How To: TPP Onboard Discovery of F5 Certificates using Remote Authentication


Venafi Trust Protection Platform can perform a remote F5 Onboard Discovery of certificates in use by using the F5 iControlREST API. This is the easiest way to import certificates and SSL Profiles in use on the F5 LTM appliance. The method below will work on all versions of F5 BigIP LTM that support the iControlREST API. This KB documents how to configure the F5 and TPP to use OnBoard Discovery.



  • Version – 11.5.4 and above
  • Local F5 account that is in the Administrator role*

*As described below, it is possible to authenticate the F5 user with a remote identity provider such as AD, TACACS+ or RADIUS, but this always requires a locally created user account.

Venafi Trust Protection Platform

  • Version – 15.2 and above
  • F5 Account credential created
  • F5 Device created
  • Policy folder for discovered F5 certificates

Note: This KB describes configuring a Remote Identity Provider (TACACS+) in F5, however the role provided by the identity provider is ignored by F5 as the local role takes precedence.

F5 Configuration Instructions:

For general configuration instructions for F5 Remote User Authentication and Authorization please see the following F5 KB article:

  1. On the Main tab, click System > Users > Authentication
  2. Click Change
  3. From the User Directory list, select Remote - TACACS+
  4. For the Servers setting, type an IP address for the remote TACACS+ server
  5. Click Add. The IP address for the remote TACACS+ server appears in the Servers list
  6. In the Secret field, type the password for access to the TACACS+ server
  7. In the Confirm Secret field, re-type the TACACS+ secret
  8. From the Encryption list, select Enabled
  9. In the Service Name field, type ppp as the name of the service that the user is requesting to be authenticated to
  10. In the Protocol Name field, type ip as the name of the protocol associated with the value specified in the Service Name field
  11. From the Role list, select the user role that you want the BIG-IP system to assign by default to all BIG-IP system user accounts authenticated on the remote server
  12. From the Partition Access list, select All as the default administrative partition that remotely-authenticated BIG-IP system user accounts can access
  13. From the Terminal Access list, select either of these as the default terminal access option for remotely-authenticated user accounts
  14. Click Finished


Configuring access control for remote role-based user groups

Although remote role-based groups can be configured, as the role sent by the remote server is ignored, it is not needed for this configuration to work. 

More information:

Information on authentication with the F5 REST API (Venafi TPP uses only Basic authentication)

Venafi Trust Protect Platform Configuration Instructions:

For general configuration instructions please see the following document on the Venafi TPP Help website:

  1. Open the Policy tree
  2. Create a username credential for the F5 device (Administration – Credentials)
  3. Create the F5 device policy folder in the Policy tree (Installations – Network Zone – F5 Devices)
  4. Create the F5 device in the policy folder (Add – Devices – Device)
  5. Create the F5 certificate policy folder in the Policy tree (Certificates – _Discovered – F5 Certificates)
  6. Open the Discovery tree
  7. Click Add > Onboard Discovery
  8. In the Discovery Name field, type a name for your new Onboard Discovery object
  9. From the Application Type list, select the application for which you're creating the new Onboard Discovery object (F5 LTM Advanced)
  10. In the Devices to Scan field, select the F5 device created above
  11. Select In this folder and select the policy folder created above where Trust Protection Platform should place all newly discovered certificates
  12. Select Extract private keys with certificates when possible to extract private keys from the device along with certificates and store them with the certificate object
  13. Click Save


Was this article helpful?
0 out of 0 found this helpful
Have more questions? Submit a request