Legacy SSL profile
Note:
Citrix recommends using the enhanced profiles instead of legacy profiles. For information about the enhanced profile infrastructure, see SSL profile infrastructure.
Important:
Bind an SSL profile to an SSL virtual server. Do not bind a DTLS profile to an SSL virtual server. For information about DTLS profiles, see DTLS Profiles.
You can use an SSL profile to specify how a Citrix ADC processes SSL traffic. The profile is a collection of SSL parameter settings for SSL entities, such as virtual servers, services, and service groups, and offers ease of configuration and flexibility. You are not limited to configuring only one set of global parameters. You can create multiple sets (profiles) of global parameters and assign different sets to different SSL entities. SSL profiles are classified into two categories:
- Front end profiles, containing parameters applicable to the front-end entity. That is, they apply to the entity that receives requests from a client.
- Back-end profiles, containing parameters applicable to the back-end entity. That is, they apply to the entity that sends client requests to a server.
Unlike a TCP or HTTP profile, an SSL profile is optional. Therefore, there is no default SSL profile. The same profile can be reused across multiple entities. If an entity does not have a profile attached, the values set at the global level apply. For dynamically learned services, current global values apply.
The following table lists the parameters that are part of each profile.
Front end profile | Back-end profile |
---|---|
cipherRedirect, cipherURL | denySSLReneg |
clearTextPort* | encryptTriggerPktCount |
clientAuth, clientCert | nonFipsCiphers |
denySSLReneg | pushEncTrigger |
dh, dhFile, dhCount | pushEncTriggerTimeout |
dropReqWithNoHostHeader | pushFlag |
encryptTriggerPktCount | quantumSize |
eRSA, eRSACount | serverAuth |
insertionEncoding | commonName |
nonFipsCiphers | sessReuse, sessTimeout |
pushEncTrigger | SNIEnable |
pushEncTriggerTimeout | ssl3 |
pushFlag | sslTriggerTimeout |
quantumSize | strictCAChecks |
redirectPortRewrite | tls1 |
sendCloseNotify | - |
sessReuse, sessTimeout | - |
SNIEnable | - |
ssl3 | - |
sslRedirect | - |
sslTriggerTimeout | - |
strictCAChecks | - |
tls1, tls11, tls12 | - |
* The clearTextPort parameter applies only to an SSL virtual server.
An error message appears if you try to set a parameter that is not part of the profile, for example, if you try to set the clientAuth parameter in a back-end profile.
Some SSL parameters, such as CRL memory size, OCSP cache size, UndefAction Control, and UndefAction Data, are not part of any of the preceding profiles, because these parameters are independent of entities.
An SSL profile supports the following operations:
- Add—Creates an SSL profile on the Citrix ADC. Specify whether the profile is front end or back end. Front end is the default.
- Set—Modifies the settings of an existing profile.
- Unset—Sets the specified parameters to their default values. If you do not specify any parameters, an error message appears. If you unset a profile on an entity, the profile is unbound from the entity.
- Remove—Deletes a profile. A profile that is being used by any entity cannot be deleted. Clearing the configuration deletes all the entities. As a result, the profiles are also deleted.
- Show—Displays all the profiles that are available on the Citrix ADC. If a profile name is specified, the details of that profile are displayed. If an entity is specified, the profiles associated with that entity are displayed.
Create an SSL profile by using the CLI
- To add an SSL profile, type:
add ssl profile <name> [-sslProfileType ( BackEnd | FrontEnd )]
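The profile-type rule described above (a parameter outside the profile's list is rejected, and a profile added without -sslProfileType is front end) can be checked offline before a batch of commands reaches the appliance. The following Python linter is an added example, not Citrix code; its parameter lists are copied from the table on this page, and the function name, profile names and sample configuration are assumptions constructed for illustration.

```python
import shlex
# Parameter lists copied from the table on this page, lower-cased for matching.
FRONT = set("""cipherredirect cipherurl cleartextport clientauth clientcert
denysslreneg dh dhfile dhcount dropreqwithnohostheader encrypttriggerpktcount
ersa ersacount insertionencoding nonfipsciphers pushenctrigger
pushenctriggertimeout pushflag quantumsize redirectportrewrite sendclosenotify
sessreuse sesstimeout snienable ssl3 sslredirect ssltriggertimeout
strictcachecks tls1 tls11 tls12""".split())
BACK = set("""denysslreneg encrypttriggerpktcount nonfipsciphers pushenctrigger
pushenctriggertimeout pushflag quantumsize serverauth commonname sessreuse
sesstimeout snienable ssl3 ssltriggertimeout strictcachecks tls1""".split())
ALLOWED = {"frontend": FRONT, "backend": BACK}

def lint_ssl_profiles(config_text):
    """Return (line_no, profile, message) for each parameter outside its profile type."""
    types, findings = {}, []
    for no, raw in enumerate(config_text.splitlines(), 1):
        tok = shlex.split(raw, comments=True)
        if len(tok) < 4 or [t.lower() for t in tok[1:3]] != ["ssl", "profile"]:
            continue
        verb, name = tok[0].lower(), tok[3]
        if verb == "add":
            types[name] = "frontend"  # front end is the default type
            for i, t in enumerate(tok[4:-1], 4):
                if t.lower() == "-sslprofiletype":
                    types[name] = tok[i + 1].lower()
        elif verb not in ("set", "unset"):
            continue
        allowed = ALLOWED.get(types.get(name))
        if allowed is None:
            findings.append((no, name, "unknown profile or profile type"))
            continue
        for t in tok[4:]:
            key = t[1:].lower()
            if t.startswith("-") and key != "sslprofiletype" and key not in allowed:
                findings.append((no, name, f"{t} is not a {types[name]} parameter"))
    return findings

# Constructed sample configuration (hypothetical profile names).
SAMPLE = """\
add ssl profile fe_web
add ssl profile be_app -sslProfileType BackEnd
set ssl profile fe_web -clientAuth ENABLED -tls12 ENABLED
set ssl profile be_app -clientAuth ENABLED -serverAuth ENABLED
set ssl profile fe_web -serverAuth ENABLED
"""

if __name__ == "__main__":
    print(*lint_ssl_profiles(SAMPLE), sep="\n")
```

If the documentation for your release lists different parameters per profile type, update FRONT and BACK to match before relying on the result.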