Adding F5 Networks BIG-IP Systems
Overview
To manage F5 Networks BIG-IP accounts, you need to specify a valid local administrative account and password. See "Specifying a local administrative account" for more information. The account used must be an account in the F5 Networks BIG-IP Administrator role.
To manage the passwords of other users and root accounts, the administrative account must have the F5 Networks BIG-IP role Administrator. Although users with the User Manager role can change passwords for users that do not have the Administrator role, they cannot change the password for users in the Administrator role.
For additional information, see: https://www.f5.com/.
For any account you add, you can also choose whether or not you want Privileged Access Service to manage the account password. If you select Manage this credential, Privileged Access Service automatically resets the password after the account and system are added and each time the account is checked in.
For more information on managing F5 Networks BIG-IP systems, see the following topics:
Setting up Certificates for F5 Networks BIG-IP Systems
You must set up the device certificate on the F5 Networks BIG-IP system before you can connect using Privileged Access Service.
Once the F5 Networks BIG-IP system is configured, the same certificate must also be trusted in all Delinea Connector systems that are connected to the F5 Networks BIG-IP system. In most cases, F5 Networks BIG-IP systems should use a certificate obtained from an Enterprise Certificate Authority (CA), or a trusted external CA, like VeriSign. Since the certificate is trusted already, it simplifies the certificate setup on Delinea Connector systems. You can also export the certificate from the F5 Networks BIG-IP system and import it into all systems running the Delinea Connector. Self-signed certificates should not be used in production environments.
Verifying Certificate Configuration
To verify that the certificate is trusted in the Delinea Connector, connect to the F5 Networks BIG-IP Web UI ("https://<hostname/IP Address>:<management port>") using a browser and verify that the connection is secure. If the connection is secure, the SSL/TLS secure management channel is established.
If an error occurs while establishing the SSL connection, review the supported SSL/TLS protocol versions and cipher suites.
If an error occurs indicating that the server certificate cannot be validated, check the connector and target certificate settings, including root CA, subject names, and validity.
For more information about password and system management for F5 Networks BIG-IP systems, see the following topics:
Password Complexity Rules
All managed passwords generated by the Privileged Access Service consist of at least one upper case letter, one lower case letter, one number, one special character, and allow consecutive repeated characters regardless of the system type. In the Admin Portal > Settings > Resources > Password Profiles, the default password profile for F5 Networks BIG-IP restricts password length to a maximum of 31 characters. The following additional password rules apply:
- Minimum password length: 12 characters.
- Maximum password length: 31 characters.
- Supported special characters: @#%*+,-./:=?[]^_~
You should not use the following special characters in passwords that you define for F5 Networks BIG-IP user accounts: ( ) ; ! | $ < > & ' " ` \ { }
Keep in mind that only Privileged Access Service knows the managed password that is generated and stored. Do not select the Manage this credential option if you don’t want Privileged Access Service to manage the password for the account.
For additional information on F5 Networks BIG-IP system password requirements, see the following reference:
https://support.f5.com/csp/article/K2873
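The rules above expressed as a pre-check for passwords you define yourself, as an added example that is not part of the Delinea or F5 documentation. The function name check_bigip_password is hypothetical; applying the generated-password composition to user-defined passwords and rejecting any character outside the supported set are assumptions of this example.

```python
import string

# Values taken from the password rules on this page.
MIN_LEN, MAX_LEN = 12, 31
SUPPORTED_SPECIALS = set("@#%*+,-./:=?[]^_~")
AVOID = set("();!|$<>&'\"`\\{}")


def check_bigip_password(password):
    """Return a list of rule violations; an empty list means the password conforms."""
    problems = []
    if len(password) < MIN_LEN:
        problems.append(f"shorter than {MIN_LEN} characters")
    if len(password) > MAX_LEN:
        problems.append(f"longer than {MAX_LEN} characters")

    # Composition of PAS-generated passwords; applying it to passwords
    # you define yourself is an assumption of this example.
    classes = {
        "upper case letter": string.ascii_uppercase,
        "lower case letter": string.ascii_lowercase,
        "number": string.digits,
        "supported special character": SUPPORTED_SPECIALS,
    }
    for name, members in classes.items():
        if not any(ch in members for ch in password):
            problems.append(f"no {name}")

    allowed = set(string.ascii_letters + string.digits) | SUPPORTED_SPECIALS
    avoided = sorted({ch for ch in password if ch in AVOID})
    other = sorted({ch for ch in password if ch not in allowed and ch not in AVOID})
    if avoided:
        problems.append("characters to avoid: " + " ".join(avoided))
    if other:
        # Assumption: anything outside the supported set (spaces, non-ASCII) is flagged.
        problems.append("unsupported characters: " + " ".join(repr(c) for c in other))
    return problems


if __name__ == "__main__":
    # Constructed sample passwords, not real credentials.
    for sample in ["Blue-Heron_42:north", "short1A@", "Passw0rd$(rotate)!x"]:
        print(f"{sample!r}: {check_bigip_password(sample) or 'ok'}")
```

A password made up only of characters from the avoid list plus letters and digits is reported twice: once for the characters to avoid and once for lacking a supported special character.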
Changing F5 Networks BIG-IP System Settings
In addition to the common system settings you can change for any type of system, there are a few F5 Networks BIG-IP system settings. For example, you can use System Settings to update the following types of information after adding a system:
- Change the session type or port number for remote connections
You can manually select secure shell or remote desktop and change the port number for remote sessions. If you don’t specify a session type and port, the secure shell client and port 22 are used by default.
- Select a system time zone
You can manually select the time zone you want to use for any system. If you don’t specify a time zone, the local time zone of the system is used by default.
- Account Management Settings
For password management, HTTPS port 8443 is used. If you changed the port assignment used for password management, you need to manually set the Management Port field to match the setting of the F5 Networks BIG-IP system. Contact F5 Networks BIG-IP Support if you want to change the port setting.