:source: fadcos_client_ssl_profile.py
:orphan:
.. _fadcos_client_ssl_profile:
fadcos_client_ssl_profile -- client ssl profile configuration in Fortinet's FortiADC
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
.. versionadded:: 1.0.0
.. contents::
   :local:
   :depth: 1
Synopsis
--------
- Configure FortiADC client ssl profile
Requirements
------------
The following requirements must be met on the host that executes this module.
- ansible>=2.8
FortiADC Version Compatibility
------------------------------
============================  ======  ======  ======  ======  ======  ======  ======
Module                        v7.0.0  v7.0.1  v7.0.2  v7.1.0  v7.1.4  v7.2.2  v7.4.0
============================  ======  ======  ======  ======  ======  ======  ======
fortiadc_client_ssl_profile   yes     yes     yes     yes     yes     yes     yes
============================  ======  ======  ======  ======  ======  ======  ======
Parameters
----------
- ``action`` - Type of action to perform on the object. (type: str; required: true)
- ``name`` - Client SSL profile name. (type: str; required: true)
- ``backend_ciphers_tlsv13`` - TLSv1.3 cipher suites for the backend connection; only available if backend TLSv1.3 is enabled. (type: str; required: false)
- ``backend_customized_ssl_ciphers_flag`` - Enabled by default. When enabled, you must specify the backend customized SSL cipher suites. (type: str; required: false; default: enable)
- ``backend_ssl_OCSP_stapling_support`` - Enable to let FortiADC support OCSP stapling on the backend connection. (type: str; required: false; default: disable)
- ``backend_ssl_allowed_versions`` - Supported backend SSL/TLS versions. The default still includes SSLv3 (deprecated by RFC 7568) and TLS 1.0/1.1 (deprecated by RFC 8996); set this explicitly so that only TLS 1.2 or later is negotiated with backend servers. (type: str; required: false; default: sslv3 tlsv1.0 tlsv1.1 tlsv1.2)
- ``backend_ssl_ciphers`` - Backend SSL cipher suite. (type: str; required: false)
- ``backend_ssl_sni_forward`` - Enable to let FortiADC forward the Server Name Indication (SNI) received from the client to the backend. (type: str; required: false; default: disable)
- ``client_certificate_verify`` - The client certificate verify configuration object. (type: str; required: false)
- ``client_certificate_verify_mode`` - Available only when a client certificate verify object is selected. Defaults to required. (type: str; required: false; default: required)
- ``client_sni_required`` - Require clients to include the server hostname in the TLS Client Hello via the Server Name Indication (SNI) extension, so that FortiADC can select the appropriate local server certificate to present to the client. (type: str; required: false; default: disable)
- ``customized_ssl_ciphers_flag`` - Enable or disable user-specified cipher suites. If enabled, you must specify an ordered list of customized SSL cipher suites. (type: str; required: false; default: disable)
- ``forward_proxy`` - SSL forward proxy, disabled by default. When enabled, you must also configure the forward proxy settings below. (type: str; required: false; default: disable)
- ``forward_proxy_certificate_caching`` - Forward proxy certificate caching rule. (type: str; required: false)
- ``forward_proxy_intermediate_ca_group`` - Forward proxy intermediate CA group. (type: str; required: false)
- ``forward_proxy_local_signing_ca`` - Forward proxy local signing CA. (type: str; required: false; default: SSLPROXY_LOCAL_CA)
- ``http_forward_client_certificate`` - Disabled by default. When enabled, FortiADC forwards the client certificate to the backend in the header named by ``http_forward_client_certificate_header``. (type: str; required: false; default: disable)
- ``http_forward_client_certificate_header`` - Header used to forward the client certificate when ``http_forward_client_certificate`` is enabled. (type: str; required: false; default: X-Client-Cert)
- ``local_certificate_group`` - Local certificate group containing the certificates this virtual server presents to SSL/TLS clients; typically the certificate for the backend servers' hostname that the virtual server fronts. (type: str; required: false; default: LOCAL_CERT_GROUP)
- ``reject_ocsp_stapling_with_missing_nextupdate`` - Reject stapled OCSP responses that lack a nextUpdate field. Meaningful only when OCSP stapling is configured in the local certificate group. (type: str; required: false; default: disable)
- ``ssl_allowed_versions`` - Allowed client-side SSL/TLS versions. The default includes TLS 1.1, deprecated by RFC 8996; restrict this to TLS 1.2 or later unless legacy clients must be supported. (type: str; required: false; default: tlsv1.1 tlsv1.2)
- ``ssl_ciphers`` - SSL cipher suite. (type: str; required: false)
- ``ssl_ciphers_tlsv13`` - TLS 1.3 cipher suite. (type: str; required: false)
- ``ssl_dh_param_size`` - Public key length of the Diffie-Hellman group used for DHE key exchange. The 1024-bit default is below the 2048-bit minimum recommended by NIST SP 800-57; prefer a 2048-bit or larger group. (type: str; required: false; default: 1024bit)
- ``ssl_dynamic_record_sizing`` - Let the ADC adjust TLS record size dynamically based on connection state, avoiding bottlenecks caused by buffering of TLS record fragments. (type: str; required: false; default: disable)
- ``ssl_renegotiate_period`` - Period, in seconds (default), minutes, or hours, at which FortiADC initiates SSL renegotiation. (type: str; required: false; default: 0)
- ``ssl_renegotiate_size`` - Amount of application data (MB) transmitted over the SSL connection before FortiADC initiates SSL renegotiation. (type: str; required: false; default: 0)
- ``ssl_renegotiation`` - Enable or disable client-initiated SSL renegotiation. (type: str; required: false; default: disable)
- ``ssl_renegotiation_interval`` - Minimum interval between two successive client-initiated SSL renegotiation requests, in seconds, minutes, or hours, e.g. 100s, 20m, or 1h. (type: str; required: false; default: -1)
- ``ssl_secure_renegotiation`` - Secure renegotiation (RFC 5746) handling for SSL connections. (type: str; required: false; default: require)
- ``ssl_session_cache_flag`` - Allow an SSL client that reconnects to this SSL server to request resumption of a previous SSL session. (type: str; required: false; default: enable)
- ``use_tls_tickets`` - Allow TLS session resumption via session tickets, which store the session's key material encrypted on the client. (type: str; required: false; default: enable)
- ``vdom`` - VDOM name, if VDOMs are enabled. (type: str; required: yes if VDOM is enabled)
Examples
--------
.. code-block:: yaml+jinja

    - name: Configure a FortiADC client SSL profile
      hosts: all
      connection: httpapi
      gather_facts: false
      tasks:
        - name: Manage Client SSL Profile
          fadcos_client_ssl_profile:
            action: add
            name: test_client_ssl_profile
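A more complete playbook, added here as an example and not part of the fadcos collection or this module's own documentation. It overrides the permissive defaults listed under Parameters (``backend_ssl_allowed_versions``, ``ssl_allowed_versions``, ``ssl_dh_param_size``) and guards the change with ``ansible.builtin.assert`` so that a deprecated protocol version or a small DH group cannot be pushed by mistake. The inventory group ``fortiadc``, the VDOM ``root``, and the values ``tlsv1.3`` and ``2048bit`` are assumptions not confirmed by this page; check them against your FortiADC release before use.

```yaml
# Added example (not from the fadcos collection or this module's docs).
# Assumptions not confirmed by this page: inventory group "fortiadc" exists,
# the target VDOM is "root", the version list accepts the token "tlsv1.3",
# and ssl_dh_param_size accepts "2048bit".
- name: Create a hardened FortiADC client SSL profile
  hosts: fortiadc
  connection: httpapi
  gather_facts: false
  vars:
    profile_name: hardened_client_ssl_profile
    # Overrides for defaults this page documents as permissive:
    #   ssl_allowed_versions          default "tlsv1.1 tlsv1.2"
    #   backend_ssl_allowed_versions  default "sslv3 tlsv1.0 tlsv1.1 tlsv1.2"
    #   ssl_dh_param_size             default "1024bit"
    frontend_versions: "tlsv1.2 tlsv1.3"   # "tlsv1.3" token is assumed
    backend_versions: "tlsv1.2"
    dh_param_size: "2048bit"               # assumed accepted value
    # Versions deprecated by RFC 7568 (SSLv3) and RFC 8996 (TLS 1.0/1.1)
    forbidden_versions: ["sslv3", "tlsv1.0", "tlsv1.1"]
  tasks:
    - name: Refuse to push a profile that still allows deprecated versions or weak DH
      ansible.builtin.assert:
        that:
          - frontend_versions.split() | intersect(forbidden_versions) | length == 0
          - backend_versions.split() | intersect(forbidden_versions) | length == 0
          - dh_param_size | regex_replace('bit$', '') | int >= 2048
        fail_msg: >-
          Profile {{ profile_name }} still permits a deprecated TLS version
          or a DH group smaller than 2048 bits

    - name: Add the client SSL profile
      fadcos_client_ssl_profile:
        action: add
        vdom: root
        name: "{{ profile_name }}"
        ssl_allowed_versions: "{{ frontend_versions }}"
        backend_ssl_allowed_versions: "{{ backend_versions }}"
        ssl_dh_param_size: "{{ dh_param_size }}"
        # Defaults from this page that are already the safer choice, set
        # explicitly so the profile does not depend on platform defaults
        ssl_renegotiation: disable
        ssl_secure_renegotiation: require
        customized_ssl_ciphers_flag: disable
        # Forward the client's SNI so the backend can pick the right certificate
        backend_ssl_sni_forward: enable
        local_certificate_group: LOCAL_CERT_GROUP
```

The assert task runs before any change reaches the appliance, so a later edit to the vars that reintroduces ``tlsv1.1`` or ``1024bit`` fails the play instead of silently weakening the profile.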
Return Values
-------------
Common return values are documented at https://docs.ansible.com/ansible/latest/reference_appendices/common_return_values.html#common-return-values; the following HTTP status codes are specific to this module:

- 200 - OK: the request completed successfully.
- 400 - Bad Request: the request cannot be processed by the API.
- 401 - Not Authorized: the request was made without a successful login session.
- 403 - Forbidden: the request is missing a CSRF token, or the administrator lacks access profile permissions.
- 404 - Resource Not Found: the specified resource could not be found.
- 405 - Method Not Allowed: the HTTP method is not allowed for this resource.
- 413 - Request Entity Too Large: the request body is too large to process.
- 424 - Failed Dependency: a duplicate resource, a missing required parameter or attribute, or an invalid attribute value.
- 429 - Access temporarily blocked: the maximum number of failed authentications was reached; the offending source is temporarily blocked for a certain amount of time.
- 500 - Internal Server Error: an internal error occurred while processing the request.

For error codes, see the FortiADC API error code reference at https://fndn.fortinet.net/index.php?/fortiapi/981-fortiadc/
Status
------
- This module is not guaranteed to have a backwards compatible interface.
Authors
-------
- Jie Li
- Aravindh Sri
.. hint::

   If you notice any issues in this documentation, you can create a pull request to improve it.