Forum Discussion

h_elyot's avatar
h_elyot
Icon for Nimbostratus rankNimbostratus
Aug 06, 2019

Change Parent SSL profile of 3 SSL Clients on the same Virtual Server

Hello,   I currently have client SSL profiles attached to one Virtual Server. Their parent profile is the default "clientssl". In order to avoid using week ciphers, I have created a "no_CBC" cip...
  • jonwest1_uk's avatar
    jonwest1_uk
    Aug 07, 2019

    No problem.

    Yes I would probably use tmsh to list them out, copy the profiles you're interested in to a text editor, change the profile name and defaults-from value from clienssl to no_CBC. Then I would use load /sys config merge from-terminal to add it into the config.

    Something like this:

    [root@bigip:Active:Standalone] config # tmsh
root@(bigip)(cfg-sync Standalone)(Active)(/Common)(tmos)# list ltm profile client-ssl test1
ltm profile client-ssl test1 {
    app-service none
    cert default.crt
    cert-key-chain {
        default_default {
            cert default.crt
            chain default.crt
            key default.key
        }
    }
    chain default.crt
    inherit-certkeychain false
    key default.key
    passphrase none
}
root@(bigip)(cfg-sync Standalone)(Active)(/Common)(tmos)# load /sys config merge from-terminal
Enter configuration. Press CTRL-D to submit or CTRL-C to cancel.
ltm profile client-ssl test1_new {
    app-service none
    cert default.crt
    cert-key-chain {
        default_default {
            cert default.crt
            chain default.crt
            key default.key
        }
    }
    chain default.crt
    inherit-certkeychain false
    key default.key
    passphrase none
	defaults-from no_CBC
}
Loading configuration...
root@(bigip)(cfg-sync Standalone)(Active)(/Common)(tmos)# list ltm profile client-ssl test1_new 
ltm profile client-ssl test1_new {
    app-service none
    cert default.crt
    cert-key-chain {
        default_default {
            cert default.crt
            chain default.crt
            key default.key
        }
    }
    chain default.crt
    defaults-from no_CBC
    inherit-certkeychain true
    key default.key
    passphrase none
}
h_elyot's avatar
h_elyot
Icon for Nimbostratus rankNimbostratus
Aug 07, 2019

Hello jonwest1_uk and thank you for your answer.

 

If I want to avoid turning the Virtual Server down in order to safely switch SSL profiles, I have to go with option 2. Then, is there a way to make a copy of client SSL profile, to be sure the 3 new ones I will create are the same than the 3 existing ones (except the parent profile I will change for "no_CBC" ?