F5 BIG-IP LTM

With an F5 BIG-IP LTM connector, you can use DigiCert® Trust Lifecycle Manager to discover and manage certificates on an F5 BIG-IP Local Traffic Manager (LTM) network appliance.

The connector uses an on-premises DigiCert sensor within your network to help securely manage the F5 appliance.

When you add the connector, Trust Lifecycle Manager discovers existing certificates on the F5 appliance and adds them to your centralized inventory. From there, you can manage and automate certificate lifecycles on the appliance to ensure it always has valid certificates installed.

Supported F5 appliances

Trust Lifecycle Manager supports integration with F5 BIG-IP LTM appliance versions 12.1.0 and later. DigiCert has officially tested the following F5 appliance versions.

Network appliance	Versions¹
F5 BIG-IP LTM	12.1.0, 13.0.0, 13.1.1, 13.1.5, 14.0.0, 14.1.2, 15.0.0, 15.1.0, 16.1.2, 17.0.2
_{1. Version numbers listed here have been officially tested by DigiCert. Revisions of the same version (for example, F5 BIG-IP LTM 16.1.2.x) have not been officially tested, but are expected to work.}

Before you begin

F5 requirements

To configure the F5 connector in Trust Lifecycle Manager, you will need:

The management IP address and port number for the F5 appliance.
Let op
For high availability (HA) configurations, you can use either the floating IP or the management IP of one of the load balancers. Trust Lifecycle Manager will automatically detect the HA peer configuration.
Account credentials for a user with the full Administrator role on the F5 appliance.
The F5 user must have the Terminal Access property set to Advanced shell. To verify this setting:
1. Log into the BIG-IP Configuration Utility.
2. From the System tab, select the option for Users or User Management.
3. Select the applicable user to view the account properties.
4. Locate the Terminal Access property toward the bottom. Make sure Advanced shell is selected in the dropdown here.

DigiCert requirements

The F5 connector requires at least one DigiCert® sensor installed on your network that can connect to both the F5 appliance and Trust Lifecycle Manager. To learn more, see Deploy and manage sensors.
To configure the F5 connector and manage the integration, you need the Manager user role for Trust Lifecycle Manager.

Add the F5 connector

To add the F5 BIG-IP LTM connector in Trust Lifecycle Manager:

From the Trust Lifecycle Manager main menu, select Integrations > Connectors.
Select the Add connector button.
In the Appliances section, select the option for F5 BIG-IP LTM.
Complete the Add connector form as described in the following steps.
Enter a friendly Name for this connector.
Select a Business unit for this connector. Only users assigned to this business unit can manage the connector.
For the Managing sensor, select an active DigiCert sensor to use to manage this connector.
To enable fault-tolerant connectivity, you can select multiple sensors here. If one of the sensors fails, Trust Lifecycle Manager will automatically fail over and use one of the other sensors.
Enter the Management IP address and Management Port number for the F5 appliance.
For high availability (HA) configurations, enter either the floating IP or the management IP of one of the load balancers. Trust Lifecycle Manager will automatically detect the HA peer configuration.
Enter a Username and Password for a user account on the F5 that has the Administrator role and the Terminal Access property set to Advanced shell under account properties.
Under Additional settings, select options for how Trust Lifecycle Manager should install certificates and keys on the F5 appliance:
- Private key storage location: Select an option for where to store private keys when installing certificates on the F5 appliance:
  - F5 Big-IP filesystem: Store key files in the standard storage location on the built-in F5 drive. This is the default option and does not require additional F5 hardware modules.
  - FIPS module: Store key files in a Federal Information Processing Standards (FIPS) hardware security module (HSM) on the F5. This option ensures compliance with U.S. government security requirements.
  - NetHSM: Store private key files in a network hardware security module (NetHSM) on the F5. This option enables centralized management of cryptographic keys across multiple devices.
- Update existing Client SSL profile for new certificates: Enable this option to update the existing Client SSL profile instead of creating a new Client SSL profile (derived from the existing one) each time a new certificate is installed.
- Always save intermediate CA certificate files: Enable this option to always save a fresh copy of the CA certificates when installing a new end-entity certificate, even if those CA certificates are already present on the F5.
- Use custom filename format: Enable this option to specify a custom filename format (not including the file extension) to use when adding certificate, key, and profile files to the F5. The default filename format is {{commonname}}_{{DDMMYYYY}}_{{randomstring}}, where:
  - {{commonname}}: Common name of the applicable certificate.
  - {{DDMMYYYY}}: File creation date in DDMMYYYY format.
  - {{randomstring}}: A random string to help uniquely identify the certificate.
  You can customize the filename format in the following ways:
  - Filename prefix: Add a standard prefix to all files installed to the F5 by Trust Lifecycle Manager.
  - Date format: Select a file creation date format other than DDMMYYYY.
- Recover Previous Settings: Enable this option if you had a previous connector to the same F5 BIG-IP LTM appliance and want to recover the certificate auto-renewal and lifecycle event settings from it. If enabled, Trust Lifecycle Manager obtains the automation schedule from the most recent deleted connector for this same F5 appliance and applies any scheduled auto-renewal or automation events to the matching certificates on the new connector. This setting only gets applied once, when you first add the new F5 connector.
Select the Add button at bottom to create the connector with the configured settings.

View the F5 connector details

After adding the connector, Trust Lifecycle Manager discovers details about the F5 appliance including the version, partitions, virtual IPs (VIPs), and existing certificates on it.

To see the F5 appliance details in Trust Lifecycle Manager:

From the Trust Lifecycle Manager main menu, select Integrations > Connectors.
Locate the F5 connector in the table and select the connector Name to load the details for it.
Tip
To only list F5 connectors in the table, open the filter next to the Provider column header and select F5 BIG-IP LTM.
The connector details page has the following sections:
- Top summary: Basic status and properties for the F5 connector.
- Assets found on this connector: Number of certificates and endpoints Trust Lifecycle Manager discovered on the F5 appliance.
- Details: Information about the connected F5 appliance including the version, management IP/port, partitions, and more.

What's next

Discovery

Trust Lifecycle Manager adds the discovered certificates and virtual IPs from the F5 appliance to your Inventory so you can view and manage them.
On the connector details page, the links in the Assets found section provide a shortcut method to view those assets in your inventory.
Belangrijk
On network appliance virtual IPs, certificates must be stored in X.509 format for Trust Lifecycle Manager to discover and automate them. Password-protected PFX certificates are not supported.

Automation

To automate management of certificates on a connected F5 appliance, set up certificate lifecycle automation.
Select the DigiCert sensor enrollment method in any certificate automation profiles you create for managing certificates on F5 appliances.
For a comprehensive guide about how to integrate with and manage F5 BIG-IP LTM appliances from Trust Lifecycle Manager, refer to the F5 integration guide.

In deze sectie: