F5 LTM Advanced application object

Defines the data necessary for Trust Protection Platform to provision certificates to current F5 Local Traffic Manager (LTM) BIG-IP devices.

F5 LTM Advanced attributes

Attribute

Description

Advanced Settings Bundle Name

UI: NA
Required: No

Policy Definable: No. Default: NA

The name of the bundle file that Trust Protection Platform will provision to the F5 appliance when it is configured to apply mutual authentication settings.

Advertised CA

UI: Advertised CA File
Required: No

Policy Definable: Yes. Default: NA

The name of the file containing CA certificates that the system advertises to clients as being trusted by the profile. This value is automatically generated and assigned by Trust Protection Platform.

Archive Location

UI: NA
Required: No

Policy Definable: No. Default: /var/local/ucs

The path where the previous certificate and key will be archived prior to provisioning the new assets.

Associate SSL Profile To

UI: Associate SSL Profile To
Required: No

Policy Definable: Yes. Default: NA

Determines whether to associate the SSL profile with a Virtual Server or a Monitor:

  • Monitor: The server will be associated with an existing Monitor. The F5 monitor type must be HTTPS or HTTP2 v15.1 or greater. Works only with BIG-IP versions greater than 13.1.0. Requires a Monitor Name.

  • Virtual Server: The SSL profile will be associated to an existing Virtual Server.

  • No Association: The SSL profile will not be associated to a Virtual Server or Monitor.

Authentication Frequency

UI: Frequency
Required: No

Policy Definable: Yes. Default: Once

The frequency of authentication for an SSL/TLS session. By default the system authenticates the client (or server depending on the SSL Profile Type) once for an SSL/TLS session. It can also be configured to authenticate every time the session is reused. Valid values are: Once and Always.

Build

UI: NA
Required: No

Policy Definable: No. Default: NA

An informational attribute set only by Trust Protection Platform. The build number of the iControl software retrieved from the F5 appliance the last time Trust Protection Platform successfully connected to it.

Bundle Certificate

UI: Bundle Certificates
Required: No

Policy Definable: Yes. Default: NA

A value of 1 specifies that Trust Protection Platform should bundle applicable root and intermediate certificates with the end-entity certificate file when it is installed on the F5 appliance.

Bundle Certificate Collection

UI: Certificate Bundle
Required: No

Policy Definable: Yes. Default: NA

Only required if Use Advanced Settings = 1. The Trust Protection Platform distinguished name of an F5 Authentication Bundle object.

Certificate Chain Name

UI: CA Chain File
Required: Yes

Policy Definable: Yes. Default: NA

The filename of the chain file to be provisioned and associated with the SSL profile. This value is required when Install Chain File is 1.

Certificate Name

UI: Certificate and Key File
Required: No

Policy Definable: No. Default: NA

An informational attribute set only by Trust Protection Platform. Read-only. The filename (without the extension) of the certificate and private keys. The driver automatically generates the name.

Chain Traversal Depth

UI: Chain Traversal Depth
Required: No

Policy Definable: Yes. Default: 9

The maximum number of certificates to be traversed in a client certificate chain.

Client Authentication Certificate

UI: Client Certificate
Required: No

Policy Definable: Yes. Default: Ignore

The method used by the system for handling client certificates. Valid values are: Ignore, Require, and Request.

Config Sync

UI: Config Sync
Required: No

Policy Definable: Yes. Default: 0

A value of 1 specifies that Trust Protection Platform will synchronize the configuration between high availability peers after the certificate and private key are installed on an F5 appliance operating in HA mode.

Connection Attempts

UI: NA
Required: No

Policy Definable: No. Default: NA

For internal use.

CRL

UI: NA
Required: No

Policy Definable: No. Default: NA

An informational attribute set only by Trust Protection Platform. Not used.

Delete Previous Cert and Key

UI: Delete Previous Cert and Key
Required: No

Policy Definable: Yes. Default: 0

A value of 1 specifies that Trust Protection Platform should delete the previous certificate and private key if they exist and if they are not associated with another SSL profile on the F5 LTM application.

Device Certificate

UI: Device Certificate
Required: No

Policy Definable: No. Default: 0

A value of 1 specifies that Trust Protection Platform is provisioning the F5 iControl and console management certificate.

File Validation Disabled

UI: Disable File Validation
Required: No

Policy Definable: Yes. Default: 0

The setting for certificate file validation:

  • 0 = Validate. Authenticate to the managed device using assigned credentials.
  • 1 = Disable validation.

Fips Key

UI: Use FIPS
Required: No

Policy Definable: Yes. Default: 0

The way to generate and install the certificate and private key. The F5 appliance requires the Federal Information Processing Standard (FIPS) module.

  • 1 = Use FIPS standards
  • 2 = Use an external HSM (NetHSM)

Force Profile Update

UI: Force Profile Update
Required: No

Policy Definable: No. Default: 0

When the password has changed since the last certificate provisioning:

  • 0 Default. Generate an error.

  • 1 Continue provisioning which includes after a brief service interruption.

Install Chain File

UI: Install Chain
Required: No

Policy Definable: Yes. Default: 0

A value of 1 specifies that Trust Protection Platform will install the chain onto the F5 appliance.

Last Used Host

UI: NA
Required: No

Policy Definable: No. Default: NA

An informational attribute set only by Trust Protection Platform. Not used.

Monitor Name

UI: Monitor
Required: Yes

Policy Definable: No. Default: NA

Required when Associate SSL Profile To is Monitor. The name of an existing F5 LTM Monitor that uses the SSL Profile.

Monitor Partition

UI: Monitor Partition
Required: Yes

Policy Definable: No. Default: NA

Required when Associate SSL Profile To is Monitor. The partition name. The default is Common.

Network Validation Disabled

UI: Disable Network Validation
Required: No

Policy Definable: Yes. Default: 0

The setting for network validation:

  • 0 = Validate by making an SSL/TLS connection to the managed device.
  • 1 = Disable network validation.

Overwrite Certificate

UI: Overwrite Certificate and Key
Required: No

Policy Definable: Yes. Default: 0

A value of 1 specifies that Trust Protection Platform should overwrite the existing certificate and private key files when it provisions a certificate and private key to the F5 appliance.

Overwrite Existing Chain

UI: Overwrite Chain File
Required: No

Policy Definable: Yes. Default: 0

A value of 1 specifies that Trust Protection Platform will overwrite the existing certificate chain file when it provisions a certificate to the F5 appliance.

If this value is not 1, Trust Protection Platform cannot provision certificates if there is an existing chain file on the F5 appliance.

Parent SSL Profile Name

UI: Parent SSL Profile
Required: No

Policy Definable: Yes. Default: NA

The name of the F5 LTM parent profile that this profile will inherit default settings from. If no value is specified, the F5 LTM default profile will be used: clientssl for Client SSL profiles and serverssl for Server SSL profiles.

Partition

UI: SSL Partition
Required: No

Policy Definable: Yes. Default: Common

The name of the partition in which the SSL profile and certificate exist. If not assigned, the Common partition is used.

Previous Certificate

UI: NA
Required: No

Policy Definable: No. Default: NA

An informational attribute set only by Trust Protection Platform. Not used.

Previous Key

UI: NA
Required: No

Policy Definable: No. Default: NA

An informational attribute set only by Trust Protection Platform. Not used.

Provisioning To

UI: Provisioning To
Required: No

Policy Definable: Yes. Default: Standalone

The High Availability (HA) state that the F5 LTM must be in, in order for Trust Protection Platform to provision to it. Valid values are: Standalone, Active, Standby, and Ignore Failover State. If the application is not in the configured state at the time provisioning is started, processing will fail and an error will be logged.

Server Authentication Certificate

UI: Server Certificate
Required: No

Policy Definable: Yes. Default: Require

The manner in which the server SSL profile handles server certificates. Valid values are: Ignore and Require.

Server Authentication Name

UI: Authenticate Name
Required: No

Policy Definable: Yes. Default: NA

The Common Name (CN) that is embedded in the server certificate. The F5 appliance authenticates a server based on the specified CN.

SNI Default

UI: SNI Default
Required: No

Policy Definable: No. Default: 0

  • 0: No Server Name Indication (SNI) Server Name.

  • 1: Use the SNI Server Name. If there is no match for the server name, or the client does not support or use SNI, use the SSL Profile Name instead.

SNI Server Name

UI: SNI Server Name
Required: No

Policy Definable: No. Default: NA

Works when SSL Profile Type is Client. The SNI Server name.

SSH Port

UI: SSH Port
Required: No

Policy Definable: Yes. Default: 22

The TCP port that Trust Protection Platform uses to communicate with the F5 appliance for operations that require an SSH connection. Port 22 is the recommended port.

SSL Profile Name

UI: SSL Profile
Required: Yes

Policy Definable: No. Default: NA

Only required if Use Advanced Settings = 1. The name of the SSL profile the certificate and private key should be associated with. Trust Protection Platform will create the profile if it does not already exist.

SSL Profile Type

UI: SSL Profile Type
Required: No

Policy Definable: No. Default: Client

The SSL profile type. Valid values are: Server and Client.

System Id

UI: NA
Required: No

Policy Definable: No. Default: NA

The system information GUID returned by the F5 appliance the last time Trust Protection Platform successfully connected to it.

Trusted CA

UI: Trusted CA File
Required: No

Policy Definable: Yes. Default: NA

The name of the bundle file containing CA certificates that the system trusts. This value is automatically generated and assigned by Trust Protection Platform.

Use Advanced Settings

UI: Use Advanced Settings
Required: No

Policy Definable: Yes. Default: 0

A value of 1 specifies that Trust Protection Platform should provision and configure items related to mutual authentication. Also requires Bundle Certificate Collection.

Use Basic Provisioning

UI: Use Basic Provisioning
Required: No

Policy Definable: Yes. Default: 0

A value of 1 specifies that Trust Protection Platform should limit its operations to provisioning the certificate, private key, and chain. No advanced management will be performed.

Use REST API

UI: NA
Required: No

Policy Definable: Yes. Default: 1

Instructs the F5 LTM Advanced driver:

  • 0: F5 LTM application driver provisions via the older iControl SOAP API.

  • 1: F5 LTM application driver provisions via the F5 iControl REST API.

Version

UI: iControl Version
Required: No

Policy Definable: No. Default: NA

An informational attribute set only by Trust Protection Platform. The version of the iControl software running on the F5 appliance. This value is assigned automatically by the driver when it successfully connects to the F5 appliance.

Virtual Server Name

UI: Virtual Server
Required: Yes

Policy Definable: Yes. Default: NA

Required when Associate SSL Profile To is Virtual Server. The name of an existing F5 LTM Virtual Server that uses the SSL Profile.

Virtual Server Partition

UI: Virtual Server Partition
Required: No

Policy Definable: Yes. Default: Common

The name of the partition in which the virtual server associated with the SSL profile exists. If not assigned, the Common partition is used.
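
The conditional requirements and valid values listed in the table above can be checked before an object is submitted for provisioning. The following is an added example, not Venafi or F5 code; the dict layout, the string-typed values, the review list and the sample input are assumptions made for illustration.

```python
# Added example: lint a constructed F5 LTM Advanced attribute set against the
# dependencies and valid values listed in the table above. The dict layout and
# string-typed values are assumptions, not a Trust Protection Platform API.
VALID = {
    "Authentication Frequency": {"Once", "Always"},
    "Client Authentication Certificate": {"Ignore", "Require", "Request"},
    "Server Authentication Certificate": {"Ignore", "Require"},
    "Provisioning To": {"Standalone", "Active", "Standby", "Ignore Failover State"},
    "SSL Profile Type": {"Server", "Client"},
    "Associate SSL Profile To": {"Monitor", "Virtual Server", "No Association"},
}

# (trigger attribute, trigger value, attribute that then becomes required)
DEPENDS = [
    ("Associate SSL Profile To", "Monitor", "Monitor Name"),
    ("Associate SSL Profile To", "Virtual Server", "Virtual Server Name"),
    ("Use Advanced Settings", "1", "Bundle Certificate Collection"),
    ("Use Advanced Settings", "1", "SSL Profile Name"),
    ("Install Chain File", "1", "Certificate Chain Name"),
]

# Settings flagged for a second look in review (this list is the example's choice).
REVIEW = ("File Validation Disabled", "Network Validation Disabled")

def lint(attrs):
    """Return (errors, warnings) for one application object's attributes."""
    errors, warnings = [], []
    for name, allowed in VALID.items():
        if name in attrs and attrs[name] not in allowed:
            errors.append(f"{name}: invalid value {attrs[name]!r}")
    for trigger, value, needed in DEPENDS:
        if attrs.get(trigger) == value and not attrs.get(needed):
            errors.append(f"{needed}: required when {trigger} = {value}")
    for name in REVIEW:
        if attrs.get(name) == "1":
            warnings.append(f"{name} = 1: validation is disabled")
    return errors, warnings

# Constructed sample input, not taken from a real deployment.
SAMPLE = {
    "Associate SSL Profile To": "Monitor",
    "Use Advanced Settings": "1",
    "SSL Profile Name": "example-clientssl",
    "Client Authentication Certificate": "Required",  # typo for "Require"
    "Network Validation Disabled": "1",
}

if __name__ == "__main__":
    errs, warns = lint(SAMPLE)
    print("\n".join(["ERROR " + e for e in errs] + ["WARN  " + w for w in warns]))
```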