You named your products "Good, Better and Best?" What were you thinking?
“That’s not going to fly with Enterprise customers.” “Are you really serious?” “Funny … but really, what are the names you’re going to market with?” “I’m not presenting these to my customer. They’re too simple.” And that’s when I knew we’d gotten it right. After all, the objective for licensing is to make it simple. Why make it simple? Product licensing is one of those things no one likes or really understands. IDC Research Survey Report (sponsored by Flexera Software) on Software Licensing showed that 85% of organizations were found to be out of compliance with their software license agreements, worse 37% were audited by their software vendors in the last 18-24 months, and 56% were handed true-up bills (21% for a million dollars or more…yuck!). The goals of a license should be to make it easy for customers to know what they’ve got. Make sure they can leverage it to get real business value from their investment. I’ve never met a customer that really wanted to be out of compliance or a sales rep that wanted to hand a true-up bill to their customer. I’ve been part of this conversation in the past and I’m not looking forward to it happening again. Complex licensing requirements make it hard to build a trustworthy relationship and they often slow down decision making. Most of the time no one really understood the pages and pages of fine print. It’s not simple and it’s not good business. How do you come up with a licensing model that’s easy for everyone to understand? Make them simple! And what better way to show simple? Give them the simplest names you can think of …. Good Better and Best or GBB. You don’t need to know the product to know that Better is better than Good and Best is, well the best. But simple naming isn’t enough. The licensing model itself really needs to be simple. F5, with its many different hardware platforms, software modules and various virtual edition options meant a dizzying combination of licensing options (over 1100 SKUs) that required customers to not only know exactly what they needed right now but to anticipate the need for services like web app security or identity and access management for a new app that hadn’t even been developed yet. Today, even though there are even more modules and hardware platforms available, there are a smaller number of licensing options (fewer than 100 SKUs) and customers receive the luxury of being able to take advantage of services they need today to keep their applications fast, secure and available as well as those they might need tomorrow or next month. Licensing for them has become as simple as Good, Better and Best. This is what GBB looks like: What I like about simple is it gives customer confidence. Confidence to use your products broadly. Confidence to simplify their IT environments. Confidence to right size their investments. After a year of selling with GBB, Customer have spoken. We’re seeing broad adoption of F5’s complete suite of capabilities. Customer are future proofing and adding Security Services to their applications. Customers are saving money. Would we name the products Good, Better and Best again? Yes, but now we’ve got a new problem. How do you make Best even better … Bester? In my next Blog I’ll talk about the latest steps we’re taking to ensure we keep it simple as customers move their applications to the cloud.BIG-IQ Reporting for Subscriptions and ELA - How to Generate and Revoke Licenses for Isolated BIG-IP VE Instances
October 2018 Rev:D Scenario Some network designs may disallow BIG-IQ from reaching BIG-IP VE instances over the network due to network design, network partitioning, security reasons... you get the idea. BIG-IQ’s usual operation requires BIG-IQ to connect to port 443 on the BIG-IP VE’s management IP address. However, when the networks are partitioned in a way that does not allow the BIG-IQ to connect to the BIG-IP, a system outside of BIG-IQ is required to: POST an operation to generate a license GET the license from BIG-IQ Copy the license to the target BIG-IP VE instance And later, when the BIG-IP VE is no longer operational, revoking the license from BIG-IQ. This document explains how to manage licenses on BIG-IP VEs in this network design. Step 1: Gather your BIG-IP VE information for the licensing operation In order to successfully license BIG-IP VE, BIG-IQ needs specific information from the BIG-IP VE to be licensed. Log into the BIG-IP VE instance using “root” credentials Execute the following command: # get_dossier -b TBD -c Record the MAC address. You will also need to know the hypervisor your BIG-IP VE is running on. Example: [root@biq1-yabba-dabba-do:Active:Standalone] config # get_dossier -b d -c F5_BIOS_ID=Phoenix Technologies LTD 6.00 04/05/2016 VMware Virtual Platform None F5_MAC=00:50:56:bf:02:02 F5_PROBES=0x01000013 F5_SYS_UUID=543ff2ec-1c2f-844a-23d0-1e226b90678e F5_KEY=d F5_VERSION=BIG-IQ 6.0.1 0.0.469 Step 2: Requesting a License from BIG-IQ for your BIG-IP VE For this step, you need to have the following information: The name of the license pool in BIG-IQ you want to license the BIG-IP VE from The IP address of the BIG-IP VE device The MAC address (from step 1) The hypervisor type The offering name you wish to assign to the BIG-IP VE instance We’ll walk you through each one. The name of the pool comes from your BIG-IQ centralized management console. To get the name of the pool: Log into BIG-IQ Click the Devices tab On the left navigation, open LICENSE MANAGEMENT On the left navigation, click on Licenses Here you will see your license pools – the pool names are shown in the red rectangle in the example screen shot below. In this case, there are two pools “Engineering-Pool” and “IT-Pool” The next one we’ll discuss is the offering (service catalog) name, this will become important when we form the JSON request for the post. Click on your pool name, this will open the properties of the pool It looks as shown in the following diagram, highlighted by the red rectangle: The BIG-IQ API allows you to specify one or two “search keywords” to be used for matching the offering you wish to assign to your BIG-IP VE instance. For example, the first search keyword could be the feature level you’d like and the second the throughput, such as “LTM” and “10G”. Or, you can just specify the entire offering name as the only search keyword for an exact patch, such as “F5-BIG-MSP-LTM-5G-LIC-DEV”. Once you have the information available, form your JSON request, here is an example you can start with, we’ll take you through each part: { "licensePoolName": "Engineering-Pool", "command": "assign", "address": "192.0.2.3", "assignmentType": "UNREACHABLE", "macAddress": "FA:16:3E:1B:6D:34", "hypervisor": "vmware", "unitOfMeasure": "yearly", "skuKeyword1": "LTM", "skuKeyword2": "10G" } Elements Description licensePoolName Name of your pool as previously discussed in this article command The request to BIG-IQ to assign/allocate a license for this instance of BIG-IP VE address IP of your BIG-IQ (use the management IP) assignmentType must be 'unreachable': this instructs BIG-IQ to avoid trying to POST the license to the BIG-IP VE macAddress The MAC addressed obtained using method previously discussed hypervisor Underlying hypervisor hosting the BIG_IP VE you wish to license. Valid values are "aws","azure","gce","vmware","hyperv","kvm", and "xen". unitOfMeasure Must be "yearly" when you are using a license pool as part of the F5 subscription license or Enterprise Licensing Agreement (ELA) programs. skuKeyword1 Is the first search keyword skuKeyword2 Is the second search keyword The search keywords are optional; if none are specified, you’ll get the first license pool BIG-IQ matches on. If only one is specified, you’ll get the first license pool finds matching the search string. Here is an example with a single search keyword: { "licensePoolName": "Engineering-Pool", "command": "assign", "address": "192.0.2.3", "assignmentType": "UNREACHABLE", "macAddress": "FA:16:3E:1B:6D:34", "hypervisor": "vmware", "unitOfMeasure": "yearly", "skuKeyword1": "F5-BIG-MSP-LTM-3G-LIC-DEV" } Next, you need to POST your JSON body to BIG-IQ. You’ll need to enable basic authentication on BIG-IQ in order to use username and password authentication, the default is to use token- based authentication. To enable basic authentication, log into BIG-IQ console as “root” and enter “set-basic-auth on”. For the example below, we’ll use CURL – the JSON body is stored in a file named “getlicense.txt”. # curl -k -l -H'Accept:application/json' -H'Content-Type:application/json' -X POST -T getlicense.txt "https://admin:admin@10.255.65.16/mgmt/cm/device/tasks/licensing/pool/member-management" In this case, the BIG-IQ is at 10.255.65.16 and we’re using the admin login account on BIG-IQ with password “admin”. Your POST must go to “/mgmt/cm/device/tasks/licensing/pool/member- management” This results in the following return, if BIG-IQ has accepted your request: { "address": "192.0.2.3", "assignmentType": "UNREACHABLE", "command": "assign", "generation": 1, "hypervisor": "vmware", "id": "64100009-e20c-4add-9d3f-6cf4ed6fde31", "identityReferences": [ { "link": "https://localhost/mgmt/shared/authz/users/admin" } ], "kind": "cm:device:tasks:licensing:pool:member-management:devicelicensingassignmenttaskstate", "lastUpdateMicros": 1531492957761866, "licensePoolName": "Engineering-Pool", "macAddress": "FA:16:3E:1B:6D:34", "ownerMachineId": "9890115d-3e0b-4e7f-a9a0-ebb22c5747e4", "selfLink": "https://localhost/mgmt/cm/device/tasks/licensing/pool/member-management/64100009-e20c-4add-9d3f-6cf4ed6fde31", "skuKeyword1": "F5-BIG-MSP-LTM-3G-LIC-DEV", "status": "STARTED", "taskWorkerGeneration": 1, "unitOfMeasure": "yearly", "userReference": { "link": "https://localhost/mgmt/shared/authz/users/admin" } } IG-IQ is an asynchronous, task-based design, as such, the license is not returned when the POST completes, but rather, the acceptance of your request to BIG-IQ. To get the license, you must poll the “selfLink” (highlighted above). # curl -k -l -H'Accept:application/json' -H'Content-Type:application/json' -X GET "https://admin:admin@10.255.65.16/mgmt/cm/device/tasks/licensing/pool/member-management/64100009-e20c- 4add-9d3f-6cf4ed6fde31" If successful, this GET will return the license for the BIG-IP VE instance described in the JSON request in the “licenseText” field of the JSON body. For brevity, it is omitted. If there was an error encountered, the error text is returned in the “errorMessage” field of the JSON return body. Step 2: Place the License on BIG-IP VE To complete the licensing operation, you’ll need to extract the license from the “licenseText” element in the returned JSON. You’ll need to login to the BIG-IP VE instance as “root” and do the following: Place the licenseText on the BIG-IP VE instance at the following location and file name: /config/bigip.license Restart BIG-IP VE services: bigstart restart At this point, your BIG-IP VE is licensed. Step 3: Revoking and Returning the License to BIG-IQ When your BIG-IP VE instance is no longer needed, it is time to return the license to the pool. This is called a revoke operation. You’ll need to gather the following information: The name of the license pool on BIG-IQ The IP address of the BIG-IP VE The MAC address of the BIG-IP VE Please see the information in the “Step 1” section on how to obtain and gather this information. The JSON body is then formed, here is an example: { "licensePoolName": "load7afterfix", "command": "revoke", "address": "192.0.2.3", "assignmentType": "UNREACHABLE", "macAddress": "FA:16:3E:1B:6D:34" } The “command” must be “revoke” to return the license to the pool. Here is the example CURL command to the revoke, the JSON body is stored in a file called “revokelicense.txt”: # curl -k -l -H'Accept:application/json' -H'Content-Type:application/json' -X POST -T revokelicense.txt "https://admin:admin@10.255.65.16/mgmt/cm/device/tasks/licensing/pool/member- management" If successful, this request will return a JSON body similar to the following: { "address": "192.0.2.3", "assignmentType": "UNREACHABLE", "command": "revoke", "generation": 1, "id": "c7348b6a-6973-4372-9b66-f07c40bd0fd5", "identityReferences": [ { "link": "https://localhost/mgmt/shared/authz/users/admin" } ], "kind": "cm:device:tasks:licensing:pool:member-management:devicelicensingassignmenttaskstate", "lastUpdateMicros": 1531490803422235, "licensePoolName": "load7afterfix", "macAddress": "FA:16:3E:1B:6D:34", "ownerMachineId": "9890115d-3e0b-4e7f-a9a0-ebb22c5747e4", "selfLink":"https://locahost/mgmt/cm/device/tasks/licensing/pool/member-management/c7348b6a-6973-4321-8f66-f07e41bf0ed4", "status": "STARTED", "taskWorkerGeneration": 1, "userReference": { "link": "https://localhost/mgmt/shared/authz/users/admin" } } Similar to the licensing operation, you can poll the selfLink using a GET operation to monitor BIG-IQ’s progress in finishing up the revoke.
License Revocation Limits?
I am planning to use some permanent lab licensed in a dynamic deployment environment. This means when the current session is finished I will tear down the infra and userevoke /sys license for the license key. So it can be used on next deployment. This plan heavily depends on the fact there is no limits to license revocation. Is anyone aware of restrictions on revocation and reuse of lab licenses?
aWAF DOS Protection Licensing
Hi everybody! I have a question most probably related to aWAF VE licensing (I am not completely sure whether the root cause is related to licensing but looks like this is the most probable reason for my issue). I am trying to configure DoS protection for applications according to the guide below and I am not able to find "Application Security" tab in protection profile: https://techdocs.f5.com/en-us/bigip-14-1-0/big-ip-asm-implementations-14-1-0/preventing-dos-attacks-on-applications.html#GUID-FEA647E5-53C1-45B5-A6A2-28D5F57D85D2 My TMOS version is 14.1.2.3, build 0.0.5, point release 3. Initially, the license was provided for VE v 15.0.0 but I downgraded SW to the version mentioned. I attached information related to activated modules, available licenses and protection profile output. My questions are: 1) is this a licensing issue and I need to request license update/renewal or so? 2) if this is not related to the licensing, what can be the problem? Thank you!
Version Plus, Upgrades and Support Contract?
Hi, I'm trying to figure out the Version Plus licensing scheme, but I'm getting mixed information from F5 partners. Say I buy now a -V18 Version Plus P/N, but also assign a support contract to it. When version 19 is releases, will I be able to upgrade if I have active contract, or do I need to re-buy everything? Thanks01071aca:3: Client SSL profile (/Common/crypto-server-default-clientssl): Certificate matching the configured cipher suites doesn't exist.
I was making test with a Strongbox unit, and after relicensed with the same modules, I got this error and the config doesn't load correctly. I cant save config, load config. I didnt find any hint about whet to check, the config files are ok with the config, but the device is not loading them. I was running 14.0.0.2 - Point Release 2.So you're going to the Cloud? Make sure you're using the 5 Minute Cloud Licensing Challenge
Moving to the Cloud sounds simple enough, but as you start it becomes clear that this is a major change. There are many questions that must be answered. How will I move and orchestrate hundreds of applications? Which applications should go first? Which Cloud has the best performance and monitoring capabilities? Can I manage the Security and Networking needs of my applications when there is no longer a data-center perimeter? These are all hard questions that need well thought-out answers. Licensing management should not add to this burden. Before we start on licensing, I’d like to share F5’s perspective on Micro-segmentation. As you move applications to the cloud your security and networking perimeter moves from the datacenter to the application itself. No matter if you’re thinking about containers like Docker or more traditional Virtual Machines, your licensing model should not change. Every Application deserves to be Fast, Available and Secure and having an ADC for every applications is a logical step as you move to the Cloud. Ensuring every application has a complete set of ADC services is easy when you leverage “Good-Better-Best” licensing. According to Information Week moving to the Cloud can add more complexity to an already complex licensing environment. This issue can be so complex 37% of companies responding have a person that spends 50% or more of their time just managing licensing. This is not cost effective. It’s every vendor’s job to bring simplicity to their licensing models. If you can’t understand it in a 5 minute conversation you’ve failed. The 5 Minute Cloud Licensing Challenge So here’s a challenge that you should put every vendor through. Explain your licensing model for the cloud in 5 minutes or less. If you can understand it, chances are you’ll avoid potential compliance pitfalls and the need to dedicate resources to manage your licensing portfolio. The key elements of a simple licensing model are ensuring that you’re meeting your customers where they’re going -- no matter what stage of development an application is at: from experimentation and testing to limited production to full scale deployment, the solutions need to be cost effective. Let’s look at these three scenarios and I’ll show you how F5 is focusing on cost effective solutions that meet customer’s needs. Experimentation & Testing in the Cloud: Cloud Licensing Program Anytime you start testing in a Public Cloud, you want to make sure you’re being cost effective. To make this work we’ve develop a Licensing program called Cloud Licensing Program or CLP. CLP is an easy way to get started because it’s a utility model, you only pay for what you use. The CLP program is available from a variety of different Cloud providers but the most obvious one is via the marketplace at Amazon Web Services. This is a great way to get started because there is no capital investment, you get the flexibility to deploy GBB VE images at a variety of throughput performance levels and there is no need for license management. You simply pay for what you use. Limited Production in the Cloud – Virtual Edition BYOL Once you’ve tested your application in the Cloud, you are ready to go into production. If you’ve used the Cloud Licensing Program and you do the math you’ll find paying for software by the hour when you’re using it 24 hours a day 7 days a week can be very expensive. Like renting a car by the hour and driving it all day every day, it will be the most expensive car you’re ever had. That’s why F5 has a Bring Your Own License (BYOL) program to meet these needs. F5 makes it easy to buy Virtual Editions of BIG-IP and take them to any Cloud based on the same packaging of capabilities you have with Good-Better-Best. With BYOL you can buy these licenses and take them to any Cloud, or move them to other Clouds with a cost model that provides affordability for limited productions. Scale Production in the Cloud – Volume Licensing Subscription So now you’re ready to take 100 or 200 or more of your applications to the Cloud. And just like with CLP, if you buy 100s of VE BIG-IP, the cost of buying them one at a time can become very expensive. To solve this issue we’ve developed a new licensing model we call Volume Licensing Subscription or VLS. VLS is a new licensing option that rounds out our Cloud offerings so that it’s easier than ever to move to the cloud. Look for our announcement on 3/19. VLS give customers the ability to adopt all the advanced capabilities you get with “Good-Better-Best,” provides flexibility to move VE instances to different clouds (both Public and Private), and (because it’s a subscription) the costs are significantly lower than they would be if you purchased the licenses individually. In some cases that savings can be as high at 67% on BIG-IP and 78% for LineRate Point. And because we know moving this many applications will not happen overnight and the number of applications you have in the cloud may scale up and down over time, you can scale the number of VLS instances up and down over time to ensure you’re not overspending on licensing. So that’s about 5 minutes. I hope the different licensing options available to you are clear and you have a better understanding of how to pick the right tool for the right job. F5 is committed to helping customers move to the Cloud. Meeting them with both great technical solutions as well as easy to understand cost effective licensing solutions is a top priority.
