Forum Discussion
h_elyot
Nimbostratus
NimbostratusChange Parent SSL profile of 3 SSL Clients on the same Virtual Server
Hello, I currently have client SSL profiles attached to one Virtual Server. Their parent profile is the default "clientssl". In order to avoid using week ciphers, I have created a "no_CBC" cip...
No problem.
Yes I would probably use tmsh to list them out, copy the profiles you're interested in to a text editor, change the profile name and defaults-from value from clienssl to no_CBC. Then I would use load /sys config merge from-terminal to add it into the config.
Something like this:
[root@bigip:Active:Standalone] config # tmsh root@(bigip)(cfg-sync Standalone)(Active)(/Common)(tmos)# list ltm profile client-ssl test1 ltm profile client-ssl test1 { app-service none cert default.crt cert-key-chain { default_default { cert default.crt chain default.crt key default.key } } chain default.crt inherit-certkeychain false key default.key passphrase none } root@(bigip)(cfg-sync Standalone)(Active)(/Common)(tmos)# load /sys config merge from-terminal Enter configuration. Press CTRL-D to submit or CTRL-C to cancel. ltm profile client-ssl test1_new { app-service none cert default.crt cert-key-chain { default_default { cert default.crt chain default.crt key default.key } } chain default.crt inherit-certkeychain false key default.key passphrase none defaults-from no_CBC } Loading configuration... root@(bigip)(cfg-sync Standalone)(Active)(/Common)(tmos)# list ltm profile client-ssl test1_new ltm profile client-ssl test1_new { app-service none cert default.crt cert-key-chain { default_default { cert default.crt chain default.crt key default.key } } chain default.crt defaults-from no_CBC inherit-certkeychain true key default.key passphrase none }
jonwest1_uk
Cirrus
CirrusNo problem.
Yes I would probably use tmsh to list them out, copy the profiles you're interested in to a text editor, change the profile name and defaults-from value from clienssl to no_CBC. Then I would use load /sys config merge from-terminal to add it into the config.
Something like this:
[root@bigip:Active:Standalone] config # tmsh
root@(bigip)(cfg-sync Standalone)(Active)(/Common)(tmos)# list ltm profile client-ssl test1
ltm profile client-ssl test1 {
app-service none
cert default.crt
cert-key-chain {
default_default {
cert default.crt
chain default.crt
key default.key
}
}
chain default.crt
inherit-certkeychain false
key default.key
passphrase none
}
root@(bigip)(cfg-sync Standalone)(Active)(/Common)(tmos)# load /sys config merge from-terminal
Enter configuration. Press CTRL-D to submit or CTRL-C to cancel.
ltm profile client-ssl test1_new {
app-service none
cert default.crt
cert-key-chain {
default_default {
cert default.crt
chain default.crt
key default.key
}
}
chain default.crt
inherit-certkeychain false
key default.key
passphrase none
defaults-from no_CBC
}
Loading configuration...
root@(bigip)(cfg-sync Standalone)(Active)(/Common)(tmos)# list ltm profile client-ssl test1_new
ltm profile client-ssl test1_new {
app-service none
cert default.crt
cert-key-chain {
default_default {
cert default.crt
chain default.crt
key default.key
}
}
chain default.crt
defaults-from no_CBC
inherit-certkeychain true
key default.key
passphrase none
}