Forum Discussion

h_elyot's avatar
h_elyot
Icon for Nimbostratus rankNimbostratus
Aug 06, 2019

Change Parent SSL profile of 3 SSL Clients on the same Virtual Server

Hello,   I currently have client SSL profiles attached to one Virtual Server. Their parent profile is the default "clientssl". In order to avoid using week ciphers, I have created a "no_CBC" cip...
  • jonwest1_uk's avatar
    Aug 07, 2019

    No problem.

    Yes I would probably use tmsh to list them out, copy the profiles you're interested in to a text editor, change the profile name and defaults-from value from clienssl to no_CBC. Then I would use load /sys config merge from-terminal to add it into the config.

    Something like this:

    [root@bigip:Active:Standalone] config # tmsh
    root@(bigip)(cfg-sync Standalone)(Active)(/Common)(tmos)# list ltm profile client-ssl test1
    ltm profile client-ssl test1 {
        app-service none
        cert default.crt
        cert-key-chain {
            default_default {
                cert default.crt
                chain default.crt
                key default.key
            }
        }
        chain default.crt
        inherit-certkeychain false
        key default.key
        passphrase none
    }
    root@(bigip)(cfg-sync Standalone)(Active)(/Common)(tmos)# load /sys config merge from-terminal
    Enter configuration. Press CTRL-D to submit or CTRL-C to cancel.
    ltm profile client-ssl test1_new {
        app-service none
        cert default.crt
        cert-key-chain {
            default_default {
                cert default.crt
                chain default.crt
                key default.key
            }
        }
        chain default.crt
        inherit-certkeychain false
        key default.key
        passphrase none
    	defaults-from no_CBC
    }
    Loading configuration...
    root@(bigip)(cfg-sync Standalone)(Active)(/Common)(tmos)# list ltm profile client-ssl test1_new 
    ltm profile client-ssl test1_new {
        app-service none
        cert default.crt
        cert-key-chain {
            default_default {
                cert default.crt
                chain default.crt
                key default.key
            }
        }
        chain default.crt
        defaults-from no_CBC
        inherit-certkeychain true
        key default.key
        passphrase none
    }