The F5 Big IQ Orchestrator allows for the remote management of F5 Big IQ certificate stores. Inventory, Management, and Reenrollment functions are supported.
This repository contains a Universal Orchestrator Extension which is a plugin to the Keyfactor Universal Orchestrator. Within the Keyfactor Platform, Orchestrators are used to manage “certificate stores” — collections of certificates and roots of trust that are found within and used by various applications.
The Universal Orchestrator is part of the Keyfactor software distribution and is available via the Keyfactor customer portal. For general instructions on installing Extensions, see the “Keyfactor Command Orchestrator Installation and Configuration Guide” section of the Keyfactor documentation. For configuration details of this specific Extension see below in this readme.
The Universal Orchestrator is the successor to the Windows Orchestrator. This Orchestrator Extension plugin only works with the Universal Orchestrator and does not work with the Windows Orchestrator.
F5 BigIQ is supported by Keyfactor for Keyfactor customers. If you have a support issue, please open a support ticket via the Keyfactor Support Portal at https://support.keyfactor.com
To report a problem or suggest a new feature, use the Issues tab. If you want to contribute actual bug fixes or proposed enhancements, use the Pull requests tab.
The minimum version of the Keyfactor Universal Orchestrator Framework needed to run this version of the extension is 10.4
The Keyfactor Universal Orchestrator may be installed on either Windows or Linux based platforms. The certificate operations supported by a capability may vary based what platform the capability is installed on. The table below indicates what capabilities are supported based on which platform the encompassing Universal Orchestrator is running.
Operation | Win | Linux |
---|---|---|
Supports Management Add | ✓ | ✓ |
Supports Management Remove | ✓ | ✓ |
Supports Create Store | ||
Supports Discovery | ||
Supports Reenrollment | ✓ | ✓ |
Supports Inventory | ✓ | ✓ |
This orchestrator extension has the ability to connect to a variety of supported PAM providers to allow for the retrieval of various client hosted secrets right from the orchestrator server itself. This eliminates the need to set up the PAM integration on Keyfactor Command which may be in an environment that the client does not want to have access to their PAM provider.
The secrets that this orchestrator extension supports for use with a PAM Provider are:
Name | Description |
---|---|
ServerUsername | The user id that will be used to authenticate to the F5 Biq API endpoints |
ServerPassword | The password that will be used to authenticate to the F5 Biq API endpoints |
It is not necessary to use a PAM Provider for all of the secrets available above. If a PAM Provider should not be used, simply enter in the actual value to be used, as normal.
If a PAM Provider will be used for one of the fields above, start by referencing the Keyfactor Integration Catalog. The GitHub repo for the PAM Provider to be used contains important information such as the format of the json
needed. What follows is an example but does not reflect the json
values for all PAM Providers as they have different "instance" and "initialization" parameter names and values.
General PAM Provider Configuration
To use a PAM Provider to resolve a field, in this example the Server Password will be resolved by the Hashicorp-Vault
provider, first install the PAM Provider extension from the Keyfactor Integration Catalog on the Universal Orchestrator.
Next, complete configuration of the PAM Provider on the UO by editing the manifest.json
of the PAM Provider (e.g. located at extensions/Hashicorp-Vault/manifest.json). The "initialization" parameters need to be entered here:
"Keyfactor:PAMProviders:Hashicorp-Vault:InitializationInfo": {
"Host": "http://127.0.0.1:8200",
"Path": "v1/secret/data",
"Token": "xxxxxx"
}
After these values are entered, the Orchestrator needs to be restarted to pick up the configuration. Now the PAM Provider can be used on other Orchestrator Extensions.
With the PAM Provider configured as an extenion on the UO, a json
object can be passed instead of an actual value to resolve the field with a PAM Provider. Consult the Keyfactor Integration Catalog for the specific format of the json
object.
To have the Server Password field resolved by the Hashicorp-Vault
provider, the corresponding json
object from the Hashicorp-Vault
extension needs to be copied and filed in with the correct information:
{"Secret":"my-kv-secret","Key":"myServerPassword"}
This text would be entered in as the value for the Server Password, instead of entering in the actual password. The Orchestrator will attempt to use the PAM Provider to retrieve the Server Password. If PAM should not be used, just directly enter in the value for the field.
The F5 Big IQ Orchestrator Extension supports the following use cases:
- Inventories an existing F5 Big IQ device to import SSL certificates into Keyfactor Command for management
- Add an existing or newly enrolled certificate and private key to an existing F5 Big IQ device not already on that device.
- Remove a certificate and private key from an existing F5 Big IQ device.
- Add an existing or newly enrolled certificate and private key to an existing F5 Big IQ device already on that device. Optionally (based on the DeployCertificateOnRenewal setting on the certificate store), the newly renewed/replaced certificate will be deployed to any linked F5 Big IP device.
- Reenrollment (On Device Key Generation) of a new or existing certificate on the F5 Big IQ device. In this use case, the key pair and CSR will be created on the F5 Big IQ device, Keyfactor Command will enroll the certificate, and the certificate will then be installed on the device. If the DeployCertificateOnRenewal option is set, the certificate will be deployed to any linked F5 Big IP devices.
Use cases NOT supported by the F5 Big IQ Orchestrator Extension:
- Creating new binding relationships between F5 Big IQ and any linked F5 Big IP devices.
- Storing binding relationships in Keyfactor Command during Inventory.
The version number of a the F5 Big IQ Orchestrator Extension can be verified by right clicking on the F5BigIQ.dll file, selecting Properties, and then clicking on the Details tab.
When creating a Keyfactor Command Certificate Store, you will be asked to enter server credentials. These credentials will serve two purposes:
- They will be used to authenticate to the F5 Big IQ instance when accessing API endpoints. Please make sure these credentials have Admin authority on F5 Big IQ.
- When Inventorying and Adding/Replacing certificates it will be necessary for certificate files to be transferred to and from the F5 device. The F5 Big IQ Orchestrator Extension uses SCP (Secure Copy Protocol) to perform these functions. Please make sure your F5 Big IQ device is set up to allow SCP to transfer files to /var/config/rest/downloads (a reserved F5 Big IQ folder used for file transfers) and from /var/config/rest/fileobject (the certificate file location path) and all subfolders. Other configuration tasks may be necessary in your environment to enable this feature.
- Stop the Keyfactor Universal Orchestrator Service.
- In the Keyfactor Orchestrator installation folder (by convention usually C:\Program Files\Keyfactor\Keyfactor Orchestrator), find the "extensions" folder. Underneath that, create a new folder named F5BigIQ or another name of your choosing.
- Download the latest version of the F5 BigIQ Orchestrator Extension from GitHub.
- Copy the contents of the download installation zip file into the folder created in step 2.
- Start the Keyfactor Universal Orchestrator Service.
1. In Keyfactor Command, create a new certificate store type by navigating to Settings (the "gear" icon in the top right) => Certificate Store Types, and clicking ADD. Then enter the following information:
Basic Tab
- Name – Required. The descriptive display name of the new Certificate Store Type. Suggested => F5 Big IQ
- Short Name – Required. This value must be F5-BigIQ.
- Custom Capability - Leave unchecked
- Supported Job Types – Select Inventory, Add, and Remove.
- General Settings - Select Needs Server. Select Blueprint Allowed if you plan to use blueprinting. Leave Uses PowerShell unchecked.
- Password Settings - Leave both options unchecked
Advanced Tab
- Store Path Type - Select Freeform
- Supports Custom Alias - Required
- Private Key Handling - Required
- PFX Password Style - Default
Custom Fields Tab
-
Deploy Certificate to Linked Big IP on Renewal - optional - This setting determines you wish to deploy renewed certificates (Management-Add jobs with Overwrite selected) to all linked Big IP devices. Linked devices are determined by looking at all of the client-ssl profiles that reference the renewed certificate that have an associated virtual server linked to a Big IP device. An "immediate" deployment is then scheduled within F5 Big IQ for each linked Big IP device.
- Name=DeployCertificateOnRenewal
- Display Name=Deploy Certificate to Linked Big IP on Renewal
- Type=Bool
- Default Value={client preference}
- Depends on=unchecked
- Required=unchecked
-
Ignore SSL Warning - optional - If you use a self signed certificate for the F5 Big IQ portal, you will need add this Custom Field and set the value to True on the managed certificate store.
- Name=IgnoreSSLWarning
- Display Name=Ignore SSL Warning
- Type=Bool
- Default Value={client preference}
- Depends on=unchecked
- Required=unchecked
-
Use Token Authentication - optional - If you prefer to use F5 Big IQ's Token Authentication to authenticate F5 Big IQ API calls that the integration uses, you will need to add this Custom Field and set the value to True on the managed certificate store. If this exists and is set to True for the store, the store userid/password credentials you set for the certificate store will be used once to receive a token. This token is then used for all remaining API calls for the duration of the job. If this option does not exist or is set to False, the userid/password credentials you set on the certificate store will be used for each API call.
- Name=UseTokenAuth
- Display Name=Use Token Authentication
- Type=Bool
- Default Value={client preference}
- Depends on=unchecked
- Required=unchecked
-
Use Token Authentication Provider Name - optional - If Use Token Authentication is selected, you may optionally add a value for the authentication provider F5 Big IQ will use to retrieve the auth token. If you choose not to add this field or leave it blank on the certificate store (with no default value set), the default of "TMOS" will be used.
- Name=LoginProviderName
- Display Name=Use Token Authentication Provider Name
- Type=String
- Default Value={client preference}
- Depends on="UseTokenAuth"
- Required=unchecked
Please note, after saving the store type, going back into this screen will show three additional Custom Fields: Server Username, Server Password, and Use SSL. These are added internally by Keyfactor Command and should not be modified.
Entry Parameters Tab
Entry parameters are required ONLY if you will be taking advantage of the Reenrollment (ODKG - On Device Key Generation) capability of the F5 Big IQ Orchestrator Extension. When scheduling Reenrollment or Management jobs, some versions of Keyfactor Command may show multiple Alias and Overwrite fields. The ones below will be used for Reenrollment while the others will be used for Management.
-
Alias - required - The identifying name of the certificate
- Name=Alias
- Display Name=Alias (Reenrollment Only)
- Type=String
- Default Value=Leave Blank
- Depends On=unchecked
- Required When=Check Reenrolling an entry
-
Overwrite - required - Allow overwriting an existing certificate when reenrolling?
- Name=Overwrite
- Display Name=Overwrite (Reenrollment Only)
- Type=Bool
- Default Value=False
- Depends On=unchecked
- Required When=Check Reenrolling an entry
-
SANs - optional - External SANs for the requested certificate. Each SAN must be prefixed with the type (DNS: or IP:) and multiple SANs must be delimitted by an ampersand (&). Example: DNS:server.domain.com&IP:127.0.0.1&DNS:server2.domain.com
- Name=SANs
- Display Name=SANs (Reenrollment Only)
- Type=String
- Default Value=Leave Blank
- Depends On=unchecked
- Required When=Leave all unchecked
Navigate to Certificate Locations => Certificate Stores within Keyfactor Command to add the store. Below are the values that should be entered:
-
Category – Required. Select the Name you entered when creating the Certificate Store Type. Suggested value was F5 Big IQ.
-
Container – Optional. Select a container if utilized.
-
Client Machine & Credentials – Required. The full URL of the F5 Big IQ device portal.
-
Store Path – Required. Enter the name of the partition on the F5 Big IQ device you wish to manage. This value is case sensitive, so if the partition name is "Common", it must be entered as "Common" and not "common".
-
Orchestrator – Required. Select the orchestrator you wish to use to manage this store
-
Deploy Certificate to Linked Big IP on Renewal - Optional. Set this to True if you wish to deploy renewed certificates (Management-Add jobs with Overwrite selected) to all linked Big IP devices. Linked devices are determined by looking at all of the client-ssl profiles that reference the renewed certificate that have an associated virtual server linked to a Big IP device. An "immediate" deployment is then scheduled within F5 Big IQ for each linked Big IP device.
-
Ignore SSL Warning - Optional. Set this to True if you wish to ignore SSL warnings from F5 that occur during API calls when the site does not have a trusted certificate with the proper SAN bound to it. If you chose not to add this Custom Field when creating the Certificate Store Type, the default value of False will be assumed. If this value is False (or missing) SSL warnings will cause errors during orchestrator extension jobs.
-
Use Token Authentication - Optional. Set this to True if you wish to use F5 Big IQ's token authentiation instead of basic authentication for all API requests. If you chose not to add this optional Custom Field when creating the Certificate Store Type, the default value of False will be assumed and basic authentication will be used for all API requests for all jobs. Setting this value to True will enable an initial basic authenticated request to acquire an authentication token, which will then be used for all subsequent API requests.
-
Use Token Authentication Provider Name - Optional - If Use Token Authentication is selected, you may optionally add a value for the authentication provider F5 Big IQ will use to retrieve the auth token. If you choose leave this field blank, the default of "TMOS" will be used.
-
Server Username/Password - Required. The credentials used to log into the F5 Big IQ device to perform API calls. These values for server login can be either:
- UserId/Password
- PAM provider information used to look up the UserId/Password credentials
Please make sure these credentials have Admin rights on the F5 Big IQ device and can perform SCP functions as described in the F5 Big IQ Prerequisites section above.
-
Use SSL - N/A. This value is not referenced in the F5 Big IQ Orchestrator Extension. The value you enter for Client Machine, and specifically whether the protocol entered is http:// or https:// will determine whether a TLS (SSL) connection is utilized.
-
Inventory Schedule – Set a schedule for running Inventory jobs or "none", if you choose not to schedule Inventory at this time.
When creating cert store type manually, that store property names and entry parameter names are case sensitive