# certificate

89 Topics

## Automating ACMEv2 Certificate Management on BIG-IP
While Let's Encrypt and ACMEv2 are often associated, and even confused, with one another, the former is ultimately a consumer of the latter. The "Automated Certificate Management Environment" (ACME) protocol describes a system for automating the renewal of PKI certificates. The ACME protocol can be used with public services like Let's Encrypt, but also with internal certificate management services. In this article we explore the more generic support of ACME (version 2) on the F5 BIG-IP.
## My Journey to Passing the F5 402 Cloud Solution Specialist Exam: Tips & Guide

Since study materials and comprehensive guidebooks for the F5 402 Cloud Solution Specialist exam are quite scarce, I wanted to share my personal experience and key takeaways to help those preparing for this certification.

### Prerequisites & Foundational Knowledge

* **Mandatory Prerequisites:** You must have already passed the F5 301A+B (LTM) and 302 (GTM/DNS) exams.
* **Cloud Background:** A solid understanding of cloud architecture (at least at a foundational level) is highly recommended.

### Key Exam Topics to Focus On

1. **Deployment Topologies (1 vs. 3 vNICs):** Understand these deployment models thoroughly, especially in Auto Scaling scenarios. Know when to use each, and be aware of their limitations (such as bandwidth constraints).
2. **VE Licensing (Good, Better, Best):** This is heavily tested. Save time by focusing specifically on the modules that differentiate each tier.
3. **Accessing BIG-IP VE on Cloud:** Know the exact procedure for the initial setup, specifically the use of Key-Pairs and Port 8443.
4. **Automation & Templates:** CloudFormation Templates (CFT) and Kubernetes ConfigMaps appear frequently.
5. **Cloud Failover Extension (CFE):** Understand its core concepts, limitations, and practical use cases.
6. **Cloud High Availability (HA) Limitations:** Focus on why standard failover behaviors change in the cloud (e.g., cloud providers not accepting Gratuitous ARP [GARP], or handling multiple Traffic-Groups).
7. **HA Architecture:** Grasp the differences between Active-Standby and Active-Active deployments.
8. **Active-Active with ELB:** Understand why F5 recommends placing cloud-native Load Balancers (like AWS ALB/NLB) in front of an Active-Active F5 cluster.
9. **Cloud-Specific Terminology:** Be comfortable with cloud infrastructure jargon, especially AWS terminology (e.g., Amazon S3, ELB, VPC, AMI, etc.).
10. **AWS vs. Azure Ratio:** The exam leans heavily toward Amazon AWS over Microsoft Azure, roughly an 80:20 split.
11. **F5 Automation Toolchain:** Understand F5 extensions and their distinct use cases, such as iControl LX, iApp LX, and AS3.
12. **Declarative APIs:** Expect many questions regarding API calls used to provision and manage F5 objects.
13. **REST API Fundamentals:** Understand HTTP methods (GET, POST, PUT, PATCH, DELETE) deeply. For instance, know what happens to the configuration state if an API call fails mid-execution.
14. **API Syntax:** Some questions go deep into the exact command syntax. It is vital to look at real-world examples and memorize the syntax structure.
15. **BIG-IQ Integration:** Study the Knowledge Base (KB) articles regarding using BIG-IQ with AS3 as a proxy to create objects on BIG-IP. Pay attention to the initial setup requirements.
16. **Availability Zones (AZ) & Regions:** Understand the conceptual design of multi-AZ and multi-region setups, including their architectural pros and cons.
17. **AWS Auto Scaling Groups (ASG):** This is a major topic. Spend adequate time reading up on how ASG integrates with F5.
18. **Licensing Models (BYOL vs. PAYG):** You won't get straightforward definition questions. Instead, you will need to analyze scenarios to determine which model is the most cost-effective or appropriate.
19. **Traffic Direction Concepts:** Clearly differentiate between North-South (Vertical) and East-West (Horizontal) traffic patterns to analyze scenario-based questions.
20. **Microservices & Containers:** If you aren't familiar with containerization, brush up on it. There will be architectural diagrams involving Pods and NodePorts.
21. **F5 Container Ingress Services (CIS):** This is another heavily tested topic.
22. **Advanced Licensing:** Look into VLS (Volume Licensing Subscription) and CLP (Cloud Licensing Program).
23. **AWS Instance Types:** You don't need to memorize instance specs by heart. The exam provides reference tables so you can map and choose the most optimal instance type for a given F5 license.
24. **License Bandwidth:** Understand the performance and throughput limits associated with different F5 licenses.
25. **Content Delivery Network (CDN):** Expect diagram-based questions requiring scenario analysis.
26. **F5 Distributed Cloud (XC) & Silverline:** During my attempt, F5 XC wasn't featured yet, but there were some questions regarding Silverline. (Note: This may vary as blueprints update.)
27. **Hybrid Cloud Concepts:** Understand the architecture when bridging On-Premises data centers with Public Cloud environments.
28. **Cloud Migration:** Questions will test your analytical skills regarding migrating workloads from On-Prem to the Cloud, specifically around what factors are critical when shifting traffic.
29. **AWS 6 Rs of Migration:** Memorize the concepts (Rehost, Replatform, Refactor, etc.) as they are embedded in multiple situational questions.
30. **Cloud Models & Finance:** Understand the foundational differences between IaaS, PaaS, SaaS, as well as CapEx vs. OpEx.
31. **WILS (The Data Center API Compass Rose):** This framework does make an appearance on the exam.
32. **F5 APM Roles:** Expect a fair share of APM questions where you must identify whether the BIG-IP is acting as the Identity Provider (IdP) or the Service Provider (SP).
33. **Deployment Methods:** Know the nuances of deploying BIG-IP VE via the Cloud Marketplace versus using GitHub Deployment Scripts.
34. **Cloud Bursting & Monitoring:** This is a recurring theme, including how Active Monitors are used to detect load changes and trigger auto-deployments of instances.
35. **Log File Paths:** Know where to look for specific troubleshooting logs, such as iControl errors, authentication failures, and BIG-IQ restjavad logs.
36. **Authentication Protocol Concepts:** Protocols like OAuth and LDAP aren't questioned directly on syntax, but you must understand their architectural diagrams and exchange mechanisms (e.g., Tokens, SAML assertions).
37. **What did NOT appear (in my attempt):** There were no questions regarding AI, GWLB, Transit Gateway (TGW), F5 XC, or advanced Firewall Deployment Modes on Cloud.

### How to Approach F5 Module Review (Levels 3xx vs 4xx)

If you already have strong, hands-on experience with F5 modules, you don't necessarily need to re-read all the 3xx-level materials from scratch. The 402 exam looks at them from a higher conceptual level:

* **LTM:** Focuses on TMOS architecture, hardware models (like how vCMP operates), and licensing. It won't grill you on basic configurations like "which Load Balancing method to choose."
* **GTM/DNS:** Purely conceptual. No deep iQuery troubleshooting, just GSLB terminology and straightforward Static Ratio configurations.
* **ASM/AWAF/AFM:** Know which module fits the scenario. For example, choose AFM for L3/L4 DDoS protection, but opt for ASM for L7 DDoS, Behavioral DoS (BaDoS), and WAF capabilities. This ties back into knowing your Better vs. Best license bundles.
* **APM:** Highly important. Review the different authentication types and firmly memorize the architectural flow diagrams for IdP and SP.

### Strategy & Exam Tips

* **Analytical Focus:** Level 4xx exams test your ability to analyze complex scenarios. Pure theory isn't enough; real-world exposure or architectural thinking is key, especially regarding cloud environments for the 402.
* **Time Management is Crucial:** Time is the biggest challenge here. As a non-native English speaker, I was allocated approximately 2 hours and 15 minutes, which felt incredibly tight for the amount of reading required.
* **The "Flag" Button is Your Friend:** If you encounter a massive 2-page question with a huge diagram, flag it and skip it immediately. Secure the quick points by answering the shorter questions first.
* **Read the Question and Choices First:** For long, diagram-heavy questions, read the actual prompt and the multiple-choice answers before diving into the diagram text. Often, the scenario description contains a lot of fluff ("noise"), and you can actually deduce the correct answer just by reading the options.
* **Exam Comparison:** Having gone through the 301B, 401, and 402, I can safely say these exams demand immense mental stamina for analysis. However, 301B felt more exhausting. Once you "catch the rhythm" of the 4xx questions, it becomes manageable.
* **Question Pool Size:** I took both the 401 and 402 twice before passing. I felt that the 402 had a much larger question pool. On my second attempt at the 402, I encountered a significant amount of brand-new questions, whereas the 401 retake had quite a lot of repeats.

Best of luck to everyone preparing for the F5 402! I hope you get questions that align with your preparation. Use this guide as a reference point for your studies, and feel free to share your thoughts!

## Automate import of SSL Certificate, Key & CRL from BIG-IP to BIG-IQ
The functionality to automate the import of SSL certificates and keys from BIG-IP to BIG-IQ is available in the product starting with BIG-IQ 7.0. This script should not be used on BIG-IQ 7.0+, as it has not been tested on those versions.

This script imports all supported SSL certificates, keys and CRLs that exist as unmanaged objects on this BIG-IQ and can be found on the target BIG-IP.

Steps performed by the script:

1. Gather certificate and key metadata (including cache-path) from BIG-IPs
2. Download certificate and key file data from BIG-IPs
3. Upload certificate and key file data to BIG-IQ

Prerequisite: discover and import LTM services before using this script. The target BIG-IP will be accessed over SSH using the BIG-IP root account.

Installation: the script must be installed on BIG-IQ under /shared/scripts:

```
# mkdir /shared/scripts
# chmod +x /shared/scripts/import-bigip-cert-key-crl.py
```

Command example:

```
# ./import-bigip-cert-key-crl.py <big-ip IP address>
```

Enter the root user's password if prompted.

Allowed command line options:

* `-h` show this help message and exit
* `-l LOG_FILE` log to the given file name
* `--log-level {debug,info,warning,error,critical}` set logging to the given level (default: info)
* `-p PORT` BIG-IP ssh port (default: 22)

Result: compare Configuration > Certificate Management > Certificates & Keys before and after running the script.

Location of the scripts on GitHub: https://github.com/f5devcentral/f5-big-iq-pm-team

In case your BIG-IQ is running on hardware:

Step 1: Install packages using pip, targeting a location of your choice

```
# mkdir py-modules
# pip install --target py-modules requests argparse
```

Step 2: Run using python2.7, adding py-modules to the Python path

```
# PYTHONPATH=py-modules python2.7 import-bigip-cert-key-crl.py <big-ip IP address>
```

## Implementing SSL Orchestrator - Certificate Considerations
### Introduction

This article is part of a series on implementing BIG-IP SSL Orchestrator. It includes high availability and central management with BIG-IQ.

Implementing SSL/TLS decryption is not a trivial task. There are many factors to keep in mind and account for, from the network topology and insertion point to SSL/TLS keyrings, certificates, cipher suites and so on. This article focuses on SSL certificates and everything you need to know about them. It is divided into the following high-level sections:

* Using OpenSSL
* Using Microsoft CA
* Importing a private key and certificate into SSL Orchestrator
* Manually installing certificates in browsers
* Creating a Certificate Signing Request (CSR) for an Inbound Topology
* Using Group Policy Objects (GPO) to distribute certificates

Please forgive me for using SSL and TLS interchangeably in this article.

Software versions used in this article:

* BIG-IP Version: 14.1.2
* SSL Orchestrator Version: 5.5
* BIG-IQ Version: 7.0.1

### Using OpenSSL

OpenSSL can be used to sign a CSR. It can also be used to generate a self-signed certificate. When creating a CSR for production, you might need to use OpenSSL with a template in order to populate certain fields, like the Digital Signature key usage. This information is provided as a courtesy.

OpenSSL contains an open-source implementation of the SSL and TLS protocols. The core library, written in the C programming language, implements basic cryptographic functions and provides various utility functions. Wrappers allowing the use of the OpenSSL library in a variety of computer languages are available. OpenSSL can be used to create private keys, certificates and more. Here's an example of the syntax used to create a self-signed certificate:

```
openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:2048 -keyout privateKey.key -out certificate.crt
```

Full instructions about how to use OpenSSL are beyond the scope of this article.
The links below contain excellent information on usage:

* OpenSSL - Command Line Utilities
* SSLShopper - Common OpenSSL Commands

Note: If you want to create your own OpenSSL Certificate Authority, the following DevCentral article is excellent: Building an OpenSSL Certificate Authority - Creating Your Root Certificate

### Using Microsoft Certificate Authority

This method is generally preferred to using self-signed certificates. Rather than reinvent the wheel, the Virtually There blog does an excellent job of explaining the process to sign a CSR with a local Certificate Authority. Click the link below to learn more:

* VirtuallyThere - Signing a CSR with your Microsoft Certificate Authority

Note: If you're looking for information about how to set up your own local Microsoft CA, see this previous blog:

* VirtuallyThere - Building a Microsoft Certificate Authority for your lab

Note: the blog author has given F5 permission to include the links above.

### Installing the signed certificate into SSL Orchestrator

1. From the Configuration Utility, go to SSL Orchestrator > Certificate Management > Traffic Certificate Management.
2. Click on the certificate created earlier (my_certificate).
3. Click Import.
4. Click Choose File and select the signed certificate from the CA. Click OK/Open.
5. Click Import.

Note on certificate chains and subordinate CAs: if using certificate chains, be sure to include all intermediate certificates in the chain. For more information on certificate chains, see this Microsoft article.

### Import private key and certificate into SSL Orchestrator

Follow the steps below if you already have the private key and certificate you want to use for SSL decryption.

1. From the BIG-IP Configuration Utility click SSL Orchestrator > Certificate Management > Certificates and Keys.
2. On the far right, click Import.
3. For Import Type click Select. Different types of import options are available. For this example, select Key.
4. Give it a name, in this example SSL.key.
5. You can upload the key from a local file or paste it in as text. Choose the method you prefer and click Import when done. The example below shows the local file method.
6. Click the name of the Key you created.
7. Click Import.
8. You can upload the certificate from a local file or paste it in as text. Choose the method you prefer and click Import when done. The example below shows the local file method.

You have successfully imported the private key and certificate.

Note: most Enterprise customers will have their own local Certificate Authority (CA).

### Creating a Certificate Signing Request (CSR) for an Inbound Topology

If you are creating an Inbound Topology you can use this method to create a CSR.

1. From the F5 Configuration Utility go to SSL Orchestrator > Certificate Management > Certificates and Keys.
2. Click Create on the top right.
3. Give the certificate a name.
4. For Issuer select Certificate Authority.
5. Fill in the rest of the form. Click Finished when done.
6. The page should look like the following. Click Download my_certificate to download it as a file. You can optionally copy the text output to the Clipboard.
7. Download the CSR so it can be signed by your local Certificate Authority.

### Manually installing certificates in browsers

Certificates generated by SSL Orchestrator need to be trusted by the client computers. If using a Microsoft Certificate Authority (CA) to sign the SSL certificates, the clients will trust it automatically, assuming they are members of the same domain as the CA. If using self-signed certificates, you need to install them in the certificate store on all client computers. Most Enterprise customers won't do this in production, but it's often used for testing or demos. Either way, it's important to know these procedures.

Firefox has its own certificate store. Note: Firefox version 70.0.1 was used in the configuration below.

1. Click the icon on the top right, then Preferences.
2. Scroll to the bottom of the next screen. Under Security click View Certificates.
3. Click Import.
4. Find the certificate on your computer. Select it and click Open.
5. Select the option to Trust this CA to identify websites. Click OK.

Internet Explorer/Edge and Chrome use the Windows certificate store.

1. Locate the certificate on your computer and double click it.
2. Click Install Certificate.
3. Click Next at the Import Wizard.
4. Select the option to Place all certificates in the following store. Click Browse.
5. Select Trusted Root Certification Authorities, then OK. Click Next.
6. Click Finish.
7. You should see a Security Warning like the following. Click Yes.
8. Click OK to the Successful Import message.

### Using GPO to distribute certificates

Microsoft has a variety of support articles and documentation for how to do this with GPO: Distribute Certificates to Client Computers by using Group Policy

### Summary

In this article we covered the most common tasks associated with SSL certificates and how to use them with SSL decryption.

### Next Steps

The next article in this series will cover the Guided Configuration component of SSL Orchestrator.

## Support dynamic CRL check for clientSSL profile (BIG-IP 15.1)
Hi,

Has anyone tested the (dynamic) CRL validator object for a client SSL profile (BIG-IP v15.1)? It should work in v15.1 (fixed bug 743758 - https://cdn.f5.com/product/bugtracker/ID743758.html ).

I'm getting the following errors for all client certificates:

```
err tmm1[21207]: 01a40008:3: Unable to build certificate trust chain for profile /clientssl_profile
tmm1[21207]: 01260009:4: clientIP:62042 -> VIP:443: Connection error: ssl_hs_do_crl_validation:6014: alert(46) unknown certificate error
```

With a CRL File it works OK, but the file does not automatically fetch, check, and cache CRL files…

Kr,
EPX