F5 BigIP Integration

Introduction

This section refers to the F5 BigIP integration with Horizon, used to enroll certificates used by F5 BigIP.

This integration involves at least two infrastructure components:

  • F5 BigIP

  • EverTrust Horizon

Horizon connects to the F5 BigIP using the iControl REST administration API in order to manage the lifecycle of certificates associated with Client SSL Profiles within the BigIP.

F5 Connector

This section details how to configure the F5 Connector.

Prerequisites

On the F5 BigIP side, you need to create a technical user for Horizon, and give it full administrator rights. This is required because only full admins have the right to upload certificates on an F5 BigIP.

After performing these steps, you will get the following information, required later:

  • the technical user login/username

  • the technical user password

How to configure F5 Connector

1. Log in to Horizon Administration Interface.

2. Access F5 Connectors from the drawer or card: Third Parties > F5 > Connectors.

3. Click on Add Connector.

4. Fill the mandatory fields.

General

  • Name* (string input):
    Enter a meaningful connector name. It must be unique for each connector. Horizon uses the name to identify the connector.

  • F5 BigIP hostname* (string input):
    Enter the F5 BigIP hostname (DNS or IP address).

  • F5 BigIP username* (string input):
    Username created for Horizon in the F5 BigIP. Must have administrator rights.

  • F5 BigIP password* (string input):
    Password associated with aforementioned username.

  • Proxy (select):
    The HTTP/HTTPS proxy to use.

  • Timeout (finite duration):
    Set to 10 seconds by default. Must be a valid finite duration*.

  • Max stored certificates per holder (int):
    When specified, defines the maximum number of certificates stored in the third party for a given holder.

Assets identification

  • Partition (string input):
    F5 BigIP partition to manage. Common by default.

  • SSL parent (string input):
    Name of the parent Client SSL Profile. Common by default.

  • Prefix (string input):
    Used to filter the certificates managed by Horizon in the specified F5 Client. hrz- by default.

  • Cipher group (string input):
    Name of the Cipher group. None by default.

Actors and renewal management

These configuration elements mainly define the number of authorized interactions with the remote service within a defined period. For example, one may need to ensure that the remote service is not contacted more than 5 times per 3 seconds. Throttle parallelism defines the number of calls and Throttle duration the period of time. In the above example, throttle parallelism would therefore be set to 5 and throttle duration to 3 seconds.

  • Throttle duration* (finite duration):
    Set to 3 seconds by default. Must be a valid finite duration*.

  • Throttle parallelism* (int):
    Set to 3 by default.

  • Renewal period* (finite duration):
    Must be a valid finite duration*.
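As an added illustration (not part of Horizon or its documentation), the following Python sketch simulates the throttle semantics described above: at most `parallelism` calls to the F5 BigIP within any window of `duration` seconds. Delaying excess calls in FIFO order rather than rejecting them is an assumption of this model, not documented Horizon behaviour.

```python
from collections import deque
from typing import Deque, List, Sequence, Tuple


class Throttle:
    """Sliding-window limiter: at most `parallelism` calls per `duration` seconds.

    `parallelism` and `duration` play the role of the connector's throttle
    parallelism and throttle duration. Times are plain floats (seconds)
    supplied by the caller, so the policy can be simulated without sleeping.
    """

    def __init__(self, parallelism: int, duration: float) -> None:
        if parallelism < 1 or duration <= 0:
            raise ValueError("parallelism must be >= 1 and duration > 0")
        self.parallelism = parallelism
        self.duration = duration
        # Send times of the most recent `parallelism` calls, oldest first.
        self._sent: Deque[float] = deque(maxlen=parallelism)

    def reserve(self, requested_at: float) -> float:
        """Return the earliest time >= requested_at at which the call may go out.

        Assumption (not from the Horizon documentation): calls beyond the
        limit are delayed in FIFO order rather than rejected.
        """
        send_at = requested_at
        if self._sent:
            # Never overtake a call that is already queued.
            send_at = max(send_at, self._sent[-1])
        if len(self._sent) == self.parallelism:
            # Window is full: wait until the oldest of the last `parallelism`
            # calls has left the window.
            send_at = max(send_at, self._sent[0] + self.duration)
        self._sent.append(send_at)  # maxlen drops the oldest entry
        return send_at


def schedule(requests: Sequence[float], parallelism: int,
             duration: float) -> List[Tuple[float, float]]:
    """Map each (non-decreasing) request time to its permitted send time."""
    throttle = Throttle(parallelism, duration)
    return [(req, throttle.reserve(req)) for req in requests]


if __name__ == "__main__":
    # The example from the text: no more than 5 calls per 3 seconds.
    for requested, sent in schedule([0, 0.25, 0.5, 0.75, 1.0, 1.25, 1.5], 5, 3.0):
        print(f"requested at {requested:5.2f}s -> sent at {sent:5.2f}s")
```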

5. Click on the save button.

You can update (Edit Connector) or delete (Delete Connector) the F5 Connector.

You will not be able to delete an F5 Connector if it is referenced in any other configuration element.

F5 Trigger

This section details how to configure the Triggers that will be used by WebRA Profiles to push or delete certificates to/from F5 BigIP.

Prerequisites

How to configure F5 Trigger

1. Log in to Horizon Administration Interface.

2. Access F5 Triggers from the drawer or card: Third Parties > F5 > Triggers.

3. Click on Add Connector.

4. Fill the mandatory fields.

  • Name* (string input):
    Enter a meaningful trigger name. It must be unique for each trigger. Horizon uses the name to identify the trigger.

  • F5 Connector* (select):
    Select an F5 Connector created previously.

  • Retries in case of error (int):
    Number of times to retry to push the change on the F5 BigIP repository in case of error. Must be an integer between 1 and 15.

5. Click on the save button.

You can update (Edit Connector) or delete (Delete Connector) the F5 Trigger.

Integration of the third party to the WebRA

Once the connector is configured, it is possible to automate the lifecycle of its elements using the WebRA.

Automation using triggers

Triggers are a functionality of WebRA that pushes lifecycle events into a third party whenever they occur on a WebRA profile.

1. Refer to the trigger documentation to create a trigger.

2. Create or modify the WebRA profile you wish to use the triggers on.

3. Go to the Triggers tab, then to Certificate lifecycle triggers.

4. Choose which lifecycle events you wish to use triggers upon (enrollment, revocation, expiration).

5. Select one or more existing triggers from the menu (if several are selected, they will all be called whenever the selected event occurs).

6. Click on the Save button.

From now on, whenever a selected lifecycle event occurs on the configured WebRA profile, the trigger will be called and the certificate will be pushed into or removed from the third party container.

Automation using scheduled tasks

Scheduled tasks are a functionality of WebRA that periodically synchronizes automatic renewal or revocation events with a third party, according to what occurs on a WebRA profile. More specifically, it periodically checks whether the certificate has entered the "renewal period" defined in the connector’s configuration, and renews it automatically if necessary.

1. Refer to the third party connector documentation to create a third party connector.

2. Ensure you have an existing WebRA profile: renewal will be automated on the selected profile.

3. Follow the documentation of the WebRA scheduled tasks section to properly configure a scheduled task.