.
Default value: DISABLED Possible values = ENABLED, DISABLED |
| softwarecryptothreshold |
|
Read-write | Citrix ADC CPU utilization threshold (in percentage) beyond which crypto operations are not done in software.
A value of zero implies that CPU is not utilized for doing crypto in software. Default value: 0 Minimum value = 0 Maximum value = 100 |
| hybridfipsmode |
|
Read-write | When this mode is enabled, system will use additional crypto hardware to accelerate symmetric crypto operations.
Default value: DISABLED Possible values = ENABLED, DISABLED |
| sigdigesttype | <String[]> | Read-write | Signature Digest Algorithms that are supported by appliance. Default value is “ALL” and it will enable the following algorithms depending on the platform.
On VPX: ECDSA-SHA1 ECDSA-SHA224 ECDSA-SHA256 ECDSA-SHA384 ECDSA-SHA512 RSA-SHA1 RSA-SHA224 RSA-SHA256 RSA-SHA384 RSA-SHA512 DSA-SHA1 DSA-SHA224 DSA-SHA256 DSA-SHA384 DSA-SHA512 On MPX with Nitrox-III and coleto cards: RSA-SHA1 RSA-SHA224 RSA-SHA256 RSA-SHA384 RSA-SHA512 ECDSA-SHA1 ECDSA-SHA224 ECDSA-SHA256 ECDSA-SHA384 ECDSA-SHA512 Others: RSA-SHA1 RSA-SHA224 RSA-SHA256 RSA-SHA384 RSA-SHA512. Note:ALL doesnot include RSA-MD5 for any platform. Default value: ALL Possible values = ALL, RSA-MD5, RSA-SHA1, RSA-SHA224, RSA-SHA256, RSA-SHA384, RSA-SHA512, DSA-SHA1, DSA-SHA224, DSA-SHA256, DSA-SHA384, DSA-SHA512, ECDSA-SHA1, ECDSA-SHA224, ECDSA-SHA256, ECDSA-SHA384, ECDSA-SHA512 |
| sslierrorcache |
|
Read-write | Enable or disable dynamically learning and caching the learned information to make the subsequent interception or bypass decision. When enabled, NS does the lookup of this cached data to do early bypass.
Default value: DISABLED Possible values = ENABLED, DISABLED |
| sslimaxerrorcachemem |
|
Read-write | Specify the maximum memory that can be used for caching the learned data. This memory is used as a LRU cache so that the old entries gets replaced with new entry once the set memory limit is fully utilised. A value of 0 decides the limit automatically.
Default value: 0 Minimum value = 0 Maximum value = 4294967294 |
| insertcertspace |
|
Read-write | To insert space between lines in the certificate header of request.
Default value: YES Possible values = YES, NO |
| ndcppcompliancecertcheck |
|
Read-write | Applies when the Citrix ADC appliance acts as a client (back-end connection). Settings apply as follows YES - During certificate verification, ignore the common name if SAN is present in the certificate. NO - Do not ignore common name. Default value: NO Possible values = YES, NO |
| heterogeneoussslhw |
|
Read-write | To support both cavium and coleto based platforms in cluster environment, this mode has to be enabled.
Default value: DISABLED Possible values = ENABLED, DISABLED |
| operationqueuelimit |
|
Read-write | Limit in percentage of capacity of the crypto operations queue beyond which new SSL connections are not accepted until the queue is reduced.
Default value: 150 Minimum value = 0 Maximum value = 10000 |
| svctls1112disable |
|
Read-only | Disable TLS 1.1 and 1.2 for dynamic and VPN created services.
Default value: NO Possible values = YES, NO |
| montls1112disable |
|
Read-only | Disable TLS 1.1 and 1.2 for secure (https) monitors bound to SSL_BRIDGE services.
Default value: NO Possible values = YES, NO |
Operations
(click to see Properties )
- UPDATE
- UNSET
- GET (ALL)
Some options that you can use for each operations:
-
Getting warnings in response: NITRO allows you to get warnings in an operation by specifying the 'warning' query parameter as 'yes'. For example, to get warnings while connecting to the NetScaler appliance, the URL is as follows:
http:// <netscaler-ip-address> /nitro/v1/config/login?warning=yes
If any, the warnings are displayed in the response payload with the HTTP code '209 X-NITRO-WARNING'.
-
Authenticated access for individual NITRO operations: NITRO allows you to logon to the NetScaler appliance to perform individual operations. You can use this option instead of creating a NITRO session (using the login object) and then using that session to perform all operations,
To do this, you must specify the username and password in the request header of the NITRO request as follows:
X-NITRO-USER: <username>
X-NITRO-PASS: <password>
Note: In such cases, make sure that the request header DOES not include the following:
Cookie:NITRO_AUTH_TOKEN= <tokenvalue>
*Note:
*
Mandatory parameters are marked in
red
and placeholder content is marked in
green
update
URL: http:// <netscaler-ip-address> /nitro/v1/config/sslparameter HTTP Method: PUT
Request Headers:
Cookie:NITRO_AUTH_TOKEN= <tokenvalue>
Content-Type:application/json
Request Payload:
{"sslparameter":{
"quantumsize":<String_value>,
"crlmemorysizemb":<Double_value>,
"strictcachecks":<String_value>,
"ssltriggertimeout":<Double_value>,
"sendclosenotify":<String_value>,
"encrypttriggerpktcount":<Double_value>,
"denysslreneg":<String_value>,
"insertionencoding":<String_value>,
"ocspcachesize":<Double_value>,
"pushflag":<Double_value>,
"dropreqwithnohostheader":<String_value>,
"snihttphostmatch":<String_value>,
"pushenctriggertimeout":<Double_value>,
"cryptodevdisablelimit":<Double_value>,
"undefactioncontrol":<String_value>,
"undefactiondata":<String_value>,
"defaultprofile":<String_value>,
"softwarecryptothreshold":<Double_value>,
"hybridfipsmode":<String_value>,
"sigdigesttype":<String[]_value>,
"sslierrorcache":<String_value>,
"sslimaxerrorcachemem":<Double_value>,
"insertcertspace":<String_value>,
"ndcppcompliancecertcheck":<String_value>,
"heterogeneoussslhw":<String_value>,
"operationqueuelimit":<Double_value>
}}
<!--NeedCopy-->
Response: HTTP Status Code on Success: 200 OK
HTTP Status Code on Failure: 4xx <string> (for general HTTP errors) or 5xx <string> (for NetScaler-specific errors). The response payload provides details of the error
unset
URL: http:// <netscaler-ip-address> /nitro/v1/config/sslparameter? action=unset HTTP Method: POST
Request Headers:
Cookie:NITRO_AUTH_TOKEN= <tokenvalue>
Content-Type:application/json
Request Payload:
{"sslparameter":{
"quantumsize":true,
"crlmemorysizemb":true,
"strictcachecks":true,
"ssltriggertimeout":true,
"sendclosenotify":true,
"encrypttriggerpktcount":true,
"denysslreneg":true,
"insertionencoding":true,
"ocspcachesize":true,
"pushflag":true,
"dropreqwithnohostheader":true,
"snihttphostmatch":true,
"pushenctriggertimeout":true,
"cryptodevdisablelimit":true,
"undefactioncontrol":true,
"undefactiondata":true,
"defaultprofile":true,
"softwarecryptothreshold":true,
"hybridfipsmode":true,
"sigdigesttype":true,
"sslierrorcache":true,
"sslimaxerrorcachemem":true,
"insertcertspace":true,
"ndcppcompliancecertcheck":true,
"heterogeneoussslhw":true,
"operationqueuelimit":true
}}
<!--NeedCopy-->
Response: HTTP Status Code on Success: 200 OK
HTTP Status Code on Failure: 4xx <string> (for general HTTP errors) or 5xx <string> (for NetScaler-specific errors). The response payload provides details of the error
get (all)
URL: http:// <netscaler-ip-address> /nitro/v1/config/sslparameter HTTP Method: GET
Request Headers:
Cookie:NITRO_AUTH_TOKEN= <tokenvalue>
Accept:application/json
Response: HTTP Status Code on Success: 200 OK
HTTP Status Code on Failure: 4xx <string> (for general HTTP errors) or 5xx <string> (for NetScaler-specific errors). The response payload provides details of the error
Response Header:
Content-Type:application/json
Response Payload:
{ "sslparameter": [ {
"quantumsize":<String_value>,
"crlmemorysizemb":<Double_value>,
"strictcachecks":<String_value>,
"ssltriggertimeout":<Double_value>,
"sendclosenotify":<String_value>,
"encrypttriggerpktcount":<Double_value>,
"denysslreneg":<String_value>,
"insertionencoding":<String_value>,
"ocspcachesize":<Double_value>,
"pushflag":<Double_value>,
"dropreqwithnohostheader":<String_value>,
"snihttphostmatch":<String_value>,
"pushenctriggertimeout":<Double_value>,
"cryptodevdisablelimit":<Double_value>,
"undefactioncontrol":<String_value>,
"undefactiondata":<String_value>,
"defaultprofile":<String_value>,
"svctls1112disable":<String_value>,
"montls1112disable":<String_value>,
"softwarecryptothreshold":<Double_value>,
"hybridfipsmode":<String_value>,
"sigdigesttype":<String[]_value>,
"sslierrorcache":<String_value>,
"sslimaxerrorcachemem":<Double_value>,
"insertcertspace":<String_value>,
"ndcppcompliancecertcheck":<String_value>,
"heterogeneoussslhw":<String_value>,
"operationqueuelimit":<Double_value>
}]}
<!--NeedCopy-->
Share
Share
In this article
This Preview product documentation is Citrix Confidential.
You agree to hold this documentation confidential pursuant to the terms of your Citrix Beta/Tech Preview Agreement.
The development, release and timing of any features or functionality described in the Preview documentation remains at our sole discretion and are subject to change without notice or consultation.
The documentation is for informational purposes only and is not a commitment, promise or legal obligation to deliver any material, code or functionality and should not be relied upon in making Citrix product purchase decisions.
If you do not agree, select I DO NOT AGREE to exit.