security ssl modify
Modify the SSL configuration for HTTP servers
Availability: This command is available to cluster and Vserver administrators at the admin privilege level.
Description
This command modifies the configuration of encrypted HTTP (SSL) for Vservers in the cluster. Depending on the requirements of the individual node's or cluster's web services (displayed by the vserver services web show command), this encryption might or might not be used. If the Vserver does not have a certificate associated with it, SSL will not be available.
Parameters
-vserver <Vserver Name>
- Vserver-
Identifies a Vserver for hosting SSL-encrypted web services.
[-ca <text>]
- Server Certificate Issuing CA-
Identifies a Certificate Authority (CA) of a certificate to be associated with the instance of a given Vserver. If this parameter, along with serial, is omitted during modification, a self-signed SSL certificate can be optionally generated for that Vserver.
[-serial <text>]
- Server Certificate Serial Number-
Identifies a serial number of a certificate to be associated with the instance of a given Vserver. If this parameter, along with ca, is omitted during modification, a self-signed SSL certificate can be optionally generated for that Vserver.
[-common-name <FQDN or Custom Common Name>]
- Server Certificate Common Name-
Identifies the common name (CN) of a certificate to be associated with the instance of a given Vserver. This parameter becomes optional if serial and ca are specified. You can use the security certificate create and security certificate install commands to add new certificates to Vservers.
The use of self-signed SSL certificates exposes users to man-in-the-middle security attacks. Where possible, obtain a certificate that is signed by a reputable certificate authority (CA) and use the security certificate install command to configure it before enabling SSL on a Vserver.
[-server-enabled {true|false}]
- SSL Server Authentication Enabled-
Defines the working condition of SSL server authentication in an instance of the Vserver. Any Vserver with a valid certificate of type server is server-enabled.
[-client-enabled {true|false}]
- SSL Client Authentication Enabled-
Defines the working condition of SSL client authentication in an instance of the Vserver. Any Vserver with a valid certificate of type client-ca is client-enabled. It can only be enabled if server-enabled is true.
[-ocsp-enabled {true|false}]
- Online Certificate Status Protocol Validation Enabled-
This parameter enables OCSP validation of the client certificate chain. When this parameter is enabled, certificates in the certificate chain of the client will be validated against an OCSP responder after normal verification (including CRL checks) has occurred. The OCSP responder used for the validation process is either extracted from the certificate itself or derived from the configuration.
[-ocsp-default-responder <text>]
- URI of the Default Responder for OCSP Validation-
This parameter sets the default OCSP responder to use. Unless -ocsp-override-responder is enabled, the URI given here is used only when the certificate being verified specifies no responder URI of its own.
[-ocsp-override-responder {true|false}]
- Force the Use of the Default Responder URI for OCSP Validation-
This parameter forces the configured default OCSP responder to be used during OCSP certificate validation, even if the certificate that is being validated references an OCSP responder.
[-ocsp-responder-timeout <[<integer>d][<integer>h][<integer>m][<integer>s]>]
- Timeout for OCSP Queries-
Use this parameter to specify the timeout in seconds for OCSP responders. Specify zero for the minimum possible timeout. The default value is 10 seconds.
[-ocsp-max-response-age <integer_or_unlimited>]
- Maximum Allowable Age for OCSP Responses (secs)-
This parameter sets the maximum allowable age (freshness) in seconds for the OCSP responses. The default value for this parameter is unlimited, which does not enforce a maximum age and the OCSP responses are considered valid as long as their expiration date field is in the future.
[-ocsp-max-response-time-skew <[<integer>d][<integer>h][<integer>m][<integer>s]>]
- Maximum Allowable Time Skew for OCSP Response Validation-
This parameter sets the maximum allowable time difference for OCSP responses (when validating their "ThisUpdate" and "NextUpdate" fields).
[-ocsp-use-request-nonce {true|false}]
- Use a NONCE within OCSP Queries-
This parameter determines whether the queries to the OCSP responders should contain a NONCE or not. By default, a query NONCE is always used and checked against the OCSP response. When the responder does not use NONCEs, this parameter should be disabled.
A NONCE is a unique identifier included in each OCSP request or OCSP response to prevent a replay attack.
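The following is an added illustration, not ONTAP's own code, of how the OCSP parameters above interact: responder selection (certificate URI versus the default, with and without override), the time-skew and max-response-age freshness checks, and the request NONCE check. The 300-second skew default, the responder URIs and the sample response times are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

@dataclass
class OcspSettings:
    """Constructed model of this command's OCSP parameters (names mirror the CLI)."""
    default_responder: Optional[str] = None   # -ocsp-default-responder
    override_responder: bool = False          # -ocsp-override-responder
    max_response_age: Optional[int] = None    # -ocsp-max-response-age (None = unlimited)
    max_time_skew: int = 300                  # -ocsp-max-response-time-skew, seconds (assumed value)
    use_request_nonce: bool = True            # -ocsp-use-request-nonce

@dataclass
class OcspResponse:
    """The fields of a responder's answer that the settings above act on."""
    this_update: datetime
    next_update: Optional[datetime]
    nonce: Optional[bytes]

def select_responder(s: OcspSettings, cert_aia_uri: Optional[str]) -> Optional[str]:
    """Pick the responder to query: the certificate's own URI unless override forces the default."""
    if s.override_responder and s.default_responder:
        return s.default_responder
    return cert_aia_uri or s.default_responder

def check_response(s: OcspSettings, r: OcspResponse, request_nonce: bytes, now: datetime):
    """Apply the skew, max-age and nonce rules; return (accepted, reason)."""
    skew = timedelta(seconds=s.max_time_skew)
    if r.this_update > now + skew:                        # ThisUpdate too far in the future
        return False, "thisUpdate beyond allowed skew"
    if r.next_update is not None and r.next_update < now - skew:
        return False, "nextUpdate already passed"         # expired, even allowing for skew
    if s.max_response_age is not None and now - r.this_update > timedelta(seconds=s.max_response_age):
        return False, "older than max-response-age"       # stale although NextUpdate is still ahead
    if s.use_request_nonce and r.nonce != request_nonce:  # replay protection
        return False, "nonce missing or mismatched"
    return True, "accepted"

# Constructed scenario: a week-old response that is still inside its NextUpdate window.
NOW = datetime(2024, 1, 8, 12, 0, tzinfo=timezone.utc)
NONCE = b"\x01\x02\x03\x04"
SAMPLE = OcspResponse(this_update=NOW - timedelta(days=7), next_update=NOW + timedelta(days=1), nonce=NONCE)

def run_sample():
    """Same response, two policies: unlimited age accepts it; a one-day max age rejects it."""
    lenient = OcspSettings(default_responder="http://ocsp.example.test")
    strict = OcspSettings(default_responder="http://ocsp.example.test", max_response_age=86400)
    return check_response(lenient, SAMPLE, NONCE, NOW), check_response(strict, SAMPLE, NONCE, NOW)

if __name__ == "__main__":
    print(run_sample())
```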
Examples
The following example enables SSL server authentication for a Vserver named vs0 with a certificate that has ca as www.example.com and serial as 4F4EB629.
cluster1::> security ssl modify -vserver vs0 -ca www.example.com -serial 4F4EB629 -server-enabled true
The following example disables SSL server authentication for a Vserver named vs0.
cluster1::> security ssl modify -vserver vs0 -server-enabled false
The following example enables SSL client authentication for a Vserver named vs0.
cluster1::> security ssl modify -vserver vs0 -client-enabled true
The following example disables SSL client authentication for a Vserver named vs0.
cluster1::> security ssl modify -vserver vs0 -client-enabled false