Automatically update security packages
To enable automatic downloads, NGINX Instance Manager must authenticate with the NGINX repository. Upload the repository certificate and private key provided with your F5 WAF for NGINX subscription. After you upload these files, NGINX Instance Manager can securely download the latest attack signature, bot signature, and threat campaign packages.
Follow these steps to get and upload the certificate and key:
- Log in to MyF5.
- Go to My Products and Plans > Subscriptions.
- Download these files from your F5 WAF for NGINX subscription:
  - `nginx-repo.crt` (certificate)
  - `nginx-repo.key` (private key)
- Create a JSON file that contains both files. Replace each newline (`\n`) in the certificate and key with a literal `\n` so the formatting is correct inside the JSON file.

  Example request:

  ```json
  {
    "name": "nginx-repo",
    "nginxResourceType": "NginxRepo",
    "certPEMDetails": {
      "caCerts": [],
      "password": "",
      "privateKey": "-----BEGIN PRIVATE KEY-----\n[content snipped]\n-----END PRIVATE KEY-----\n",
      "publicCert": "-----BEGIN CERTIFICATE-----\n[content snipped]\n-----END CERTIFICATE-----",
      "type": "PEM"
    }
  }
  ```
- Upload the file to NGINX Instance Manager using the REST API:

  ```shell
  curl -X POST 'https://{{NIM_FQDN}}/api/platform/v1/certs' \
    --header "Authorization: Bearer <access token>" \
    --header "Content-Type: application/json" \
    -d @nginx-repo-certs.json
  ```
- If successful, you’ll see a response similar to this:

  Example response:

  ```json
  {
    "certAssignmentDetails": [],
    "certMetadata": [
      {
        "authorityKeyIdentifier": "<fingerprint>",
        "commonName": "<subscription name>",
        "expired": false,
        "expiry": 59789838,
        "issuer": "C=US, ST=Washington, L=Seattle, Inc., O=F5 Networks\\, OU=Certificate Authority, CN=F5 PRD Issuing Certificate Authority TEEM V1",
        "publicKeyType": "RSA (2048 bit)",
        "serialNumber": "<serial number>",
        "signatureAlgorithm": "SHA256-RSA",
        "subject": "CN=<subscription name>",
        "subjectAlternativeName": "",
        "subjectKeyIdentifier": "<fingerprint>",
        "thumbprint": "<thumbprint>",
        "thumbprintAlgorithm": "SHA256-RSA",
        "validFrom": "2021-12-21T16:57:55Z",
        "validTo": "2024-12-20T00:00:00Z",
        "version": 3
      }
    ],
    "certPEMDetails": {
      "caCerts": [],
      "password": "**********",
      "privateKey": "**********",
      "publicCert": "[content snipped]",
      "type": "PEM"
    },
    "created": "2023-01-27T23:42:41.587760092Z",
    "modified": "2023-01-27T23:42:41.587760092Z",
    "name": "nginx-repo",
    "serialNumber": "<serial number>",
    "uid": "d08d9f54-58dd-447a-a71d-6fa5aa0d880c",
    "validFrom": "2021-12-21T16:57:55Z",
    "validTo": "2024-12-20T00:00:00Z"
  }
  ```
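The JSON file from the "Create a JSON file" step can be generated instead of edited by hand. The script below is an added example, not part of the F5 documentation: it checks that each downloaded file is a PEM block of the expected kind, lets the JSON encoder escape the newlines, and writes the result readable only by its owner because it holds the private key. The accepted key labels are an assumption; the output name `nginx-repo-certs.json` is taken from the curl command above.

```python
import json
import os
import re

# A PEM block: matching BEGIN/END labels around base64 text.
PEM_RE = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\n[A-Za-z0-9+/=\n]+-----END \1-----")
# Assumption: only unencrypted key labels, because the request sends an empty password.
KEY_LABELS = {"PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY"}
CERT_LABELS = {"CERTIFICATE"}


def read_pem(text, expected_labels):
    """Normalize line endings and confirm the text is the expected kind of PEM."""
    text = text.replace("\r\n", "\n").strip() + "\n"
    match = PEM_RE.search(text)
    if not match or match.group(1) not in expected_labels:
        raise ValueError(f"expected a PEM block labelled one of {sorted(expected_labels)}")
    return text


def build_payload(cert_pem, key_pem, name="nginx-repo"):
    """Build the request body in the shape of the example request."""
    return {
        "name": name,
        "nginxResourceType": "NginxRepo",
        "certPEMDetails": {
            "caCerts": [],
            "password": "",
            "privateKey": read_pem(key_pem, KEY_LABELS),
            "publicCert": read_pem(cert_pem, CERT_LABELS),
            "type": "PEM",
        },
    }


def write_payload(payload, path):
    """Write the JSON with owner-only permissions; it contains the private key."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as fh:
        json.dump(payload, fh, indent=2)  # the encoder writes each newline as \n
    os.chmod(path, 0o600)  # tighten the mode if the file already existed


if __name__ == "__main__":
    with open("nginx-repo.crt") as crt, open("nginx-repo.key") as key:
        write_payload(build_payload(crt.read(), key.read()), "nginx-repo-certs.json")
```

The generated file holds the private key in clear text, so remove it once the upload has succeeded.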
NGINX Instance Manager can automatically download the latest attack signatures, bot signatures, and threat campaign versions. To enable automatic downloads:
- Log in to the NGINX Instance Manager host using SSH.
- Open the `/etc/nms/nms.conf` file in a text editor.
- Adjust the `app_protect_security_update` settings as shown in the example below:

  ```yaml
  integrations:
    # enable this for integrations on tcp
    # address: 127.0.0.1:8037
    address: unix:/var/run/nms/integrations.sock
    dqlite:
      addr: 127.0.0.1:7892
    app_protect_security_update:
      # enable this to automatically retrieve the latest attack signatures, bot signatures, and threat campaigns
      enable: true
      # how often, in hours, to check for updates; default is 6
      interval: 6
      # how many updates to download; default is 10, max is 20
      number_of_updates: 10
  ```
- Save the changes and close the file.
- Restart the `nms-integrations` service:

  ```shell
  sudo systemctl restart nms-integrations
  ```
If the F5 WAF for NGINX certificate or key is missing, invalid, or expired, you’ll see an error like this:
```text
error when creating the nginx repo retriever - NGINX repo certificates not found
```

This means NGINX Instance Manager can’t connect to the NGINX repository to retrieve packages. Re-upload a valid certificate and key to resolve the issue.