on 12-Nov-2018 05:00 - edited on 05-Jun-2023 21:53 by JimmyPackets
October 2018 Rev:D
Some network designs may disallow BIG-IQ from reaching BIG-IP VE instances over the network due to network design, network partitioning, security reasons... you get the idea. BIG-IQ’s usual operation requires BIG-IQ to connect to port 443 on the BIG-IP VE’s management IP address. However, when the networks are partitioned in a way that does not allow the BIG-IQ to connect to the BIG-IP, a system outside of BIG-IQ is required to:
And later, when the BIG-IP VE is no longer operational, revoking the license from BIG-IQ.
This document explains how to manage licenses on BIG-IP VEs in this network design.
In order to successfully license BIG-IP VE, BIG-IQ needs specific information from the BIG-IP VE to be licensed.
```
# get_dossier -b TBD -c
```
Example:
```
[root@biq1-yabba-dabba-do:Active:Standalone] config # get_dossier -b d -c
F5_BIOS_ID=Phoenix Technologies LTD 6.00 04/05/2016 VMware Virtual Platform None
F5_MAC=00:50:56:bf:02:02
F5_PROBES=0x01000013
F5_SYS_UUID=543ff2ec-1c2f-844a-23d0-1e226b90678e
F5_KEY=d
F5_VERSION=BIG-IQ 6.0.1 0.0.469
```
For this step, you need to have the following information:
We’ll walk you through each one.
The name of the pool comes from your BIG-IQ centralized management console. To get the name of the pool:
Here you will see your license pools – the pool names are shown in the red rectangle in the example screen shot below. In this case, there are two pools: “Engineering-Pool” and “IT-Pool”.
The next one we’ll discuss is the offering (service catalog) name. This will become important when we form the JSON request for the POST.
It looks as shown in the following diagram, highlighted by the red rectangle:
The BIG-IQ API allows you to specify one or two “search keywords” to be used for matching the offering you wish to assign to your BIG-IP VE instance. For example, the first search keyword could be the feature level you’d like and the second the throughput, such as “LTM” and “10G”. Or, you can just specify the entire offering name as the only search keyword for an exact match, such as “F5-BIG-MSP-LTM-5G-LIC-DEV”.
Once you have the information available, form your JSON request. Here is an example you can start with; we’ll take you through each part:
```
{
  "licensePoolName": "Engineering-Pool",
  "command": "assign",
  "address": "192.0.2.3",
  "assignmentType": "UNREACHABLE",
  "macAddress": "FA:16:3E:1B:6D:34",
  "hypervisor": "vmware",
  "unitOfMeasure": "yearly",
  "skuKeyword1": "LTM",
  "skuKeyword2": "10G"
}
```
Elements | Description |
---|---|
licensePoolName | Name of your pool as previously discussed in this article |
command | The request to BIG-IQ to assign/allocate a license for this instance of BIG-IP VE |
address | IP of your BIG-IQ (use the management IP) |
assignmentType | must be 'unreachable': this instructs BIG-IQ to avoid trying to POST the license to the BIG-IP VE |
macAddress | The MAC address obtained using the method previously discussed |
hypervisor | Underlying hypervisor hosting the BIG-IP VE you wish to license. Valid values are "aws", "azure", "gce", "vmware", "hyperv", "kvm", and "xen". |
unitOfMeasure | Must be "yearly" when you are using a license pool as part of the F5 subscription license or Enterprise Licensing Agreement (ELA) programs. |
skuKeyword1 | Is the first search keyword |
skuKeyword2 | Is the second search keyword |
The search keywords are optional; if none are specified, you’ll get the first license pool BIG-IQ matches on. If only one is specified, you’ll get the first license pool BIG-IQ finds matching the search string. Here is an example with a single search keyword:
```
{
  "licensePoolName": "Engineering-Pool",
  "command": "assign",
  "address": "192.0.2.3",
  "assignmentType": "UNREACHABLE",
  "macAddress": "FA:16:3E:1B:6D:34",
  "hypervisor": "vmware",
  "unitOfMeasure": "yearly",
  "skuKeyword1": "F5-BIG-MSP-LTM-3G-LIC-DEV"
}
```
Next, you need to POST your JSON body to BIG-IQ. The default is token-based authentication, so to use username and password authentication you’ll need to enable basic authentication on BIG-IQ. To do so, log into the BIG-IQ console as “root” and enter “set-basic-auth on”.
For the example below, we’ll use CURL – the JSON body is stored in a file named “getlicense.txt”.
```
# curl -k -l -H'Accept:application/json' -H'Content-Type:application/json' -X POST -T getlicense.txt "https://admin:admin@10.255.65.16/mgmt/cm/device/tasks/licensing/pool/member-management"
```
In this case, the BIG-IQ is at 10.255.65.16 and we’re using the admin login account on BIG-IQ with password “admin”. Your POST must go to “/mgmt/cm/device/tasks/licensing/pool/member-management”.
This results in the following return, if BIG-IQ has accepted your request:
```
{
  "address": "192.0.2.3",
  "assignmentType": "UNREACHABLE",
  "command": "assign",
  "generation": 1,
  "hypervisor": "vmware",
  "id": "64100009-e20c-4add-9d3f-6cf4ed6fde31",
  "identityReferences": [
    {
      "link": "https://localhost/mgmt/shared/authz/users/admin"
    }
  ],
  "kind": "cm:device:tasks:licensing:pool:member-management:devicelicensingassignmenttaskstate",
  "lastUpdateMicros": 1531492957761866,
  "licensePoolName": "Engineering-Pool",
  "macAddress": "FA:16:3E:1B:6D:34",
  "ownerMachineId": "9890115d-3e0b-4e7f-a9a0-ebb22c5747e4",
  "selfLink": "https://localhost/mgmt/cm/device/tasks/licensing/pool/member-management/64100009-e20c-4add-9d3f-6cf4ed6fde31",
  "skuKeyword1": "F5-BIG-MSP-LTM-3G-LIC-DEV",
  "status": "STARTED",
  "taskWorkerGeneration": 1,
  "unitOfMeasure": "yearly",
  "userReference": {
    "link": "https://localhost/mgmt/shared/authz/users/admin"
  }
}
```
BIG-IQ uses an asynchronous, task-based design. As such, what is returned when the POST completes is not the license but the acceptance of your request by BIG-IQ. To get the license, you must poll the “selfLink” (highlighted above).
```
# curl -k -l -H'Accept:application/json' -H'Content-Type:application/json' -X GET "https://admin:admin@10.255.65.16/mgmt/cm/device/tasks/licensing/pool/member-management/64100009-e20c-4add-9d3f-6cf4ed6fde31"
```
If successful, this GET will return the license for the BIG-IP VE instance described in the JSON request in the “licenseText” field of the JSON body. For brevity, it is omitted.
If there was an error encountered, the error text is returned in the “errorMessage” field of the JSON return body.
To complete the licensing operation, you’ll need to extract the license from the “licenseText” element in the returned JSON.
You’ll need to login to the BIG-IP VE instance as “root” and do the following:
/config/bigip.license
bigstart restart
At this point, your BIG-IP VE is licensed.
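An added example (not from the original article and not F5's own code) covering the steps above in Python: it builds the assign body with the field checks from the table, rewrites the `localhost` selfLink to the address you actually poll, and pulls `licenseText` through a JSON parser so the `\n` escapes become real line breaks before the text goes into /config/bigip.license. The function names and the sample response are constructed for illustration, and no network calls are made.

```python
import json
import re
from urllib.parse import urlsplit, urlunsplit

# Values the article lists as valid for "hypervisor".
HYPERVISORS = {"aws", "azure", "gce", "vmware", "hyperv", "kvm", "xen"}
MAC_RE = re.compile(r"(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}")

# Constructed task response (not real BIG-IQ output); the license text is a
# placeholder. The raw string keeps \n as the two-character JSON escape.
SAMPLE_DONE = r'{"command": "assign", "licenseText": "constructed line 1\nconstructed line 2\n"}'


def build_assign_body(pool, address, mac, hypervisor, *keywords):
    """Build the assign request, checking fields against the article's table."""
    if not MAC_RE.fullmatch(mac):
        raise ValueError(f"not a MAC address: {mac!r}")
    if hypervisor not in HYPERVISORS:
        raise ValueError(f"unsupported hypervisor: {hypervisor!r}")
    if len(keywords) > 2:
        raise ValueError("at most two search keywords")
    body = {
        "licensePoolName": pool, "command": "assign", "address": address,
        "assignmentType": "UNREACHABLE", "macAddress": mac,
        "hypervisor": hypervisor,
        "unitOfMeasure": "yearly",  # assumption: subscription/ELA pool
    }
    for i, keyword in enumerate(keywords, start=1):
        body[f"skuKeyword{i}"] = keyword
    return body


def poll_url(self_link, bigiq_host):
    """selfLink names 'localhost'; swap in the address you reach BIG-IQ on."""
    parts = urlsplit(self_link)
    return urlunsplit((parts.scheme, bigiq_host, parts.path, parts.query, ""))


def license_from_task(raw_json):
    """Return licenseText with real newlines, or None if it is not there yet."""
    task = json.loads(raw_json)  # turns the \n escapes into line breaks
    if task.get("errorMessage"):
        raise RuntimeError(task["errorMessage"])
    return task.get("licenseText")


if __name__ == "__main__":
    print(json.dumps(build_assign_body("Engineering-Pool", "192.0.2.3",
                                       "FA:16:3E:1B:6D:34", "vmware", "LTM", "10G"), indent=2))
    print(license_from_task(SAMPLE_DONE), end="")
```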
When your BIG-IP VE instance is no longer needed, it is time to return the license to the pool. This is called a revoke operation.
You’ll need to gather the following information:
Please see the information in the “Step 1” section on how to obtain and gather this information.
The JSON body is then formed. Here is an example:
```
{
  "licensePoolName": "load7afterfix",
  "command": "revoke",
  "address": "192.0.2.3",
  "assignmentType": "UNREACHABLE",
  "macAddress": "FA:16:3E:1B:6D:34"
}
```
The “command” must be “revoke” to return the license to the pool. Here is the example CURL command for the revoke; the JSON body is stored in a file called “revokelicense.txt”:
```
# curl -k -l -H'Accept:application/json' -H'Content-Type:application/json' -X POST -T revokelicense.txt "https://admin:admin@10.255.65.16/mgmt/cm/device/tasks/licensing/pool/member-management"
```
If successful, this request will return a JSON body similar to the following:
```
{
  "address": "192.0.2.3",
  "assignmentType": "UNREACHABLE",
  "command": "revoke",
  "generation": 1,
  "id": "c7348b6a-6973-4372-9b66-f07c40bd0fd5",
  "identityReferences": [
    {
      "link": "https://localhost/mgmt/shared/authz/users/admin"
    }
  ],
  "kind": "cm:device:tasks:licensing:pool:member-management:devicelicensingassignmenttaskstate",
  "lastUpdateMicros": 1531490803422235,
  "licensePoolName": "load7afterfix",
  "macAddress": "FA:16:3E:1B:6D:34",
  "ownerMachineId": "9890115d-3e0b-4e7f-a9a0-ebb22c5747e4",
  "selfLink": "https://locahost/mgmt/cm/device/tasks/licensing/pool/member-management/c7348b6a-6973-4321-8f66-f07e41bf0ed4",
  "status": "STARTED",
  "taskWorkerGeneration": 1,
  "userReference": {
    "link": "https://localhost/mgmt/shared/authz/users/admin"
  }
}
```
Similar to the licensing operation, you can poll the selfLink using a GET operation to monitor BIG-IQ’s progress in finishing up the revoke.
Hey Chase!
A splendid article.
Just provisioned my first isolated BIG-IP with these instructions.
Does the bigip.license accept the response in this format?
The line breaks ( \n ) in the JSON license response appeared to cause a problem while licensing the BIG-IP.
I overcame the problem with some sed magic, as I copied the licenses part to json-license.json file:
```
# Replace the literal \t and \n escape sequences with real line breaks
sed 's/\\[tn]/\
/g' json-license.json
```
A little licensing tool I wrote to save you the curl and json parsing.
https://github.com/snowblind-/bigiqlic