|This function is used to change the PKI profile of the initial or the renegotiated TLS session based on factors like Client IP, TLS servername, HTTP host or URI etc.
avi.CLIENT_VERIFY_DISABLE must be used without PKI Profile Name and Frequency parameters in the API call.
avi.CLIENT_VERIFY_REQUEST can be used without PKI Profile Name and Frequency parameters in the API call.
avi.CLIENT_VERIFY_REQUIRE must be used with the PKI Profile Name and optionally with Frequency parameters in the API call.
PKI configuration from the DataScript takes precedence over configuration from the application profile.
Currently, in application profile, there are two knobs. One knob controls the mode and the other knob controls the PKI profile object.
On the same lines, the API is a mode (mandatory), with a profile name (optional) and frequency of authentication (optional) parameter. The following are the three modes supported:
Here, the client verififcation for the PKI profile is disabled on this TLS server connections.
To change client certificate authentication settings
If TLS Server name is secure.example.com and when the PKI profile is mandatory, then the client verification is marked as required, PKI profile as CRL, and authenticate once.
Use avi.ssl.set_pki_profile with just avi.CLIENT_VERIFY_REQUEST if you want to request a certificate from the client and just log the details in further events like HTTP request.
Note: Since the PKI configuration can be done both via Application Profile and DataScripts, during execution, the PKI profile configured via DataScript takes precedence over the configuration made through the Application Profile. For example, if the PKI profile configured to mark the certificate as required, but if through DataScripts the PKI profile for a specific server name is marked to be disabled, this will override the application profile configuration.