DataScript: avi.ssl.set_pki_profile

DataScript

Function avi.ssl.set_pki_profile(<Mode>[, <pkiprofilename>[, <frequency>]])
Description This function changes the PKI profile of the initial or the renegotiated TLS session based on factors such as the client IP, the TLS server name, the HTTP host or the URI.
avi.CLIENT_VERIFY_DISABLE must be used without PKI Profile Name and Frequency parameters in the API call.
avi.CLIENT_VERIFY_REQUEST can be used without PKI Profile Name and Frequency parameters in the API call.
avi.CLIENT_VERIFY_REQUIRE must be used with the PKI Profile Name and optionally with Frequency parameters in the API call.
PKI configuration from the DataScript takes precedence over configuration from the application profile.
Events VS_DATASCRIPT_EVT_CLIENT_SSL_PRE_CONNECT
VS_DATASCRIPT_EVT_CLIENT_SSL_CLIENT_HELLO
VS_DATASCRIPT_EVT_HTTP_REQ
VS_DATASCRIPT_EVT_HTTP_REQ_DATA
Parameter Currently, the application profile has two knobs: one controls the mode and the other controls the PKI profile object.
Along the same lines, the API takes a mode (mandatory), a PKI profile name (optional) and an authentication frequency (optional). The following are the three modes supported:
  • Mode of Client Authentication:
    avi.CLIENT_VERIFY_DISABLE
    avi.CLIENT_VERIFY_REQUEST
    avi.CLIENT_VERIFY_REQUIRE
  • Name of the PKI profile object
  • Frequency of the authentication
    avi.AUTHENTICATE_ONLY_ONCE
    avi.AUTHENTICATE_ONLY_ALWAYS
Returns None
Examples

To disable client certificate authentication
if avi.ssl.server_name() == "legacy.example.com" then
    avi.ssl.set_pki_profile(avi.CLIENT_VERIFY_DISABLE)
end

Here, client verification for the PKI profile is disabled on connections for this TLS server name. To change client certificate authentication settings

if avi.ssl.server_name() == "secure.example.com" then 
    avi.ssl.set_pki_profile(avi.CLIENT_VERIFY_REQUIRE, "pkiprofile-crl", avi.AUTHENTICATE_ONLY_ONCE) 
else
    avi.ssl.set_pki_profile(avi.CLIENT_VERIFY_REQUEST) 
end
If the TLS server name is secure.example.com, where the PKI profile is mandatory, client verification is marked as required, the PKI profile is set to "pkiprofile-crl", and the client is authenticated only once. Use avi.ssl.set_pki_profile with just avi.CLIENT_VERIFY_REQUEST if you want to request a certificate from the client and only log the details in later events such as the HTTP request.
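The Description above also lists the HTTP URI and the client IP as selection factors. The following DataScript, attached to VS_DATASCRIPT_EVT_HTTP_REQ, is an added example and not part of the original page; it assumes avi.http.get_path(), avi.vs.client_ip(), avi.ipgroup.contains() and avi.vs.log() are available in your release, and "pkiprofile-internal" and "trusted-admin-nets" are placeholder names for a PKI profile and an IP group that must already exist on the controller.

```lua
-- Added example (not from the original page). Event: VS_DATASCRIPT_EVT_HTTP_REQ.
-- Assumed helper APIs: avi.http.get_path(), avi.vs.client_ip(),
-- avi.ipgroup.contains(), avi.vs.log(). Object names below are placeholders.
local path = avi.http.get_path()
local client_ip = avi.vs.client_ip()

if string.sub(path, 1, 7) == "/admin/" then
    -- Management paths: a valid client certificate is mandatory. At HTTP
    -- request time the handshake is already done, so this setting applies to
    -- the renegotiated session, as the Description notes. REQUIRE needs the
    -- PKI profile name; the frequency is optional.
    avi.ssl.set_pki_profile(avi.CLIENT_VERIFY_REQUIRE, "pkiprofile-internal",
                            avi.AUTHENTICATE_ONLY_ONCE)
elseif avi.ipgroup.contains("trusted-admin-nets", client_ip) then
    -- Known internal ranges: request a certificate without failing the
    -- session, so whether one was presented can be logged and reviewed.
    -- REQUEST may be used without a profile name or frequency.
    avi.ssl.set_pki_profile(avi.CLIENT_VERIFY_REQUEST)
    avi.vs.log("client certificate requested from " .. client_ip ..
               " for " .. path)
else
    -- Everything else: no client certificate handling for this session.
    -- DISABLE must be called without a profile name or frequency.
    avi.ssl.set_pki_profile(avi.CLIENT_VERIFY_DISABLE)
end
```

Because the DataScript setting takes precedence over the application profile, the DISABLE branch overrides a profile-level "required" setting for those requests, so keep the path and IP group conditions narrow.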

Note: Since the PKI configuration can be done both via the Application Profile and via DataScripts, during execution the PKI profile configured via DataScript takes precedence over the configuration made through the Application Profile. For example, if the application profile's PKI profile is configured to mark the certificate as required, but a DataScript marks the PKI profile for a specific server name as disabled, the DataScript overrides the application profile configuration.