diff --git a/.github/workflows/keyfactor-bootstrap-workflow.yml b/.github/workflows/keyfactor-bootstrap-workflow.yml index a4649f2..8ec5771 100644 --- a/.github/workflows/keyfactor-bootstrap-workflow.yml +++ b/.github/workflows/keyfactor-bootstrap-workflow.yml @@ -11,10 +11,17 @@ on: jobs: call-starter-workflow: - uses: keyfactor/actions/.github/workflows/starter.yml@3.1.2 + uses: keyfactor/actions/.github/workflows/starter.yml@v4 + with: + command_token_url: ${{ vars.COMMAND_TOKEN_URL }} # Only required for doctool generated screenshots + command_hostname: ${{ vars.COMMAND_HOSTNAME }} # Only required for doctool generated screenshots + command_base_api_path: ${{ vars.COMMAND_API_PATH }} # Only required for doctool generated screenshots secrets: - token: ${{ secrets.V2BUILDTOKEN}} - APPROVE_README_PUSH: ${{ secrets.APPROVE_README_PUSH}} - gpg_key: ${{ secrets.KF_GPG_PRIVATE_KEY }} - gpg_pass: ${{ secrets.KF_GPG_PASSPHRASE }} - scan_token: ${{ secrets.SAST_TOKEN }} + token: ${{ secrets.V2BUILDTOKEN}} # REQUIRED + gpg_key: ${{ secrets.KF_GPG_PRIVATE_KEY }} # Only required for golang builds + gpg_pass: ${{ secrets.KF_GPG_PASSPHRASE }} # Only required for golang builds + scan_token: ${{ secrets.SAST_TOKEN }} # REQUIRED + entra_username: ${{ secrets.DOCTOOL_ENTRA_USERNAME }} # Only required for doctool generated screenshots + entra_password: ${{ secrets.DOCTOOL_ENTRA_PASSWD }} # Only required for doctool generated screenshots + command_client_id: ${{ secrets.COMMAND_CLIENT_ID }} # Only required for doctool generated screenshots + command_client_secret: ${{ secrets.COMMAND_CLIENT_SECRET }} # Only required for doctool generated screenshots diff --git a/CHANGELOG.md b/CHANGELOG.md index cdcc231..5cddb97 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,3 +1,6 @@ +v2.0.0 +- Modify ODKG (Reenrollment) functionality to make use of the Keyfactor Command/UO 25.3 functionality to support SANs, Alias, and Overwrite indicator. Entry parameters SANs, Alias, and Overwrite will no longer be supported. + v1.2.0 - Documentation updated to use doctool and dual build for .net6/8. diff --git a/F5BigIQ/F5BigIQ.csproj b/F5BigIQ/F5BigIQ.csproj index 5484e1b..8ba06a7 100644 --- a/F5BigIQ/F5BigIQ.csproj +++ b/F5BigIQ/F5BigIQ.csproj @@ -9,10 +9,14 @@ - + - + + + + External References\Keyfactor.Orchestrators.IOrchestratorJobExtensions.dll + Always diff --git a/F5BigIQ/Reenrollment.cs b/F5BigIQ/Reenrollment.cs index 0f0f66c..7bc352a 100644 --- a/F5BigIQ/Reenrollment.cs +++ b/F5BigIQ/Reenrollment.cs @@ -7,6 +7,7 @@ using System; using System.Collections.Generic; +using System.Net.NetworkInformation; using System.Security.Cryptography.X509Certificates; using Keyfactor.Logging; @@ -19,6 +20,8 @@ using Newtonsoft.Json; using Org.BouncyCastle.X509; using System.Text; +using Microsoft.Win32.SafeHandles; +using static Org.BouncyCastle.Math.EC.ECCurve; namespace Keyfactor.Extensions.Orchestrator.F5BigIQ { @@ -40,7 +43,7 @@ public JobResult ProcessJob(ReenrollmentJobConfiguration config, SubmitReenrollm { logger.LogDebug($" {keyValue.Key}: {keyValue.Value}"); } - + dynamic properties = JsonConvert.DeserializeObject(config.CertificateStoreDetails.Properties); SetPAMSecrets(config.ServerUsername, config.ServerPassword, logger); @@ -53,27 +56,39 @@ public JobResult ProcessJob(ReenrollmentJobConfiguration config, SubmitReenrollm string keyType = !config.JobProperties.ContainsKey("keyType") || config.JobProperties["keyType"] == null || string.IsNullOrEmpty(config.JobProperties["keyType"].ToString()) ? string.Empty : config.JobProperties["keyType"].ToString(); int? keySize = !config.JobProperties.ContainsKey("keySize") || config.JobProperties["keySize"] == null || string.IsNullOrEmpty(config.JobProperties["keySize"].ToString()) ? null : Convert.ToInt32(config.JobProperties["keySize"]); string subjectText = !config.JobProperties.ContainsKey("subjectText") || config.JobProperties["subjectText"] == null || config.JobProperties["subjectText"] == null || string.IsNullOrEmpty(config.JobProperties["subjectText"].ToString()) ? string.Empty : config.JobProperties["subjectText"].ToString(); - string sans = !config.JobProperties.ContainsKey("SANs") || config.JobProperties["SANs"] == null || string.IsNullOrEmpty(config.JobProperties["SANs"].ToString()) ? string.Empty : config.JobProperties["SANs"].ToString(); - if (!config.JobProperties.ContainsKey("Alias") || config.JobProperties["Alias"] == null || config.JobProperties["Alias"] == null || string.IsNullOrEmpty(config.JobProperties["Alias"].ToString())) + if (string.IsNullOrEmpty(config.Alias)) { - string errorMessage = "Error performing reenrollment. Alias blank or does not exist."; + string errorMessage = "Error performing reenrollment. Alias is required."; logger.LogError(errorMessage); return new JobResult() { Result = OrchestratorJobStatusJobResult.Failure, JobHistoryId = config.JobHistoryId, FailureMessage = $"Site {config.CertificateStoreDetails.StorePath} on server {config.CertificateStoreDetails.ClientMachine}: {errorMessage}"}; } - string alias = config.JobProperties["Alias"].ToString(); - bool overwrite = !config.JobProperties.ContainsKey("Overwrite") || config.JobProperties["Overwrite"] == null || string.IsNullOrEmpty(config.JobProperties["Overwrite"].ToString()) ? false : Convert.ToBoolean(config.JobProperties["Overwrite"]); try { F5BigIQClient f5Client = new F5BigIQClient(config.CertificateStoreDetails.ClientMachine, config.CertificateStoreDetails.StorePath, ServerUserName, ServerPassword, loginProviderName, useTokenAuthentication, ignoreSSLWarning); - int totalKeys = f5Client.GetKeyByName(alias).TotalItems; - if (!overwrite && totalKeys > 0) + int totalKeys = f5Client.GetKeyByName(config.Alias).TotalItems; + if (!config.Overwrite && totalKeys > 0) + { + throw new Exception($"Alias {config.Alias} already exists, but Overwrite is set to False. Overwrite must be set to True if you wish to perform reenrollment on an existing alias."); + } + + string sans = string.Empty; + if (config.SANs.Count > 0) { - throw new Exception($"Alias {alias} already exists, but Overwrite is set to False. Overwrite must be set to True if you wish to perform reenrollment on an existing alias."); + foreach(KeyValuePair keyValue in config.SANs) + { + string key = keyValue.Key.Replace("ip4", "ip", StringComparison.OrdinalIgnoreCase).Replace("ip6", "ip", StringComparison.OrdinalIgnoreCase).Replace("upn", "uri", StringComparison.OrdinalIgnoreCase); + foreach (string value in keyValue.Value) + { + sans += (key + ":" + value + ","); + } + } + if (sans.Length > 0) + sans = sans.Substring(0, sans.Length - 1); } - string csr = f5Client.GenerateCSR(alias, totalKeys > 0, subjectText, keyType, keySize, sans); + string csr = f5Client.GenerateCSR(config.Alias, totalKeys > 0, subjectText, keyType, keySize, sans); X509Certificate2 cert = submitReenrollment.Invoke(csr); if (cert == null) @@ -87,8 +102,8 @@ public JobResult ProcessJob(ReenrollmentJobConfiguration config, SubmitReenrollm try { - f5Client.AddReplaceBindCertificate(alias, Convert.ToBase64String(pemBytes), - string.Empty, overwrite, deployCertificateOnRenewal, F5BigIQClient.CERT_FILE_TYPE_TO_ADD.CERT); + f5Client.AddReplaceBindCertificate(config.Alias, Convert.ToBase64String(pemBytes), + string.Empty, config.Overwrite, deployCertificateOnRenewal, F5BigIQClient.CERT_FILE_TYPE_TO_ADD.CERT); } catch (F5BigIQException ex) { diff --git a/README.md b/README.md index fd957ff..ec1b989 100644 --- a/README.md +++ b/README.md @@ -37,13 +37,15 @@ The F5 Big IQ Orchestrator Extension supports the following use cases: - Add an existing or newly enrolled certificate and private key to an existing F5 Big IQ device not already on that device. - Remove a certificate and private key from an existing F5 Big IQ device. - Add an existing or newly enrolled certificate and private key to an existing F5 Big IQ device already on that device. Optionally (based on the DeployCertificateOnRenewal setting on the certificate store), the newly renewed/replaced certificate will be deployed to any linked F5 Big IP device. -- Reenrollment (On Device Key Generation) of a new or existing certificate on the F5 Big IQ device. In this use case, the key pair and CSR will be created on the F5 Big IQ device, Keyfactor Command will enroll the certificate, and the certificate will then be installed on the device. If the DeployCertificateOnRenewal option is set, the certificate will be deployed to any linked F5 Big IP devices. +- On Device Key Generation (ODKG) of a new or existing certificate on the F5 Big IQ device. In this use case, the key pair and CSR will be created on the F5 Big IQ device, Keyfactor Command will enroll the certificate, and the certificate will then be installed on the device. If the DeployCertificateOnRenewal option is set, the certificate will be deployed to any linked F5 Big IP devices. Use cases NOT supported by the F5 Big IQ Orchestrator Extension: - Creating new binding relationships between F5 Big IQ and any linked F5 Big IP devices. - Storing binding relationships in Keyfactor Command during Inventory. +NOTE: Beginning with v2.0 of the F5 Big IQ Orchestrator Extension, there is a minimum requirement of Keyfactor Command 25.3 and Keyfactor Universal Orchestrator 25.3 for ODKG use cases. Pairing v2.0 or greater with earlier versions of Command and the Universal Orchestrator may lead to errors or unpredictable results using the ODKG functionality. + ## Compatibility @@ -51,9 +53,9 @@ Use cases NOT supported by the F5 Big IQ Orchestrator Extension: This integration is compatible with Keyfactor Universal Orchestrator version 10.4 and later. ## Support -The F5 BigIQ Universal Orchestrator extension is supported by Keyfactor for Keyfactor customers. If you have a support issue, please open a support ticket with your Keyfactor representative. If you have a support issue, please open a support ticket via the Keyfactor Support Portal at https://support.keyfactor.com. - -> To report a problem or suggest a new feature, use the **[Issues](../../issues)** tab. If you want to contribute actual bug fixes or proposed enhancements, use the **[Pull requests](../../pulls)** tab. +The F5 BigIQ Universal Orchestrator extension is supported by Keyfactor. If you require support for any issues or have feature request, please open a support ticket by either contacting your Keyfactor representative or via the Keyfactor Support Portal at https://support.keyfactor.com. + +> If you want to contribute bug fixes or additional enhancements, use the **[Pull requests](../../pulls)** tab. ## Requirements & Prerequisites @@ -65,102 +67,123 @@ When creating a Keyfactor Command Certificate Store, you will be asked to enter 2. When Inventorying and Adding/Replacing certificates it will be necessary for certificate files to be transferred to and from the F5 device. The F5 Big IQ Orchestrator Extension uses SCP (Secure Copy Protocol) to perform these functions. Please make sure your F5 Big IQ device is set up to allow SCP to transfer files *to* /var/config/rest/downloads (a reserved F5 Big IQ folder used for file transfers) and *from* /var/config/rest/fileobject (the certificate file location path) and all subfolders. Other configuration tasks may be necessary in your environment to enable this feature. -## Create the F5-BigIQ Certificate Store Type +## F5-BigIQ Certificate Store Type To use the F5 BigIQ Universal Orchestrator extension, you **must** create the F5-BigIQ Certificate Store Type. This only needs to happen _once_ per Keyfactor Command instance. -* **Create F5-BigIQ using kfutil**: - ```shell - # F5 Big IQ - kfutil store-types create F5-BigIQ - ``` -* **Create F5-BigIQ manually in the Command UI**: -
Create F5-BigIQ manually in the Command UI - Create a store type called `F5-BigIQ` with the attributes in the tables below: - #### Basic Tab - | Attribute | Value | Description | - | --------- | ----- | ----- | - | Name | F5 Big IQ | Display name for the store type (may be customized) | - | Short Name | F5-BigIQ | Short display name for the store type | - | Capability | F5-BigIQ | Store type name orchestrator will register with. Check the box to allow entry of value | - | Supports Add | ✅ Checked | Check the box. Indicates that the Store Type supports Management Add | - | Supports Remove | ✅ Checked | Check the box. Indicates that the Store Type supports Management Remove | - | Supports Discovery | 🔲 Unchecked | Indicates that the Store Type supports Discovery | - | Supports Reenrollment | ✅ Checked | Indicates that the Store Type supports Reenrollment | - | Supports Create | 🔲 Unchecked | Indicates that the Store Type supports store creation | - | Needs Server | ✅ Checked | Determines if a target server name is required when creating store | - | Blueprint Allowed | ✅ Checked | Determines if store type may be included in an Orchestrator blueprint | - | Uses PowerShell | 🔲 Unchecked | Determines if underlying implementation is PowerShell | - | Requires Store Password | 🔲 Unchecked | Enables users to optionally specify a store password when defining a Certificate Store. | - | Supports Entry Password | 🔲 Unchecked | Determines if an individual entry within a store can have a password. | - The Basic tab should look like this: +#### Supported Operations - ![F5-BigIQ Basic Tab](docsource/images/F5-BigIQ-basic-store-type-dialog.png) +| Operation | Is Supported | +|--------------|------------------------------------------------------------------------------------------------------------------------| +| Add | ✅ Checked | +| Remove | ✅ Checked | +| Discovery | 🔲 Unchecked | +| Reenrollment | ✅ Checked | +| Create | 🔲 Unchecked | - #### Advanced Tab - | Attribute | Value | Description | - | --------- | ----- | ----- | - | Supports Custom Alias | Required | Determines if an individual entry within a store can have a custom Alias. | - | Private Key Handling | Required | This determines if Keyfactor can send the private key associated with a certificate to the store. Required because IIS certificates without private keys would be invalid. | - | PFX Password Style | Default | 'Default' - PFX password is randomly generated, 'Custom' - PFX password may be specified when the enrollment job is created (Requires the Allow Custom Password application setting to be enabled.) | +#### Store Type Creation - The Advanced tab should look like this: +##### Using kfutil: +`kfutil` is a custom CLI for the Keyfactor Command API and can be used to create certificate store types. +For more information on [kfutil](https://github.com/Keyfactor/kfutil) check out the [docs](https://github.com/Keyfactor/kfutil?tab=readme-ov-file#quickstart) +
Click to expand F5-BigIQ kfutil details - ![F5-BigIQ Advanced Tab](docsource/images/F5-BigIQ-advanced-store-type-dialog.png) + ##### Using online definition from GitHub: + This will reach out to GitHub and pull the latest store-type definition + ```shell + # F5 Big IQ + kfutil store-types create F5-BigIQ + ``` - #### Custom Fields Tab - Custom fields operate at the certificate store level and are used to control how the orchestrator connects to the remote target server containing the certificate store to be managed. The following custom fields should be added to the store type: + ##### Offline creation using integration-manifest file: + If required, it is possible to create store types from the [integration-manifest.json](./integration-manifest.json) included in this repo. + You would first download the [integration-manifest.json](./integration-manifest.json) and then run the following command + in your offline environment. + ```shell + kfutil store-types create --from-file integration-manifest.json + ``` +
- | Name | Display Name | Description | Type | Default Value/Options | Required | - | ---- | ------------ | ---- | --------------------- | -------- | ----------- | - | DeployCertificateOnRenewal | Deploy Certificate to Linked Big IP on Renewal | This optional setting determines whether renewed certificates (Management-Add jobs with Overwrite selected) will be deployed to all linked Big IP devices. Linked devices are determined by looking at all of the client-ssl profiles that reference the renewed certificate that have an associated virtual server linked to a Big IP device. An immediate deployment is then scheduled within F5 Big IQ for each linked Big IP device. | Bool | false | 🔲 Unchecked | - | IgnoreSSLWarning | Ignore SSL Warning | If you use a self signed certificate for the F5 Big IQ portal, you will need to add this optional Custom Field and set the value to True on the managed certificate store. | Bool | false | 🔲 Unchecked | - | UseTokenAuth | Use Token Authentication | If you prefer to use F5 Big IQ's Token Authentication to authenticate F5 Big IQ API calls, you will need to add this optional Custom Field and set the value to True on the managed certificate store. If set to True for the store, the userid/password credentials you set for the certificate store will be used once to receive a token. This token is then used for all subsequent API calls for the duration of the job. If this option does not exist or is set to False, the userid/password credentials you set for the certificate store will be used for all API calls. | Bool | false | 🔲 Unchecked | - | LoginProviderName | Authentication Provider Name | If Use Token Authentication is selected, you may optionally add a value for the authentication provider F5 Big IQ will use to retrieve the auth token. If you choose not to add this field or leave it blank on the certificate store (with no default value set), the default of "TMOS" will be used. | String | | 🔲 Unchecked | - | ServerUsername | Server Username | Login credential for the F5 Big IQ device. MUST be an Admin account. | Secret | | 🔲 Unchecked | - | ServerPassword | Server Password | Login password for the F5 Big IQ device. | Secret | | 🔲 Unchecked | - The Custom Fields tab should look like this: +#### Manual Creation +Below are instructions on how to create the F5-BigIQ store type manually in +the Keyfactor Command Portal +
Click to expand manual F5-BigIQ details - ![F5-BigIQ Custom Fields Tab](docsource/images/F5-BigIQ-custom-fields-store-type-dialog.png) + Create a store type called `F5-BigIQ` with the attributes in the tables below: + ##### Basic Tab + | Attribute | Value | Description | + | --------- | ----- | ----- | + | Name | F5 Big IQ | Display name for the store type (may be customized) | + | Short Name | F5-BigIQ | Short display name for the store type | + | Capability | F5-BigIQ | Store type name orchestrator will register with. Check the box to allow entry of value | + | Supports Add | ✅ Checked | Check the box. Indicates that the Store Type supports Management Add | + | Supports Remove | ✅ Checked | Check the box. Indicates that the Store Type supports Management Remove | + | Supports Discovery | 🔲 Unchecked | Indicates that the Store Type supports Discovery | + | Supports Reenrollment | ✅ Checked | Indicates that the Store Type supports Reenrollment | + | Supports Create | 🔲 Unchecked | Indicates that the Store Type supports store creation | + | Needs Server | ✅ Checked | Determines if a target server name is required when creating store | + | Blueprint Allowed | ✅ Checked | Determines if store type may be included in an Orchestrator blueprint | + | Uses PowerShell | 🔲 Unchecked | Determines if underlying implementation is PowerShell | + | Requires Store Password | 🔲 Unchecked | Enables users to optionally specify a store password when defining a Certificate Store. | + | Supports Entry Password | 🔲 Unchecked | Determines if an individual entry within a store can have a password. | + The Basic tab should look like this: - #### Entry Parameters Tab + ![F5-BigIQ Basic Tab](docsource/images/F5-BigIQ-basic-store-type-dialog.png) - | Name | Display Name | Description | Type | Default Value | Entry has a private key | Adding an entry | Removing an entry | Reenrolling an entry | - | ---- | ------------ | ---- | ------------- | ----------------------- | ---------------- | ----------------- | ------------------- | ----------- | - | Alias | Alias (Reenrollment only) | The name F5 Big IQ uses to identify the certificate | String | | 🔲 Unchecked | 🔲 Unchecked | 🔲 Unchecked | ✅ Checked | - | Overwrite | Overwrite (Reenrollment only) | Allow overwriting an existing certificate when reenrolling? | Bool | False | 🔲 Unchecked | 🔲 Unchecked | 🔲 Unchecked | ✅ Checked | - | SANs | SANs (Reenrollment only) | External SANs for the requested certificate. Each SAN must be prefixed with the type (DNS: or IP:) and multiple SANs must be delimitted by an ampersand (&). Example: DNS:server.domain.com&IP:127.0.0.1&DNS:server2.domain.com. This is an optional field. | String | | 🔲 Unchecked | 🔲 Unchecked | 🔲 Unchecked | 🔲 Unchecked | + ##### Advanced Tab + | Attribute | Value | Description | + | --------- | ----- | ----- | + | Supports Custom Alias | Required | Determines if an individual entry within a store can have a custom Alias. | + | Private Key Handling | Required | This determines if Keyfactor can send the private key associated with a certificate to the store. Required because IIS certificates without private keys would be invalid. | + | PFX Password Style | Default | 'Default' - PFX password is randomly generated, 'Custom' - PFX password may be specified when the enrollment job is created (Requires the Allow Custom Password application setting to be enabled.) | - The Entry Parameters tab should look like this: + The Advanced tab should look like this: - ![F5-BigIQ Entry Parameters Tab](docsource/images/F5-BigIQ-entry-parameters-store-type-dialog.png) + ![F5-BigIQ Advanced Tab](docsource/images/F5-BigIQ-advanced-store-type-dialog.png) + > For Keyfactor **Command versions 24.4 and later**, a Certificate Format dropdown is available with PFX and PEM options. Ensure that **PFX** is selected, as this determines the format of new and renewed certificates sent to the Orchestrator during a Management job. Currently, all Keyfactor-supported Orchestrator extensions support only PFX. + ##### Custom Fields Tab + Custom fields operate at the certificate store level and are used to control how the orchestrator connects to the remote target server containing the certificate store to be managed. The following custom fields should be added to the store type: -
+ | Name | Display Name | Description | Type | Default Value/Options | Required | + | ---- | ------------ | ---- | --------------------- | -------- | ----------- | + | DeployCertificateOnRenewal | Deploy Certificate to Linked Big IP on Renewal | This optional setting determines whether renewed certificates (Management-Add jobs with Overwrite selected) will be deployed to all linked Big IP devices. Linked devices are determined by looking at all of the client-ssl profiles that reference the renewed certificate that have an associated virtual server linked to a Big IP device. An immediate deployment is then scheduled within F5 Big IQ for each linked Big IP device. | Bool | false | 🔲 Unchecked | + | IgnoreSSLWarning | Ignore SSL Warning | If you use a self signed certificate for the F5 Big IQ portal, you will need to add this optional Custom Field and set the value to True on the managed certificate store. | Bool | false | 🔲 Unchecked | + | UseTokenAuth | Use Token Authentication | If you prefer to use F5 Big IQ's Token Authentication to authenticate F5 Big IQ API calls, you will need to add this optional Custom Field and set the value to True on the managed certificate store. If set to True for the store, the userid/password credentials you set for the certificate store will be used once to receive a token. This token is then used for all subsequent API calls for the duration of the job. If this option does not exist or is set to False, the userid/password credentials you set for the certificate store will be used for all API calls. | Bool | false | 🔲 Unchecked | + | LoginProviderName | Authentication Provider Name | If Use Token Authentication is selected, you may optionally add a value for the authentication provider F5 Big IQ will use to retrieve the auth token. If you choose not to add this field or leave it blank on the certificate store (with no default value set), the default of "TMOS" will be used. | String | | 🔲 Unchecked | + | ServerUsername | Server Username | Login credential for the F5 Big IQ device. MUST be an Admin account. | Secret | | 🔲 Unchecked | + | ServerPassword | Server Password | Login password for the F5 Big IQ device. | Secret | | 🔲 Unchecked | + + The Custom Fields tab should look like this: + + ![F5-BigIQ Custom Fields Tab](docsource/images/F5-BigIQ-custom-fields-store-type-dialog.png) + +
## Installation -1. **Download the latest F5 BigIQ Universal Orchestrator extension from GitHub.** +1. **Download the latest F5 BigIQ Universal Orchestrator extension from GitHub.** Navigate to the [F5 BigIQ Universal Orchestrator extension GitHub version page](https://github.com/Keyfactor/f5-bigiq-rest-orchestrator/releases/latest). Refer to the compatibility matrix below to determine whether the `net6.0` or `net8.0` asset should be downloaded. Then, click the corresponding asset to download the zip archive. - | Universal Orchestrator Version | Latest .NET version installed on the Universal Orchestrator server | `rollForward` condition in `Orchestrator.runtimeconfig.json` | `f5-bigiq-rest-orchestrator` .NET version to download | - | --------- | ----------- | ----------- | ----------- | - | Older than `11.0.0` | | | `net6.0` | - | Between `11.0.0` and `11.5.1` (inclusive) | `net6.0` | | `net6.0` | - | Between `11.0.0` and `11.5.1` (inclusive) | `net8.0` | `Disable` | `net6.0` | - | Between `11.0.0` and `11.5.1` (inclusive) | `net8.0` | `LatestMajor` | `net8.0` | - | `11.6` _and_ newer | `net8.0` | | `net8.0` | + + | Universal Orchestrator Version | Latest .NET version installed on the Universal Orchestrator server | `rollForward` condition in `Orchestrator.runtimeconfig.json` | `f5-bigiq-rest-orchestrator` .NET version to download | + | --------- | ----------- | ----------- | ----------- | + | Older than `11.0.0` | | | `net6.0` | + | Between `11.0.0` and `11.5.1` (inclusive) | `net6.0` | | `net6.0` | + | Between `11.0.0` and `11.5.1` (inclusive) | `net8.0` | `Disable` | `net6.0` | + | Between `11.0.0` and `11.5.1` (inclusive) | `net8.0` | `LatestMajor` | `net8.0` | + | `11.6` _and_ newer | `net8.0` | | `net8.0` | Unzip the archive containing extension assemblies to a known location. @@ -170,9 +193,9 @@ To use the F5 BigIQ Universal Orchestrator extension, you **must** create the F5 * **Default on Windows** - `C:\Program Files\Keyfactor\Keyfactor Orchestrator\extensions` * **Default on Linux** - `/opt/keyfactor/orchestrator/extensions` - + 3. **Create a new directory for the F5 BigIQ Universal Orchestrator extension inside the extensions directory.** - + Create a new directory called `f5-bigiq-rest-orchestrator`. > The directory name does not need to match any names used elsewhere; it just has to be unique within the extensions directory. @@ -183,14 +206,14 @@ To use the F5 BigIQ Universal Orchestrator extension, you **must** create the F5 Refer to [Starting/Restarting the Universal Orchestrator service](https://software.keyfactor.com/Core-OnPrem/Current/Content/InstallingAgents/NetCoreOrchestrator/StarttheService.htm). -6. **(optional) PAM Integration** +6. **(optional) PAM Integration** The F5 BigIQ Universal Orchestrator extension is compatible with all supported Keyfactor PAM extensions to resolve PAM-eligible secrets. PAM extensions running on Universal Orchestrators enable secure retrieval of secrets from a connected PAM provider. - To configure a PAM provider, [reference the Keyfactor Integration Catalog](https://keyfactor.github.io/integrations-catalog/content/pam) to select an extension, and follow the associated instructions to install it on the Universal Orchestrator (remote). + To configure a PAM provider, [reference the Keyfactor Integration Catalog](https://keyfactor.github.io/integrations-catalog/content/pam) to select an extension and follow the associated instructions to install it on the Universal Orchestrator (remote). -> The above installation steps can be supplimented by the [official Command documentation](https://software.keyfactor.com/Core-OnPrem/Current/Content/InstallingAgents/NetCoreOrchestrator/CustomExtensions.htm?Highlight=extensions). +> The above installation steps can be supplemented by the [official Command documentation](https://software.keyfactor.com/Core-OnPrem/Current/Content/InstallingAgents/NetCoreOrchestrator/CustomExtensions.htm?Highlight=extensions). @@ -198,101 +221,91 @@ To use the F5 BigIQ Universal Orchestrator extension, you **must** create the F5 -* **Manually with the Command UI** +### Store Creation -
Create Certificate Stores manually in the UI +#### Manually with the Command UI - 1. **Navigate to the _Certificate Stores_ page in Keyfactor Command.** +
Click to expand details - Log into Keyfactor Command, toggle the _Locations_ dropdown, and click _Certificate Stores_. +1. **Navigate to the _Certificate Stores_ page in Keyfactor Command.** - 2. **Add a Certificate Store.** + Log into Keyfactor Command, toggle the _Locations_ dropdown, and click _Certificate Stores_. - Click the Add button to add a new Certificate Store. Use the table below to populate the **Attributes** in the **Add** form. - | Attribute | Description | - | --------- | ----------- | - | Category | Select "F5 Big IQ" or the customized certificate store name from the previous step. | - | Container | Optional container to associate certificate store with. | - | Client Machine | | - | Store Path | | - | Orchestrator | Select an approved orchestrator capable of managing `F5-BigIQ` certificates. Specifically, one with the `F5-BigIQ` capability. | - | DeployCertificateOnRenewal | This optional setting determines whether renewed certificates (Management-Add jobs with Overwrite selected) will be deployed to all linked Big IP devices. Linked devices are determined by looking at all of the client-ssl profiles that reference the renewed certificate that have an associated virtual server linked to a Big IP device. An immediate deployment is then scheduled within F5 Big IQ for each linked Big IP device. | - | IgnoreSSLWarning | If you use a self signed certificate for the F5 Big IQ portal, you will need to add this optional Custom Field and set the value to True on the managed certificate store. | - | UseTokenAuth | If you prefer to use F5 Big IQ's Token Authentication to authenticate F5 Big IQ API calls, you will need to add this optional Custom Field and set the value to True on the managed certificate store. If set to True for the store, the userid/password credentials you set for the certificate store will be used once to receive a token. This token is then used for all subsequent API calls for the duration of the job. If this option does not exist or is set to False, the userid/password credentials you set for the certificate store will be used for all API calls. | - | LoginProviderName | If Use Token Authentication is selected, you may optionally add a value for the authentication provider F5 Big IQ will use to retrieve the auth token. If you choose not to add this field or leave it blank on the certificate store (with no default value set), the default of "TMOS" will be used. | - | ServerUsername | Login credential for the F5 Big IQ device. MUST be an Admin account. | - | ServerPassword | Login password for the F5 Big IQ device. | +2. **Add a Certificate Store.** + Click the Add button to add a new Certificate Store. Use the table below to populate the **Attributes** in the **Add** form. - + | Attribute | Description | + | --------- |---------------------------------------------------------| + | Category | Select "F5 Big IQ" or the customized certificate store name from the previous step. | + | Container | Optional container to associate certificate store with. | + | Client Machine | | + | Store Path | | + | Orchestrator | Select an approved orchestrator capable of managing `F5-BigIQ` certificates. Specifically, one with the `F5-BigIQ` capability. | + | DeployCertificateOnRenewal | This optional setting determines whether renewed certificates (Management-Add jobs with Overwrite selected) will be deployed to all linked Big IP devices. Linked devices are determined by looking at all of the client-ssl profiles that reference the renewed certificate that have an associated virtual server linked to a Big IP device. An immediate deployment is then scheduled within F5 Big IQ for each linked Big IP device. | + | IgnoreSSLWarning | If you use a self signed certificate for the F5 Big IQ portal, you will need to add this optional Custom Field and set the value to True on the managed certificate store. | + | UseTokenAuth | If you prefer to use F5 Big IQ's Token Authentication to authenticate F5 Big IQ API calls, you will need to add this optional Custom Field and set the value to True on the managed certificate store. If set to True for the store, the userid/password credentials you set for the certificate store will be used once to receive a token. This token is then used for all subsequent API calls for the duration of the job. If this option does not exist or is set to False, the userid/password credentials you set for the certificate store will be used for all API calls. | + | LoginProviderName | If Use Token Authentication is selected, you may optionally add a value for the authentication provider F5 Big IQ will use to retrieve the auth token. If you choose not to add this field or leave it blank on the certificate store (with no default value set), the default of "TMOS" will be used. | + | ServerUsername | Login credential for the F5 Big IQ device. MUST be an Admin account. | + | ServerPassword | Login password for the F5 Big IQ device. | -
Attributes eligible for retrieval by a PAM Provider on the Universal Orchestrator +
- If a PAM provider was installed _on the Universal Orchestrator_ in the [Installation](#Installation) section, the following parameters can be configured for retrieval _on the Universal Orchestrator_. - | Attribute | Description | - | --------- | ----------- | - | ServerUsername | Login credential for the F5 Big IQ device. MUST be an Admin account. | - | ServerPassword | Login password for the F5 Big IQ device. | - Please refer to the **Universal Orchestrator (remote)** usage section ([PAM providers on the Keyfactor Integration Catalog](https://keyfactor.github.io/integrations-catalog/content/pam)) for your selected PAM provider for instructions on how to load attributes orchestrator-side. +#### Using kfutil CLI - > Any secret can be rendered by a PAM provider _installed on the Keyfactor Command server_. The above parameters are specific to attributes that can be fetched by an installed PAM provider running on the Universal Orchestrator server itself. -
- +
Click to expand details -
+1. **Generate a CSV template for the F5-BigIQ certificate store** -* **Using kfutil** - -
Create Certificate Stores with kfutil - - 1. **Generate a CSV template for the F5-BigIQ certificate store** - - ```shell - kfutil stores import generate-template --store-type-name F5-BigIQ --outpath F5-BigIQ.csv - ``` - 2. **Populate the generated CSV file** + ```shell + kfutil stores import generate-template --store-type-name F5-BigIQ --outpath F5-BigIQ.csv + ``` +2. **Populate the generated CSV file** + + Open the CSV file, and reference the table below to populate parameters for each **Attribute**. + + | Attribute | Description | + | --------- | ----------- | + | Category | Select "F5 Big IQ" or the customized certificate store name from the previous step. | + | Container | Optional container to associate certificate store with. | + | Client Machine | | + | Store Path | | + | Orchestrator | Select an approved orchestrator capable of managing `F5-BigIQ` certificates. Specifically, one with the `F5-BigIQ` capability. | + | Properties.DeployCertificateOnRenewal | This optional setting determines whether renewed certificates (Management-Add jobs with Overwrite selected) will be deployed to all linked Big IP devices. Linked devices are determined by looking at all of the client-ssl profiles that reference the renewed certificate that have an associated virtual server linked to a Big IP device. An immediate deployment is then scheduled within F5 Big IQ for each linked Big IP device. | + | Properties.IgnoreSSLWarning | If you use a self signed certificate for the F5 Big IQ portal, you will need to add this optional Custom Field and set the value to True on the managed certificate store. | + | Properties.UseTokenAuth | If you prefer to use F5 Big IQ's Token Authentication to authenticate F5 Big IQ API calls, you will need to add this optional Custom Field and set the value to True on the managed certificate store. If set to True for the store, the userid/password credentials you set for the certificate store will be used once to receive a token. This token is then used for all subsequent API calls for the duration of the job. If this option does not exist or is set to False, the userid/password credentials you set for the certificate store will be used for all API calls. | + | Properties.LoginProviderName | If Use Token Authentication is selected, you may optionally add a value for the authentication provider F5 Big IQ will use to retrieve the auth token. If you choose not to add this field or leave it blank on the certificate store (with no default value set), the default of "TMOS" will be used. | + | Properties.ServerUsername | Login credential for the F5 Big IQ device. MUST be an Admin account. | + | Properties.ServerPassword | Login password for the F5 Big IQ device. | + +3. **Import the CSV file to create the certificate stores** - Open the CSV file, and reference the table below to populate parameters for each **Attribute**. - | Attribute | Description | - | --------- | ----------- | - | Category | Select "F5 Big IQ" or the customized certificate store name from the previous step. | - | Container | Optional container to associate certificate store with. | - | Client Machine | | - | Store Path | | - | Orchestrator | Select an approved orchestrator capable of managing `F5-BigIQ` certificates. Specifically, one with the `F5-BigIQ` capability. | - | DeployCertificateOnRenewal | This optional setting determines whether renewed certificates (Management-Add jobs with Overwrite selected) will be deployed to all linked Big IP devices. Linked devices are determined by looking at all of the client-ssl profiles that reference the renewed certificate that have an associated virtual server linked to a Big IP device. An immediate deployment is then scheduled within F5 Big IQ for each linked Big IP device. | - | IgnoreSSLWarning | If you use a self signed certificate for the F5 Big IQ portal, you will need to add this optional Custom Field and set the value to True on the managed certificate store. | - | UseTokenAuth | If you prefer to use F5 Big IQ's Token Authentication to authenticate F5 Big IQ API calls, you will need to add this optional Custom Field and set the value to True on the managed certificate store. If set to True for the store, the userid/password credentials you set for the certificate store will be used once to receive a token. This token is then used for all subsequent API calls for the duration of the job. If this option does not exist or is set to False, the userid/password credentials you set for the certificate store will be used for all API calls. | - | LoginProviderName | If Use Token Authentication is selected, you may optionally add a value for the authentication provider F5 Big IQ will use to retrieve the auth token. If you choose not to add this field or leave it blank on the certificate store (with no default value set), the default of "TMOS" will be used. | - | ServerUsername | Login credential for the F5 Big IQ device. MUST be an Admin account. | - | ServerPassword | Login password for the F5 Big IQ device. | + ```shell + kfutil stores import csv --store-type-name F5-BigIQ --file F5-BigIQ.csv + ``` +
- -
Attributes eligible for retrieval by a PAM Provider on the Universal Orchestrator +#### PAM Provider Eligible Fields +
Attributes eligible for retrieval by a PAM Provider on the Universal Orchestrator - If a PAM provider was installed _on the Universal Orchestrator_ in the [Installation](#Installation) section, the following parameters can be configured for retrieval _on the Universal Orchestrator_. - | Attribute | Description | - | --------- | ----------- | - | ServerUsername | Login credential for the F5 Big IQ device. MUST be an Admin account. | - | ServerPassword | Login password for the F5 Big IQ device. | +If a PAM provider was installed _on the Universal Orchestrator_ in the [Installation](#Installation) section, the following parameters can be configured for retrieval _on the Universal Orchestrator_. + | Attribute | Description | + | --------- | ----------- | + | ServerUsername | Login credential for the F5 Big IQ device. MUST be an Admin account. | + | ServerPassword | Login password for the F5 Big IQ device. | - > Any secret can be rendered by a PAM provider _installed on the Keyfactor Command server_. The above parameters are specific to attributes that can be fetched by an installed PAM provider running on the Universal Orchestrator server itself. -
- +Please refer to the **Universal Orchestrator (remote)** usage section ([PAM providers on the Keyfactor Integration Catalog](https://keyfactor.github.io/integrations-catalog/content/pam)) for your selected PAM provider for instructions on how to load attributes orchestrator-side. +> Any secret can be rendered by a PAM provider _installed on the Keyfactor Command server_. The above parameters are specific to attributes that can be fetched by an installed PAM provider running on the Universal Orchestrator server itself. - 3. **Import the CSV file to create the certificate stores** +
- ```shell - kfutil stores import csv --store-type-name F5-BigIQ --file F5-BigIQ.csv - ``` -
-> The content in this section can be supplimented by the [official Command documentation](https://software.keyfactor.com/Core-OnPrem/Current/Content/ReferenceGuide/Certificate%20Stores.htm?Highlight=certificate%20store). +> The content in this section can be supplemented by the [official Command documentation](https://software.keyfactor.com/Core-OnPrem/Current/Content/ReferenceGuide/Certificate%20Stores.htm?Highlight=certificate%20store). diff --git a/docsource/content.md b/docsource/content.md index 1aec2d0..b569ede 100644 --- a/docsource/content.md +++ b/docsource/content.md @@ -6,13 +6,15 @@ The F5 Big IQ Orchestrator Extension supports the following use cases: - Add an existing or newly enrolled certificate and private key to an existing F5 Big IQ device not already on that device. - Remove a certificate and private key from an existing F5 Big IQ device. - Add an existing or newly enrolled certificate and private key to an existing F5 Big IQ device already on that device. Optionally (based on the DeployCertificateOnRenewal setting on the certificate store), the newly renewed/replaced certificate will be deployed to any linked F5 Big IP device. -- Reenrollment (On Device Key Generation) of a new or existing certificate on the F5 Big IQ device. In this use case, the key pair and CSR will be created on the F5 Big IQ device, Keyfactor Command will enroll the certificate, and the certificate will then be installed on the device. If the DeployCertificateOnRenewal option is set, the certificate will be deployed to any linked F5 Big IP devices. +- On Device Key Generation (ODKG) of a new or existing certificate on the F5 Big IQ device. In this use case, the key pair and CSR will be created on the F5 Big IQ device, Keyfactor Command will enroll the certificate, and the certificate will then be installed on the device. If the DeployCertificateOnRenewal option is set, the certificate will be deployed to any linked F5 Big IP devices. Use cases NOT supported by the F5 Big IQ Orchestrator Extension: - Creating new binding relationships between F5 Big IQ and any linked F5 Big IP devices. - Storing binding relationships in Keyfactor Command during Inventory. +NOTE: Beginning with v2.0 of the F5 Big IQ Orchestrator Extension, there is a minimum requirement of Keyfactor Command 25.3 and Keyfactor Universal Orchestrator 25.3 for ODKG use cases. Pairing v2.0 or greater with earlier versions of Command and the Universal Orchestrator may lead to errors or unpredictable results using the ODKG functionality. + ## Requirements diff --git a/integration-manifest.json b/integration-manifest.json index 9703d43..2c75092 100644 --- a/integration-manifest.json +++ b/integration-manifest.json @@ -94,53 +94,7 @@ "Description": "Login password for the F5 Big IQ device." } ], - "EntryParameters": [ - { - "Name": "Alias", - "DisplayName": "Alias (Reenrollment only)", - "Type": "String", - "RequiredWhen": { - "HasPrivateKey": false, - "OnAdd": false, - "OnRemove": false, - "OnReenrollment": true - }, - "DependsOn": "", - "DefaultValue": "", - "Options": "", - "Description": "The name F5 Big IQ uses to identify the certificate" - }, - { - "Name": "Overwrite", - "DisplayName": "Overwrite (Reenrollment only)", - "Type": "Bool", - "RequiredWhen": { - "HasPrivateKey": false, - "OnAdd": false, - "OnRemove": false, - "OnReenrollment": true - }, - "DependsOn": "", - "DefaultValue": "False", - "Options": "", - "Description": "Allow overwriting an existing certificate when reenrolling?" - }, - { - "Name": "SANs", - "DisplayName": "SANs (Reenrollment only)", - "Type": "String", - "RequiredWhen": { - "HasPrivateKey": false, - "OnAdd": false, - "OnRemove": false, - "OnReenrollment": false - }, - "DependsOn": "", - "DefaultValue": "", - "Options": "", - "Description": "External SANs for the requested certificate. Each SAN must be prefixed with the type (DNS: or IP:) and multiple SANs must be delimitted by an ampersand (&). Example: DNS:server.domain.com&IP:127.0.0.1&DNS:server2.domain.com. This is an optional field." - } - ] + "EntryParameters": [] } ] }