Forum Discussion

h_elyot's avatar
h_elyot
Icon for Nimbostratus rankNimbostratus
Aug 06, 2019

Change Parent SSL profile of 3 SSL Clients on the same Virtual Server

Hello,   I currently have client SSL profiles attached to one Virtual Server. Their parent profile is the default "clientssl". In order to avoid using week ciphers, I have created a "no_CBC" cip...
  • jonwest1_uk's avatar
    jonwest1_uk
    Aug 07, 2019

    No problem.

    Yes I would probably use tmsh to list them out, copy the profiles you're interested in to a text editor, change the profile name and defaults-from value from clienssl to no_CBC. Then I would use load /sys config merge from-terminal to add it into the config.

    Something like this:

    [root@bigip:Active:Standalone] config # tmsh
root@(bigip)(cfg-sync Standalone)(Active)(/Common)(tmos)# list ltm profile client-ssl test1
ltm profile client-ssl test1 {
    app-service none
    cert default.crt
    cert-key-chain {
        default_default {
            cert default.crt
            chain default.crt
            key default.key
        }
    }
    chain default.crt
    inherit-certkeychain false
    key default.key
    passphrase none
}
root@(bigip)(cfg-sync Standalone)(Active)(/Common)(tmos)# load /sys config merge from-terminal
Enter configuration. Press CTRL-D to submit or CTRL-C to cancel.
ltm profile client-ssl test1_new {
    app-service none
    cert default.crt
    cert-key-chain {
        default_default {
            cert default.crt
            chain default.crt
            key default.key
        }
    }
    chain default.crt
    inherit-certkeychain false
    key default.key
    passphrase none
	defaults-from no_CBC
}
Loading configuration...
root@(bigip)(cfg-sync Standalone)(Active)(/Common)(tmos)# list ltm profile client-ssl test1_new 
ltm profile client-ssl test1_new {
    app-service none
    cert default.crt
    cert-key-chain {
        default_default {
            cert default.crt
            chain default.crt
            key default.key
        }
    }
    chain default.crt
    defaults-from no_CBC
    inherit-certkeychain true
    key default.key
    passphrase none
}
jonwest1_uk's avatar
jonwest1_uk
Icon for Cirrus rankCirrus
Aug 06, 2019

Hi, you've got a couple of options. You can either remove the client SSL profiles from being assigned to the Virtual server, change their parent and they re-add them.

 

Or if this isn't an option create new client SSL profiles that are using "no_CBC" as a parent then swap them out on the virtual server for the existing 3 profiles.