Getting Started with BIG-IP Next: Licensing Instances in Central Manager
This article assumes that the license was not applied during the initial instance setup and covers only the GUI process. For the API process or for disconnected mode, please reference the instructions for licensing on Clouddocs.
Download the JSON Web Token from MyF5
I don't have a paid license, so I'm going to use my trial license available at MyF5. Your mileage may vary here. Go to my products & plans, trials, and then in the my trials listing (assuming you've requested/received one) click BIG-IP Next.
Click downloads and licenses (note, however, the helpful list of resources down in guides and references).
You can just copy your JSON web token, but I chose to download.
Install the Token
Login to Central Manager and click manage instances.
Click on your new unlicensed instance.
In the left-hand menu at the bottom, click License.
Click activate license.
We already downloaded our token, so after reviewing the information, click next. Note that I made sure that my Central Manager has access to the licensing server and the steps covered in this article assume the same. If you've managed classic BIG-IP licenses, copying and pasting dossiers to get licenses should be a well-understood process.
On this screen, paste your token into the box, give it a name, and click activate.
After a brief interrogation of the licensing server, you should now have a healthy, licensed, BIG-IP Next Instance!
Resources
The licensing process is very opaque. Even with outbound access, and a working default route, I am still unable to license an F5 NEXT instance.
LICENSING-0011: InvalidToken: TokenExpiredOrInvalid
Are there any troubleshooting steps? Logs we can review?
Ok, so found there is a licensing k8s container running...
tail -f /var/log/containers/*-llm-*.log
Removing a lot of timestamp gibberish, here is what I get...
Start: verify token... token verification successful !, returning 200 Start: saving token... Certificates not available, using token for further processing failed, err: Post "https://product.apis.f5.com/ee/v1/certificates": dial tcp: lookup product.apis.f5.com on 100.75.0.10:53: server misbehaving, retry count: 1 failed, err: Post "https://product.apis.f5.com/ee/v1/certificates": dial tcp: lookup product.apis.f5.com on 100.75.0.10:53: server misbehaving, retry count: 2 failed, err: Post "https://product.apis.f5.com/ee/v1/certificates": dial tcp: lookup product.apis.f5.com on 100.75.0.10:53: server misbehaving, retry count: 3
Resolves just fine....
root@nextcm:/var/log/containers# ping product.apis.f5.com PING rgwe1rt100-0-routers.dn.apigee.net (35.199.173.84) 56(84) bytes of data.
Definitely think the article could benefit from some troubleshooting info. CANNOT find this anywhere within any KB :/ I may be blind though.
- JRahmAdmin
asking internally for additional info. Will keep you posted.
- Bob_RairighNimbostratus
So what are the ports and ip addresses that are needed opened thru the firewall? The disconnected method is not working. :(
- Charles_HardingEmployee
What is the address of the licensing server? as need to open the firewall to allow access.
Also what is the method to validate license where no Internat Acess is allowed?- JRahmAdmin
proxy methods are coming; I'm told there are methods with the API for disconnected mode, but I don't have details for that yet. Taking a wireshark capture, the process to connect to licensing server in DNS lookups:
CM -> product-s.apis.f5.com -> CNAME f5-prod-webdev-prod.apigree.net -> CNAME rgwe1rt100-0-routers.dn.apigee.net -> A 35.199.173.84
I'll update article after I have concrete details.
- JRahmAdmin
Hi Charles_Harding good questions, let me find those answers and a) get back to you and b) update the article, that's important information.
It has been 1 week and I still don't have a trial license approved.
"
Pending approval
Trial fulfillment on hold, pending approval from F5 Inc.
"
- JRahmAdmin
glad that got worked out, sorry it took as long as it did...