BIG-IQ Reporting for Subscriptions and ELA - How to Generate and Revoke Licenses for Isolated BIG-IP VE Instances

October 2018 Rev:D

Scenario

Some network designs may disallow BIG-IQ from reaching BIG-IP VE instances over the network due to network design, network partitioning, security reasons... you get the idea. BIG-IQ’s usual operation requires BIG-IQ to connect to port 443 on the BIG-IP VE’s management IP address. However, when the networks are partitioned in a way that does not allow the BIG-IQ to connect to the BIG-IP, a system outside of BIG-IQ is required to:

  1. POST an operation to generate a license
  2. GET the license from BIG-IQ
  3. Copy the license to the target BIG-IP VE instance

And later, when the BIG-IP VE is no longer operational, revoking the license from BIG-IQ.

This document explains how to manage licenses on BIG-IP VEs in this network design.

Step 1: Gather your BIG-IP VE information for the licensing operation

In order to successfully license BIG-IP VE, BIG-IQ needs specific information from the BIG-IP VE to be licensed.

  1. Log into the BIG-IP VE instance using “root” credentials
  2. Execute the following command:
    # get_dossier -b TBD -c
  3. Record the MAC address.
  4. You will also need to know the hypervisor your BIG-IP VE is running on.

Example:

[root@biq1-yabba-dabba-do:Active:Standalone] config # get_dossier -b d -c F5_BIOS_ID=Phoenix Technologies LTD 6.00 04/05/2016 VMware Virtual Platform None F5_MAC=00:50:56:bf:02:02
F5_PROBES=0x01000013
F5_SYS_UUID=543ff2ec-1c2f-844a-23d0-1e226b90678e
F5_KEY=d
F5_VERSION=BIG-IQ 6.0.1 0.0.469

Step 2: Requesting a License from BIG-IQ for your BIG-IP VE

For this step, you need to have the following information:

  1. The name of the license pool in BIG-IQ you want to license the BIG-IP VE from
  2. The IP address of the BIG-IP VE device
  3. The MAC address (from step 1)
  4. The hypervisor type
  5. The offering name you wish to assign to the BIG-IP VE instance

We’ll walk you through each one.

The name of the pool comes from your BIG-IQ centralized management console. To get the name of the pool:

  • Log into BIG-IQ
  • Click the Devices tab
  • On the left navigation, open LICENSE MANAGEMENT
  • On the left navigation, click on Licenses

Here you will see your license pools – the pool names are shown in the red rectangle in the example screen shot below. In this case, there are two pools “Engineering-Pool” and “IT-Pool”

The next one we’ll discuss is the offering (service catalog) name, this will become important when we form the JSON request for the post.

  • Click on your pool name, this will open the properties of the pool

It looks as shown in the following diagram, highlighted by the red rectangle:

The BIG-IQ API allows you to specify one or two “search keywords” to be used for matching the offering you wish to assign to your BIG-IP VE instance. For example, the first search keyword could be the feature level you’d like and the second the throughput, such as “LTM” and “10G”. Or, you can just specify the entire offering name as the only search keyword for an exact patch, such as “F5-BIG-MSP-LTM-5G-LIC-DEV”.

Once you have the information available, form your JSON request, here is an example you can start with, we’ll take you through each part:

{
"licensePoolName": "Engineering-Pool", "command": "assign",
"address": "192.0.2.3", "assignmentType": "UNREACHABLE", "macAddress": "FA:16:3E:1B:6D:34", "hypervisor": "vmware", "unitOfMeasure": "yearly", "skuKeyword1": "LTM",
"skuKeyword2": "10G"
}
ElementsDescription
licensePoolNameName of your pool as previously discussed in this article
commandThe request to BIG-IQ to assign/allocate a license for this instance of BIG-IP VE
addressIP of your BIG-IQ (use the management IP)
assignmentTypemust be 'unreachable': this instructs BIG-IQ to avoid trying to POST the license to the BIG-IP VE
macAddressThe MAC addressed obtained using method previously discussed
hypervisorUnderlying hypervisor hosting the BIG_IP VE you wish to license. Valid values are "aws","azure","gce","vmware","hyperv","kvm", and "xen".
unitOfMeasureMust be "yearly" when you are using a license pool as part of the F5 subscription license or Enterprise Licensing Agreement (ELA) programs.
skuKeyword1Is the first search keyword
skuKeyword2Is the second search keyword

The search keywords are optional; if none are specified, you’ll get the first license pool BIG-IQ matches on. If only one is specified, you’ll get the first license pool finds matching the search string. Here is an example with a single search keyword:

{
"licensePoolName": "Engineering-Pool", "command": "assign",
"address": "192.0.2.3",
"assignmentType": "UNREACHABLE", "macAddress": "FA:16:3E:1B:6D:34", "hypervisor": "vmware",
"unitOfMeasure": "yearly",
"skuKeyword1": "F5-BIG-MSP-LTM-3G-LIC-DEV"
}

Next, you need to POST your JSON body to BIG-IQ. You’ll need to enable basic authentication on BIG-IQ in order to use username and password authentication, the default is to use token- based authentication. To enable basic authentication, log into BIG-IQ console as “root” and enter “set-basic-auth on”.

For the example below, we’ll use CURL – the JSON body is stored in a file named “getlicense.txt”.

# curl -k -l -H'Accept:application/json' -H'Content-Type:application/json' -X POST -T getlicense.txt "https://admin:admin@10.255.65.16/mgmt/cm/device/tasks/licensing/pool/member-management"

In this case, the BIG-IQ is at 10.255.65.16 and we’re using the admin login account on BIG-IQ with password “admin”. Your POST must go to “/mgmt/cm/device/tasks/licensing/pool/member- management”

This results in the following return, if BIG-IQ has accepted your request:

{
 "address": "192.0.2.3",
"assignmentType": "UNREACHABLE", "command": "assign",
"generation": 1,
"hypervisor": "vmware",
"id": "64100009-e20c-4add-9d3f-6cf4ed6fde31", "identityReferences": [
  {
    "link": "https://localhost/mgmt/shared/authz/users/admin"
  } 
],
"kind": "cm:device:tasks:licensing:pool:member-management:devicelicensingassignmenttaskstate", "lastUpdateMicros": 1531492957761866,
"licensePoolName": "Engineering-Pool",
"macAddress": "FA:16:3E:1B:6D:34",
"ownerMachineId": "9890115d-3e0b-4e7f-a9a0-ebb22c5747e4",
"selfLink": "https://localhost/mgmt/cm/device/tasks/licensing/pool/member-management/64100009-e20c-4add-9d3f-6cf4ed6fde31",
"skuKeyword1": "F5-BIG-MSP-LTM-3G-LIC-DEV", "status": "STARTED",
"taskWorkerGeneration": 1,
"unitOfMeasure": "yearly",
"userReference": {
  "link": "https://localhost/mgmt/shared/authz/users/admin"
  }
}

IG-IQ is an asynchronous, task-based design, as such, the license is not returned when the POST completes, but rather, the acceptance of your request to BIG-IQ. To get the license, you must poll the “selfLink” (highlighted above).

# curl -k -l -H'Accept:application/json' -H'Content-Type:application/json' -X GET "https://admin:admin@10.255.65.16/mgmt/cm/device/tasks/licensing/pool/member-management/64100009-e20c- 4add-9d3f-6cf4ed6fde31"

If successful, this GET will return the license for the BIG-IP VE instance described in the JSON request in the “licenseText” field of the JSON body. For brevity, it is omitted.

If there was an error encountered, the error text is returned in the “errorMessage” field of the JSON return body.

Step 2: Place the License on BIG-IP VE

To complete the licensing operation, you’ll need to extract the license from the “licenseText” element in the returned JSON.

You’ll need to login to the BIG-IP VE instance as “root” and do the following:

  1. Place the licenseText on the BIG-IP VE instance at the following location and file name:
    /config/bigip.license
  2. Restart BIG-IP VE services:
    bigstart restart

At this point, your BIG-IP VE is licensed.

Step 3: Revoking and Returning the License to BIG-IQ

When your BIG-IP VE instance is no longer needed, it is time to return the license to the pool. This is called a revoke operation.

You’ll need to gather the following information:

  1. The name of the license pool on BIG-IQ
  2. The IP address of the BIG-IP VE
  3. The MAC address of the BIG-IP VE

Please see the information in the “Step 1” section on how to obtain and gather this information.

The JSON body is then formed, here is an example:

{
"licensePoolName": "load7afterfix", "command": "revoke",
"address": "192.0.2.3", "assignmentType": "UNREACHABLE", "macAddress": "FA:16:3E:1B:6D:34"
}

The “command” must be “revoke” to return the license to the pool. Here is the example CURL command to the revoke, the JSON body is stored in a file called “revokelicense.txt”:

# curl -k -l -H'Accept:application/json' -H'Content-Type:application/json' -X POST -T revokelicense.txt "https://admin:admin@10.255.65.16/mgmt/cm/device/tasks/licensing/pool/member- management"

If successful, this request will return a JSON body similar to the following:

{
"address": "192.0.2.3",
"assignmentType": "UNREACHABLE", "command": "revoke",
"generation": 1,
"id": "c7348b6a-6973-4372-9b66-f07c40bd0fd5", "identityReferences": [
  {
    "link": "https://localhost/mgmt/shared/authz/users/admin"
  } 
],
"kind": "cm:device:tasks:licensing:pool:member-management:devicelicensingassignmenttaskstate", "lastUpdateMicros": 1531490803422235,
"licensePoolName": "load7afterfix",
"macAddress": "FA:16:3E:1B:6D:34",
"ownerMachineId": "9890115d-3e0b-4e7f-a9a0-ebb22c5747e4",
"selfLink":"https://locahost/mgmt/cm/device/tasks/licensing/pool/member-management/c7348b6a-6973-4321-8f66-f07e41bf0ed4",
"status": "STARTED",
"taskWorkerGeneration": 1, "userReference": {
  "link": "https://localhost/mgmt/shared/authz/users/admin" 
  }
}

Similar to the licensing operation, you can poll the selfLink using a GET operation to monitor BIG-IQ’s progress in finishing up the revoke.

Updated Jun 06, 2023
Version 2.0

Was this article helpful?

3 Comments

  • Hey Chase!

     

    A splendid article.

     

    Just provisioned my first isolated BIG-IP with these instructions.

     

    Does the bigip.license accept the response in this format?

     

    The line breaks ( \n ) in the JSON license response appeared to cause problem while licensing the BIG-IP.

     

    I overcame the problem with some sed magic, as I copied the licenses part to json-license.json file:

     

    sed 's/\[tn]/\

     

    /g' json-license.json