Update thundermgmt.md

Author: bhillkeyfactor

docsource/thundermgmt.md

@@ -18,13 +18,97 @@ When a user logs into the GUI via `https://<device_ip>`, the certificate present
 
 ## Requirements
 
-TODO Requirements is an optional section. If this section doesn't seem necessary on initial glance, please delete it. Refer to the docs on [Confluence](https://keyfactor.atlassian.net/wiki/x/SAAyHg) for more info
 
-## Certificate Store Configuration
+### A10 Certificate Management Orchestrator Extension
 
-TODO Certificate Store Configuration is an optional section. If this section doesn't seem necessary on initial glance, please delete it. Refer to the docs on [Confluence](https://keyfactor.atlassian.net/wiki/x/SAAyHg) for more info
+This orchestrator extension automates the process of uploading, inventorying, and deploying SSL certificates from a Linux SCP server to an A10 vThunder device. Due to A10 API limitations, certificates must be pulled from the SCP server directly by the A10 device itself.
+
+---
+
+#### 📌 How It Works
+
+1. **The orchestrator** connects to a Linux server via SCP to inventory available certificates.
+2. It stores relevant metadata and pushes new certificates and keys to the SCP server.
+3. It then instructs the **A10 device** to retrieve the certificate and private key from the Linux server using API calls.
+4. The A10 device loads the certificate and key directly from the SCP server for use on its **management interface**.
+
+---
+
+#### ⚙️ Configuration Fields
+
+| Name              | Display Name                  | Description                                                  | Type   | Required |
+|-------------------|-------------------------------|--------------------------------------------------------------|--------|----------|
+| OrchToScpServerIp | Orch To Scp Server IP         | IP from the orchestrator to the SCP Linux server             | String | ✅        |
+| ScpPort           | Port Used For SCP             | Port used to connect to the SCP server                       | String | ✅        |
+| ScpUserName       | Username Used For SCP         | Username for SCP access on the Linux server                  | Secret | ✅        |
+| ScpPassword       | Password Used For SCP         | Password for SCP access on the Linux server                  | Secret | ✅        |
+| A10ToScpServerIp  | A10 Device To SCP Server IP   | IP used by the A10 device to reach the SCP server (can be private) | String | ✅   |
+| allowInvalidCert  | Allow Invalid Cert on A10 API | If true, allows self-signed/untrusted certs for A10 API access | Bool   | ✅ (default: true) |
+
+---
+
+#### 📡 API Call Example (From A10 Device)
+
+```http
+POST /axapi/v3/web-service/secure/certificate
+```
+
+**Payload:**
+```json
+{
+  "certificate": {
+    "load": 1,
+    "file-url": "scp://ec2-user:[email protected]:/home/ec2-user/26125.crt"
+  }
+}
+```
+
+> A similar call is made for loading the private key onto the A10 device using a separate AXAPI endpoint.
+
+- The A10 device **must have access** to the SCP server via the specified IP (`A10ToScpServerIp`).
+- Ensure the certificate and key file paths are correct and accessible to the SCP user.
+
+---
+
+#### 🔐 Linux Server Requirements
 
-## Global Store Type Section
+##### User Access
+- The SCP user (`ScpUserName`, e.g., `ec2-user`) must:
+  - Have SSH/SCP access.
+  - Authenticate with a password.
+  - Have **read and write** permissions in the SCP location.
 
-TODO Global Store Type Section is an optional section. If this section doesn't seem necessary on initial glance, please delete it. Refer to the docs on [Confluence](https://keyfactor.atlassian.net/wiki/x/SAAyHg) for more info
+> New certificates and **private keys** are generated by Keyfactor and uploaded to this location by the orchestrator. Therefore, write access is essential.
+
+##### SCP Directory Permissions
+- Ensure the directory (e.g., `/home/ec2-user/`) is:
+  - Writable by the orchestrator (to upload new certs/keys).
+  - Readable by both the orchestrator and the A10 device (via SCP).
+
+---
+
+#### 🔄 Alternate Design Consideration
+
+It may be possible to use the A10 device itself as the SCP target location if it supports read/write SCP operations **outside the CLI context**. However, A10 devices typically restrict file access through CLI or API mechanisms only, and not through standard SCP server operations. This limitation is why a separate Linux SCP server is currently required.
+
+---
+
+#### 🔓 Network and Port Requirements
+
+| Source             | Destination         | Port | Protocol | Purpose                       |
+|--------------------|---------------------|------|----------|-------------------------------|
+| Orchestrator       | Linux SCP Server    | 22   | TCP      | Inventory and upload via SCP  |
+| A10 Device         | Linux SCP Server    | 22   | TCP      | Cert and key retrieval via SCP|
+| Orchestrator/Admin | A10 Device (API)    | 443  | HTTPS    | API calls to load certificate |
+
+---
+
+#### ✅ Summary
+
+This extension coordinates certificate and private key delivery by using SCP as a bridge between orchestrator logic and A10's strict API requirements. It ensures secure and automated deployment for the management interface certificates with minimal manual intervention.
+
+
+## Certificate Store Configuration
+
+TODO Certificate Store Configuration is an optional section. If this section doesn't seem necessary on initial glance, please delete it. Refer to the docs on [Confluence](https://keyfactor.atlassian.net/wiki/x/SAAyHg) for more info