NetScaler can be configured for SSL offloading with end-to-end encryption, in which the NetScaler will re-encrypt the clear text data and use secure SSL sessions to communicate with the back-end web servers.
Configure the back-end SSL transactions so that the appliance uses SSL session multiplexing to reuse existing SSL sessions with the back-end web servers. It helps in avoiding CPU-intensive key exchange (full handshake) operations and also reduces the overall number of SSL sessions on the server. As a result, it accelerates the SSL transaction while maintaining end-to-end security.
Following are the steps to configure an end-to-end encryption deployment :
- Create SSL services
- Create an SSL virtual server
- Add a certificate-key pair
- Bind the certificate-key pair to the SSL virtual server
- Bind the services to the SSL virtual server
Above procedural steps can be reduced to a single declarative file containing the desired state of NetScaler. Below is an Ansible playbook in yaml format that can configure end to end SSL offloading.
---- hosts: citrix_adc vars: max_clients: 5 remote_user: root gather_facts: False collections: - citrix.adc tasks: - name: SSL Service 1 delegate_to: localhost citrix_adc_service: nsip: "{{ nsip }}" nitro_user: "{{ nitro_user }}" nitro_pass: "{{ nitro_pass }}" validate_certs: "{{ validate_certs }}" state: "{{ state }}" name: "{{ service1_name }}" servicetype: "{{ service1_servicetype }}" ipaddress: "{{ service1_ip }}" port: "{{ service1_port }}" - name: SSL Service 2 delegate_to: localhost citrix_adc_service: nsip: "{{ nsip }}" nitro_user: "{{ nitro_user }}" nitro_pass: "{{ nitro_pass }}" validate_certs: "{{ validate_certs }}" state: "{{ state }}" name: "{{ service2_name }}" servicetype: "{{ service2_servicetype }}" ipaddress: "{{ service2_ip }}" port: "{{ service2_port }}" - name: Enable Default Profile in SSLParameter delegate_to: localhost citrix_adc_nitro_resource: nsip: "{{ nsip }}" nitro_user: "{{ nitro_user }}" nitro_pass: "{{ nitro_pass }}" validate_certs: no state: "{{ state }}" workflow: lifecycle: parameter_object endpoint: sslparameter resource: defaultprofile: ENABLED - name: Upload SSL Cert to ADC delegate_to: localhost citrix_adc_system_file: nitro_user: "{{ nitro_user }}" nitro_pass: "{{ nitro_pass }}" nsip: "{{ nsip }}" validate_certs: no state: "{{ state }}" filename: sslcert.pem filelocation: /var/tmp filecontent: "{{ lookup('file', ssl_certificate_path) }}" - name: Upload SSL Key to ADC delegate_to: localhost citrix_adc_system_file: nitro_user: "{{ nitro_user }}" nitro_pass: "{{ nitro_pass }}" nsip: "{{ nsip }}" validate_certs: no state: "{{ state }}" filename: sslkey.ky filelocation: /var/tmp filecontent: "{{ lookup('file', ssl_key_path) }}" - name: Upload CA Cert to ADC delegate_to: localhost citrix_adc_system_file: nitro_user: "{{ nitro_user }}" nitro_pass: "{{ nitro_pass }}" nsip: "{{ nsip }}" validate_certs: no state: "{{ state }}" filename: cacert.crt filelocation: /var/tmp filecontent: "{{ lookup('file', ssl_cacert_path ) }}" - name: Add CA Cert to ADC when: state == 'present' delegate_to: localhost citrix_adc_ssl_certkey: nsip: "{{ nsip }}" nitro_user: "{{ nitro_user }}" nitro_pass: "{{ nitro_pass }}" validate_certs: "{{ validate_certs }}" state: "{{ state }}" certkey: "{{ ssl_cacert_name }}" cert: /var/tmp/cacert.crt - name: Configure SSL Certkey and linking it to CA cert when: state == 'present' delegate_to: localhost citrix_adc_ssl_certkey: nsip: "{{ nsip }}" nitro_user: "{{ nitro_user }}" nitro_pass: "{{ nitro_pass }}" validate_certs: "{{ validate_certs }}" state: "{{ state }}" certkey: "{{ ssl_certkey_name }}" cert: /var/tmp/sslcert.pem key: /var/tmp/sslkey.ky - name: SSL V Server delegate_to: localhost citrix_adc_lb_vserver: nsip: "{{ nsip }}" nitro_user: "{{ nitro_user }}" nitro_pass: "{{ nitro_pass }}" validate_certs: "{{ validate_certs }}" state: "{{ state }}" name: "{{ production_lb_name }}" servicetype: SSL ipv46: "{{ production_lb_ip }}" port: 443 ssl_certkey: "{{ ssl_certkey_name }}" servicebindings: - servicename: "{{ service1_name }}" weight: 1 - servicename: "{{ service2_name }}" weight: 1 disabled: no - name: Bind ssl profile to ssl vserver delegate_to: localhost citrix_adc_nitro_resource: nsip: "{{ nsip }}" nitro_user: "{{ nitro_user }}" nitro_pass: "{{ nitro_pass }}" validate_certs: "{{ validate_certs }}" state: "{{ state }}" workflow: lifecycle: object endpoint: sslvserver primary_id_attribute: vservername resource_missing_errorcode: 461 allow_recreate: true non_updateable_attributes: [] resource: vservername: "{{ production_lb_name }}" sslprofile: ns_default_ssl_profile_secure_frontend - name: Link SSL Cert with CA cert delegate_to: localhost register: result citrix_adc_nitro_request: nsip: "{{ nsip }}" nitro_user: "{{ nitro_user }}" nitro_pass: "{{ nitro_pass }}" validate_certs: no expected_nitro_errorcode: [0, 273] operation: action action: link resource: sslcertkey attributes: certkey: "{{ ssl_certkey_name }}" linkcertkeyname: "{{ ssl_cacert_name }}"
Above playbook can also be downloaded from our Ansible GitHub repo here .
You just need to fill in the variables in the inventory.txt and example_varfile.yaml. Post that run the following ansible command to appy the configurations to your target NetScaler:
ansible-playbook -i inventory.txt ssl-aplus.yaml --extra-vars="@example_varfile.yaml"
Post configuration, you can send HTTPS request at VIP to validate SSL traffic. Additionally, you provide the domain name in Qualys and ensure that your backend servers are A+ certified.
Learn more above SSL offloading capabilities in NetScaler here.
Recommended Comments
There are no comments to display.
Create an account or sign in to comment
You need to be a member in order to leave a comment
Create an account
Sign up for a new account in our community. It's easy!
Register a new accountSign in
Already have an account? Sign in here.
Sign In Now