Summary:
Venafi Trust Protection Platform (TPP) can perform a remote F5 Onboard Discovery of the certificates in use on an F5 BIG-IP LTM by using the F5 iControl REST API. This is the easiest way to import the certificates and SSL profiles in use on the appliance. The method below works on all versions of F5 BIG-IP LTM that support the iControl REST API. This KB documents how to configure the F5 and TPP for Onboard Discovery.
Requirements:
F5 BigIP LTM
- Version – 11.5.4 and above
- Local F5 account that is in the Administrator role*
*As described below, it is possible to authenticate the F5 user with a remote identity provider such as AD, TACACS+ or RADIUS, but this always requires a locally created user account.
Venafi Trust Protection Platform
- Version – 15.2 and above
- F5 Account credential created
- F5 Device created
- Policy folder for discovered F5 certificates
Note: This KB describes configuring a Remote Identity Provider (TACACS+) in F5, however the role provided by the identity provider is ignored by F5 as the local role takes precedence.
F5 Configuration Instructions:
For general configuration instructions for F5 remote user authentication and authorization, please see the following F5 KB article:
- On the Main tab, click System > Users > Authentication
- Click Change
- From the User Directory list, select Remote - TACACS+
- For the Servers setting, type an IP address for the remote TACACS+ server
- Click Add. The IP address for the remote TACACS+ server appears in the Servers list
- In the Secret field, type the password for access to the TACACS+ server
- In the Confirm Secret field, re-type the TACACS+ secret
- From the Encryption list, select Enabled
- In the Service Name field, type ppp as the name of the service that the user is requesting to be authenticated to
- In the Protocol Name field, type ip as the name of the protocol associated with the value specified in the Service Name field
- From the Role list, select the user role that you want the BIG-IP system to assign by default to all BIG-IP system user accounts authenticated on the remote server
- From the Partition Access list, select All as the default administrative partition that remotely-authenticated BIG-IP system user accounts can access
- From the Terminal Access list, select either of these as the default terminal access option for remotely-authenticated user accounts
- Click Finished
Configuring access control for remote role-based user groups
Although remote role-based groups can be configured, the role sent by the remote server is ignored, so this is not needed for the configuration to work.
More information:
Information on authentication with the F5 REST API (Venafi TPP uses only Basic authentication)
https://devcentral.f5.com/wiki/iControl.Authentication_with_the_F5_REST_API.ashx
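The following is an added example, not code from Venafi or F5, showing what the Basic-authenticated iControl REST call behind Onboard Discovery looks like and how the returned certificate collection can be read. Because Basic authentication sends the administrator password on every request, the script verifies the BIG-IP management certificate against a CA bundle before sending anything. The host name, credentials and CA bundle path are placeholders, the JSON response is constructed, and the field names (name, partition, subject, expirationDate) follow the ssl-cert collection as I understand it from recent BIG-IP versions; check them against your own appliance.

```python
"""Added example: list the SSL certificates installed on a BIG-IP via the
iControl REST API using HTTP Basic authentication, as TPP does.
Host, credentials, CA bundle path and the sample response are placeholders."""
import base64
import json
import ssl
import urllib.request
from datetime import datetime, timezone

# iControl REST collection that lists the certificates installed on the BIG-IP.
SSL_CERT_PATH = "/mgmt/tm/sys/file/ssl-cert"


def basic_auth_header(username: str, password: str) -> str:
    """Build the Authorization header value sent with every Basic-auth request."""
    token = base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")
    return "Basic " + token


def build_request(host: str, username: str, password: str,
                  path: str = SSL_CERT_PATH) -> urllib.request.Request:
    """Prepare a GET against the management interface; no network call is made here."""
    req = urllib.request.Request(f"https://{host}{path}", method="GET")
    req.add_header("Authorization", basic_auth_header(username, password))
    req.add_header("Accept", "application/json")
    return req


def tls_context(ca_bundle: str) -> ssl.SSLContext:
    """Basic auth carries the admin password in every request, so the BIG-IP
    management certificate must chain to a CA we trust (ca_bundle is a
    placeholder path, not something from the KB)."""
    ctx = ssl.create_default_context(cafile=ca_bundle)
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def fetch_ssl_certs(host: str, username: str, password: str, ca_bundle: str) -> dict:
    """Live call: return the decoded ssl-cert collection from the appliance."""
    req = build_request(host, username, password)
    with urllib.request.urlopen(req, context=tls_context(ca_bundle), timeout=30) as resp:
        return json.load(resp)


def parse_ssl_certs(collection: dict, now: datetime) -> list:
    """Flatten the collection into one record per certificate with days to expiry.
    An empty collection carries no "items" key, so default to an empty list."""
    records = []
    for item in collection.get("items", []):
        # expirationDate is epoch seconds in the collection (assumption, see lead-in).
        expires = datetime.fromtimestamp(int(item["expirationDate"]), tz=timezone.utc)
        records.append({
            "name": item["name"],
            "partition": item.get("partition", "Common"),
            "subject": item.get("subject", ""),
            "expires": expires,
            "days_left": (expires - now).days,
        })
    return records


def expiring_within(records: list, days: int) -> list:
    """Names of certificates that expire within the given number of days."""
    return sorted(r["name"] for r in records if r["days_left"] <= days)


# Constructed sample response (not real F5 output).
SAMPLE_RESPONSE = {
    "kind": "tm:sys:file:ssl-cert:ssl-certcollectionstate",
    "items": [
        {"name": "default.crt", "partition": "Common",
         "subject": "CN=localhost.localdomain", "expirationDate": 1800000000},
        {"name": "www-example.crt", "partition": "Common",
         "subject": "CN=www.example.com", "expirationDate": 1700000000},
        {"name": "dev-api.crt", "partition": "Dev",
         "subject": "CN=api.dev.example.com", "expirationDate": 1702000000},
    ],
}
# Fixed "now" so the sample evaluation is reproducible.
FIXED_NOW = datetime(2023, 11, 1, tzinfo=timezone.utc)

if __name__ == "__main__":
    recs = parse_ssl_certs(SAMPLE_RESPONSE, FIXED_NOW)
    for r in recs:
        print(f"/{r['partition']}/{r['name']}  expires {r['expires']:%Y-%m-%d}  ({r['days_left']} days)")
    print("expiring within 30 days:", expiring_within(recs, 30))
    # For a real appliance, replace the sample with:
    # fetch_ssl_certs("bigip.example.internal", "tpp-svc", "<password>", "/etc/ssl/bigip-ca.pem")
```

The account used here is the same local Administrator-role account the requirements above call for, so treat its password like any other privileged credential and restrict which hosts may reach the management interface.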
Venafi Trust Protection Platform Configuration Instructions (18.3 and earlier):
For general configuration instructions please see the following document on the Venafi TPP Help website:
https://docs.venafi.com/Docs/current/TopNav/Content/Drivers/c-F5-onboardDiscovery-about-tpp.php
- Open the Policy tree
- Create a username credential for the F5 device (Administration – Credentials)
- Create the F5 device policy folder in the Policy tree (Installations – Network Zone – F5 Devices)
- Create the F5 device in the policy folder (Add – Devices – Device)
- Create the F5 certificate policy folder in the Policy tree (Certificates – _Discovered – F5 Certificates)
- Open the Discovery tree
- Click Add > Onboard Discovery
- In the Discovery Name field, type a name for your new Onboard Discovery object
- From the Application Type list, select the application for which you're creating the new Onboard Discovery object (F5 LTM Advanced)
- In the Devices to Scan field, select the F5 device created above
- Select In this folder and select the policy folder created above where Trust Protection Platform should place all newly discovered certificates
- Select Extract private keys with certificates when possible to extract private keys from the device along with certificates and store them with the certificate object
- Click Save
Venafi Trust Protection Platform Configuration Instructions (18.4 and later, since Discovery moved to Aperture):
For general configuration instructions please see the following document on the Venafi TPP Help website:
https://docs.venafi.com/Docs/current/TopNav/Content/Drivers/c-F5-onboardDiscovery-about-tpp.php
- Open the Policy tree
- Create a username credential for the F5 device (Administration – Credentials)
- Create the F5 device policy folder in the Policy tree (Installations – Network Zone – F5 Devices)
- Create the F5 device in the policy folder (Add – Devices – Device)
- Create the F5 certificate policy folder in the Policy tree (Certificates – _Discovered – F5 Certificates)
- Open Aperture and navigate to Jobs
- Click + Create New Job, select Onboard Discovery, then click Start.
- Under Job Details:
  - In the Name field, type a name for your new Onboard Discovery object
  - Under Contacts, type names to select the contacts for the job
  - From the Installation Type drop-down list, select the application for which you're creating the new Onboard Discovery object (F5 LTM Advanced)
  - From the Certificates to Import drop-down list, select which types of certificates you want to discover
  - Ensure the port is correct
  - Select the option to extract private keys
  - Click Next
- In the Devices to Scan field, select the F5 device created above
- Under "Scan All Devices Located in this folder", select the destination folder you want for the discovered keys. Click Next
- Under Placement Rules, select "In this Folder" and select the same destination folder you chose under "Scan All Devices Located in this folder". Click Next
- Under Run Time, select how often you want the job, or leave it on Manually Run.
- Click Create Job
- Highlight the job you just created, then at the right, click "Run Now".