You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: README.md
+22-36Lines changed: 22 additions & 36 deletions
Original file line number
Diff line number
Diff line change
@@ -31,24 +31,16 @@
31
31
32
32
## Overview
33
33
34
-
The F5 Orchestrator supports three different types of certificates stores with the capabilities for each below:
35
-
36
-
- CA Bundles
37
-
- Discovery
38
-
- Inventory*
39
-
- Management (Add and Remove)
40
-
- Web Server Device Certificates
41
-
- Inventory*
42
-
- Management (Add, but replacement/renewal of existing certificate only)
43
-
- SSL Certificates
44
-
- Discovery
45
-
- Inventory*
46
-
- Management (Add and Remove)
47
-
48
-
*Special note on private keys: One of the pieces of information that Keyfactor collects during an Inventory job is whether or not the certificate stored in F5 has a private key. The private key is NEVER actually retrieved by Keyfactor, but Keyfactor does track whether one exists. F5 does not provide an API to determine this, so by convention, all CA Bundle certificates are deemed to not have private keys, while Web Server and SSL certificates are deemed to have them. Any Management jobs adding (new or renewal) a certificate will renew without the private key for CA Bundle stores and with the private key for Web Server or SSL stores.
34
+
The f5-rest-orchestrator orchestrator extension manages various types of certificates on a F5 Big IP device (version 15 or later). TLS certificates, CA bundles, and the certificate protecting the administrative website can all be managed with this integration within the scope described in the sections below. One important note, this integration DOES NOT handle high availability (HA) failover between primary and secondary nodes. If syncing between primary and secondary nodes is desired, this must either be handled within your F5 Big IP instance itself, or you can set up a Keyfactor Command certificate store for each node (primary and secondary) and manage each separately.
49
35
50
36
The F5 Universal Orchestrator extension implements 3 Certificate Store Types. Depending on your use case, you may elect to use one, or all of these Certificate Store Types. Descriptions of each are provided below.
51
37
38
+
-[F5 SSL Profiles REST](#F5-SL-REST)
39
+
40
+
-[F5 WS Profiles REST](#F5-WS-REST)
41
+
42
+
-[F5 CA Profiles REST](#F5-CA-REST)
43
+
52
44
53
45
## Compatibility
54
46
@@ -69,16 +61,18 @@ An administrator account must be set up in F5 to be used with this orchestrator
69
61
70
62
## Certificate Store Types
71
63
72
-
To use the F5 Universal Orchestrator extension, you **must** create the Certificate Store Types required for your usecase. This only needs to happen _once_ per Keyfactor Command instance.
64
+
To use the F5 Universal Orchestrator extension, you **must** create the Certificate Store Types required for your use-case. This only needs to happen _once_ per Keyfactor Command instance.
73
65
74
66
The F5 Universal Orchestrator extension implements 3 Certificate Store Types. Depending on your use case, you may elect to use one, or all of these Certificate Store Types.
75
67
76
68
### F5-SL-REST
77
69
78
-
79
70
<details><summary>Click to expand details</summary>
80
71
81
72
73
+
The F5-SL-REST certificate store type manages F5 Big IP TLS certificates. Renewals of bound certificates is supported, but adding new bindings for new or replacement certificates is not.
74
+
75
+
82
76
83
77
84
78
#### Supported Operations
@@ -94,7 +88,7 @@ The F5 Universal Orchestrator extension implements 3 Certificate Store Types. De
94
88
#### Store Type Creation
95
89
96
90
##### Using kfutil:
97
-
`kfutil` is a custom CLI for the Keyfactor Command API and can be used to created certificate store types.
91
+
`kfutil` is a custom CLI for the Keyfactor Command API and can be used to create certificate store types.
98
92
For more information on [kfutil](https://github.com/Keyfactor/kfutil) check out the [docs](https://github.com/Keyfactor/kfutil?tab=readme-ov-file#quickstart)
99
93
<details><summary>Click to expand F5-SL-REST kfutil details</summary>
100
94
@@ -176,16 +170,17 @@ the Keyfactor Command Portal
<details><summary>Click to expand details</summary>
187
179
188
180
181
+
The F5-WS-REST certificate store type manages the TLS certificate bound to the F5 administration website. While replacing the existing website certificate is supported, adding a new certificate if one is not already present is not due to F5 limitations.
182
+
183
+
189
184
190
185
191
186
#### Supported Operations
@@ -201,7 +196,7 @@ the Keyfactor Command Portal
201
196
#### Store Type Creation
202
197
203
198
##### Using kfutil:
204
-
`kfutil` is a custom CLI for the Keyfactor Command API and can be used to created certificate store types.
199
+
`kfutil` is a custom CLI for the Keyfactor Command API and can be used to create certificate store types.
205
200
For more information on [kfutil](https://github.com/Keyfactor/kfutil) check out the [docs](https://github.com/Keyfactor/kfutil?tab=readme-ov-file#quickstart)
206
201
<details><summary>Click to expand F5-WS-REST kfutil details</summary>
207
202
@@ -282,16 +277,17 @@ the Keyfactor Command Portal
<details><summary>Click to expand details</summary>
293
286
294
287
288
+
The F5-CA-REST certificate store type manages F5 Big IP CA certificate bundles. Only custom CA bundles are supported by this integration. The default ""ca-bundle"" CA bundle under the "Common" partition is **not** supported, as F5's REST API endpoints will not return certificates from this bundle.
289
+
290
+
295
291
296
292
297
293
#### Supported Operations
@@ -307,7 +303,7 @@ the Keyfactor Command Portal
307
303
#### Store Type Creation
308
304
309
305
##### Using kfutil:
310
-
`kfutil` is a custom CLI for the Keyfactor Command API and can be used to created certificate store types.
306
+
`kfutil` is a custom CLI for the Keyfactor Command API and can be used to create certificate store types.
311
307
For more information on [kfutil](https://github.com/Keyfactor/kfutil) check out the [docs](https://github.com/Keyfactor/kfutil?tab=readme-ov-file#quickstart)
312
308
<details><summary>Click to expand F5-CA-REST kfutil details</summary>
@@ -539,12 +534,9 @@ Please refer to the **Universal Orchestrator (remote)** usage section ([PAM prov
539
534
</details>
540
535
541
536
542
-
543
537
> The content in this section can be supplemented by the [official Command documentation](https://software.keyfactor.com/Core-OnPrem/Current/Content/ReferenceGuide/Certificate%20Stores.htm?Highlight=certificate%20store).
@@ -640,12 +632,9 @@ Please refer to the **Universal Orchestrator (remote)** usage section ([PAM prov
640
632
</details>
641
633
642
634
643
-
644
635
> The content in this section can be supplemented by the [official Command documentation](https://software.keyfactor.com/Core-OnPrem/Current/Content/ReferenceGuide/Certificate%20Stores.htm?Highlight=certificate%20store).
645
636
646
637
647
-
648
-
649
638
</details>
650
639
651
640
<details><summary>F5 CA Profiles REST (F5-CA-REST)</summary>
@@ -670,7 +659,7 @@ Please refer to the **Universal Orchestrator (remote)** usage section ([PAM prov
670
659
| Category | Select "F5 CA Profiles REST" or the customized certificate store name from the previous step. |
671
660
| Container | Optional container to associate certificate store with. |
672
661
| Client Machine | The server name or IP Address for the F5 device. |
673
-
| Store Path | Enter the name of the partition on the F5 device you wish to manage. This value is case sensitive, so if the partition name is "Common", it must be entered as "Common" and not "common", |
662
+
| Store Path | Enter the name of the partition followed by the name of the bundle separated by a / (i.e. Common/BundleName). This value is case sensitive, so if the partition name is "Common/BundleName", it must be entered as "Common/BundleName" and not "common/bundlename", |
674
663
| Orchestrator | Select an approved orchestrator capable of managing `F5-CA-REST` certificates. Specifically, one with the `F5-CA-REST` capability. |
675
664
| PrimaryNode | Only required (and shown) if Primary Node Online Required is added and selected. Enter the Host Name of the F5 device that acts as the primary node in a highly available F5 implementation. Please note that this value IS case sensitive. |
676
665
| PrimaryNodeCheckRetryWaitSecs | Enter the number of seconds to wait between attempts to add/replace/renew a certificate if the node is inactive. |
@@ -704,7 +693,7 @@ Please refer to the **Universal Orchestrator (remote)** usage section ([PAM prov
704
693
| Category | Select "F5 CA Profiles REST" or the customized certificate store name from the previous step. |
705
694
| Container | Optional container to associate certificate store with. |
706
695
| Client Machine | The server name or IP Address for the F5 device. |
707
-
| Store Path | Enter the name of the partition on the F5 device you wish to manage. This value is case sensitive, so if the partition name is "Common", it must be entered as "Common" and not "common", |
696
+
| Store Path | Enter the name of the partition followed by the name of the bundle separated by a / (i.e. Common/BundleName). This value is case sensitive, so if the partition name is "Common/BundleName", it must be entered as "Common/BundleName" and not "common/bundlename", |
708
697
| Orchestrator | Select an approved orchestrator capable of managing `F5-CA-REST` certificates. Specifically, one with the `F5-CA-REST` capability. |
709
698
| Properties.PrimaryNode | Only required (and shown) if Primary Node Online Required is added and selected. Enter the Host Name of the F5 device that acts as the primary node in a highly available F5 implementation. Please note that this value IS case sensitive. |
710
699
| Properties.PrimaryNodeCheckRetryWaitSecs | Enter the number of seconds to wait between attempts to add/replace/renew a certificate if the node is inactive. |
@@ -741,12 +730,9 @@ Please refer to the **Universal Orchestrator (remote)** usage section ([PAM prov
741
730
</details>
742
731
743
732
744
-
745
733
> The content in this section can be supplemented by the [official Command documentation](https://software.keyfactor.com/Core-OnPrem/Current/Content/ReferenceGuide/Certificate%20Stores.htm?Highlight=certificate%20store).
746
734
747
735
748
-
749
-
750
736
</details>
751
737
752
738
## Discovering Certificate Stores with the Discovery Job
Copy file name to clipboardExpand all lines: docsource/content.md
+1-16Lines changed: 1 addition & 16 deletions
Original file line number
Diff line number
Diff line change
@@ -1,21 +1,6 @@
1
1
## Overview
2
2
3
-
The F5 Orchestrator supports three different types of certificates stores with the capabilities for each below:
4
-
5
-
- CA Bundles
6
-
- Discovery
7
-
- Inventory*
8
-
- Management (Add and Remove)
9
-
- Web Server Device Certificates
10
-
- Inventory*
11
-
- Management (Add, but replacement/renewal of existing certificate only)
12
-
- SSL Certificates
13
-
- Discovery
14
-
- Inventory*
15
-
- Management (Add and Remove)
16
-
17
-
*Special note on private keys: One of the pieces of information that Keyfactor collects during an Inventory job is whether or not the certificate stored in F5 has a private key. The private key is NEVER actually retrieved by Keyfactor, but Keyfactor does track whether one exists. F5 does not provide an API to determine this, so by convention, all CA Bundle certificates are deemed to not have private keys, while Web Server and SSL certificates are deemed to have them. Any Management jobs adding (new or renewal) a certificate will renew without the private key for CA Bundle stores and with the private key for Web Server or SSL stores.
18
-
3
+
The f5-rest-orchestrator orchestrator extension manages various types of certificates on a F5 Big IP device (version 15 or later). TLS certificates, CA bundles, and the TLS certificate bound to the administrative website can all be managed with this integration within the scope described in the sections below. One important note, this integration DOES NOT manage high availability (HA) failover between primary and secondary nodes. If syncing between primary and secondary nodes is desired, this must either be handled within your F5 Big IP instance itself, or you can set up a Keyfactor Command certificate store for each node (primary and secondary) and manage each separately.
The F5-CA-REST certificate store type manages F5 Big IP CA certificate bundles. Only custom CA bundles are supported by this integration. The default bundle "ca-bundle" under the "Common" partition is **not** supported, as F5's REST API endpoints will not return certificates from this bundle.
The F5-SL-REST certificate store type manages F5 Big IP TLS certificates. Renewals of bound certificates is supported, but adding new bindings for new or replacement certificates is not.
The F5-WS-REST certificate store type manages the TLS certificate bound to the F5 administration website. While replacing the existing website certificate is supported, adding a new certificate if one is not already present is not due to F5 limitations.
Copy file name to clipboardExpand all lines: integration-manifest.json
+1-1Lines changed: 1 addition & 1 deletion
Original file line number
Diff line number
Diff line change
@@ -254,7 +254,7 @@
254
254
"Capability": "F5-CA-REST",
255
255
"ServerRequired": true,
256
256
"ClientMachineDescription": "The server name or IP Address for the F5 device.",
257
-
"StorePathDescription": "Enter the name of the partition on the F5 device you wish to manage. This value is case sensitive, so if the partition name is \"Common\", it must be entered as \"Common\" and not \"common\",",
257
+
"StorePathDescription": "Enter the name of the partition followed by the name of the bundle separated by a / (i.e. Common/BundleName). This value is case sensitive, so if the partition name is \"Common/BundleName\", it must be entered as \"Common/BundleName\" and not \"common/bundlename\",",
0 commit comments