Configuring an F5 LTM Advanced application object

To enable Trust Protection Platform to manage PEM files installed on BIG-IP F5 LTM network appliances using the iControl API, you must configure the F5 LTM Advanced application object. This object provides the information Trust Protection Platform needs to monitor, enroll, or provision PEM files on associated network appliances.

BEST PRACTICE  Consider managing object settings using a policy. For more information, see Managing applications using policies.

To see a list of supported provisioning drivers, see TrustForce: certificate installation (provisioning) driver support.

Limitations of Trust Protection Platform and the F5 LTM Advanced driver

Overwrite Certificate and Key

Assets that are in use cannot be overwritten and replaced.

Delete Previous Cert and Key

Does not use generational management.

Password-encrypted private keys

Onboard Discovery cannot import this type of key.

Certificate Partition

Profile and certificate can exist in different partitions; but this configuration is not supported for provisioning and will result in Onboard Validation failures.

Onboard Validation

Does not validate the virtual server and profile associations of the certificate

SNI

SNI (Server Name Indication) profiles are supported by Trust Protection Platform and the F5 LTM Advanced driver.

NOTE  You can use the Venafi driver to introduce SNI configurations even if they do not yet exist on F5, provided that they do not affect existing F5 settings. Also, you cannot overwrite existing F5 settings.

DID YOU KNOW?  When you add an installation to a certificate, you'll have the option of defining (and editing) this object during that process, which means that you don't have to log in to Policy Tree as the following procedure describes. And because the settings are the same, you can use this topic for information about each setting.

For more information, see Creating a certificate installation.

To create and configure an F5 LTM Advanced application object

  1. From the TLS Protect menu bar, click Policy tree.

  2. In the Policy tree, select the device object to which you want to add the new application object, and then click Add > Application, and then select F5LTM .
  3. When the new application object page appears, then under Status, clear the Processing Disabled checkbox.

    When checked, this option disables provisioning of the certificates installed on the current application. This means that Trust Protection Platform does not attempt to install, renew, process, or validate certificates on the application.

  4. (Optional) In the Device Certificate box, click to select and associate a certificate with the new application.

    NOTE  If you don't have a certificate ready, you can do this later or you can do it on the certificate's Association tab.

    To associate a certificate with the current application, you must have write permissions to the application object and either write or associate permissions to the certificate object.

    For detailed information on associating a certificate with an application, see Associating a certificate with an application object.

  5. Under General, do the following:

    1. In the Application Name field, type a name for the new application.
    2. (Optional) In the Description field, type a description for the purpose of the application.

      A strong description can help to provide context for other administrators who might need to manage the new application.

    3. In the Contacts field, select user or group identities you want assigned to this application object (or choose the Use policy value to configure contacts using a policy).

      Default system notifications are sent to the contact identities. The default contact is the master administrator.

      TIP  If the Identity Selector dialog is not populated when it first opens, enter a search query to retrieve the Identity list. The administration console does not automatically display external users and groups. You must first enter a search string so Trust Protection Platform can query the external Identity store, then return the list of requested users or groups. If you want to display all user or group entries, enter the wildcard character (*).

      Press Shift+click to select multiple, contiguous users and groups. Press Ctrl+click to select multiple, discontiguous users and groups.

    4. In the Approvers field, select user or group Identities you want to assign to approve workflows (certificate approval or injection command) for the new application.

      The default approver is the master administrator. For more information on defining workflow objects, see Implementing certificate workflow management.

    5. (Conditional) If your application (or certificate) object is affected by a defined workflow and you want users to use a console other than Policy Tree, click Managed By and select which administration console to use as part of the workflow.

      You only need to configure this if you are using workflows and expect users to perform a task using a particular administration console. The default setting is Policy Tree.

      For more information, see Specify folders and certificates to be managed by TLS Protect .

  6. Under Application Information, do the following:

    1. Click next to Application Credential to browse for the credential object that you want to use to authenticate with the application.

      DID YOU KNOW?  Credential objects store the credentials Trust Protection Platform uses to authenticate with devices, applications, and CAs. The stored credential might be a user name or private key credential; some drivers—such as F5, which is not SSH-based—can only use the user name credential for authentication.

      NOTE  The user account you select must have Read and Write access to the Temporary, Private Key, and Certificate directories.

      For more information, see Working with system credentials.

      DID YOU KNOW?  The Connection Method is the protocol that Trust Protection Platform uses to connect to the server and manage the certificates installed on that server. In an application object's settings, this field is typically read-only.

    2. (Read Only) The iControl Version field shows the last detected version of iControl when the driver was connected to the F5 host device/application.
    3. Click the Connection Method list, click the protocol to use—HTTPS or SSH—and then in the Port field, specify the associated port number.
    4. In the HTTPS Port field, type the port that Trust Protection Platform should use to communicate with your appliance.

      DID YOU KNOW?  By default, all communication between the F5 LTM Advanced driver and F5 (iControl) is done using port 443 except for Workflow command injection, which uses port 22 (SSH) by default. However, workflow command injection isn’t commonly used with F5 for several reasons, including the following:

      • The F5 driver is robust enough that it typically does not require additional functionality
      • Would require elevated permissions
      • Would also require command line access
    5. (Conditional) In the SSH Port field, specify the port number that Trust Protection Platform should use to communicate with the appliance via an SSH connection.

      The default SSH port assignment is 22.

  1. Complete the F5 F5 LTM Advanced Advanced application settings by referring to the following table:

    Field

    Policy

    Description

    Certificate & Key Settings

     

    The following are server-specific certificate settings. They are referenced only when you associate a certificate with subordinate BIG-IP F5 LTM Application objects.

    Device Certificate

     

    Select this option if you wish to provision the F5 F5 LTM Advanced's iControl console management certificate.

    Provisioning Mode

    This setting overrides all provisioning settings except for Certificate & Key Settings. It provisions the PEM file that contains a certificate, private key, and (optional) chain bundle to the F5 Big IP LTM keystore. This setting requires the TLS Protect user role on the LTM.

    If you want encryption, be sure to configure the Private Key Credential. Otherwise, the private key is non-encrypted. Choose the Provisioning Mode:

    • Advanced: This is the default and it not only provisions the certificate, private key, and (optionally) chain bundle, it binds those assets to an SSL profile and, if the SSL profile doesn’t already exist, it creates the profile and assigns it to a virtual server
    • Basic with configurable Certificate Name: This only provisions the certificate, private key, and (optionally) chain bundle and it allows for the user to specify their own name for the certificate. If an existing certificate is found with the requested name then a numeric suffix will be appended to the name until uniqueness is achieved.
    • Basic with automatic Certificate Name: This only provisions the certificate, private key, and (optionally) chain bundle and uses the same automatic naming convention used by Advanced to ensure the certificate name is unique.

      The naming convention is: <Common Name>-<Expiration Date as DDMMMYY>-<Serial Number>

      If the Common Name results in a name that would exceed the character limit of the F5, characters are trimmed from the end of the common name until an allowable length is achieved.

    Certificate & Key File

     

    This read-only field displays the filename of the certificate associated with the current F5 LTM Application object once it is provisioned. If it has not yet been provisioned there will be no value in this field. This setting applies when Provisioning Mode is Advanced or Basic.

    Private Key Credential

     

    The password that encrypts the private key.

    Force Profile Update

     

    Used to handle situations where the password has changed between generations of the certificate.

    When set to No—which is the default setting—then Trust Protection Platform displays an error stating that provisioning could not be done because the password has changed since the last time it was provisioned.

    When set to Yes, then Trust Protection Platform continues with provisioning; however, there will be a brief service interruption during provisioning.

    Install Chain

    Option to install the chain on the F5 LTM application.

    Bundle Certificates

    Option to bundle the root and intermediate root certificates with the certificate file installed on the current BIG-IP F5 LTM appliance.

    Overwrite Chain File

    Overwrites the existing certificate chain file when it provisions a certificate on the BIG-IP F5 LTM appliance.

    If you do not select this option, Trust Protection Platform cannot provision certificates if there is an existing certificate on this network appliance.

    CA Chain File

     

    Filename of the chain file associated with the current BIG-IP F5 LTM Application object.

    Key Security Type

    Creates the certificate and private key in accordance with the Federal Information Processing Standard (FIPS) or stored on an external HSM (NetHSM). This setting ensures the certificate that is installed on the current BIG-IP F5 LTM appliance meets FIPS requirements or the private key is created and stored on an external HSM (the associated certificate must set "Generate Key/CSR on Application" to "Yes").

    On the F5, FIPS and NetHSM require configuration. See the F5 documentation.

    NOTE  Advanced Key Protect must be Enabled to use the NetHSM (external HSM) option.

    Overwrite Certificate and Key

    Overwrites the existing certificate and key file when it provisions a certificate and non-encrypted private key on the BIG-IP F5 LTM appliance.

    Delete Previous Cert and Key

    This option allows you to choose if you want to attempt to delete the previous certificate and key if they exists and if they are not associated with another SSL profile on the F5 LTM application.

    High Availability Settings

     

    The following settings let you configure options for F5 LTM applications running in high availability (HA) pairs or clusters.

    DID YOU KNOW?  These options provide a work-around to the more common (and often recommended) floating IP configuration for F5s running in HA mode. If using a Floating IP is not an option, then these HA options can help you to provision your F5s that are configured for failover.

    Provisioning To

    Venafi recommends that you provision to the floating management IP of the F5 Big-IP, in which case you'll always be provisioning to an active node. However, if for some reason you can't (or choose not to) provision to the floating IP, then you must provision directly to each appliance. In this case, you'll need to decide if you want Trust Protection Platform to update the Active node, Standby node, or both (Ignore Failover State).

    You can select between Standalone, Active, Standby or Ignore modes.

    • Standalone: use when you have only one server.
    • Active: use when you want Trust Protection Platform to provision only to active F5 appliances.
    • Standby: use when you want Trust Protection Platform to provision only to F5 appliances that are in stand by mode.
    • Ignore: use when you want Trust Protection Platform to provision to F5 appliances regardless of whether or not they're in active or stand-by modes.

      When selected, the Ignore option bypasses logic in the provisioning steps where Trust Protection Platform checks the state of the F5 Big IP node it's provisioning to where there is a pair or cluster. This meets a use-case where the F5 Big IP LTM pair or cluster is not configured with a floating IP address and you do not want the state to be checked or considered when provisioning the certificate to the defined host because it may change over time.

    Keep the following in mind when considering provisioning directly to each F5 appliance:

    • Provisioning directly requires twice the number of F5 application objects: one set for the first appliance and a duplicate set for the second.
    • If you choose Active or Standby, then provisioning to half of those F5 apps is going to fail because the appliance isn't in the HA state required for Trust Protection Platform to provision to it; this also means that after provisioning is complete, you'll have to perform additional work to clear errors.

      TIP  You can automate the additional work using Adaptable Log Channel or Adaptable Workflow.

    • If you choose Ignore Failover State, then both appliances are updated; however, about half of the work that the F5 driver does will be lost; this is because the Config Sync will overwrite the updates made to the target of the sync.

    Config Sync

    This option allows you to choose the if you would like the driver to execute a config synchronization after the certificate and key is installed on the F5 LTM application running in HA mode.

    SSL Profile Settings

    The following settings allow you to configure the SSL Profile name, type, parent profile, virtual server and partition with which the certificate will be associated on the F5 LTM application.

    SSL Profile

    NA

    Specify the name of the F5 LTM SSL Profile you wish to create (if it does not exists) or with which to associate the certificate.

    SSL Profile Type

     

    Use to select the F5 LTM profile type: Server or Client.

    Parent SSL Profile

    Specify the name of the F5 LTM Parent SSL Profile that the SSL Profile will use to inherit its settings from. If no value is specified here, the F5 LTM Default SSL Profile is used.

    SSL Partition

    Specify the name of the F5 LTM Partition that the Certificate and SSL Profile will be installed in. If no value is specified, the default partition is used.

    SNI Server Name

     

    Type the name of the SNI server to enable provisioning of certificates that are being used in SNI configurations.

    This field is only enabled when you specify Client as the SSL Profile Type.

    SNI Default

     

    When set, this SSL profile is used as the default profile when there is no match for the server name, or when the client does not support or use SNI.

    For a single virtual server with multiple client/server SSL profiles, this setting can be enabled for one client and one server SSL profile only.

    DID YOU KNOW?  So what's the use case for this option? Suppose you have one web server that is hosting ten different websites where all of their domains resolve to the same IP address. But you want to have SSL certificates for each one of those sites. Before SNI, you could accomplish this using one of three methods:

    • Configure each site to run on different ports from the default SSL port (443): https://site1.net (running on 443) and https://site2.net:8080 and https://site3.org:8081. But this solution forces users to specify the port number for sites 2 and 3 for all HTTPS connections.
    • Set dedicated IP addresses for each website (using the default port since each site has it's own address).
    • Set a server-wide SSL certificate; however, when users visit https://site1.net, they would receive a certificate validation error because the presented certificate would be issued for server-name.net, the root server. This error would occur for all web sites on that server.

    SNI removes the requirement for a dedicated IP or a different port because it lets you use one certificate with multiple DNS SANs (one for each site). Therefore, when users visit https://site1.net or https://site2.net, they're presented with a valid certificate.

    SSL Profile Association

     

    The following settings require information to associate a server SSL profile to an F5 monitor or an existing virtual server.

    Associate SSL Profile To

     

    You can select between Monitor, Virtual Server, or No Association.

    • Monitor: Use to associate an SSL profile to an F5 monitor. Associating monitor to SSL Profile will work only with BIG IP versions greater than 13.1.0.
      The F5 monitor type must be https or http2.
      http2 monitors supported are from versions V15.1 or greater.

    • Virtual Server: Use when you have an existing virtual server that is running on an F5 LTM. Always set up your virtual server prior to creating this F5 LTM application.

    • No Association: Use to provision without associating to any virtual server or monitor.

    Virtual Server

    This field only applies when Virtual Server is selected to associated the SSL profile to. Specify the name of an existing F5 LTM Virtual Server that the SSL Profile will be associated with. This is a required field.

    Virtual Server Partition

    This field only applies when Virtual server is selected to associated the SSL profile to. Specify the name of an existing F5 LTM Partition that runs the virtual server. If no value is specified the default partition will be used.

    Monitor

     

    This field only applies when Monitor is selected to associated the SSL profile to. Specify the name of the monitor that the SSL profile with be associated with . This is a required field.

    Monitor Partition

     

    This field only applies when Monitor is selected to associated the SSL profile to. (Optional) Specify the monitor partition. If no value is specified, the common partition will be used.

    Advanced Settings

     

    The following settings allow you to configure advanced settings for the SSL profile related to Mutual Authentication and truststore bundle provisioning.

    Use Advanced Settings

    This field and all of the others (except the last two display fields) can be controlled with policy. This checkbox turns on or off all the fields in the Advanced Settings section. If you are not using Mutual Authentication on your F5 LTMs, it can help the driver to be less complicated for your Trust Protection Platform users who are setting up F5 Big IP LTM application.

    Client Certificate

    This field is only available if you choose 'Client' in the SSL Profile Type field in the SSL section in the F5 LTM Advanced driver settings. For a Client SSL Profile type the choices are "ignore", "require", "request" or "auto". This setting specifies the way the system handles client certificates. The default is Ignore.

    Ignore: Specifies that the system ignores certificates from client systems. Server & Client Profiles

    Require: Specifies that the system requires a client to present a valid certificate. Server & Client Profile

    Auto: Specifies that the system ignores a client certificate until an authentication module requests one. Client Only

    Request: Specifies that the system requests a valid certificate from a client but always authenticate the client. Client Only

    Server Certificate

    This field is only available if you choose 'Server' in the SSL Profile Type field in the SSL section in the F5 LTM Advanced driver settings. For a Server SSL Profile type, the choices in this drop-down are "ignore" or "require",

    Ignore: Specifies that the system ignores certificates from client systems. Server & Client Profiles

    Require: Specifies that the system requires a client to present a valid certificate. Server & Client Profile

    Frequency

    For both Server and Client SSL Profiles, the choices here are "Once" or "Always". This value defines the frequency of client authentication for an SSL session. The default is Once, which specifies that the system authenticates the client once for an SSL session. Always specifies that the system authenticates the client once for an SSL session and also upon reuse of that session.

    Chain Traversal Depth

    You can choose a number from 1 to 9, with 9 being the default depth value. Specifies the maximum number of certificates to be traversed in a client certificate chain.

    Certificate Bundle

    This field lets you select an F5 Authentication bundle for one or more certificates that will be provisioned to the F5 and associated with the profile as the authentication bundle used for mutual authentication. Click to make your selection from the Policy tree.

    If there are no bundles listed, you must first create one. For more information about creating an authentication bundle, see About managing an F5 authentication bundle.

    Authentication Name

    This field only applies to Server SSL Profiles and will not be selectable when a Client SSL Profile type if selected. This field specifies a Common Name (CN) that is embedded in a server certificate. The system authenticates a server based on the specified CN. The CN name must be a valid fully qualified domain name (FQDN), and hence the authenticate name specified must also be a FQDN. Note that the Domain Name System (DNS) does not allow the underscore ( _) character in CN names, although it does allow the dash ( -) character.

    IMPORTANT  If you select Require in Server Certificate, make sure to specify a value in Authenticate Name as well. A blank Authenticate Name field means that everyone is authenticated, even though you have specified Require as the Server Certificate setting.

    Trusted CA File

     

    This field is for display purposes only, as Trust Protection Platform controls the name of the certificate file and truststore bundle file. For a Server SSL Profile this could be a single self-signed certificate or one or more certificates in a truststore bundle.

    Advertised CA File

     

    This field is for display purposes only and only applies to Server SSL Profile types.

  2. When you are finished, click Save.

What's next?

After you've created an application object, here are other things you can do to manage the new application:

  • On the application's Settings sub-tab:

    • Click to push a certificate to its associated application.

      For more information, see Pushing a certificate and private key to an application .

    • Click Reset to stop processing the application and reset the status and stage.
    • Click to reattempt installation of the certificate to its associated application, .
    • Click Validate Now to validate the applications associated certificate.

      Validation requests are placed into a queue. When your validation runs, the application and its associated certificate are scanned according to the settings configured in the application object’s Validation tab.

      For more information, see About certificate and application validation.

  • On the application object's Validation tab, you can configure validation settings for the application object.

  • On an object's General tab:

    • Click the Log sub-tab to view any events that are triggered by the template object.

    • Click the Permissions sub-tab to configure the users or groups to whom you want to grant permissions to the new object. For more information, see Permissions overview.

Related Topics Link IconRelated Topics