APPLIES TO: F5 Devices
This article covers the steps required to bind and validate a certificate on an F5 device itself. This is different from binding a certificate to a VIP or an application on the device: here the certificate is assigned to the F5's own management (httpd) interface, which requires three things:
1. The correct settings in TPP to connect to the device.
2. An applied workflow with a command injection that restarts the httpd service on the F5 device after the certificate is pushed.
3. "Advanced Shell" terminal access for the same TPP user on the F5 device, so that the workflow command injection can run.
Prerequisites: a current F5 credential, an F5 device, an F5 application tied to that device, and a certificate available to push to the device. You also need administrative access to the F5 device to set the correct permissions for your TPP user.
The process follows these high-level steps. Details for each step are documented below.
- Set up your F5 credential and device object. See the following page for steps on creating a device object in TPP: https://docs.venafi.com/Docs/current/TopNav/Content/Drivers/t-drivers-DeviceObjects-creating.php?Highlight=device%20object
- Create a certificate object for the device. See the following page for instructions on creating a certificate object: https://docs.venafi.com/Docs/current/TopNav/Content/Certificates/t-cert-objects-configuring.php?Highlight=certificate%20object
- Create an application object for the device. The application you will create will be the F5 LTM Advanced. Please refer to this document on creating an F5 application object: https://docs.venafi.com/Docs/current/TopNav/Content/Drivers/r-F5LTM-AppObjSettings-tpp.php?Highlight=application%20object
- If you already have a certificate created for the device, you can associate it with the device during the device object creation step, or later.
- Create a workflow object with these specific settings:
- Stage: 1100
- Application or trust store: F5 LTM Advanced
- Command Injection: tmsh restart sys service httpd
- Apply the workflow to the policy folder that holds the F5 LTM device (or at any policy level required, as long as the workflow applies to the device object).
- At this point, make sure the F5 permissions are set correctly. Log in to your F5 device as an administrator.
- Navigate to System > Users > User List.
- Create a new user matching the TPP account that was used to configure the device object and workflow. It is important that this user is given the Administrator role and that Terminal Access is set to "Advanced Shell"; refer to the screenshot below. Note that Advanced Shell is a full bash shell on the BIG-IP, so treat this TPP credential as a privileged one: use a dedicated account with a strong password and do not reuse it elsewhere.
- Once the user is configured on the F5 device, you are ready to push the certificate from TPP. Return to Web Admin, locate the device object and its application object, and select Push at the top to push the certificate:
- As you watch the status, you will see the certificate install and the applied workflow restart the httpd service, which completes the binding. Without this workflow command injection the binding does not complete and the new certificate is not in use when you browse to the F5; with it, the binding completes and validation succeeds. If you browse to the F5 device, you will see the new certificate in use:
- The certificate shows as not trusted in the screenshot because the full environment (a trusted issuing CA) was not set up; it is shown for instructional purposes only. Remember, this procedure is for enrolling the certificate of the F5 device itself.
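The browser check at the end of the procedure can be scripted. The following is an added example, not part of the original article and not Venafi or F5 code: after TPP pushes the certificate and the workflow restarts httpd, it fetches the certificate the BIG-IP management interface now presents and compares its SHA-256 fingerprint with the certificate that was pushed (a PEM copy downloaded from the TPP certificate object is assumed). The host name, port, PEM file path and the placeholder sample bytes are assumptions for illustration.

```python
"""Post-push check for the F5 device certificate.

Added example, not part of the original article and not Venafi or F5 code.
Fetches the certificate the BIG-IP management interface (httpd) serves and
compares its SHA-256 fingerprint with the PEM that TPP pushed.  Host name,
port and PEM path are assumed names used for illustration.
"""
import base64
import hashlib
import socket
import ssl


def pem_to_der(pem: str) -> bytes:
    """Decode a single PEM-encoded certificate to DER."""
    return ssl.PEM_cert_to_DER_cert(pem)


def fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint in the colon-separated upper-case form shown by TPP and the F5 GUI."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def served_certificate(host: str, port: int = 443, timeout: float = 5.0) -> bytes:
    """Return the DER certificate presented by host:port (the BIG-IP httpd).

    Chain verification is deliberately off: before the push the device usually
    serves a factory self-signed certificate, and this check is an identity
    comparison by fingerprint, not a trust decision.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


def matches(served_der: bytes, expected_pem: str) -> bool:
    """True when the served certificate is byte-for-byte the pushed one."""
    return fingerprint(served_der) == fingerprint(pem_to_der(expected_pem))


def check_device_cert(host: str, expected_pem: str, port: int = 443) -> bool:
    """Compare the live management certificate with the expected PEM and report both fingerprints."""
    served = served_certificate(host, port)
    ok = matches(served, expected_pem)
    print(f"served:   {fingerprint(served)}")
    print(f"expected: {fingerprint(pem_to_der(expected_pem))}")
    print("OK: device certificate is bound" if ok
          else "MISMATCH: httpd is still serving the old certificate (did the workflow restart it?)")
    return ok


# Constructed placeholder, not a real X.509 certificate: exercises the PEM/fingerprint path offline.
SAMPLE_DER = b"constructed placeholder bytes, not a real X.509 certificate"
SAMPLE_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    + base64.b64encode(SAMPLE_DER).decode("ascii")
    + "\n-----END CERTIFICATE-----\n"
)

if __name__ == "__main__":
    import sys
    # Assumed usage: python check_f5_cert.py bigip-mgmt.example.com /path/to/pushed.pem
    host, pem_path = sys.argv[1], sys.argv[2]
    with open(pem_path) as f:
        sys.exit(0 if check_device_cert(host, f.read()) else 1)
```

A mismatch after a successful push is the symptom described above for a missing or failing workflow: the file is on the box but httpd has not been restarted, so the old certificate is still served. Run the check again after confirming the workflow applied to the device object and that the TPP user has Advanced Shell access.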