+
+
+
+
+
+
+ + + Support + + · + + Installation + + · + + License + + · + + Related Integrations + +
-The F5 Big IQ Orchestrator allows for the remote management of F5 Big IQ certificate stores. Inventory, Management, and Reenrollment functions are supported. +## Overview -#### Integration status: Production - Ready for use in production environments. +The F5 Big IQ Orchestrator Extension supports the following use cases: -## About the Keyfactor Universal Orchestrator Extension +- Inventories an existing F5 Big IQ device to import SSL certificates into Keyfactor Command for management +- Add an existing or newly enrolled certificate and private key to an existing F5 Big IQ device not already on that device. +- Remove a certificate and private key from an existing F5 Big IQ device. +- Add an existing or newly enrolled certificate and private key to an existing F5 Big IQ device already on that device. Optionally (based on the DeployCertificateOnRenewal setting on the certificate store), the newly renewed/replaced certificate will be deployed to any linked F5 Big IP device. +- Reenrollment (On Device Key Generation) of a new or existing certificate on the F5 Big IQ device. In this use case, the key pair and CSR will be created on the F5 Big IQ device, Keyfactor Command will enroll the certificate, and the certificate will then be installed on the device. If the DeployCertificateOnRenewal option is set, the certificate will be deployed to any linked F5 Big IP devices. -This repository contains a Universal Orchestrator Extension which is a plugin to the Keyfactor Universal Orchestrator. Within the Keyfactor Platform, Orchestrators are used to manage “certificate stores” — collections of certificates and roots of trust that are found within and used by various applications. +Use cases NOT supported by the F5 Big IQ Orchestrator Extension: -The Universal Orchestrator is part of the Keyfactor software distribution and is available via the Keyfactor customer portal. For general instructions on installing Extensions, see the “Keyfactor Command Orchestrator Installation and Configuration Guide” section of the Keyfactor documentation. For configuration details of this specific Extension see below in this readme. +- Creating new binding relationships between F5 Big IQ and any linked F5 Big IP devices. +- Storing binding relationships in Keyfactor Command during Inventory. -The Universal Orchestrator is the successor to the Windows Orchestrator. This Orchestrator Extension plugin only works with the Universal Orchestrator and does not work with the Windows Orchestrator. -## Support for F5 BigIQ -F5 BigIQ is supported by Keyfactor for Keyfactor customers. If you have a support issue, please open a support ticket via the Keyfactor Support Portal at https://support.keyfactor.com +## Compatibility -###### To report a problem or suggest a new feature, use the **[Issues](../../issues)** tab. If you want to contribute actual bug fixes or proposed enhancements, use the **[Pull requests](../../pulls)** tab. +This integration is compatible with Keyfactor Universal Orchestrator version 10.4 and later. ---- +## Support +The F5 BigIQ Universal Orchestrator extension is supported by Keyfactor for Keyfactor customers. If you have a support issue, please open a support ticket with your Keyfactor representative. If you have a support issue, please open a support ticket via the Keyfactor Support Portal at https://support.keyfactor.com. + +> To report a problem or suggest a new feature, use the **[Issues](../../issues)** tab. If you want to contribute actual bug fixes or proposed enhancements, use the **[Pull requests](../../pulls)** tab. +## Requirements & Prerequisites ---- +Before installing the F5 BigIQ Universal Orchestrator extension, we recommend that you install [kfutil](https://github.com/Keyfactor/kfutil). Kfutil is a command-line tool that simplifies the process of creating store types, installing extensions, and instantiating certificate stores in Keyfactor Command. +When creating a Keyfactor Command Certificate Store, you will be asked to enter server credentials. These credentials will serve two purposes: +1. They will be used to authenticate to the F5 Big IQ instance when accessing API endpoints. Please make sure these credentials have Admin authority on F5 Big IQ. +2. When Inventorying and Adding/Replacing certificates it will be necessary for certificate files to be transferred to and from the F5 device. The F5 Big IQ Orchestrator Extension uses SCP (Secure Copy Protocol) to perform these functions. Please make sure your F5 Big IQ device is set up to allow SCP to transfer files *to* /var/config/rest/downloads (a reserved F5 Big IQ folder used for file transfers) and *from* /var/config/rest/fileobject (the certificate file location path) and all subfolders. Other configuration tasks may be necessary in your environment to enable this feature. -## Keyfactor Version Supported -The minimum version of the Keyfactor Universal Orchestrator Framework needed to run this version of the extension is 10.4 -## Platform Specific Notes +## Create the F5-BigIQ Certificate Store Type -The Keyfactor Universal Orchestrator may be installed on either Windows or Linux based platforms. The certificate operations supported by a capability may vary based what platform the capability is installed on. The table below indicates what capabilities are supported based on which platform the encompassing Universal Orchestrator is running. -| Operation | Win | Linux | -|-----|-----|------| -|Supports Management Add|✓ |✓ | -|Supports Management Remove|✓ |✓ | -|Supports Create Store| | | -|Supports Discovery| | | -|Supports Reenrollment|✓ |✓ | -|Supports Inventory|✓ |✓ | +To use the F5 BigIQ Universal Orchestrator extension, you **must** create the F5-BigIQ Certificate Store Type. This only needs to happen _once_ per Keyfactor Command instance. -## PAM Integration -This orchestrator extension has the ability to connect to a variety of supported PAM providers to allow for the retrieval of various client hosted secrets right from the orchestrator server itself. This eliminates the need to set up the PAM integration on Keyfactor Command which may be in an environment that the client does not want to have access to their PAM provider. +* **Create F5-BigIQ using kfutil**: -The secrets that this orchestrator extension supports for use with a PAM Provider are: + ```shell + # F5 Big IQ + kfutil store-types create F5-BigIQ + ``` -|Name|Description| -|----|-----------| -|ServerUsername|The user id that will be used to authenticate to the F5 Biq API endpoints| -|ServerPassword|The password that will be used to authenticate to the F5 Biq API endpoints| - +* **Create F5-BigIQ manually in the Command UI**: ++ The Basic tab should look like this: +  + #### Advanced Tab + | Attribute | Value | Description | + | --------- | ----- | ----- | + | Supports Custom Alias | Required | Determines if an individual entry within a store can have a custom Alias. | + | Private Key Handling | Required | This determines if Keyfactor can send the private key associated with a certificate to the store. Required because IIS certificates without private keys would be invalid. | + | PFX Password Style | Default | 'Default' - PFX password is randomly generated, 'Custom' - PFX password may be specified when the enrollment job is created (Requires the Allow Custom Password application setting to be enabled.) | -### Example PAM Provider Setup + The Advanced tab should look like this: -To use a PAM Provider to resolve a field, in this example the __Server Password__ will be resolved by the `Hashicorp-Vault` provider, first install the PAM Provider extension from the [Keyfactor Integration Catalog](https://keyfactor.github.io/integrations-catalog/content/pam) on the Universal Orchestrator. +  -Next, complete configuration of the PAM Provider on the UO by editing the `manifest.json` of the __PAM Provider__ (e.g. located at extensions/Hashicorp-Vault/manifest.json). The "initialization" parameters need to be entered here: + #### Custom Fields Tab + Custom fields operate at the certificate store level and are used to control how the orchestrator connects to the remote target server containing the certificate store to be managed. The following custom fields should be added to the store type: -~~~ json - "Keyfactor:PAMProviders:Hashicorp-Vault:InitializationInfo": { - "Host": "http://127.0.0.1:8200", - "Path": "v1/secret/data", - "Token": "xxxxxx" - } -~~~ + | Name | Display Name | Description | Type | Default Value/Options | Required | + | ---- | ------------ | ---- | --------------------- | -------- | ----------- | + | DeployCertificateOnRenewal | Deploy Certificate to Linked Big IP on Renewal | This optional setting determines whether renewed certificates (Management-Add jobs with Overwrite selected) will be deployed to all linked Big IP devices. Linked devices are determined by looking at all of the client-ssl profiles that reference the renewed certificate that have an associated virtual server linked to a Big IP device. An immediate deployment is then scheduled within F5 Big IQ for each linked Big IP device. | Bool | false | 🔲 Unchecked | + | IgnoreSSLWarning | Ignore SSL Warning | If you use a self signed certificate for the F5 Big IQ portal, you will need to add this optional Custom Field and set the value to True on the managed certificate store. | Bool | false | 🔲 Unchecked | + | UseTokenAuth | Use Token Authentication | If you prefer to use F5 Big IQ's Token Authentication to authenticate F5 Big IQ API calls, you will need to add this optional Custom Field and set the value to True on the managed certificate store. If set to True for the store, the userid/password credentials you set for the certificate store will be used once to receive a token. This token is then used for all subsequent API calls for the duration of the job. If this option does not exist or is set to False, the userid/password credentials you set for the certificate store will be used for all API calls. | Bool | false | 🔲 Unchecked | + | LoginProviderName | Authentication Provider Name | If Use Token Authentication is selected, you may optionally add a value for the authentication provider F5 Big IQ will use to retrieve the auth token. If you choose not to add this field or leave it blank on the certificate store (with no default value set), the default of "TMOS" will be used. | String | | 🔲 Unchecked | + | ServerUsername | Server Username | Login credential for the F5 Big IQ device. MUST be an Admin account. | Secret | | 🔲 Unchecked | + | ServerPassword | Server Password | Login password for the F5 Big IQ device. | Secret | | 🔲 Unchecked | -After these values are entered, the Orchestrator needs to be restarted to pick up the configuration. Now the PAM Provider can be used on other Orchestrator Extensions. + The Custom Fields tab should look like this: -### Use the PAM Provider -With the PAM Provider configured as an extenion on the UO, a `json` object can be passed instead of an actual value to resolve the field with a PAM Provider. Consult the [Keyfactor Integration Catalog](https://keyfactor.github.io/integrations-catalog/content/pam) for the specific format of the `json` object. +  -To have the __Server Password__ field resolved by the `Hashicorp-Vault` provider, the corresponding `json` object from the `Hashicorp-Vault` extension needs to be copied and filed in with the correct information: -~~~ json -{"Secret":"my-kv-secret","Key":"myServerPassword"} -~~~ -This text would be entered in as the value for the __Server Password__, instead of entering in the actual password. The Orchestrator will attempt to use the PAM Provider to retrieve the __Server Password__. If PAM should not be used, just directly enter in the value for the field. -
-