Set SSL parameters on a secure monitor


This feature is supported only on the new Default profiles. For more information about these profiles, see Enhanced SSL Profiles Infrastructure Overview.

A monitor inherits either the global settings or the settings of the service to which it is bound. If a monitor is bound to a service that is not of type SSL or SSL_TCP, such as SSL_BRIDGE, you cannot configure it with SSL settings such as the protocol version or the ciphers to be used. As a result, if your deployment requires SSL-based monitoring of the back-end servers, the monitoring is ineffective.

You can gain more control over SSL-based monitoring of back-end servers by binding an SSL profile to a monitor. An SSL profile contains SSL parameters, cipher bindings, and ECC bindings. For example, you can set server authentication, ciphers, and protocol version in an SSL profile and bind the profile to a monitor. To perform server authentication, you must also bind a CA certificate to the monitor. To perform client authentication, you must bind a client certificate to the monitor. New parameters for the “bind lb monitor” command enable you to do so.


The SSL settings take effect only if you add a secure monitor. Also, the SSL profile type must be BackEnd.

Monitor Types that Support SSL Profiles

SSL profiles can be bound to the following monitor types:

  • HTTP
  • TCP

To specify an SSL profile while adding a monitor by using the command line

At the command prompt, type:

add lb monitor <monitorName> <type> -secure YES -sslprofile <string>

set lb monitor <monitorName> <type> -secure YES -sslprofile <string>


add ssl profile prof1 -sslProfileType BackEnd

add lb monitor mon1 HTTP -secure YES -sslprofile prof1

To bind a certificate-key pair to a monitor by using the command line

At the command prompt, type:

bind lb monitor <monitor name> -certkeyName <string> [-CA [-crlCheck ( Mandatory | Optional ) | -ocspCheck ( Mandatory | Optional )]]
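
The whole procedure above in one sequence, as an added example that is not part of the original page: a BackEnd profile with server authentication, a restricted protocol and cipher set, a secure monitor that uses it, and the CA and client certificate bindings. The entity names (be_mon_prof, mon_https, be_ca, mon_client), the certificate file names, and the chosen cipher are assumptions made for illustration.

```netscaler
# Constructed example. All names and file names below are placeholders.

# 1. Back-end profile: probes sent by the monitor use these settings.
#    Server authentication is enabled and only TLS 1.2 is allowed.
add ssl profile be_mon_prof -sslProfileType BackEnd -serverAuth ENABLED -ssl3 DISABLED -tls1 DISABLED -tls11 DISABLED -tls12 ENABLED

# 2. Replace the default back-end cipher group with an explicit cipher.
unbind ssl profile be_mon_prof -cipherName DEFAULT_BACKEND
bind ssl profile be_mon_prof -cipherName TLS1.2-ECDHE-RSA-AES256-GCM-SHA384 -cipherPriority 1

# 3. Secure monitor bound to the profile. Without -secure YES the
#    SSL settings do not take effect.
add lb monitor mon_https HTTP -secure YES -sslprofile be_mon_prof

# 4. Server authentication: bind the CA certificate that issued the
#    back-end server certificates (flags as in the bind syntax above).
add ssl certKey be_ca -cert be_ca.pem
bind lb monitor mon_https -certkeyName be_ca -CA -ocspCheck Optional

# 5. Client authentication: bind the certificate-key pair that the
#    monitor presents to the back-end server.
add ssl certKey mon_client -cert mon_client.pem -key mon_client.key
bind lb monitor mon_https -certkeyName mon_client

# 6. Confirm the profile settings and the monitor bindings.
show ssl profile be_mon_prof
show lb monitor mon_https
```

If the probes start failing after step 4, check that the back-end server certificate chains to the bound CA certificate before relaxing -serverAuth.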