F5 Synthesis: Keeping the licensing creep out of expanding software options
(Editors note: the LineRate product has been discontinued for several years. 09/2023) --- One of the funny things about infrastructure moving toward a mix of hardware and software (virtual or traditional) is that the issues that plague software come with it. Oh, maybe not right away, but eventually they crawl out of the deep recesses of the data center like a Creeper in Minecraft and explode on the unsuspecting adventurer, er, professional. While licensing network infrastructure has never been painless, it's never been as complicated or difficult as its software counterparts simply due to the sheer magnitude of difference between the number of network boxes under management and the number of software applications and infrastructure under management. That is changing. Rapidly. Whether it's because of expanding cloud footprints or a need to support microservices and highly virtualized environments, the reality is that the volume of software-based infrastructure is increasing. Like its application counterparts, that means licensing challenges are increasing too. That means We (that's the corporate F5 "we") have to change, too. As we continue to expand the software offerings available for F5 Synthesis beyond cloud and virtualization, we need to also adjust licensing options. That means staying true to the Synthesis tenet of Simplified Business Models. That's why we're making not one but two announcements at the same time. The first is the expansion of existing software options for F5 Synthesis. In addition to cloud-native and virtual editions of BIG-IP, we're making available a lightweight, load balancing service - LineRate Point. LineRate Point complements existing Synthesis services by supporting more directly the needs of application and operations teams for agile, programmable application-affine services in the data center or in the cloud, on- and off-premise. This is a missing component as the data center architecture bifurcates into a shared, core network and an app specific (business) network. Whether it's a focus on moving toward Network Service Virtualization or a need to deploy on a per-app / per-service basis thanks to microservices or increasing mobile application development, LineRate Point offers the scale and security necessary without compromising on the agility or programmability required to fit into the more volatile environment of the growing application network. But a sudden explosion of LineRate Point (or any service, really) anyway across the potential deployment spectrum would create the same kind of tracking and management headaches experienced by software infrastructure and applications. Licensing becomes a nightmare, particularly when instances might be provisioned and terminated on a more frequent basis than is typical for most network-deployed services. So along with the introduction of LineRate Point we're also bringing to F5 Synthesis Volume License Subscriptions (VLS). VLS holds true to the tenet of simplified business models both by offering F5 Synthesis software options (VE, cloud and LineRate Point) with a licensing model that fits the more expansive use of these services to support microservices, cloud and virtualization. VLS brings to F5 Synthesis the ability to support the migration of service infrastructure closer to the applications it is supporting without sacrificing the need for management and licensing. VLS also simplifies a virtual-based Synthesis High Performance Service Fabric by centralizing licensing of large numbers of virtual BIG-IP instances (VE) and simplifying the process. According to a 2014 InformationWeek survey on software licensing, nearly 40% of organizations have a dedicated resource who spends more than 50% of their time managing licenses and subscriptions. Moving to a more software-focused approach for infrastructure services will eventually do the same if it's not carefully managed from the start. By taking advantage of F5 Synthesis Simplified Business Models and its VLS offering, organizations can avoid the inevitable by bringing a simplified licensing strategy along with their software-based service infrastructure. You can learn more about F5 Synthesis Simplified Business Models by following Alex Rublowsky, Senior Director of Licensing Business Models, here on DevCentral as he shares more insight into the growing licensing options available for F5's expanding software portfolio.Configuring Unified Bot Defense with BIG-IQ Centralized Management
While estimates vary, it is believed that more than half of the Internet traffic is being generated by bots, out of which unwanted or malicious ones (like spam or malware bots) account for more than half of the traffic, the remaining traffic being generated by “good” bots (like crawlers or feed fetcher bots). It is therefore important to differentiate between different classes of bots and treat them according to site-specific security policies. The Unified Bot Defense profiles, first released in TMOS version 14.1, package bot protection features like Bot Signatures and Proactive Bot Defense previously found in L7 DoS profiles and Web Scraping protection found in ASM policies. Configuring Unified Bot Defense profiles through BIG-IQ ensures configuration consistency over the centralized managed BIG-IP estate and enhanced reporting capabilities. This article will guide you through the configuration of Unified Bot Defense profiles using BIG-IQ CM User Interface. It is assumed that the BIG-IP device where the Bot Defense profile will be deployed is currently managed by the BIG-IQ cluster, at least one BIG-IQ Logging Node / Data Collection Device is available and the Virtual Server to be protected is already configured (in the example below, VS_12BOX) - the configuration of these elements will not be part of this article. This article covers: configuring the Shared Security / Application Security Event Logging Profile configuring the Bot Defense profile monitoring the Bot Defense profiles Configuration of the Security Log Profile 1. Go to Configuration->LOCAL TRAFFIC->Pools, click Create and fill in the settings: -Name: Pool_DCD -Device: select the BIG-IP device -Health monitors: gateway_icmp -New member: - Select "New Node" - Address: Type the Log Node / DCD IP address - Port: 8514 (this is the port that Web Application Security Service is listening on the Logging Node / DCD) Note: Ensure that the Logging Node / Data Collection Device has the Web Application Security Service activated and the managed BIG-IP has LTM, SSM and ASM services Discovered/Imported. 2. Go to Configuration->LOCAL TRAFFIC->Logs ->Log Destination, click Create and fill in the settings: - Name: Log_dst_HSL_DCD - Type: Remote High-Speed - Device: select the BIG-IP device - Pool: select /Common/Pool_DCD 3. Go to Configuration->LOCAL TRAFFIC->Logs ->Log Destination, click Create and fill in the settings: - Name: Log_dst_Splunk_DCD - Type: SPLUNK - Forward to: select /Common/Log_dst_HSL_DCD 4. Go to Configuration->LOCAL TRAFFIC->Logs ->Log Publishers, click Create and fill in the settings: - Name: Log_pub_DCD - Log destinations: select /Common/Log_dst_Splunk_DCD 5. Go to Configuration->LOCAL TRAFFIC->Pinning Policies and select the BIG-IP device - Filter the available Local Traffic Manager (LTM) objects by selecting Log Publishers from the dropdown menu - Check Log_pub_DCD and click Add Selected button 6. Go to Configuration->SECURITY->Shared Security ->Logging Profiles, click Create and fill in the settings: -Name: Log_bot_protect_demo -Bot Defense: -Status: Enabled -Local Publisher: Enabled -Remote Publisher: /Common/Log_pub_DCD Attach the Log_bot_protect_demo log profile to the protected Virtual Server (in this example, VS_12BOX VS) 1. Go to Configuration->SECURITY->Shared Security->Virtual Servers and click on VS_12BOX VS 2. Select the Log_bot_protect_demo log profile for Logging profiles Deploy the configuration to the BIG-IP 1.Go to Deployment->EVALUATE & DEPLOY-> Local Traffic & Network, create a new Deployment. Once the evaluation has finished, click on Deploy. 2. Go to Deployment->EVALUATE & DEPLOY-> Shared Security, create a new Deployment. Once the evaluation has finished, click on Deploy. Configuration of the Bot Defense Profile Go to Configuration->SECURITY->Shared Security ->Bot Defense-> Bot Profiles, click Create and fill in the settings: -Name: bot_defense_demo -Enforcement Mode: Blocking -Profile Template: Strict -Browser Verification: -Browser Access: Allowed -Browser Verification: Verify After Access (Blocking) Note: As per K42323285: Overview of the unified Bot Defense profile the available options for the configuration elements used in this examples are: Enforcement Mode: Select one of the following modes, depending on the readiness of your application environment and requirements: Transparent—The system logs traffic mitigation and verification actions, according to your logging profile settings, but does not provide the following: JavaScript-based verification. Device ID collection. CAPTCHA challenge. Blocking—The system performs traffic mitigation and verification, and logsthem according to yourlogging profile settings. Profile Template: The template you select determines the default values for mitigation and verification settings. However, you can customize these settings to meet your application security requirements. After the system saves the profile, you can't change this setting. The following list contains descriptions of the available templates: Relaxed—Performs basic verification of browsers and blocks malicious bots based on bot signatures. Balanced—This is the default selection. Performs advanced verification of browsers,including: CAPTCHA challenges for suspicious browsers. Anomaly detection algorithms and bot signatures todetectand blockmalicious bots. Limitingthe total request rate for unknown bots. Strict—This is the strictest policy; it has settings that: Only allowbrowsers access if they pass proactive verification. Blockall bots except trusted ones. Browser Verification: Specifies what and when the system sends challenges. None—The system does not perform JavaScript and header-based verification. However, some anomaly detection (such as Session Opening) still occurs. Challenge-Free Verification—The default value when Profile Template is set to Relaxed. The system performs header-based verification but does not perform JavaScript verification. Verify Before Access—The default value when Profile Template is set to Strict. The system sends a white page with JavaScript to challenge the client. If the client fails the challenge, the system performs the configured mitigation action and reports the anomaly. If the client passes the challenge, the system forwards the request to the server. Verify After Access (Blocking)—The default value when Profile Template is set to Balanced. The system injects a JavaScript challenge in the server response prior to sending the response to the client. If the client fails the challenge, the systemperforms the configured mitigation action and reports the anomaly. If the client passes the challenge, the system forwards the request to the server. Verify After Access (Detection Only)—The system injects JavaScript challenge in the server response prior to sending the response to the client. If the client fails the challenge, the system only reports the anomaly but does not perform any mitigation action. If the client passes the challenge, the system forwards the request to the server. Device ID Mode: A unique identifier that BIG-IP ASM creates by sending JavaScript to get information about the client device. The default value for this setting is determined by your selection inProfile Template (under General Settings). F5 recommends you use the default values set by the Profile Template you selected unless you have specific application requirements. None—The default value when Profile Template is set to Relaxed. The system does not send JavaScript to collect the device ID. Generate After Access—The default value when Profile Template is set to Balanced. The system injects the JavaScript in the server response before forwarding to the client. This is less intrusive and has less of a latency impact. Generate Before Access—The default value when Profile Template is set to Strict. The system sends the JavaScript challenge to the client before forwarding the client request to the server. This guarantees that every request that reaches the server has a device ID. This has more of a latency impact compared to the previous option. The system blocks bots that attempt to present themselves asbrowsers but are unable to execute the JavaScript challenge. Attach the bot_defense_demo bot protect profile to the VS_12BOX VS 1. Go to Configuration->SECURITY->Shared Security->Virtual Servers and click on VS_12BOX VS 2. Select the bot_defense_demo profile for Bot Defense profile Deploy the Bot Defense profile to the BIG-IP Go to Deployment->EVALUATE & DEPLOY-> Shared Security, create a new Deployment. Once the evaluation has finished, click on Deploy Monitoring Bot Defense Profiles To monitor Bot Protection operation, check the Monitoring->DASHBOARDS->Bot Traffic Dashboard and Monitoring->EVENTS->Bot->Bot requests logs
BIG-IQ Central Management API automation and programmability - Workflow - Python
Summary In conjunction with the announcement of BIG-IQ 5.0 we are excited to bring the field greater flexibility when centrally managing BIG-IP devices utilizing well defined workflows and the BIG-IQ iControl REST API. We understand that automation and programmability is becoming more the norm these days as the network is evolving into a software defined application aware environment. This article will provide a basic example for first establishing trust while adding a device to inventory, second importing device configuration into BIG-IQ's configuration database and finally adding device to a license pool all utilizing the BIG-IQ rest api uri provided by the interface. Response is parsed in JSON format so there are dependencies required. This is intended to be an introduction to leveraging the API directly. We are in the process of developing a python object abstraction for the BIG-IQ CM REST API to provide even greater simplicity when leveraging automation for central management programmability. But we thought this level of detail may be appropriate to get the ball rolling. The BIG-IQ CM SDK will be structured similar to version 0.1.7 BIG-IP iControl REST API described here: BIGIP SDK - https://devcentral.f5.com/s/articles/f5-friday-python-sdk-for-big-ip-18233 BIGIP SDK Docs - https://f5-sdk.readthedocs.io/en/v0.1.7/ Let's get started ... READY ... SET ... GO ... Here are the API URIs' used as reference for both Python and Perl examples below: Trust:https://'bigiq-ip'/mgmt/cm/global/tasks/device-trust Discovery:https://'bigiq-ip'/mgmt/cm/global/tasks/device-discovery Import: ADC - https://'bigiq-ip'/mgmt/cm/adc-core/tasks/declare-mgmt-authority Import: Firewall - https://'bigiq-ip'/mgmt/cm/firewall/tasks/declare-mgmt-authority License: Pools - https://'bigiq-ip'/mgmt/cm/shared/licensing/pools License: Members: - https://'bigiq-ip'/mgmt/cm/shared/licensing/pools/'member_uuid'/members Using a python class abstraction (libraries can be located in /lib/) for Discovery, Import and Licensing, these tasks are a single call from one place which will provide the flexibility to create scripts defined by workflow. For example, lets - 1. Negotiate trust certificates for a newly deployed BIGIP. 2. Discover the BIGIP device and add to inventory. 3. Import ADC configuration and resolve all differences to BIGIQ’s management database. 4. Import Firewall configuration and resolve all differences to BIGIQ’s management database. 5. Add this newly discovered BIGIP to a provisioned license pool using the base-registration-key as a filter. Using the following python libraries, we can accomplish these tasks defined as methods in each class definition: ## Discovery ../lib/discovery.py: class Discover(object) def device_trust(dev_id): def ltm_discover(modules adc_core, firewall, asm, apm etc..): ## Import ../lib/import.py: class Import(object) def import_ltm(dev_id): def import_security(dev_id, afm=True): ## License ../lib/license.py : class License(object) def license_pool(config): Now it’s just a matter of putting the puzzle together in a script that will accomplish the workflow described above. BIG-IQ and BIG-IP device address and credentials are read in from a configuration file (../config/..) the script first and passed into def workflow for processing. Each method is called with argument <config> dictionary to perform the task required. After completion each will return True or False depending on result from rest response code and some evaluation. ## Import libraries to leverage methods described above from discovery import Discover from import_module import Import from license import License ## main def "workflow" def workflow (Discover, License, Import, config): ## Trust "establish certificate exchange" result_trust = Discover.device_trust(config) ## Discover "add a BIGIP to inventory" result = Discover.ltm_discover(config, result_trust) ## Import ADC "import adc configuration into database" result = Import.import_ltm(config, result_trust) ## Import AFM, ASM, APM "import module configuration into database" result = Import.import_sec(config, result_trust, afm=True) ## Add BIGIP member to license pool result = License.license_pool(config) ## Python main body if __name__ == '__main__': # read config file from ../config/.. config = {} with open (file) as infile: config[str(key)] = val.strip('\n') ## create an instance of each imported class defined in the libraries Discover = Discover(config) Import = Import(config) License = License(config) ## call the main program method "workflow" workflow (Discover, Import, License, config) If you are interested in this code for collaboration or solution, search on key words "bigiq" "api" "python" in code share section on dev central or you can refer to the reference link: Device trust, discovery and import using python requests - supported in Python version 2.7.9 and greater. https://devcentral.f5.com/s/articles/big-iq-trust-discovery-and-import-of-big-ip-using-rest-api-python-oo-973 Grants a license to a BIG-IP from an already-activated purchaced pool. https://devcentral.f5.com/s/articles/big-iq-licensing-of-big-ip-using-rest-api-python-oo-974 We will also be adding to github and will update this article once completed. So please come back and visit us soon and often for additional content.BIG-IQ Central Management API automation and programmability - BULK Discovery, Import and Re Import - Perl
Summary In conjunction with the announcement of BIG-IQ 5.0 we are excited to bring the field greater flexibility when centrally managing BIG-IP devices utilizing well defined workflows and the BIG-IQ iControl REST API. We understand that automation and programmability is becoming more the norm these days as the network is evolving into a software defined application aware environment. This article is an addendum to “BIG-IQ Central Management API automation and programmability – Python” and will demonstrate bulk device trust, discovery to populate resolver groups and import bigip configuration of many BIG-IP device as defined in a csv configuration file. This automation can be run as a standalone utilities that will run directly in the BIG-IQ shell for adding devices to inventory in a sequential yet automated fashion. API Reference Trust: https://'bigiq-ip'/mgmt/cm/global/tasks/device-trust Discovery: https://'bigiq-ip'/mgmt/cm/global/tasks/device-discovey Import: ADC - https://'bigiq-ip'/mgmt/cm/adc-core/tasks/declare-mgmt-authority Import: Firewall - https://'bigiq-ip'/mgmt/cm/firewall/tasks/declare-mgmt-authority Let’s get started – When using the BIG-IQ it is suggested to make a directory called scripts under /shared and securely copy this distribution into /shared/scripts/. Contents: ../config/bulk_discovery.csv ../src/perl/bulkDiscovery.pl ../src/perl/bulkReImport.pl Everything is predicated by a main loop which will invoke each task by calling supporting perl subroutines self-contained in the script. All rest calls, using curl (https://curl.haxx.se/), made are highlighted below. Establishment of device trust is completed in the main loop while the process of discovery and import configurations are completed in subroutine blocks within the script. #====================================================== # Main loop # Process trust, discovery, and imports #====================================================== for $bigip (@bigips) { my %postBodyHash = ("address"=>$bigiq, "userName"=>$user, "password"=>$pw,"clusterName"=>"", "useBigiqSync"=>"false", "name"=>"trust_$mip"); my $postBody = encode_json(\%postBodyHash); my $trustCmd = "curl -s -k -u $bigiqCreds -H \"$contType\" -X POST -d \'$postBody\' https://localhost/mgmt/cm/global/tasks/device-trust"; if (discoverModules($bigiq, $machineId)) { if (importModules($bigiq)) { } } # upgrade the framework if nessasary if (handleFrameworkUpdade ($trustTask, $bigip)) { } } end of all devices #====================================================== # Discover specified modules. #====================================================== sub discoverModules { my %postBodyHash = ("moduleList" => \@moduleList, "status" => "STARTED"); # POST a new discovery task $postBodyHash{"deviceReference"}{"link"} = "cm/system/machineid-resolver/$machineId"; my $newDiscoverTaskCmd = "curl -s -k -u $bigiqCreds -H \"$contType\" -X POST -d \'$postBodyJson\' \"https://localhost/mgmt/cm/global/tasks/device-discovery\""; } end of discoverModules #====================================================== # A subroutine for importing individual module. #====================================================== sub importModule { # POST a new import task $postBodyHash{"deviceReference"}{"link"} = "cm/system/machineid-resolver/$machineId"; my $postBody = encode_json(\%postBodyHash); my $newImportTaskCmd = "curl -s -k -u $bigiqCreds -H \"$contType\" -X POST -d \'$postBodyJson\' \"$dmaUrl\""; # if we ecounter conflicts, we mark them to use BigIQ, patch the task back to started, and poll again if (($currentStep eq "PENDING_CONFLICTS") or ($currentStep eq "PENDING_CHILD_CONFLICTS")) if (resolveConflicts($mip, $module, $currentStep, $importSelfLink, @conflicts)) } # end of importModule #========================================================== # sub routine calling importModule to colocate all modules #========================================================== sub importModules { $ltmSuccess = importModule($mip, "ltm", "https://localhost/mgmt/cm/adc-core/tasks/declare-mgmt-authority", %postBodyHash); $asmSuccess = importModule($mip, "asm", "https://localhost/mgmt/cm/asm/tasks/declare-mgmt-authority", %postBodyHash); } And last but not least Re Import of BIGIP configuration objects for greater than one BIGIP device. This script can be run periodically based on Linux cron to ensure your device configurations managed by BIGIQ are up to date. On occasion other Element Management Systems could modify BIGIP object base and BIGIQ should be aware of these changes. If you refer to the below main loop, the discovery and import call's are the same. So two things actually happen that differs from inital bulk discovery and import. 1. Trust establishment is removed as it already contains mutaul certificate trust. 2. We test if the discovery and import tasks exists, if they do we can just PATCH discovery and import tasks to enforce a re import. That's about it. Refer to the code snippet below. #====================================================== # Main loop # Process Re Discovery, and Imports #====================================================== for $bigip (@bigips) { ## get the device properties my $deviceCmd = "curl -s -k -u $bigiqCreds -H \"$contType\" -X GET https://localhost/mgmt/shared/resolver/device-groups/cm-bigip-allBigIpDevices/devices"; ## call disc routine using ip and machine id. if (discoverModules($bigiq, $machineId)) { ## call import routine using up and machine id. if (importModules($bigiq, $machineId)) } } } # end for devices Just to re iterate the above the discovery and import routines used for Re Import just PATCH the existing task created during inital discovery and import. Here are the PATCH requests. #====================================================== # Discover specified modules. #====================================================== sub discoverModules { ## get the discovery task based on the machineId my $findDiscoverTaskCmd = "curl -s -k -u $bigiqCreds -H \"$contType\" -X GET \"https://localhost/mgmt/cm/global/tasks/device-discovery?\\\$filter=deviceReference/link+eq+\'*$machineId*\'+and+status+eq+\'FINISHED\'\""; ## If it exists PATCH the task if (defined $discoveryTask->{"items"}[0]) { # PATCH the existing discovery task my $discoveryTaskSelfLink = $discoveryTask->{"items"}[0]->{"selfLink"}; $postBodyJson = encode_json(\%postBodyHash); my $discoverCmd = "curl -s -k -u $bigiqCreds -H \"$contType\" -X PATCH -d \'$postBodyJson\' $discoveryTaskSelfLink"; } #====================================================== # A subroutine for importing individual module. #====================================================== sub importModule { ## get import task based on the machineid my $findImportTaskCmd = "curl -s -k -u $bigiqCreds -H \"$contType\" -X GET \"$dmaUrl?\\\$filter=deviceReference/link+eq+\'*$machineId*\'\""; ## If exists PATCH the task if (defined $findImportTask->{"items"}[0]) { # PATCH the existing import task $importTaskLink = $findImportTask->{"items"}[0]->{"selfLink"}; my $importCmd = "curl -s -k -u $bigiqCreds -H \"$contType\" -X PATCH -d \'$postBodyJson\' $importTaskLink"; } #======================================== # sub routine for calling importModule to collocate all modules. #======================================== sub importModules { $ltmSuccess = importModule($mip, $machineId, "ltm", "https://localhost/mgmt/cm/adc-core/tasks/declare-mgmt-authority", %postBodyHash); $asmSuccess = importModule($mip, machineId, "asm", "https://localhost/mgmt/cm/asm/tasks/declare-mgmt-authority", %postBodyHash); } If you are interested in this code for collaboration or solution, seach on key words "bigiq" "api" "python" or "perl" in code share section on dev central or here is the reference link: https://devcentral.f5.com/s/articles/big-iq-big-ip-rest-api-bulk-device-discovery-perl-972 We will also create a repository on github for easy accessability. Please visit us soon and often for periodic updates.BIG-IQ Central Management API automation and programmability - Licensing
Summary In conjunction with the announcement of BIG-IQ 5.0 we are excited to bring the field greater flexibility when centrally managing BIG-IP devices utilizing well defined workflows and the BIG-IQ iControl REST API. We understand that automation and programmability is becoming more the norm these days as the network is evolving into a software defined application aware environment. This article is an addendum to “BIG-IQ Central Management API automation and programmability – Discovery, Import and Re Import” and will demonstrate licensing using a Purchased License Pool. There are two approaches used in these examples. The first is a Python OO example that abstracts the actual licensing work.The second is a self-contained script intended to be used as standalone utility that will run directly on the BIG-IQ for adding devices to inventory in a sequential yet automated fashion. As in the Python versions of this code the API referenced Uri’s are the same. API Reference - License Pools: GET - https://'bigiq-ip'/mgmt/cm/shared/licensing/pools License Pool Member: POST - https://'bigiq-ip'/mgmt/cm/shared/licensing/pools/'member_uuid'/members Let’s get started – Python - Contents: ../config/license.config ../src/pyhton/licensePool.py ../lib/license.py The python code will initially read a configuration file used to define bigiq / bigip credentials as well as the base registration key used to identify the correct license pool you want to add this device too. Once the License.license_pool() method is called in licensePool.py will GET the license pool uuid: uri = 'https://' + iq + '/mgmt/cm/shared/licensing/pools' response = requests.get(uri, auth=(username, password), verify=False) Using the license pool uuid retrieved from the GET above a POST is made to REST end point (license pool member) resulting in adding the BIGIP to the pool. BIGIQ will invoke the POST to BIGIP licensing the device. uri = 'https://' + iq + '/mgmt/cm/shared/licensing/pools/' + member_uuid + '/members' lic_json = {"deviceAddress": ip,"username": username,"password": password} response = requests.post(uri, data=str(lic_json), auth=(username, password), verify=False) Perl - Contents: ../config/bulk_license.csv ../src/perl/licensePool.pl When using the BIG-IQ it is suggested to make a directory called scripts under /shared and securely copy this distribution into /shared/scripts/. Everything is predicated by a main loop which will invoke each task by calling supporting Perl subroutines self-contained in the script. All rest calls, using curl (https://curl.haxx.se/), made are highlighted below. In this case for all devices listed in ../config/*.csv this loop calls a perl routine called licenseDevice(). if (licenseDevice($mip, $user, $pw, $base_reg_key)) { Like the python script we get member id (uuid) of purchased license pool. curl -s -k -u $bigiqCreds -H \"$contType\" -X GET \"https://localhost/mgmt/cm/shared/licensing/pools\ Then POST to pool members REST end point using uuid retrieved. my $licenseCmd = "curl -s -k -u $bigiqCreds -H \"$contType\" -X POST -d \'$postBodyJson\' \"https://localhost/mgmt/cm/shared/licensing/pools/$member_uuid/members\""; If you are interested in this code for collaboration or solution, search on key words "bigiq" "api" "python" or "perl" in code share section on dev central or here is the reference link: https://devcentral.f5.com/s/articles/big-iq-big-ip-rest-api-licensing-932 - bulk (Able to run in BIGIQ shell, licensing of > 1 device defined in a csv) https://devcentral.f5.com/s/articles/big-iq-big-ip-rest-api-device-licensing-httplib-970 - httplib (Able to run in BIGIQ shell) https://devcentral.f5.com/s/articles/big-iq-licensing-of-big-ip-using-rest-api-python-oo-974 - requests (python oo version)Generation of Utility Billing Report using BIG-IQ's API
This script generate the utility billing report based of a list of regKey.This script only applies to utility-type licenses used for F5's subscription and/or ELA programs. The regkey listed in the csv file or in the command line are the registration key associated with the license pool you wish to report on. Reports can be automatically submitted to F5 or manually created. /!\ This feature will be included with BIG-IQ 6.1 /!\ Automatic report submission requires BIG-IQ to access api.f5.com. BIG-IQ makes a REST call over SSL to api.f5.com to upload the report. Manual report submission is used in cases where BIG-IQ cannot reach api.f5.com. In this workflow, the customer generates the report, extracts it, then emails it to F5 (/shared/scripts/F5_Billing_License_Report.<date>.json). Pre-Requisist: Make sure you can access api.f5.com port 443 if automatic reporting is chosen (nslookup api.f5.com, ping api.f5.com, telnet api.f5.com 443). The script has to be executed locally from the BIG-IQ. Installation: The script mustbe installed in BIG-IQ under /shared/scripts: # mkdir /shared/scripts # chmod +x /shared/scripts/licenseUtilityReport.pl Allowed command line options: -h Help -c Path to CSV file with all regKey - REQUIRED if not using -k -k regKey(s) separated by , - REQUIRED if not using -c -r Report option automatic or manual - OPTIONAL (default is automatic) Command example automatic report: # cd /shared/scripts # ./licenseUtilityReport.pl -k DRLPZ-JISKU-VPUPT-HZMMV-LERVPYQ,GYCWI-FOUEZ-YMWPX-LYROB-PXTKMTG CSV file example manual report: # ./licenseUtilityReport.pl -c listregkey.csv-r manual # cat listregkey.csv DRLPZ-JISKU-VPUPT-HZMMV-LERVPYQ GYCWI-FOUEZ-YMWPX-LYROB-PXTKMTG Cron table example (every 1st of the month at 10am) for both above examples: # crontab -e (edit: type 'o' to add a new line, then 'ESC' and ':x' to save and quit) # crontab -l (list) 0 10 1 * * /usr/bin/perl /shared/scripts/licenseUtilityReport.pl -k DRLPZ-JISKU-VPUPT-HZMMV-LERVPYQ 0 10 1 * * /usr/bin/perl /shared/scripts/licenseUtilityReport.pl -c /shared/script/listregkey.csv-r manual ┌───────────── minute (0 - 59) │ ┌───────────── hour (0 - 23) │ │ ┌───────────── day of month (1 - 31) │ │ │ ┌───────────── month (1 - 12) │ │ │ │ ┌───────────── day of week (0 - 6) (Sunday to Saturday; │ │ │ │ │ 7 is also Sunday on some systems) │ │ │ │ │ │ │ │ │ │ ** * * * In case you need toobfuscate the Utility Billing Report before sending it, use manual export, then use the following script to mask IP/Macaddresses and Hostnames from the report. Then submit/email report to F5 (Please contact F5 Support for assistance). # ./f5_sanitize_usage_report.sh F5_Billing_License_Report.<date>.json Location of the scriptson GitHub:https://github.com/f5devcentral/f5-big-iq-pm-teamAutomate import of SSL Certificate, Key & CRL from BIG-IP to BIG-IQ
The functionality to automate the import of SSL cert & key from BIG-IP to BIG-IQ is available in the product starting BIG-IQ 7.0 and above. This script should not be used on BIG-IQ 7.0+ as it has not been tested on those versions. This script will import all supported SSL Certificate, Key & CRL that exist as unmanaged objects on this BIG-IQ which can be found on the target BIG-IP. Steps performed by the script: Gather certificateand key metadata (including cache-path) from BIG-IPs Download certificate and key file datafrom BIG-IPs Upload certificateand key file data to BIG-IQ Prerequisite:Discover and import LTM services before using this script.The target BIG-IP will be accessed over ssh using the BIG-IP root account. Installation:The script mustbe installed in BIG-IQ under /shared/scripts: # mkdir /shared/scripts# chmod +x /shared/scripts/import-bigip-cert-key-crl.py Command example: # ./import-bigip-cert-key-crl.py <big-ip IP address> Enter the root user's password if prompted. Allowed command line options:-h show this help message and exit-l LOG_FILE,log to the given file name--log-level {debug,info,warning,error,critical},set logging to the given level (default: info)-p PORT BIG-IPssh port (default: 22) Result:Configuration > Certificate Management > Certificates & Keys Before running the script: After running the script: Location of the scriptson GitHub:https://github.com/f5devcentral/f5-big-iq-pm-team In case you BIG-IQ is running on Hardware: Step 1: Install packages using pip, targeting a location of your choice # mkdir py-modules# pip install --target py-modules requests argparse Step 2: Run using python2.7, adding py-modules to the python path # PYTHONPATH=py-modules python2.7 import-bigip-cert-key-crl.py <big-ip IP address>BIG-IQ Reporting for Subscription and ELA Programs
October 2018 Rev:D Scope This document describes the following: When reporting is needed and how the report is used How BIG-IQ reporting determines what to include in the report Submission models – Manual and Automatic How to find “missing reports” Detailed Report contents When reporting is needed and how the report is used For subscription and ELA programs, administrator must use BIG-IQ to issue licenses to BIG-IP VE instances and keep track of usage. By the 10th day of the month, a usage report is submittedfrom BIG-IQ to F5 for processing from the previous calendar month. The report contains information on the license grant and revoke operations across your infrastructure where BIG-IQ is managing the licenses. How BIG-IQ reporting determines what to include in the report It is important to understand how BIG-IQ determines what to include in the report because it affects what you need to send to F5 on a periodic basis. BIG-IQ keeps track of all the licensing activities (grant of license, revoke of license) in its database as a time series of events. Each time a report is generated, BIG-IQ remembers the end date/time of the report and subsequent reports only report on transactions occurring after the last report. Consider the following reporting activities: “Report 1” will contain all transactions plus all outstanding license grants (not yet revoked) from the system’s first start up until 6/2/2018 12:12:00Z. “Report 2” will contain all transactions plus all outstanding license grants from 6/2/2018 12:12:01Z to 7/3/2018 13:45:00Z. When “Report 3” is generated, it will contain all transactions plus all outstanding grants from 7/3/2017 13:45:01Z to the date and time the report was generated. The BIG-IQ reporting system thus never takes a “date range” for administrators to report on, instead, BIG-IQ keeps track of what’s been reported and what has not been reported so you don’t have to keep track of it. To illustrate, perhaps by an extreme example, consider the following. Perhaps you were“testing” the reporting capability to see how it works and/or to debug connectivity issues to F5. In this case, the generated Reports 2, 3, 4, 5, 6, and 7 and all of those reports must be submitted for the June 2018 reporting period. Reason is report #7 only contains reporting transactions from 6/28/2018 23:21:00Z to 7/3/2018 13:45:00Z. This would leave a reporting gap between 6/2/2018 12:12:01Z (the May report to the far left of the diagram) and 6/28/2018 23:21:00Z. It is OK to generate multiple reports during the month, but please keep each one and when the submission date arrives, send all of the reports in to prevent reporting gaps. Submission models – Manual and Automatic There are two ways to submit reports: Automatic – submit over the internet directly from BIG-IQ Manual – extract the report, and EMAIL the report to F5 Automatic Automatic report submission is the least-effort method of submitting usage reporting to F5. However, it requires the following: BIG-IQ must be able to resolve api.f5.com from your DNS configuration BIG-IQ must be able connect to api.f5.com to post 443 (SSL). You can test this by logging into your BIG-IQ system as “root” (SSH connection), and telneting to the service: $ telnet api.f5.com 443 Trying 104.219.110.164... Connected to api.f5.com. Escape character is '^]'. ^C If you see the “Trying <ip>” address message from telnet, this means DNS is working and your BIG-IQ system is able to resolve the IP address for api.f5.com. If you see the two yellow highlighted lines, it means BIG-IQ was able to connect to api.f5.com on port 443. This usually indicates you’ll be able to submit a report to F5 automatically. If this does not work as described and you want to submit automatically, you’ll need to enable a firewall rule (or whatever ACL'ish thing you're using) allowing your BIG-IQ to reach api.f5.com over port 443. Alternatively, BIG-IQ can be configured to use a network proxy to make a connection to api.f5.com. The proxy configuration is shown in the screen shot below: Please note, because BIG-IQ is transferring the report over SSL, the content is encrypted in transit from your BIG-IQ to F5’s api.f5.com end-point. To submit a report automatically, log into BIG-IQ as “admin” or a License Manager persona, click the “Devices” table, open “LICENSE MANAGEMENT” on the left navigation, then click “Licenses”. This is shown below: Next, in the type, select “Utility Billing Report”, select and move the Licenses you are using to license your BIG-IPs, and click “Generate and automatically submit report to F5”. In the lower right, click submit, and the system will attempt the transaction and indicate if it was a success or failure. NOTE: If the automatic submission failed, you’ll need to manually extract, download and email the report to F5. Currently, there is no way to retry sending an already-created report. Manual Manual report submission is needed when your BIG-IQ cannot submit a report automatically. For manual submission, you’ll extract the report from BIG-IQ, then email it to F5 to SalesLicensingPrograms (at) f5.com. Starting at the same place in the BIG-IQ UI, you’ll click Report, then pick type as “Utility Billing Report”, move the licenses you are using as part of the program to the Selected column/box, choose “Generate and manually submit report to F5”. Please ignore the message asking you to call F5 support unless you’ve encountered a product problem doing this workflow. Finally, click Download, then attach the report to an EMAIL and send to vesubscriptions (at) f5.com. Automated Reports Currently, BIG-IQ does not have a scheduling mechanism. You can automate your monthly reports by leveraging a sample script on GitHub and then using your “crontab” scheduler (or equivalent) to create by the 10th day of the calendar month. Ensure that you have chosen the Generate and automatically submit report to F5 Reporting Option. How to find “missing reports” In the event you get a notice from F5 for a “missing report” for a time period during the reporting period, you can find the reports directly on your BIG-IQ system. The reports are written to /var/config/rest/license-reports – simply log into BIG-IQ as “root” and SCP (secure copy) the reports from BIG-IQ to your system, then attach and send the reports to F5 manually to SalesLicensingPrograms (at) f5.com. Please note: If you are using BIG-IQ in an HA cluster, the contents of /var/config/rest/license - reports is not replicated between the active and standby BIG-IQ systems. If there was a failover event during the month, you may need to look the contents of /var/config/rest/license-reports in both systems to locate the missing report(s). Report Contents The report is JSON format – the table below describes each field and following the table is a sample JSON report. Elements Description product Identifies the F5 product submitting the report version Indicates the version of the F5 product sending the report reportType Indicates the type of reporting being sent poolType Indicates the type of license pool regkey BIG-IQ system regkey poolRegkey Service catalog regkey poolName Name of your pool periodStarted Report coverage starting date & time periodEnded Report coverage ending date & time For Each Device: id Unique BIG-IP id, if device is licensed as 'managed' or 'unmanaged' address IP address of BIG-IP hostname Name of BIG-IP, if device is licensed as 'managed' or 'unmanaged' type How device was licensed: managed, unmanaged, unreachable sku Service catalog assigned to device uom Unit-of-measure (yearly for subscription and ELA) granted Date/time of license grant revoked Date/time of license revocation (if still licensed, this is omitted) Sample Report { "product": "big-iq", "version": "5.0.0.0.0.3007", "reportType": "pool usage", "poolType": "CLPv2", "regKey": "U8917-466961-104-8159544-3215874", "poolRegkey": "xxxxx-xxxxx-xxxxx-xxxxx-xxxxxxx", "poolName": "xxxxx-xxxxx-xxxxx-xxxxx-xxxxxxx", "periodStarted": "2016-06-03T17:20:07Z", "periodEnded": "2016-06-04T12:24:14Z", "records": [ { "id": "f80f00e0-000f-4f4f-8012f-1fee0f6ff500", "address": "10.128.10.10", "hostname": "BIG-IP-001.sassy.molassy", "type": "MANAGED", "sku": "F5-BIG-MSP-LTM-200M", "uom": "hourly", "granted": "2016-06-02T21:41:09Z" }, { "id": "a3225f5f-8ffb-40ff-90ff-9547d00f755f", "address": "10.128.10.20", "hostname": "BIG-IP-002.sassy.molassy", "type": "MANAGED", "sku": "F5-BIG-MSP-LTM-200M", "uom": "hourly", "granted": "2016-06-02T21:44:10Z", "revoked": "2016-06-03T21:45:07Z" } ] } Support Need additional help or have questions? Need additional help or have questions? Contact your SE for any additional questions or email SalesLicensingPrograms (at) f5.com. As always, let us know what else we can write about regarding licensing and how we can help you manage your BIG-IP environments. Happy adminining.BIG-IQ Reporting for Subscriptions and ELA - How to Generate and Revoke Licenses for Isolated BIG-IP VE Instances
October 2018 Rev:D Scenario Some network designs may disallow BIG-IQ from reaching BIG-IP VE instances over the network due to network design, network partitioning, security reasons... you get the idea. BIG-IQ’s usual operation requires BIG-IQ to connect to port 443 on the BIG-IP VE’s management IP address. However, when the networks are partitioned in a way that does not allow the BIG-IQ to connect to the BIG-IP, a system outside of BIG-IQ is required to: POST an operation to generate a license GET the license from BIG-IQ Copy the license to the target BIG-IP VE instance And later, when the BIG-IP VE is no longer operational, revoking the license from BIG-IQ. This document explains how to manage licenses on BIG-IP VEs in this network design. Step 1: Gather your BIG-IP VE information for the licensing operation In order to successfully license BIG-IP VE, BIG-IQ needs specific information from the BIG-IP VE to be licensed. Log into the BIG-IP VE instance using “root” credentials Execute the following command: # get_dossier -b TBD -c Record the MAC address. You will also need to know the hypervisor your BIG-IP VE is running on. Example: [root@biq1-yabba-dabba-do:Active:Standalone] config # get_dossier -b d -c F5_BIOS_ID=Phoenix Technologies LTD 6.00 04/05/2016 VMware Virtual Platform None F5_MAC=00:50:56:bf:02:02 F5_PROBES=0x01000013 F5_SYS_UUID=543ff2ec-1c2f-844a-23d0-1e226b90678e F5_KEY=d F5_VERSION=BIG-IQ 6.0.1 0.0.469 Step 2: Requesting a License from BIG-IQ for your BIG-IP VE For this step, you need to have the following information: The name of the license pool in BIG-IQ you want to license the BIG-IP VE from The IP address of the BIG-IP VE device The MAC address (from step 1) The hypervisor type The offering name you wish to assign to the BIG-IP VE instance We’ll walk you through each one. The name of the pool comes from your BIG-IQ centralized management console. To get the name of the pool: Log into BIG-IQ Click the Devices tab On the left navigation, open LICENSE MANAGEMENT On the left navigation, click on Licenses Here you will see your license pools – the pool names are shown in the red rectangle in the example screen shot below. In this case, there are two pools “Engineering-Pool” and “IT-Pool” The next one we’ll discuss is the offering (service catalog) name, this will become important when we form the JSON request for the post. Click on your pool name, this will open the properties of the pool It looks as shown in the following diagram, highlighted by the red rectangle: The BIG-IQ API allows you to specify one or two “search keywords” to be used for matching the offering you wish to assign to your BIG-IP VE instance. For example, the first search keyword could be the feature level you’d like and the second the throughput, such as “LTM” and “10G”. Or, you can just specify the entire offering name as the only search keyword for an exact patch, such as “F5-BIG-MSP-LTM-5G-LIC-DEV”. Once you have the information available, form your JSON request, here is an example you can start with, we’ll take you through each part: { "licensePoolName": "Engineering-Pool", "command": "assign", "address": "192.0.2.3", "assignmentType": "UNREACHABLE", "macAddress": "FA:16:3E:1B:6D:34", "hypervisor": "vmware", "unitOfMeasure": "yearly", "skuKeyword1": "LTM", "skuKeyword2": "10G" } Elements Description licensePoolName Name of your pool as previously discussed in this article command The request to BIG-IQ to assign/allocate a license for this instance of BIG-IP VE address IP of your BIG-IQ (use the management IP) assignmentType must be 'unreachable': this instructs BIG-IQ to avoid trying to POST the license to the BIG-IP VE macAddress The MAC addressed obtained using method previously discussed hypervisor Underlying hypervisor hosting the BIG_IP VE you wish to license. Valid values are "aws","azure","gce","vmware","hyperv","kvm", and "xen". unitOfMeasure Must be "yearly" when you are using a license pool as part of the F5 subscription license or Enterprise Licensing Agreement (ELA) programs. skuKeyword1 Is the first search keyword skuKeyword2 Is the second search keyword The search keywords are optional; if none are specified, you’ll get the first license pool BIG-IQ matches on. If only one is specified, you’ll get the first license pool finds matching the search string. Here is an example with a single search keyword: { "licensePoolName": "Engineering-Pool", "command": "assign", "address": "192.0.2.3", "assignmentType": "UNREACHABLE", "macAddress": "FA:16:3E:1B:6D:34", "hypervisor": "vmware", "unitOfMeasure": "yearly", "skuKeyword1": "F5-BIG-MSP-LTM-3G-LIC-DEV" } Next, you need to POST your JSON body to BIG-IQ. You’ll need to enable basic authentication on BIG-IQ in order to use username and password authentication, the default is to use token- based authentication. To enable basic authentication, log into BIG-IQ console as “root” and enter “set-basic-auth on”. For the example below, we’ll use CURL – the JSON body is stored in a file named “getlicense.txt”. # curl -k -l -H'Accept:application/json' -H'Content-Type:application/json' -X POST -T getlicense.txt "https://admin:admin@10.255.65.16/mgmt/cm/device/tasks/licensing/pool/member-management" In this case, the BIG-IQ is at 10.255.65.16 and we’re using the admin login account on BIG-IQ with password “admin”. Your POST must go to “/mgmt/cm/device/tasks/licensing/pool/member- management” This results in the following return, if BIG-IQ has accepted your request: { "address": "192.0.2.3", "assignmentType": "UNREACHABLE", "command": "assign", "generation": 1, "hypervisor": "vmware", "id": "64100009-e20c-4add-9d3f-6cf4ed6fde31", "identityReferences": [ { "link": "https://localhost/mgmt/shared/authz/users/admin" } ], "kind": "cm:device:tasks:licensing:pool:member-management:devicelicensingassignmenttaskstate", "lastUpdateMicros": 1531492957761866, "licensePoolName": "Engineering-Pool", "macAddress": "FA:16:3E:1B:6D:34", "ownerMachineId": "9890115d-3e0b-4e7f-a9a0-ebb22c5747e4", "selfLink": "https://localhost/mgmt/cm/device/tasks/licensing/pool/member-management/64100009-e20c-4add-9d3f-6cf4ed6fde31", "skuKeyword1": "F5-BIG-MSP-LTM-3G-LIC-DEV", "status": "STARTED", "taskWorkerGeneration": 1, "unitOfMeasure": "yearly", "userReference": { "link": "https://localhost/mgmt/shared/authz/users/admin" } } IG-IQ is an asynchronous, task-based design, as such, the license is not returned when the POST completes, but rather, the acceptance of your request to BIG-IQ. To get the license, you must poll the “selfLink” (highlighted above). # curl -k -l -H'Accept:application/json' -H'Content-Type:application/json' -X GET "https://admin:admin@10.255.65.16/mgmt/cm/device/tasks/licensing/pool/member-management/64100009-e20c- 4add-9d3f-6cf4ed6fde31" If successful, this GET will return the license for the BIG-IP VE instance described in the JSON request in the “licenseText” field of the JSON body. For brevity, it is omitted. If there was an error encountered, the error text is returned in the “errorMessage” field of the JSON return body. Step 2: Place the License on BIG-IP VE To complete the licensing operation, you’ll need to extract the license from the “licenseText” element in the returned JSON. You’ll need to login to the BIG-IP VE instance as “root” and do the following: Place the licenseText on the BIG-IP VE instance at the following location and file name: /config/bigip.license Restart BIG-IP VE services: bigstart restart At this point, your BIG-IP VE is licensed. Step 3: Revoking and Returning the License to BIG-IQ When your BIG-IP VE instance is no longer needed, it is time to return the license to the pool. This is called a revoke operation. You’ll need to gather the following information: The name of the license pool on BIG-IQ The IP address of the BIG-IP VE The MAC address of the BIG-IP VE Please see the information in the “Step 1” section on how to obtain and gather this information. The JSON body is then formed, here is an example: { "licensePoolName": "load7afterfix", "command": "revoke", "address": "192.0.2.3", "assignmentType": "UNREACHABLE", "macAddress": "FA:16:3E:1B:6D:34" } The “command” must be “revoke” to return the license to the pool. Here is the example CURL command to the revoke, the JSON body is stored in a file called “revokelicense.txt”: # curl -k -l -H'Accept:application/json' -H'Content-Type:application/json' -X POST -T revokelicense.txt "https://admin:admin@10.255.65.16/mgmt/cm/device/tasks/licensing/pool/member- management" If successful, this request will return a JSON body similar to the following: { "address": "192.0.2.3", "assignmentType": "UNREACHABLE", "command": "revoke", "generation": 1, "id": "c7348b6a-6973-4372-9b66-f07c40bd0fd5", "identityReferences": [ { "link": "https://localhost/mgmt/shared/authz/users/admin" } ], "kind": "cm:device:tasks:licensing:pool:member-management:devicelicensingassignmenttaskstate", "lastUpdateMicros": 1531490803422235, "licensePoolName": "load7afterfix", "macAddress": "FA:16:3E:1B:6D:34", "ownerMachineId": "9890115d-3e0b-4e7f-a9a0-ebb22c5747e4", "selfLink":"https://locahost/mgmt/cm/device/tasks/licensing/pool/member-management/c7348b6a-6973-4321-8f66-f07e41bf0ed4", "status": "STARTED", "taskWorkerGeneration": 1, "userReference": { "link": "https://localhost/mgmt/shared/authz/users/admin" } } Similar to the licensing operation, you can poll the selfLink using a GET operation to monitor BIG-IQ’s progress in finishing up the revoke.
F5 Venafi Solution for Enterprise Key and Certificate Management
Solution Overview If you have deployed multiple BIG-IP systems to protect your business applications, you know how complex—and important—the certificate and key management process is. Certificates and keys play a critical role in securing data and application identity, and any mismanagement represents a significant risk to security and overall operations. F5 has partnered with Venafi, the industry leader in machine identity protection, to develop a BIG-IQ based integrated solution that automates the certificate and key management lifecycle—creating certificate requests, retrieving and managing certificates and keys, and overseeing their distribution to multiple BIG-IP systems. This comprehensive solution enables our customers to simplify and centralize the control of this crucial process while maintaining high levels of security. Solution Deployment F5 BIG-IQ is at the core of this integrated solution, automating management of the entire key and certificate lifecycle. BIG-IQ establishes a secure control channel with Venafi Trust Protection Platform (TPP) for certificate signing requests and enrollment. Once the certificates are signed and received from Venafi TPP, BIG-IQ enables you to assign them to the virtual servers and securely provision them to BIG-IP systems. Bill of materials F5 BIG-IQ, managing BIG-IP systems Venafi Trust Protection Platform (TPP) Deployment Steps Before beginning the detailed configuration, we recommend verifying the network reachability and hostname resolution of Venafi TPP server from BIG-IQ. Step-1: Add Venafi as third party CA provider in BIG-IQ From the BIG-IQ management GUI, click on the Configuration tab and navigate to LOCAL TRAFFIC >> Certificate Management >> Third Party CA Management. Click the Create button and select Venafi as the CA provider. Enter the WebSDK URL and credentials to authenticate with Venafi. Once configured, click the Test Connection button to verify BIG-IQ can reach Venafi TPP server. Click the Save & Close button. The Venafi provider you added appears in the list. Click the Edit Policy link of the new Venafi provider you added. In the Policy Folder Path, type the path of the Venafi TPP where the certificates and keys are located, and then click the Get button. BIG-IQ populates the Policy Folder List with the policies to where BIG-IQ should send Certificate Signing Requests. At this point (or later), you have the option to rename the policies for easier identification by editing its nickname. Click the Save & Close button. Step-2: Create a CSR to get a signed certificate from Venafi Navigate to LOCAL TRAFFIC >> Certificate Management >> Certificates & Keys and click on the Create button. Select ‘Venafi’ as the Issuer, and the policy folder. Specify the Certificate and Key properties. Click the Save & Close button. BIG-IQ generates the CSR and sends it to Venafi TPP for signed certificates and keys. You can now assign this imported certificate to your managed BIG-IP VE devices. Step-3: Assign the certificate and key to the application Navigate to LOCAL TRAFFIC >> Profiles. Click the Create button. Create a Client SSL Profile selecting the certificate and the key. Once configured, click the Save & Close button Navigate to LOCAL TRAFFIC >> Virtual Servers. Click the Create button. Create a virtual server and assign the client SSL profile. Once configured, click the Save & Close button Step-4: Deploy the configuration to a target BIG-IP System Click on the Deployment tab and navigate to EVALUATE & DEPLOY >> Local Traffic & Network. In Deployment section, Click the Create button. Select the Virtual Server object and Target Device- BIG-IP system. Click the Deploy button. Click on the configuration tab and navigate to LOCAL TRAFFIC >> Virtual Servers. You will see the virtual server has been successfully deployed to the target BIG-IP system. Summary As this demonstration shows, BIG-IQ not only offers a centralized management solution for BIG-IP systems, it also provides a one stop solution for key and certificate lifecycle automation through its integration with Venafi TPP. This simple, easy-to-deploy solution enables you to deliver secure applications more quickly and effectively, whether on-premises or on cloud. Additional Links Key and Certificate Management with F5 and Venafi (video) F5 BIG-IQ knowledge center Venafi marketplace
