Module for setup of SSLProfile Avi RESTful Object
- This module is used to configure SSLProfile object.
- More examples at (https://github.com/avinetworks/devops).
Parameter | Choices/Defaults | Comments | |
---|---|---|---|
state
str
|
|
- The state that should be applied on the entity.
|
|
avi_api_update_method
str
|
|
- Default method for object update is HTTP PUT.
- Setting to patch will override that behavior to use HTTP PATCH.
|
|
avi_api_patch_op
str
|
|
- Patch operation to use when using avi_api_update_method as patch.
|
|
avi_patch_path
str
|
- Patch path to use when using avi_api_update_method as patch.
|
||
avi_patch_value
str
|
- Patch value to use when using avi_api_update_method as patch.
|
||
accepted_ciphers
str
|
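- Cipher suites, written in the OpenSSL cipher-string format described at https://www.openssl.org/docs/man1.1.1/man1/ciphers.html.
- Allowed in enterprise edition with any value, essentials, basic, enterprise with cloud services edition.
- Default value when not specified in API or module is interpreted by Avi Controller as AES:3DES:RC4.
- That default names the 3DES and RC4 families, which are deprecated (RFC 7465 prohibits RC4 in TLS); set accepted_ciphers explicitly instead of relying on it.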
|
||
accepted_versions
list
|
required: true
|
- Set of versions accepted by the server.
- Minimum of 1 items required.
- Allowed in enterprise edition with any value, essentials, basic, enterprise with cloud services edition.
|
|
cipher_enums
list
|
- Enum options - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
- TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,
- TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, TLS_RSA_WITH_AES_128_GCM_SHA256, TLS_RSA_WITH_AES_256_GCM_SHA384,
- TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_256_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
- TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA,
- TLS_RSA_WITH_3DES_EDE_CBC_SHA, TLS_AES_256_GCM_SHA384...
- Allowed in enterprise edition with any value, essentials edition(allowed values-
- tls_ecdhe_ecdsa_with_aes_128_gcm_sha256,tls_ecdhe_ecdsa_with_aes_256_gcm_sha384,tls_ecdhe_rsa_with_aes_128_gcm_sha256,tls_ecdhe_rsa_with_aes_256_gcm_sha384,tls_ecdhe_ecdsa_with_aes_128_cbc_sha256,tls_ecdhe_ecdsa_with_aes_256_cbc_sha384,tls_ecdhe_rsa_with_aes_128_cbc_sha256,tls_ecdhe_rsa_with_aes_256_cbc_sha384,tls_rsa_with_aes_128_gcm_sha256,tls_rsa_with_aes_256_gcm_sha384,tls_rsa_with_aes_128_cbc_sha256,tls_rsa_with_aes_256_cbc_sha256,tls_ecdhe_ecdsa_with_aes_128_cbc_sha,tls_ecdhe_ecdsa_with_aes_256_cbc_sha,tls_ecdhe_rsa_with_aes_128_cbc_sha,tls_ecdhe_rsa_with_aes_256_cbc_sha,tls_rsa_with_aes_128_cbc_sha,tls_rsa_with_aes_256_cbc_sha,tls_rsa_with_3des_ede_cbc_sha),
- basic edition(allowed values-
- tls_ecdhe_ecdsa_with_aes_128_gcm_sha256,tls_ecdhe_ecdsa_with_aes_256_gcm_sha384,tls_ecdhe_rsa_with_aes_128_gcm_sha256,tls_ecdhe_rsa_with_aes_256_gcm_sha384,tls_ecdhe_ecdsa_with_aes_128_cbc_sha256,tls_ecdhe_ecdsa_with_aes_256_cbc_sha384,tls_ecdhe_rsa_with_aes_128_cbc_sha256,tls_ecdhe_rsa_with_aes_256_cbc_sha384,tls_rsa_with_aes_128_gcm_sha256,tls_rsa_with_aes_256_gcm_sha384,tls_rsa_with_aes_128_cbc_sha256,tls_rsa_with_aes_256_cbc_sha256,tls_ecdhe_ecdsa_with_aes_128_cbc_sha,tls_ecdhe_ecdsa_with_aes_256_cbc_sha,tls_ecdhe_rsa_with_aes_128_cbc_sha,tls_ecdhe_rsa_with_aes_256_cbc_sha,tls_rsa_with_aes_128_cbc_sha,tls_rsa_with_aes_256_cbc_sha,tls_rsa_with_3des_ede_cbc_sha),
- enterprise with cloud services edition.
|
||
ciphersuites
str
|
- TLS 1.3 cipher suites, written in the format described at https://www.openssl.org/docs/man1.1.1/man1/ciphers.html.
- Field introduced in 18.2.6.
- Allowed in enterprise edition with any value, essentials, basic, enterprise with cloud services edition.
- Special default for essentials edition is tls_aes_256_gcm_sha384-tls_aes_128_gcm_sha256, basic edition is
- tls_aes_256_gcm_sha384-tls_aes_128_gcm_sha256, enterprise is tls_aes_256_gcm_sha384-tls_chacha20_poly1305_sha256-tls_aes_128_gcm_sha256.
- Default value when not specified in API or module is interpreted by Avi Controller as
- TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256.
|
||
configpb_attributes
dict
|
- Protobuf versioning for config pbs.
- Field introduced in 21.1.1.
- Allowed in enterprise edition with any value, essentials edition with any value, basic edition with any value, enterprise with cloud services
- edition.
|
||
description
str
|
- Allowed in enterprise edition with any value, essentials, basic, enterprise with cloud services edition.
|
||
dhparam
str
|
- DH (Diffie-Hellman) parameters used in SSL.
- At this time, it is not configurable and is set to 2048 bits.
- Allowed in enterprise edition with any value, essentials, basic, enterprise with cloud services edition.
|
||
ec_named_curve
str
|
- Elliptic curve cryptography named curves (TLS supported groups), represented as defined by RFC 8422, section 5.1.1, and a second reference whose URL is truncated in this copy of the page.
- Field introduced in 21.1.1.
- Allowed in enterprise edition with any value, enterprise with cloud services edition.
- Default value when not specified in API or module is interpreted by Avi Controller as auto.
|
||
enable_early_data
bool
|
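- Enable early data processing for TLS 1.3 connections.
- Early data (0-RTT) can be replayed by a network attacker (RFC 8446, section 8), so enable it only where the early requests are safe to repeat.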
- Field introduced in 18.2.6.
- Allowed in enterprise edition with any value, essentials edition(allowed values- false), basic edition(allowed values- false), enterprise with
- cloud services edition.
- Default value when not specified in API or module is interpreted by Avi Controller as False.
|
||
enable_ssl_session_reuse
bool
|
- Enable ssl session re-use.
- Allowed in enterprise edition with any value, essentials, basic, enterprise with cloud services edition.
- Default value when not specified in API or module is interpreted by Avi Controller as True.
|
||
is_federated
bool
|
- It specifies whether the object has to be replicated to the gslb followers.
- Field introduced in 22.1.3.
- Allowed in enterprise edition with any value, enterprise with cloud services edition.
- Default value when not specified in API or module is interpreted by Avi Controller as False.
|
||
markers
list
|
- List of labels to be used for granular rbac.
- Field introduced in 20.1.5.
- Allowed in enterprise edition with any value, essentials edition with any value, basic edition with any value, enterprise with cloud services
- edition.
|
||
name
str
|
required: true
|
- Allowed in enterprise edition with any value, essentials, basic, enterprise with cloud services edition.
|
|
prefer_client_cipher_ordering
bool
|
- Prefer the ssl cipher ordering presented by the client during the ssl handshake over the one specified in the ssl profile.
- Allowed in enterprise edition with any value, essentials, basic, enterprise with cloud services edition.
- Default value when not specified in API or module is interpreted by Avi Controller as False.
|
||
send_close_notify
bool
|
- Send 'close notify' alert message for a clean shutdown of the ssl connection.
- Allowed in enterprise edition with any value, essentials, basic, enterprise with cloud services edition.
- Default value when not specified in API or module is interpreted by Avi Controller as True.
|
||
signature_algorithm
str
|
- Signature algorithms, represented as defined by RFC 5246, section 7.4.1.4.1, and a second reference whose URL is truncated in this copy of the page.
- Field introduced in 21.1.1.
- Allowed in enterprise edition with any value, enterprise with cloud services edition.
- Default value when not specified in API or module is interpreted by Avi Controller as auto.
|
||
ssl_rating
dict
|
- Allowed in enterprise edition with any value, essentials, basic, enterprise with cloud services edition.
|
||
ssl_session_timeout
int
|
- The amount of time in seconds before an ssl session expires.
- Unit is sec.
- Allowed in enterprise edition with any value, essentials, basic, enterprise with cloud services edition.
- Default value when not specified in API or module is interpreted by Avi Controller as 86400.
|
||
tags
list
|
- Allowed in enterprise edition with any value, essentials, basic, enterprise with cloud services edition.
|
||
tenant_ref
str
|
- It is a reference to an object of type tenant.
- Allowed in enterprise edition with any value, essentials, basic, enterprise with cloud services edition.
|
||
type
str
|
- Ssl profile type.
- Enum options - SSL_PROFILE_TYPE_APPLICATION, SSL_PROFILE_TYPE_SYSTEM.
- Field introduced in 17.2.8.
- Allowed in enterprise edition with any value, essentials, basic, enterprise with cloud services edition.
- Default value when not specified in API or module is interpreted by Avi Controller as SSL_PROFILE_TYPE_APPLICATION.
|
||
url
str
|
- Avi controller URL of the object.
|
||
uuid
str
|
- Allowed in enterprise edition with any value, essentials, basic, enterprise with cloud services edition.
|
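# Example play: create an Avi SSLProfile object through the avi_sslprofile module.
# Nesting is restored here; with every line at column 0 the play does not parse as YAML.
- hosts: localhost
  connection: local
  collections:
    - vmware.alb
  vars:
    # Controller login details come from variables defined outside this play.
    # Keep the password in Ansible Vault or another secret store, not in plain-text vars.
    avi_credentials:
      username: "{{ username }}"
      password: "{{ password }}"
      controller: "{{ controller }}"
      api_version: "{{ api_version }}"
  tasks:
    - name: Create SSL profile with list of allowed ciphers
      avi_sslprofile:
        avi_credentials: "{{ avi_credentials }}"
        # NOTE(review): this is a broad compatibility list, not a hardened one.
        #   - DES-CBC3-SHA is 3DES (64-bit block cipher).
        #   - AES128-SHA, AES256-SHA, AES128-SHA256, AES256-SHA256, AES128-GCM-SHA256 and
        #     AES256-GCM-SHA384 use static RSA key exchange, which gives no forward secrecy,
        #     although the profile name below says "PFS".
        #   - The *-SHA / *-SHA256 / *-SHA384 entries without GCM are CBC-mode suites.
        # For a forward-secret profile keep only the ECDHE-* GCM entries.
        # The folded scalar (>) joins these lines with spaces and keeps a trailing newline;
        # verify the controller accepts the string in that form.
        accepted_ciphers: >
          ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA:
          ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-ECDSA-AES256-SHA384:
          AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:
          AES256-SHA:DES-CBC3-SHA:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:
          ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA
        # NOTE(review): TLS 1.0 and TLS 1.1 are deprecated (RFC 8996). Unless legacy clients
        # require them, list only SSL_VERSION_TLS1_2 and newer.
        accepted_versions:
          - type: SSL_VERSION_TLS1
          - type: SSL_VERSION_TLS1_1
          - type: SSL_VERSION_TLS1_2
        # Enum form of the suites above; the same caveats apply to the TLS_RSA_* (static RSA),
        # *_CBC_* and TLS_RSA_WITH_3DES_EDE_CBC_SHA entries.
        cipher_enums:
          - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
          - TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
          - TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
          - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
          - TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
          - TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
          - TLS_RSA_WITH_AES_128_GCM_SHA256
          - TLS_RSA_WITH_AES_256_GCM_SHA384
          - TLS_RSA_WITH_AES_128_CBC_SHA256
          - TLS_RSA_WITH_AES_256_CBC_SHA256
          - TLS_RSA_WITH_AES_128_CBC_SHA
          - TLS_RSA_WITH_AES_256_CBC_SHA
          - TLS_RSA_WITH_3DES_EDE_CBC_SHA
          - TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
          - TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
          - TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
          - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
          - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
          - TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
        name: PFS-BOTH-RSA-EC
        send_close_notify: true
        # These ratings are values supplied by the playbook, not a measurement of the
        # settings above; do not read security_score '100.0' as an assessment of this
        # cipher and version list.
        ssl_rating:
          compatibility_rating: SSL_SCORE_EXCELLENT
          performance_rating: SSL_SCORE_EXCELLENT
          security_score: '100.0'
        tenant_ref: /api/tenant?name=Demo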
- Gaurav Rastogi (grastogi@vmware.com)
- Sandeep Bandi (sbandi@vmware.com)
- Amol Shinde (samol@vmware.com)