CHANGELOG.md: 3 additions & 0 deletions
@@ -1,3 +1,6 @@
1
+
v1.8.1
2
+
- Documentation changes including highlighting lack of HA support as well as a correction to the proper StorePath value for F5-CA-REST stores.
3
+
1
4
v1.8.0
2
5
- Add new custom field - Remove Chain on Add - to allow the removal of the certificate chain before adding/replacing a certificate on the F5 device. Default = false.
3
6
- Apply store password when replacing a certificate as well as adding (extension to change made in v1.6.0)
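Review bot: the v1.8.1 entry says the StorePath value for F5-CA-REST stores was corrected but not what the correct value now is; a changelog is where an operator looks when an upgrade changes a required setting, so state the format inline, e.g. `Store Path for F5-CA-REST must be partition/bundle, e.g. Common/BundleName`. The HA note would also be more useful if it said what the operator must do instead (sync on the device, or one Keyfactor store per node), as the README text in this commit does.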
README.md: 31 additions & 43 deletions
@@ -31,24 +31,16 @@
31
31
32
32
## Overview
33
33
34
-
The F5 Orchestrator supports three different types of certificates stores with the capabilities for each below:
35
-
36
-
- CA Bundles
37
-
- Discovery
38
-
- Inventory*
39
-
- Management (Add and Remove)
40
-
- Web Server Device Certificates
41
-
- Inventory*
42
-
- Management (Add, but replacement/renewal of existing certificate only)
43
-
- SSL Certificates
44
-
- Discovery
45
-
- Inventory*
46
-
- Management (Add and Remove)
47
-
48
-
*Special note on private keys: One of the pieces of information that Keyfactor collects during an Inventory job is whether or not the certificate stored in F5 has a private key. The private key is NEVER actually retrieved by Keyfactor, but Keyfactor does track whether one exists. F5 does not provide an API to determine this, so by convention, all CA Bundle certificates are deemed to not have private keys, while Web Server and SSL certificates are deemed to have them. Any Management jobs adding (new or renewal) a certificate will renew without the private key for CA Bundle stores and with the private key for Web Server or SSL stores.
34
+
The f5-rest-orchestrator orchestrator extension manages various types of certificates on a F5 Big IP device (version 15 or later). TLS certificates, CA bundles, and the TLS certificate bound to the administrative website can all be managed with this integration within the scope described in the sections below. One important note, this integration DOES NOT manage high availability (HA) failover between primary and secondary nodes. If syncing between primary and secondary nodes is desired, this must either be handled within your F5 Big IP instance itself, or you can set up a Keyfactor Command certificate store for each node (primary and secondary) and manage each separately.
49
35
50
36
The F5 Universal Orchestrator extension implements 3 Certificate Store Types. Depending on your use case, you may elect to use one, or all of these Certificate Store Types. Descriptions of each are provided below.
51
37
38
+
-[F5 SSL Profiles REST](#F5-SL-REST)
39
+
40
+
-[F5 WS Profiles REST](#F5-WS-REST)
41
+
42
+
-[F5 CA Profiles REST](#F5-CA-REST)
43
+
52
44
53
45
## Compatibility
54
46
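Review bot: the removed private-key note (the private key is never retrieved, only its presence is recorded, and presence is inferred from store type because F5 offers no API for it) is not carried into the new overview paragraph; that is exactly the statement a security reviewer of this integration will look for, so keep it, for example as a second paragraph after the HA note. Also, the three added link lines are written as `-[F5 SSL Profiles REST](#F5-SL-REST)` with no space after the hyphen, so Markdown will not render them as a list; use `- [F5 SSL Profiles REST](#F5-SL-REST)`. Minor: `a F5 Big IP device` should be `an F5 Big IP device`.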
@@ -69,16 +61,18 @@ An administrator account must be set up in F5 to be used with this orchestrator
69
61
70
62
## Certificate Store Types
71
63
72
-
To use the F5 Universal Orchestrator extension, you **must** create the Certificate Store Types required for your usecase. This only needs to happen _once_ per Keyfactor Command instance.
64
+
To use the F5 Universal Orchestrator extension, you **must** create the Certificate Store Types required for your use-case. This only needs to happen _once_ per Keyfactor Command instance.
73
65
74
66
The F5 Universal Orchestrator extension implements 3 Certificate Store Types. Depending on your use case, you may elect to use one, or all of these Certificate Store Types.
75
67
76
68
### F5-SL-REST
77
69
78
-
79
70
<details><summary>Click to expand details</summary>
80
71
81
72
73
+
The F5-SL-REST certificate store type manages F5 Big IP TLS certificates. Renewals of bound certificates is supported, but adding new bindings for new or replacement certificates is not.
74
+
75
+
82
76
83
77
84
78
#### Supported Operations
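Review bot: `use-case` on the added line should be `use case`, which is how the unchanged line two below spells it, and in the new F5-SL-REST paragraph `Renewals of bound certificates is supported` should read `Renewals of bound certificates are supported`. The paragraph says renewal of a bound certificate is supported but not whether the existing binding is kept on the renewed certificate; that is the behaviour an operator rotating a live listener certificate needs to know, so spell it out.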
@@ -94,7 +88,7 @@ The F5 Universal Orchestrator extension implements 3 Certificate Store Types. De
94
88
#### Store Type Creation
95
89
96
90
##### Using kfutil:
97
-
`kfutil` is a custom CLI for the Keyfactor Command API and can be used to created certificate store types.
91
+
`kfutil` is a custom CLI for the Keyfactor Command API and can be used to create certificate store types.
98
92
For more information on [kfutil](https://github.com/Keyfactor/kfutil) check out the [docs](https://github.com/Keyfactor/kfutil?tab=readme-ov-file#quickstart)
99
93
<details><summary>Click to expand F5-SL-REST kfutil details</summary>
100
94
@@ -176,16 +170,17 @@ the Keyfactor Command Portal
<details><summary>Click to expand details</summary>
187
179
188
180
181
+
The F5-WS-REST certificate store type manages the TLS certificate bound to the F5 administration website. While replacing the existing website certificate is supported, adding a new certificate if one is not already present is not due to F5 limitations.
182
+
183
+
189
184
190
185
191
186
#### Supported Operations
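Review bot: in the added F5-WS-REST paragraph, `adding a new certificate if one is not already present is not due to F5 limitations` reads as if the lack of support were unrelated to F5; reword to `adding a new certificate where none is already present is not supported, due to F5 limitations`.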
@@ -201,7 +196,7 @@ the Keyfactor Command Portal
201
196
#### Store Type Creation
202
197
203
198
##### Using kfutil:
204
-
`kfutil` is a custom CLI for the Keyfactor Command API and can be used to created certificate store types.
199
+
`kfutil` is a custom CLI for the Keyfactor Command API and can be used to create certificate store types.
205
200
For more information on [kfutil](https://github.com/Keyfactor/kfutil) check out the [docs](https://github.com/Keyfactor/kfutil?tab=readme-ov-file#quickstart)
206
201
<details><summary>Click to expand F5-WS-REST kfutil details</summary>
207
202
@@ -282,16 +277,17 @@ the Keyfactor Command Portal
<details><summary>Click to expand details</summary>
293
286
294
287
288
+
The F5-CA-REST certificate store type manages F5 Big IP CA certificate bundles. Only custom CA bundles are supported by this integration. The default bundle "ca-bundle" under the "Common" partition is **not** supported, as F5's REST API endpoints will not return certificates from this bundle.
289
+
290
+
295
291
296
292
297
293
#### Supported Operations
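Review bot: the added F5-CA-REST paragraph explains that only custom bundles are supported and that the default `ca-bundle` under `Common` is excluded because the REST API does not return its certificates, but it does not tell the reader how to point a store at a custom bundle; add the Store Path format here (`partition/bundle`, e.g. `Common/BundleName`), since this commit introduces that format in the store tables further down the file.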
@@ -307,7 +303,7 @@ the Keyfactor Command Portal
307
303
#### Store Type Creation
308
304
309
305
##### Using kfutil:
310
-
`kfutil` is a custom CLI for the Keyfactor Command API and can be used to created certificate store types.
306
+
`kfutil` is a custom CLI for the Keyfactor Command API and can be used to create certificate store types.
311
307
For more information on [kfutil](https://github.com/Keyfactor/kfutil) check out the [docs](https://github.com/Keyfactor/kfutil?tab=readme-ov-file#quickstart)
312
308
<details><summary>Click to expand F5-CA-REST kfutil details</summary>
| Category | Select "F5 SSL Profiles REST" or the customized certificate store name from the previous step. |
466
461
| Container | Optional container to associate certificate store with. |
467
462
| Client Machine | The server name or IP Address for the F5 device. |
468
463
| Store Path | Enter the name of the partition on the F5 device you wish to manage. This value is case sensitive, so if the partition name is "Common", it must be entered as "Common" and not "common", |
464
+
| Store Password | Check "No Password" if you wish the private key of any added certificate to be set to Key Security Type "Normal". Enter a value (either a password or pointer to an installed PAM provider key for the password) to be used to encrypt the private key of any added certificate for Key Security Type of "Password". |
469
465
| Orchestrator | Select an approved orchestrator capable of managing `F5-SL-REST` certificates. Specifically, one with the `F5-SL-REST` capability. |
470
466
| PrimaryNode | Only required (and shown) if Primary Node Online Required is added and selected. Enter the Host Name of the F5 device that acts as the primary node in a highly available F5 implementation. Please note that this value IS case sensitive. |
471
467
| PrimaryNodeCheckRetryWaitSecs | Enter the number of seconds to wait between attempts to add/replace/renew a certificate if the node is inactive. |
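Review bot: the added Store Password row says `No Password` yields Key Security Type `Normal` and a password yields `Password`, but never says what `Normal` means in practice; by the row's own wording it is the option where the private key is stored without password encryption, so say that explicitly and recommend the PAM-provider form for the password so the value is not held in Keyfactor in clear text. The unchanged Store Path row in this table also ends its sentence with a comma (`and not "common",`); worth fixing in the same pass.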
@@ -501,6 +497,7 @@ The F5 Universal Orchestrator extension implements 3 Certificate Store Types, ea
501
497
| Container | Optional container to associate certificate store with. |
502
498
| Client Machine | The server name or IP Address for the F5 device. |
503
499
| Store Path | Enter the name of the partition on the F5 device you wish to manage. This value is case sensitive, so if the partition name is "Common", it must be entered as "Common" and not "common", |
500
+
| Store Password | Check "No Password"if you wish the private key of any added certificate to be set to Key Security Type "Normal". Enter a value (either a password or pointer to an installed PAM provider key for the password) to be used to encrypt the private key of any added certificate for Key Security Type of "Password". |
504
501
| Orchestrator | Select an approved orchestrator capable of managing `F5-SL-REST` certificates. Specifically, one with the `F5-SL-REST` capability. |
505
502
| Properties.PrimaryNode | Only required (and shown) if Primary Node Online Required is added and selected. Enter the Host Name of the F5 device that acts as the primary node in a highly available F5 implementation. Please note that this value IS case sensitive. |
506
503
| Properties.PrimaryNodeCheckRetryWaitSecs | Enter the number of seconds to wait between attempts to add/replace/renew a certificate if the node is inactive. |
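Review bot: the added Store Password row is missing a space in `Check "No Password"if you wish`; it should be `Check "No Password" if you wish`. The same row in the Attributes table above has the space, so the two copies should match.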
@@ -531,20 +528,17 @@ If a PAM provider was installed _on the Universal Orchestrator_ in the [Installa
531
528
| --------- | ----------- |
532
529
| ServerUsername | Login credential for the F5 device. MUST be an Admin account. |
533
530
| ServerPassword | Login password for the F5 device. |
534
-
| StorePassword | Passwordto use when reading/writing to store |
531
+
| StorePassword | Check "No Password" if you wish the private key of any added certificate to be set to Key Security Type "Normal". Enter a value (either a password or pointer to an installed PAM provider key for the password) to be used to encrypt the private key of any added certificate for Key Security Type of "Password". |
535
532
536
533
Please refer to the **Universal Orchestrator (remote)** usage section ([PAM providers on the Keyfactor Integration Catalog](https://keyfactor.github.io/integrations-catalog/content/pam)) for your selected PAM provider for instructions on how to load attributes orchestrator-side.
537
534
> Any secret can be rendered by a PAM provider _installed on the Keyfactor Command server_. The above parameters are specific to attributes that can be fetched by an installed PAM provider running on the Universal Orchestrator server itself.
538
535
539
536
</details>
540
537
541
538
542
-
543
539
> The content in this section can be supplemented by the [official Command documentation](https://software.keyfactor.com/Core-OnPrem/Current/Content/ReferenceGuide/Certificate%20Stores.htm?Highlight=certificate%20store).
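Review bot: the new StorePassword description is copied from the UI table and tells the reader to `Check "No Password"`, but this table lists attributes fetched by a PAM provider installed on the orchestrator, where there is no checkbox; describe it here as the password used to encrypt the private key of added certificates (Key Security Type `Password`), resolved through the PAM provider, and leave the checkbox instructions to the Attributes table.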
| Category | Select "F5 WS Profiles REST" or the customized certificate store name from the previous step. |
570
564
| Container | Optional container to associate certificate store with. |
571
565
| Client Machine | The server name or IP Address for the F5 device. |
@@ -640,12 +634,9 @@ Please refer to the **Universal Orchestrator (remote)** usage section ([PAM prov
640
634
</details>
641
635
642
636
643
-
644
637
> The content in this section can be supplemented by the [official Command documentation](https://software.keyfactor.com/Core-OnPrem/Current/Content/ReferenceGuide/Certificate%20Stores.htm?Highlight=certificate%20store).
645
638
646
639
647
-
648
-
649
640
</details>
650
641
651
642
<details><summary>F5 CA Profiles REST (F5-CA-REST)</summary>
@@ -665,12 +656,12 @@ Please refer to the **Universal Orchestrator (remote)** usage section ([PAM prov
665
656
666
657
Click the Add button to add a new Certificate Store. Use the table below to populate the **Attributes** in the **Add** form.
| Category | Select "F5 CA Profiles REST" or the customized certificate store name from the previous step. |
671
662
| Container | Optional container to associate certificate store with. |
672
663
| Client Machine | The server name or IP Address for the F5 device. |
673
-
| Store Path | Enter the name of the partition on the F5 device you wish to manage. This value is case sensitive, so if the partition name is "Common", it must be entered as "Common" and not "common", |
664
+
| Store Path | Enter the name of the partition followed by the name of the bundle separated by a / (i.e. Common/BundleName). This value is case sensitive, so if the partition name is "Common/BundleName", it must be entered as "Common/BundleName" and not "common/bundlename", |
674
665
| Orchestrator | Select an approved orchestrator capable of managing `F5-CA-REST` certificates. Specifically, one with the `F5-CA-REST` capability. |
675
666
| PrimaryNode | Only required (and shown) if Primary Node Online Required is added and selected. Enter the Host Name of the F5 device that acts as the primary node in a highly available F5 implementation. Please note that this value IS case sensitive. |
676
667
| PrimaryNodeCheckRetryWaitSecs | Enter the number of seconds to wait between attempts to add/replace/renew a certificate if the node is inactive. |
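Review bot: in the new Store Path row, `i.e. Common/BundleName` should be `e.g. Common/BundleName` since it is an example, and the case-sensitivity clause calls `Common/BundleName` a partition name when it is a partition/bundle path; suggest `This value is case sensitive: "Common/BundleName" and "common/bundlename" are not the same store.` The same row, with the same wording, is added to the Properties table in the following hunk, so apply the fix in both places. The trailing comma at the end of the row also survives from the old text.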
@@ -704,7 +695,7 @@ Please refer to the **Universal Orchestrator (remote)** usage section ([PAM prov
704
695
| Category | Select "F5 CA Profiles REST" or the customized certificate store name from the previous step. |
705
696
| Container | Optional container to associate certificate store with. |
706
697
| Client Machine | The server name or IP Address for the F5 device. |
707
-
| Store Path | Enter the name of the partition on the F5 device you wish to manage. This value is case sensitive, so if the partition name is "Common", it must be entered as "Common" and not "common", |
698
+
| Store Path | Enter the name of the partition followed by the name of the bundle separated by a / (i.e. Common/BundleName). This value is case sensitive, so if the partition name is "Common/BundleName", it must be entered as "Common/BundleName" and not "common/bundlename", |
708
699
| Orchestrator | Select an approved orchestrator capable of managing `F5-CA-REST` certificates. Specifically, one with the `F5-CA-REST` capability. |
709
700
| Properties.PrimaryNode | Only required (and shown) if Primary Node Online Required is added and selected. Enter the Host Name of the F5 device that acts as the primary node in a highly available F5 implementation. Please note that this value IS case sensitive. |
710
701
| Properties.PrimaryNodeCheckRetryWaitSecs | Enter the number of seconds to wait between attempts to add/replace/renew a certificate if the node is inactive. |
@@ -741,12 +732,9 @@ Please refer to the **Universal Orchestrator (remote)** usage section ([PAM prov
741
732
</details>
742
733
743
734
744
-
745
735
> The content in this section can be supplemented by the [official Command documentation](https://software.keyfactor.com/Core-OnPrem/Current/Content/ReferenceGuide/Certificate%20Stores.htm?Highlight=certificate%20store).
746
736
747
737
748
-
749
-
750
738
</details>
751
739
752
740
## Discovering Certificate Stores with the Discovery Job
docsource/content.md: 1 addition & 16 deletions
@@ -1,21 +1,6 @@
1
1
## Overview
2
2
3
-
The F5 Orchestrator supports three different types of certificates stores with the capabilities for each below:
4
-
5
-
- CA Bundles
6
-
- Discovery
7
-
- Inventory*
8
-
- Management (Add and Remove)
9
-
- Web Server Device Certificates
10
-
- Inventory*
11
-
- Management (Add, but replacement/renewal of existing certificate only)
12
-
- SSL Certificates
13
-
- Discovery
14
-
- Inventory*
15
-
- Management (Add and Remove)
16
-
17
-
*Special note on private keys: One of the pieces of information that Keyfactor collects during an Inventory job is whether or not the certificate stored in F5 has a private key. The private key is NEVER actually retrieved by Keyfactor, but Keyfactor does track whether one exists. F5 does not provide an API to determine this, so by convention, all CA Bundle certificates are deemed to not have private keys, while Web Server and SSL certificates are deemed to have them. Any Management jobs adding (new or renewal) a certificate will renew without the private key for CA Bundle stores and with the private key for Web Server or SSL stores.
18
-
3
+
The f5-rest-orchestrator orchestrator extension manages various types of certificates on a F5 Big IP device (version 15 or later). TLS certificates, CA bundles, and the TLS certificate bound to the administrative website can all be managed with this integration within the scope described in the sections below. One important note, this integration DOES NOT manage high availability (HA) failover between primary and secondary nodes. If syncing between primary and secondary nodes is desired, this must either be handled within your F5 Big IP instance itself, or you can set up a Keyfactor Command certificate store for each node (primary and secondary) and manage each separately.
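Review bot: this hunk removes the private-key note (private keys are never retrieved; presence is inferred from store type because F5 exposes no API for it) from docsource/content.md without a replacement, so if this file is the source the README overview is generated from, the statement disappears from the published docs as well; keep it as a sentence in the new overview paragraph.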
The F5-CA-REST certificate store type manages F5 Big IP CA certificate bundles. Only custom CA bundles are supported by this integration. The default bundle "ca-bundle" under the "Common" partition is **not** supported, as F5's REST API endpoints will not return certificates from this bundle.
The F5-SL-REST certificate store type manages F5 Big IP TLS certificates. Renewals of bound certificates is supported, but adding new bindings for new or replacement certificates is not.
The F5-WS-REST certificate store type manages the TLS certificate bound to the F5 administration website. While replacing the existing website certificate is supported, adding a new certificate if one is not already present is not due to F5 limitations.