rsa pub key authentication when AAA is enabled
Hello, we usually log in to our BIG-IP with TACACS, and that is working fine. Now we'd like to have a special user who should authenticate with an RSA pub key. Question: when I create a user, I cannot define a password, I guess because of the AAA config, right? So I fear this would only work if we disable TACACS. If we configure the root user with an RSA pub key, it still asks for a password. Does anyone have such a combination?

303 Views, 0 likes, 2 Comments

Help with creating script
Currently we are using the Google Authenticator with our F5 implementation. We provide our users with a shared secret key and store the same key in our Active Directory for later reference. So basically we add a sample key like this to one of our AD fields: GVUEYVDJMNSFIMD2

So basically I have a ton of users with this setup in their AD fields. One of the issues I have with our setup is the fact that the key we store in Active Directory is too visible to others in my organization. So a friend pointed this link out to me and I think it will fix my concerns: https://devcentral.f5.com/questions/apm-active-directory-authention-with-google-auth

So we add the following code to the Google Authenticator generator page:

    append ga_secret_http_resp "key (secret): $secret_b32\n \n "
    set key "3658F2C8C5C2017839B2B1761F713F8B"
    set iv "DC4F6A9A1C6D12C15FEC43179660C78B"
    set enc_ga_secret [b64encode [CRYPTO::encrypt -alg aes-128-cbc -keyhex $key -ivhex $iv $secret_b32]]
    append ga_secret_http_resp "encrypted secret: $enc_ga_secret\n"
    append ga_secret_http_resp "\n"

Users are provided the key GVUEYVDJMNSFIMD2 and we now add this encrypted key 3qqb/Yr1gSblF99F8/XkgJVFG5vs9KG5OwflwLHkU9I= to AD. The F5 can then decrypt the key and it works great. However, I now need to create a script that will take the remaining shared key we have in everybody's account and encrypt it. I was hoping someone knew a little PowerShell or some other scripting language that could help me out of this jam!

177 Views, 0 likes, 0 Comments

How to install a cert and a key through Python SDK
I am trying to install a cert and a key through the Python SDK. BIG-IP Version: 12.1.2

First, I had no problem with uploading certs and keys to F5's /var/config/rest/downloads/ folder. Now when I tried the following Python code to install the cert and key, I didn't see any error.

    key = bitip.tm.sys.file.ssl_keys.ssl_key.create(name='test', partition='Common', sourcePath='file:/var/config/rest/downloads/test.key')
    cert = bitip.tm.sys.file.ssl_certs.ssl_cert.create(name='test', partition='Common', sourcePath='file:/var/config/rest/downloads/test.crt')

However, when I logged on to the BIG-IP device and clicked a cert or key to see their actual content, I couldn't see any content: "No certificate" under the Certificate tab and an error message of "An error has occurred while trying to process your request." under the Key tab. Does anyone know what is causing this problem? Or is there any way I can troubleshoot this issue? Thank you.

1K Views, 1 like, 4 Comments

BIG-IQ and certificate management - why certificates are not imported
Hi, I am quite new to BIG-IQ so maybe this is a very obvious question. Anyway, I am quite surprised that BIG-IQ is not importing actual certificate files from BIG-IP. All tests were done on BIG-IQ 5.2.0 and BIG-IPs VE 13.0.0HF2.

After BIG-IP import all certificates are marked as Unmanaged. The only way I can find to make certificates managed is to manually export certificates, keys and chain files from the BIG-IP device and import them into BIG-IQ. That is a lot of work :-( Are there any automation tools for that?

Assuming that BIG-IQ has both REST API access (over HTTPS) and SSH access to BIG-IP, there should not be a problem with transferring actual files from BIG-IP. I can understand security and technical issues with key files - those are the most sensitive data and can/should be protected with passwords - so transfer could not be possible. But in the case of just certificates or chain files there is no security/password, so there should be an option to import those from BIG-IPs. Am I missing something here? I will as well appreciate any clue how this process can be automated.

Piotr

797 Views, 0 likes, 2 Comments

Convert to pkcs 12 format
Hi All, I created a CSR and have received the certs from the CA. I will be using those on the F5. But the server team needs the cert and key in PKCS12 format. I have the below:

certificate file -> server.crt
key file -> server.key (this is already in the F5, downloaded it from the BIG-IP)
root CA -> CACert.csr

How can I convert it to PKCS in F5? I tried the below but it does not work:

    openssl pkcs12 -export -out server.p12 -inkey server.key -in server.crt -certfile CACert.crt

Can anyone please help on this?

Thanks, Aditya

348 Views, 0 likes, 1 Comment

Cannot deploy or export SSL keys from Big IQ
We have not been able to deploy any configurations from Big IQ (V 5.3) to existing LTM (12.1.2) Virtual Servers if they are not natively created on Big IQ. However, we were hopeful that we could manage SSL certificates from Big IQ. So we created keys, CSRs and imported the associated certificates successfully on the Big IQ natively. The hope was we could deploy them to each LTM that required them. There should be no object conflict since these are net new objects being introduced to the LTM.

We tried deploying as a partial with just the key to a single LTM. The Big IQ stated the evaluation and deployment was successful but this was in error as the LTM had no such object. This was not unexpected as we have not been successful with others. What was unexpected is the inability to export the private keys so we may import them on the LTMs. I have not been able to identify what directory these keys may be in or find any information on this subject. Any help useful!

385 Views, 0 likes, 1 Comment

Importing RSA Certificate & key
Hi, I'm browsing the SSL certificate list, and there are different types of Contents. I'm particularly interested in "RSA Certificate & key" since this is the method I'd like to use to import two of the newly received CA certificates. The problem is I have no idea how. I can easily import the certificate and key in separate entries, but this seems to clutter the list. I'm also having difficulties in finding a proper instruction on the web. Please help or direct me to one that just assumes me being an F5 first-timer :) Thanks

1K Views, 0 likes, 2 Comments

iRule Table keys - case sensitive?
Have an issue which I'll resolve with making everything lower case. But noted that I can create a key "A" and a key "a", and it seems to look-up the first key when retrieving data for "a". I need to investigate it closer to be sure this is what is happening, but is the case sensitivity of keys documented anywhere?

203 Views, 0 likes, 1 Comment

iControl and Powershell - key import and certificate import
I am attempting to script out importing an SSL crt/key pair into a new F5 running 11.3. I'm using iControl within PowerShell. I've successfully used iControl and PowerShell for other tasks on this new F5. Below is my sample code which doesn't seem to be working. Any ideas/suggestions?

    $SSLDir = "<Path to folder containing crt and key files on my machine>"
    $url = "www.myurl.com"
    $crtfilename = $url + ".crt"
    $keyfilename = $url + ".key"
    $keyfile = $SSLDir + "\" + $keyfilename
    $crtfile = $SSLDir + "\" + $crtfilename
    (Get-F5.iControl).ManagementPartition.Set_active_partition("Common")
    (Get-F5.iControl).ManagementKeyCertificate.key_import_from_file(0,$url,$keyfile,$false)
    (Get-F5.iControl).ManagementKeyCertificate.certificate_import_from_file(0,$url,$crtfile,$false)

624 Views, 0 likes, 16 Comments