
How to disable SSLv3, TLS1.0 and TLS1.1 for a service group and vserver

Open lumarel opened this issue 2 years ago • 2 comments

Similar to #64 I'm searching for a way to disable the noted protocols for a service group. Has the implementation already been updated, or am I just searching for the wrong modules?

Best would be if it would be possible to define the list similar to servicemembers or monitor_bindings in citrix_adc_servicegroup, citrix_adc_cs_vserver and citrix_adc_lb_vserver.

The same would also be nice to have for the eccCurve 👌🏻

Thank you for the already quite useful modules! Cheers, Lukas

lumarel avatar Jul 05 '22 09:07 lumarel

@lumarel , can you please help us in understanding what exactly you are trying to achieve and what you are not able to achieve with relevant CLI and ansible playbook examples?

sumanth-lingappa avatar Aug 10 '22 04:08 sumanth-lingappa

@sumanth-lingappa Thank you for the reply!

So it's basically this here:

    - name: Server config
      citrix.adc.citrix_adc_server:
        nitro_user: "{{ netscaler_user }}"
        nitro_pass: "{{ netscaler_pass }}"
        nsip: "{{ netscaler_fqdn }}"
        name: "{{ item.name }}"
        ipaddress: "{{ item.ip }}"
      with_items:
        - name: server01.example.com
          ip: 10.0.0.1

    - name: Servicegroup config SSL
      citrix.adc.citrix_adc_servicegroup:
        nitro_user: "{{ netscaler_user }}"
        nitro_pass: "{{ netscaler_pass }}"
        nsip: "{{ netscaler_fqdn }}"
        servicegroupname: SG_example.com
        servicetype: SSL
        cip: enabled
        cipheader: X-Forwarded-For
        cka: false
        clttimeout: 180
        cmp: true
        maxclient: 0
        maxreq: 0
        svrtimeout: 360
        tcpb: false
        tcpprofilename: nstcp_default_tcp_lan
        useproxyport: true
        usip: false
        servicemembers:
          mode: exact
          attributes:
            - servername: server01.example.com
              port: 443
        monitor_bindings:
          mode: exact
          attributes:
            - mon_1

    - name: Disable SSL and TLS for Servicegroup
      citrix.adc.citrix_adc_nitro_request:
        nitro_user: "{{ netscaler_user }}"
        nitro_pass: "{{ netscaler_pass }}"
        nsip: "{{ netscaler_fqdn }}"
        operation: update
        resource: sslservicegroup
        name: SG_example.com
        attributes:
          servicegroupname: SG_example.com
          ssl3: "DISABLED"
          tls1: "DISABLED"
          tls11: "DISABLED"

    - name: vServer config SSL
      citrix.adc.citrix_adc_cs_vserver:
        nitro_user: "{{ netscaler_user }}"
        nitro_pass: "{{ netscaler_pass }}"
        nsip: "{{ netscaler_fqdn }}"
        name: example.com
        servicetype: SSL
        ipv46: 10.1.0.1
        port: 443
        clttimeout: 180
        servicegroupbindings:
          - servicegroupname: SG_example.com
        ssl_certkey: Cert_example.com

    - name: Update eccCurve for vServer
      citrix.adc.citrix_adc_nitro_request:
        nitro_user: "{{ netscaler_user }}"
        nitro_pass: "{{ netscaler_pass }}"
        nsip: "{{ netscaler_fqdn }}"
        operation: add
        resource: sslvserver_ecccurve_binding
        name: example.com
        attributes:
          vservername: example.com
          ecccurvename: "{{ item }}"
      with_items:
        - P_384
        - P_521

As you can see we want to create a vserver (in this case a content switching vserver, as this was the first example that came across my way, but it is also needed for the lb vserver) which has only the more modern SSL protocols enabled and only specific ciphers enabled. As far as I could see this is only possible with the nitro request module right now, but as far as I understood it, that's comparable to the command module: it just executes something but is not state-based. So, what I'm after is something that makes sure that only the listed protocols or ciphers are enabled.

It could be that I overlooked this somewhere, so a link to the docs or the code would also be great 🙂

Thanks!

lumarel avatar Aug 16 '22 06:08 lumarel

I know it's a very late reply :-)

Hello @lumarel, We have migrated to a new netscaler.adc ansible collection. Your question can be handled using the below module. https://netscaler.github.io/ansible-collection-netscaleradc/collections/netscaler/adc/sslvserver_ecccurve_binding_module.html#ansible-collections-netscaler-adc-sslvserver-ecccurve-binding-module

Please let me know if you need further assistance.

sumanth-lingappa avatar Feb 01 '24 10:02 sumanth-lingappa
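As an added example (not from this issue or from the netscaler.adc project), here is what the original playbook's two `citrix_adc_nitro_request` tasks look like as state-based tasks in the new collection. It assumes that `netscaler.adc.sslservicegroup` and `netscaler.adc.sslvserver` accept `ssl3`, `tls1`, `tls11`, `tls12` and `tls13` with the values `ENABLED`/`DISABLED`, that `netscaler.adc.sslvserver_ecccurve_binding` accepts `vservername` and `ecccurvename`, and that the `nsip`/`nitro_user`/`nitro_pass`/`state` connection parameters behave as in the linked module docs; the object names are the ones from the issue.

```yaml
# Added example; not the project's own playbook. Module parameter names are
# assumed to match the netscaler.adc collection docs linked above.
- name: Restrict protocol versions and ECC curves on a NetScaler ADC
  hosts: localhost
  gather_facts: false
  vars:
    # Assumed to be supplied from inventory/vault, as in the original playbook.
    ns_conn:
      nsip: "{{ netscaler_fqdn }}"
      nitro_user: "{{ netscaler_user }}"
      nitro_pass: "{{ netscaler_pass }}"
      validate_certs: true
    # Allow-list of curves; anything not listed is explicitly unbound below.
    allowed_curves: [P_384, P_521]
    disallowed_curves: [P_224, P_256]
  tasks:
    - name: Back-end side - disable SSLv3, TLS1.0 and TLS1.1 on the service group
      netscaler.adc.sslservicegroup:
        state: present
        servicegroupname: SG_example.com
        ssl3: DISABLED
        tls1: DISABLED
        tls11: DISABLED
        tls12: ENABLED
        tls13: ENABLED
      args: "{{ ns_conn }}"

    - name: Client-facing side - same protocol set on the CS vserver
      netscaler.adc.sslvserver:
        state: present
        vservername: example.com
        ssl3: DISABLED
        tls1: DISABLED
        tls11: DISABLED
        tls12: ENABLED
        tls13: ENABLED
      args: "{{ ns_conn }}"

    # state: present on a binding is idempotent: re-running the play does not
    # re-add a curve that is already bound (unlike nitro_request with operation: add).
    - name: Bind the allowed ECC curves to the vserver
      netscaler.adc.sslvserver_ecccurve_binding:
        state: present
        vservername: example.com
        ecccurvename: "{{ item }}"
      args: "{{ ns_conn }}"
      loop: "{{ allowed_curves }}"

    # The "only the listed curves" part of the request: remove the rest.
    - name: Unbind ECC curves that are not on the allow-list
      netscaler.adc.sslvserver_ecccurve_binding:
        state: absent
        vservername: example.com
        ecccurvename: "{{ item }}"
      args: "{{ ns_conn }}"
      loop: "{{ disallowed_curves }}"
```

Two caveats worth checking before relying on this. First, if the default SSL profile is enabled on the appliance (`show ssl parameter` reports `Default profile: ENABLED`), protocol settings live on the SSL profile bound to the vserver or service group rather than on the vserver/service group object itself, and the per-object `ssl3`/`tls1`/`tls11` settings are rejected; in that case manage an `sslprofile` instead. Second, verify the result from the outside rather than trusting the changed/ok status: `openssl s_client -connect example.com:443 -tls1_1` should fail the handshake, while `-tls1_2` and `-tls1_3` should succeed, and `show ssl vserver example.com` on the appliance should list only the curves you bound.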

closing this for now. Please re-open/create a new issue if you need any help

sumanth-lingappa avatar Feb 12 '24 10:02 sumanth-lingappa

@sumanth-lingappa Sorry for the late reply as well, only had time to update our deployments now.

But yeah, easily said, the new netscaler.adc modules are a blessing, everything I needed so far is available (except a way to detect the cluster primary, aka _info modules, but the workaround in #296 made that a non-issue). Some of the modules might need an example (i.e. how to correctly use servicegroupbindings for lbvserver), but the variable docs were mostly enough to find the correct way in the end. Thank you so much, it's amazing how well this collection is able to be used now! 😃

lumarel avatar Apr 17 '24 20:04 lumarel