Skip to content

Keyfactor/f5-bigiq-rest-orchestrator

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

Β 

History

16 Commits
.github/workflows
.github/workflows
Β 
Β 
F5BigIQ
F5BigIQ
Β 
Β 
docsource
docsource
Β 
Β 
.gitignore
.gitignore
Β 
Β 
CHANGELOG.md
CHANGELOG.md
Β 
Β 
F5BigIQ.sln
F5BigIQ.sln
Β 
Β 
LICENSE
LICENSE
Β 
Β 
README.md
README.md
Β 
Β 
integration-manifest.json
integration-manifest.json
Β 
Β 

Repository files navigation

F5 BigIQ Universal Orchestrator Extension

Integration Status: production Release Issues GitHub Downloads (all assets, all releases)

Support Β· Installation Β· License Β· Related Integrations

Overview

The F5 Big IQ Orchestrator Extension supports the following use cases:

  • Inventories an existing F5 Big IQ device to import SSL certificates into Keyfactor Command for management
  • Add an existing or newly enrolled certificate and private key to an existing F5 Big IQ device not already on that device.
  • Remove a certificate and private key from an existing F5 Big IQ device.
  • Add an existing or newly enrolled certificate and private key to an existing F5 Big IQ device already on that device. Optionally (based on the DeployCertificateOnRenewal setting on the certificate store), the newly renewed/replaced certificate will be deployed to any linked F5 Big IP device.
  • Reenrollment (On Device Key Generation) of a new or existing certificate on the F5 Big IQ device. In this use case, the key pair and CSR will be created on the F5 Big IQ device, Keyfactor Command will enroll the certificate, and the certificate will then be installed on the device. If the DeployCertificateOnRenewal option is set, the certificate will be deployed to any linked F5 Big IP devices.

Use cases NOT supported by the F5 Big IQ Orchestrator Extension:

  • Creating new binding relationships between F5 Big IQ and any linked F5 Big IP devices.
  • Storing binding relationships in Keyfactor Command during Inventory.

Compatibility

This integration is compatible with Keyfactor Universal Orchestrator version 10.4 and later.

Support

The F5 BigIQ Universal Orchestrator extension is supported by Keyfactor. If you require support for any issues or have feature request, please open a support ticket by either contacting your Keyfactor representative or via the Keyfactor Support Portal at https://support.keyfactor.com.

If you want to contribute bug fixes or additional enhancements, use the Pull requests tab.

Requirements & Prerequisites

Before installing the F5 BigIQ Universal Orchestrator extension, we recommend that you install kfutil. Kfutil is a command-line tool that simplifies the process of creating store types, installing extensions, and instantiating certificate stores in Keyfactor Command.

When creating a Keyfactor Command Certificate Store, you will be asked to enter server credentials. These credentials will serve two purposes:

  1. They will be used to authenticate to the F5 Big IQ instance when accessing API endpoints. Please make sure these credentials have Admin authority on F5 Big IQ.
  2. When Inventorying and Adding/Replacing certificates it will be necessary for certificate files to be transferred to and from the F5 device. The F5 Big IQ Orchestrator Extension uses SCP (Secure Copy Protocol) to perform these functions. Please make sure your F5 Big IQ device is set up to allow SCP to transfer files to /var/config/rest/downloads (a reserved F5 Big IQ folder used for file transfers) and from /var/config/rest/fileobject (the certificate file location path) and all subfolders. Other configuration tasks may be necessary in your environment to enable this feature.

F5-BigIQ Certificate Store Type

To use the F5 BigIQ Universal Orchestrator extension, you must create the F5-BigIQ Certificate Store Type. This only needs to happen once per Keyfactor Command instance.

Supported Operations

Operation Is Supported
Add βœ… Checked
Remove βœ… Checked
Discovery πŸ”² Unchecked
Reenrollment βœ… Checked
Create πŸ”² Unchecked

Store Type Creation

Using kfutil:

kfutil is a custom CLI for the Keyfactor Command API and can be used to create certificate store types. For more information on kfutil check out the docs

Click to expand F5-BigIQ kfutil details
Using online definition from GitHub:

This will reach out to GitHub and pull the latest store-type definition

# F5 Big IQ
kfutil store-types create F5-BigIQ
Offline creation using integration-manifest file:

If required, it is possible to create store types from the integration-manifest.json included in this repo. You would first download the integration-manifest.json and then run the following command in your offline environment.

kfutil store-types create --from-file integration-manifest.json

Manual Creation

Below are instructions on how to create the F5-BigIQ store type manually in the Keyfactor Command Portal

Click to expand manual F5-BigIQ details

Create a store type called F5-BigIQ with the attributes in the tables below:

Basic Tab
Attribute Value Description
Name F5 Big IQ Display name for the store type (may be customized)
Short Name F5-BigIQ Short display name for the store type
Capability F5-BigIQ Store type name orchestrator will register with. Check the box to allow entry of value
Supports Add βœ… Checked Check the box. Indicates that the Store Type supports Management Add
Supports Remove βœ… Checked Check the box. Indicates that the Store Type supports Management Remove
Supports Discovery πŸ”² Unchecked Indicates that the Store Type supports Discovery
Supports Reenrollment βœ… Checked Indicates that the Store Type supports Reenrollment
Supports Create πŸ”² Unchecked Indicates that the Store Type supports store creation
Needs Server βœ… Checked Determines if a target server name is required when creating store
Blueprint Allowed βœ… Checked Determines if store type may be included in an Orchestrator blueprint
Uses PowerShell πŸ”² Unchecked Determines if underlying implementation is PowerShell
Requires Store Password πŸ”² Unchecked Enables users to optionally specify a store password when defining a Certificate Store.
Supports Entry Password πŸ”² Unchecked Determines if an individual entry within a store can have a password.

The Basic tab should look like this:

F5-BigIQ Basic Tab

Advanced Tab
Attribute Value Description
Supports Custom Alias Required Determines if an individual entry within a store can have a custom Alias.
Private Key Handling Required This determines if Keyfactor can send the private key associated with a certificate to the store. Required because IIS certificates without private keys would be invalid.
PFX Password Style Default 'Default' - PFX password is randomly generated, 'Custom' - PFX password may be specified when the enrollment job is created (Requires the Allow Custom Password application setting to be enabled.)

The Advanced tab should look like this:

F5-BigIQ Advanced Tab

For Keyfactor Command versions 24.4 and later, a Certificate Format dropdown is available with PFX and PEM options. Ensure that PFX is selected, as this determines the format of new and renewed certificates sent to the Orchestrator during a Management job. Currently, all Keyfactor-supported Orchestrator extensions support only PFX.

Custom Fields Tab

Custom fields operate at the certificate store level and are used to control how the orchestrator connects to the remote target server containing the certificate store to be managed. The following custom fields should be added to the store type:

Name Display Name Description Type Default Value/Options Required
DeployCertificateOnRenewal Deploy Certificate to Linked Big IP on Renewal This optional setting determines whether renewed certificates (Management-Add jobs with Overwrite selected) will be deployed to all linked Big IP devices. Linked devices are determined by looking at all of the client-ssl profiles that reference the renewed certificate that have an associated virtual server linked to a Big IP device. An immediate deployment is then scheduled within F5 Big IQ for each linked Big IP device. Bool false πŸ”² Unchecked
IgnoreSSLWarning Ignore SSL Warning If you use a self signed certificate for the F5 Big IQ portal, you will need to add this optional Custom Field and set the value to True on the managed certificate store. Bool false πŸ”² Unchecked
UseTokenAuth Use Token Authentication If you prefer to use F5 Big IQ's Token Authentication to authenticate F5 Big IQ API calls, you will need to add this optional Custom Field and set the value to True on the managed certificate store. If set to True for the store, the userid/password credentials you set for the certificate store will be used once to receive a token. This token is then used for all subsequent API calls for the duration of the job. If this option does not exist or is set to False, the userid/password credentials you set for the certificate store will be used for all API calls. Bool false πŸ”² Unchecked
LoginProviderName Authentication Provider Name If Use Token Authentication is selected, you may optionally add a value for the authentication provider F5 Big IQ will use to retrieve the auth token. If you choose not to add this field or leave it blank on the certificate store (with no default value set), the default of "TMOS" will be used. String πŸ”² Unchecked
ServerUsername Server Username Login credential for the F5 Big IQ device. MUST be an Admin account. Secret πŸ”² Unchecked
ServerPassword Server Password Login password for the F5 Big IQ device. Secret πŸ”² Unchecked

The Custom Fields tab should look like this:

F5-BigIQ Custom Fields Tab

Entry Parameters Tab
Name Display Name Description Type Default Value Entry has a private key Adding an entry Removing an entry Reenrolling an entry
Alias Alias (Reenrollment only) The name F5 Big IQ uses to identify the certificate String πŸ”² Unchecked πŸ”² Unchecked πŸ”² Unchecked βœ… Checked
Overwrite Overwrite (Reenrollment only) Allow overwriting an existing certificate when reenrolling? Bool False πŸ”² Unchecked πŸ”² Unchecked πŸ”² Unchecked βœ… Checked
SANs SANs (Reenrollment only) External SANs for the requested certificate. Each SAN must be prefixed with the type (DNS: or IP:) and multiple SANs must be delimitted by an ampersand (&). Example: DNS:server.domain.com&IP:127.0.0.1&DNS:server2.domain.com. This is an optional field. String πŸ”² Unchecked πŸ”² Unchecked πŸ”² Unchecked πŸ”² Unchecked

The Entry Parameters tab should look like this:

F5-BigIQ Entry Parameters Tab

Installation

  1. Download the latest F5 BigIQ Universal Orchestrator extension from GitHub.

    Navigate to the F5 BigIQ Universal Orchestrator extension GitHub version page. Refer to the compatibility matrix below to determine whether the net6.0 or net8.0 asset should be downloaded. Then, click the corresponding asset to download the zip archive.

    Universal Orchestrator Version Latest .NET version installed on the Universal Orchestrator server rollForward condition in Orchestrator.runtimeconfig.json f5-bigiq-rest-orchestrator .NET version to download
    Older than 11.0.0 net6.0
    Between 11.0.0 and 11.5.1 (inclusive) net6.0 net6.0
    Between 11.0.0 and 11.5.1 (inclusive) net8.0 Disable net6.0
    Between 11.0.0 and 11.5.1 (inclusive) net8.0 LatestMajor net8.0
    11.6 and newer net8.0 net8.0

    Unzip the archive containing extension assemblies to a known location.

    Note If you don't see an asset with a corresponding .NET version, you should always assume that it was compiled for net6.0.

  2. Locate the Universal Orchestrator extensions directory.

    • Default on Windows - C:\Program Files\Keyfactor\Keyfactor Orchestrator\extensions
    • Default on Linux - /opt/keyfactor/orchestrator/extensions

  3. Create a new directory for the F5 BigIQ Universal Orchestrator extension inside the extensions directory.

    Create a new directory called f5-bigiq-rest-orchestrator.

    The directory name does not need to match any names used elsewhere; it just has to be unique within the extensions directory.

  4. Copy the contents of the downloaded and unzipped assemblies from step 2 to the f5-bigiq-rest-orchestrator directory.

  5. Restart the Universal Orchestrator service.

    Refer to Starting/Restarting the Universal Orchestrator service.

  6. (optional) PAM Integration

    The F5 BigIQ Universal Orchestrator extension is compatible with all supported Keyfactor PAM extensions to resolve PAM-eligible secrets. PAM extensions running on Universal Orchestrators enable secure retrieval of secrets from a connected PAM provider.

    To configure a PAM provider, reference the Keyfactor Integration Catalog to select an extension and follow the associated instructions to install it on the Universal Orchestrator (remote).

The above installation steps can be supplemented by the official Command documentation.

Defining Certificate Stores

Store Creation

Manually with the Command UI

Click to expand details

  1. Navigate to the Certificate Stores page in Keyfactor Command.

    Log into Keyfactor Command, toggle the Locations dropdown, and click Certificate Stores.

  2. Add a Certificate Store.

    Click the Add button to add a new Certificate Store. Use the table below to populate the Attributes in the Add form.

    Attribute Description
    Category Select "F5 Big IQ" or the customized certificate store name from the previous step.
    Container Optional container to associate certificate store with.
    Client Machine
    Store Path
    Orchestrator Select an approved orchestrator capable of managing F5-BigIQ certificates. Specifically, one with the F5-BigIQ capability.
    DeployCertificateOnRenewal This optional setting determines whether renewed certificates (Management-Add jobs with Overwrite selected) will be deployed to all linked Big IP devices. Linked devices are determined by looking at all of the client-ssl profiles that reference the renewed certificate that have an associated virtual server linked to a Big IP device. An immediate deployment is then scheduled within F5 Big IQ for each linked Big IP device.
    IgnoreSSLWarning If you use a self signed certificate for the F5 Big IQ portal, you will need to add this optional Custom Field and set the value to True on the managed certificate store.
    UseTokenAuth If you prefer to use F5 Big IQ's Token Authentication to authenticate F5 Big IQ API calls, you will need to add this optional Custom Field and set the value to True on the managed certificate store. If set to True for the store, the userid/password credentials you set for the certificate store will be used once to receive a token. This token is then used for all subsequent API calls for the duration of the job. If this option does not exist or is set to False, the userid/password credentials you set for the certificate store will be used for all API calls.
    LoginProviderName If Use Token Authentication is selected, you may optionally add a value for the authentication provider F5 Big IQ will use to retrieve the auth token. If you choose not to add this field or leave it blank on the certificate store (with no default value set), the default of "TMOS" will be used.
    ServerUsername Login credential for the F5 Big IQ device. MUST be an Admin account.
    ServerPassword Login password for the F5 Big IQ device.

Using kfutil CLI

Click to expand details

  1. Generate a CSV template for the F5-BigIQ certificate store

    kfutil stores import generate-template --store-type-name F5-BigIQ --outpath F5-BigIQ.csv

  2. Populate the generated CSV file

    Open the CSV file, and reference the table below to populate parameters for each Attribute.

    Attribute Description
    Category Select "F5 Big IQ" or the customized certificate store name from the previous step.
    Container Optional container to associate certificate store with.
    Client Machine
    Store Path
    Orchestrator Select an approved orchestrator capable of managing F5-BigIQ certificates. Specifically, one with the F5-BigIQ capability.
    Properties.DeployCertificateOnRenewal This optional setting determines whether renewed certificates (Management-Add jobs with Overwrite selected) will be deployed to all linked Big IP devices. Linked devices are determined by looking at all of the client-ssl profiles that reference the renewed certificate that have an associated virtual server linked to a Big IP device. An immediate deployment is then scheduled within F5 Big IQ for each linked Big IP device.
    Properties.IgnoreSSLWarning If you use a self signed certificate for the F5 Big IQ portal, you will need to add this optional Custom Field and set the value to True on the managed certificate store.
    Properties.UseTokenAuth If you prefer to use F5 Big IQ's Token Authentication to authenticate F5 Big IQ API calls, you will need to add this optional Custom Field and set the value to True on the managed certificate store. If set to True for the store, the userid/password credentials you set for the certificate store will be used once to receive a token. This token is then used for all subsequent API calls for the duration of the job. If this option does not exist or is set to False, the userid/password credentials you set for the certificate store will be used for all API calls.
    Properties.LoginProviderName If Use Token Authentication is selected, you may optionally add a value for the authentication provider F5 Big IQ will use to retrieve the auth token. If you choose not to add this field or leave it blank on the certificate store (with no default value set), the default of "TMOS" will be used.
    Properties.ServerUsername Login credential for the F5 Big IQ device. MUST be an Admin account.
    Properties.ServerPassword Login password for the F5 Big IQ device.

  3. Import the CSV file to create the certificate stores

    kfutil stores import csv --store-type-name F5-BigIQ --file F5-BigIQ.csv

PAM Provider Eligible Fields

Attributes eligible for retrieval by a PAM Provider on the Universal Orchestrator

If a PAM provider was installed on the Universal Orchestrator in the Installation section, the following parameters can be configured for retrieval on the Universal Orchestrator.

Attribute Description
ServerUsername Login credential for the F5 Big IQ device. MUST be an Admin account.
ServerPassword Login password for the F5 Big IQ device.

Please refer to the Universal Orchestrator (remote) usage section (PAM providers on the Keyfactor Integration Catalog) for your selected PAM provider for instructions on how to load attributes orchestrator-side.

Any secret can be rendered by a PAM provider installed on the Keyfactor Command server. The above parameters are specific to attributes that can be fetched by an installed PAM provider running on the Universal Orchestrator server itself.

The content in this section can be supplemented by the official Command documentation.

License

Apache License 2.0, see LICENSE.

Related Integrations

See all Keyfactor Universal Orchestrator extensions.

About

The F5 Big IQ Orchestrator allows for the remote management of F5 Big IQ certificate stores

Topics

keyfactor-universal-orchestrator

Resources

Readme

License

Apache-2.0 license
Activity
Custom properties

Stars

0 stars

Watchers

3 watching

Forks

0 forks
Report repository

Releases 38

1.2.1 Latest
Oct 9, 2025
+ 37 releases

Contributors 5

Languages