Forum Discussion
Cole
Nimbostratus
NimbostratusStrategy for updating large amount of SSL profiles associated with a single virtual server
I'm looking to shed some of the older ciphers that are a part of the DEFAULT cipher string in our SSL profiles. The problem is, we host quite a few SSL profiles (100+) with a single virtual server. ...
eey0re
Cirrostratus
CirrostratusMy 14.1.4 lets me - what version are you on, and is it just the ciphers you are changing or something else too?
Anyway, there here a few options:
1. Use a custom parent profile.
With over 100 profiles, using a custom parent profile for them all is a really good idea so that you can manage the shared settings in one place. Do not modify the base profile (/Common/clientssl).
Start by creating a profile that customises nothing, and still has the "DEFAULT" cipher string. Then edit each profile to use that new profile as a parent, and uncheck the Cipher custom checkbox (right-hand side) to inherit the ciphers. Finally, edit the ciphers in the parent profile.
Docs: LTM Profiles Reference - The custom profile as the parent profile
Run "create /cli transaction", then all your "modify ltm profile client-ssl" commands, then "submit /cli transaction"
3. Transactions in iControlREST. The same can be achieve with the REST API, but this needs some dev skills. See DevCentral article: Demystifying iControl REST Part 7 - Understanding Transactions.
4. Load config merge. Use TMSH to "list" all your profiles, edit them in a text editor, then merge them back in using: load /sys config from-terminal merge
I hope one of these options works for you.