How to configure CA PAM to rotate passwords on an f5 load balancer
search cancel

How to configure CA PAM to rotate passwords on an f5 load balancer


Article ID: 114579


Updated On:


CA Privileged Access Manager (PAM)


PAM can configure auto-login to your f5 web based configuration utility with privileged accounts. At this time, PAM cannot use the browser based utility to manage the passwords for these users but the f5 can enable access to a unix shell (ssh) for command line which does allow for PAM to automate the password manipulation. At this time f5 will require an administrator role to allow the user access with the Advanced shell (bash) so PAM will subsequently require the Administrator role as well.


Applies to any PAM release as of March 2023.



Configuring f5 to enable PAM to rotate passwords

1. Enable Advanced Shell console access in the f5 device (if not already configured)
2. Enable Advanced Shell console access for either a specific user or multiple users in f5.

Note: Please see f5 documentation concerning your release of f5 for further documentation on these steps.

If you want to use one account to update the password of other accounts (use case 2 below), make sure that this user can login to f5 and change its own passwd as well as another user's password using ssh.

The following interview shows how user "admin" changes the password of user "rotate".

[[email protected]:Active:Standalone] ~ # passwd rotate
Changing password for user rotate.
New BIG-IP password:
Retype new BIG-IP password:
[[email protected]:Active:Standalone] ~ #

Note that the password command does NOT ask the admin user for its own password. This is standard behavior for a UNIX or Linux root account. Accordingly below you will see that the admin account is configured with option "This account is a root account". See KB 123217 for details on how to set the correct privilege elevation option for UNIX target accounts.

Use case 1: Configure a PAM target account that can change its own password

1. Create or update a unix target application assigning it to your f5 device

2. Create or update a unix target account with ability to change its own password.



Use case 2: Configure a PAM target account that has its password changed by another account 

This use case requires that you have at least one account configured already following instructions in use case 1 above, and that this account has permissions to change the password of other user accounts on the F5 device.

1. Use the unix target application created in use case 1 (see above).
2. Create a unix target account that uses another account for the change process.

By utilizing a single administrator with Advanced Shell (bash) enabled and authorizing tmsh shell for other privileged accounts PAM can manage these account passwords.


1559050805639000114579_sktwi15okjw4363bu.jpeg get_app
1559050803858000114579_sktwi15okjw4363bt.jpeg get_app
1559050802012000114579_sktwi15okjw4363bs.jpeg get_app
1559050800008000114579_sktwi15okjw4363br.jpeg get_app
1559050798089000114579_sktwi15okjw4363bq.jpeg get_app
1559050794702000114579_sktwi15okjw4363bp.jpeg get_app
1559050792354000114579_sktwi15okjw4363bo.jpeg get_app
1559050790553000114579_sktwi15okjw4363bn.jpeg get_app
1559050788390000114579_sktwi15okjw4363bm.jpeg get_app