How to: Add a locally-onboarded BIG-IP Next instance to BIG-IP Next Central Manager
Add a locally-onboarded BIG-IP Next instance to BIG-IP Next Central Manager for centralized management.
Note: As an alternative to the following procedure, you can onboard a BIG-IP Next VE instance from BIG-IP Next Central Manager using an onboarding template. See: How to: Create a BIG-IP Next instance in a VMware vSphere environment using an onboarding template
Prerequisites
Before you add a BIG-IP Next instance to BIG-IP Next Central Manager, you must onboard the instance locally using the setup script. See: Create BIG-IP Next Instance Locally on VMware.
You must also have the instance’s IP address and username and password.
Note: When you add a BIG-IP Next instance that was onboarded locally to BIG-IP Next Central Manager, all users currently configured on that local BIG-IP Next instance are automatically disabled, so management of the instance is done exclusively from BIG-IP Next Central Manager. You must set an initial “admin” password before adding the instance to Central Manager either via the setup script or Postman.
To
Procedure
Use this procedure to add an instance that has already been locally onboarded through the BIG-IP Next instance.
Log in to BIG-IP Next Central Manager, click the workspace switcher next to the F5 icon, and click Infrastructure.
At the top of the screen, click + Start Adding Instances.
Type the IP address for the BIG-IP Next instance and click Connect.
You must use port 5443.
Enter the current username and password for this BIG-IP Next instance.
For the Management Credentials, in the Username and Password fields, specify a username and create a password for managing this instance from BIG-IP Next Central Manager and click Add Instance.
The password must meet the criteria displayed on the screen.
Confirm the password you created by typing it in the Confirm Password field. You’ll use this username and password to manage the BIG-IP Next instance.
Click the Add Instance button.
Click the Add button.
A new prompt then appears that asks you to accept the fingerprint. The following points describe this prompt:
Reason for prompt:
Security measure implemented to ensure the integrity and authenticity of communication between parties.
In the realm of secure communication, verifying the identities of entities involved is paramount.
Failure to do so adequately can result in serious risks such as mistaken identity and potential exploitation by malicious actors.
Implementation:
A certificate serves to associate an identity with a cryptographic key, thus facilitating the authentication of a communicating party.
Typically, the certificate is presented in an encrypted format, encompassing the hash of the subject’s identity, the public key, and additional details such as issuance and expiration timestamps, all encrypted with the issuer’s private key.
Verification of the certificate’s authenticity can be accomplished by decrypting it using the issuer’s public key.
Usefulness of accepting the fingerprint:
By verifying the fingerprint, users confirm the identity of the communicating parties, reducing the risk of unauthorized access or impersonation.
Verifying the fingerprint mitigates the potential for communication interception by malicious entities, safeguarding sensitive information from unauthorized access or tampering.
Click Accept to accept the fingerprint.
A dialog box appears, confirming that a new instance is added.
Note: BIG-IP Next Central Manager removes all locally-configured users from the BIG-IP Next instance you are adding. If, for any reason, disablement of users on the local BIG-IP Next instance fails, adding the BIG-IP Next instance to BIG-IP Next Central Manager is halted and all users are re-enabled on the local BIG-IP Next instance.
Result
You can now manage this BIG-IP Next instance from BIG-IP Next Central Manager.
Overview
This document describes the API workflow to discover a BIG-IP Next instance on BIG-IP Next Central Manager and to reset the password for a BIG-IP Next instance managed by BIG-IP Next Central Manager.
Reset the BIG-IP Next Instance Password
The following API calls are necessary to initialize the Next instance.
These API calls are made directly to the Next instance.
Use this method to onboard the Next instance if you are unable to use the setup script.
Download the F5 Postman collection.
Modify the Postman variables.
Create an environment or modify the collection variables.
bigip_next_1_name: (e.g. my-bigip-next)
domain_name: (e.g. example.com)
bigip_next_1_mgmt_ip: (e.g. the value that you configured above, 192.168.122.245)
bigip_next_admin_password: (e.g. preferred password, minimum 8 characters)
The Postman collection will issue the following API calls.
Change the BIG-IP Next instance admin password using the following API.
a. Send a PUT request to the /api/v1/me endpoint.
PUT: https://{{bigip_next_mgmt_ip}}:{{bigip_next_mgmt_port}}/api/v1/me
b. For the request payload, use the following example, modifying the values as required.
{
  "currentPassword": "admin",
  "newPassword": "{{bigip_next_admin_password}}"
}
c. Using the provided Postman collection you can issue the request “Virtual Edition Onboarding” -> “Reset Admin Password”
Log in to the BIG-IP Next instance with the new admin password to retrieve an authentication token.
a. Send a GET request to the /api/v1/login endpoint using basic authentication with username “admin” and your new password.
GET: https://{{bigip_next_mgmt_ip}}:{{bigip_next_mgmt_port}}/api/v1/login
b. For the request headers, use the following example, modifying the values as required.
Authorization: Basic YWRtaW46V2VsY29tZTEyMyE=
Save the value of “token” that is returned.
c. Using the provided Postman collection you can issue the request “Virtual Edition Onboarding” -> “Login”
Change the BIG-IP Next instance hostname and set NTP servers using the following API.
a. Send a PUT request to the /api/v1/onboard endpoint.
PUT: https://{{bigip_next_mgmt_ip}}:{{bigip_next_mgmt_port}}/api/v1/onboard
b. For the request payload, use the following example, modifying the values as required.
Authorization: Bearer {{bigip_next_1_token}}
{
  "token": "{{bigip_next_1_token}}",
  "platform": {
    "platformType": "ve",
    "hostname": "{{bigip_next_1_name}}.{{domain_name}}",
    "ntpServers": [
      "{{ntp_server_1}}",
      "{{ntp_server_2}}"
    ]
  }
}
c. Using the provided Postman collection you can issue the request “Virtual Edition Onboarding” -> “Onboarding”
Discover the BIG-IP Next Instance
The next set of API calls is made to the Central Manager API.
Log in to BIG-IP Next Central Manager using the API.
a. Send a POST request to the /api/login endpoint.
POST: https://{{bigip_next_cm_mgmt_ip}}/api/login
b. For the request payload, use the following example, modifying the values as required.
{
  "username": "admin",
  "password": "{{bigip_next_cm_admin_password}}"
}
c. The following is the sample JSON response from the POST operation.
{
  "access_token": "<example_access_token>",
  "refresh_token": "<example_refresh_token>",
  "user_id": "example_user_id"
}
d. Here’s an example to save the token in a variable using Postman.
// Fail the request in the Postman test results unless login returned HTTP 200.
pm.test("Login status code is 200", function () {
    pm.response.to.have.status(200);
});
// Store the access token as a collection variable for the remaining calls.
var resp = pm.response.json();
pm.collectionVariables.set("bigip_next_cm_token", resp.access_token);
Get the access token from the above response and use it as the Authorization for all of the remaining API calls.
a. Send a POST request to the /api/login endpoint.
POST: https://{{bigip_next_cm_mgmt_ip}}/api/login
Send a POST request to the /api/v1/spaces/default/instances endpoint in order to discover the instance.
POST: https://{{bigip_next_cm_mgmt_ip}}/api/v1/spaces/default/instances
a. For the request payload, use the following example, modifying the values as required.
{
  "address": "xxx.xxx.xxx.xxx",
  "port": 5443,
  "device_user": "admin",
  "device_password": "password",
  "management_user": "admin-cm",
  "management_password": "password"
}
b. The following is the JSON response from the POST operation.
{
  "_links": {
    "self": {
      "href": "/api/v1/spaces/default/instances/discovery-tasks/b0034c2e-7442-45c8-810a-475346cca1c6"
    }
  },
  "path": "/api/v1/spaces/default/instances/discovery-tasks/b0034c2e-7442-45c8-810a-475346cca1c6"
}
For more information about discovering the instance using BIG-IP Next Central Manager APIs, see OpenAPI documentation.
Note: This API endpoint is only used to discover the BIG-IP Next Instance. To modify the instance, refer to the How to: Edit the Configuration for a Managed BIG-IP Next Instance.
Extract the Path ID
From the above response, extract the path value and refer to it as “discovery_path_id” (we can add it to the variables). Then, use the GET method along with this discovery_path_id to obtain the status of the discovery.
a. Send a GET request to the https://{{bigip_next_cm_mgmt_ip}}{{discovery_path_id}} endpoint.
GET: https://{{bigip_next_cm_mgmt_ip}}{{discovery_path_id}}
b. A sample JSON response is provided below. The important fields are “state” and “fingerprint.” If “state” is “discoveryWaitForUserInput” and “fingerprint” has a value, proceed to the next step. The following is the JSON Response from the GET operation.
{
  "_links": {
    "self": {
      "href": "/api/v1/spaces/default/instances/discovery-tasks/2de87969-4c64-4164-866b-4768e299c61e"
    }
  },
  "address": "xxx.xxx.xxx.xxx",
  "created": "2024-05-23T20:02:33.427858Z",
  "device_group": "default",
  "device_user": "admin",
  "fingerprint": "f7d95816ea02887ba6a17418c05e382505203d0ea3de5b5db551f4ea8bf8e917",
  "id": "2de87969-4c64-4164-866b-4768e299c61e",
  "port": 5443,
  "state": "discoveryWaitForUserInput",
  "status": "running"
}
For more information about this API request, see OpenAPI documentation.
The response shows that the “state” is “discoveryWaitForUserInput” and the “status” is “running”. The state now says that it is waiting for user input, which means that we must accept the fingerprint in order to trust the certificate.
"state": "discoveryWaitForUserInput",
"status": "running"
Accept the fingerprint
Accept the fingerprint to trust the certificate.
a. Send a PATCH request to the https://{{bigip_next_cm_mgmt_ip}}{{discovery_path_id}} endpoint.
PATCH: https://{{bigip_next_cm_mgmt_ip}}{{discovery_path_id}}
b. For the request payload, use the following example, modifying the values as required.
{
  "is_user_accepted_untrusted_cert": true
}
For more information about this API request, see OpenAPI documentation.
Discover the BIG-IP Next Instance again
Repeat the GET request to discover the BIG-IP Next Instance again.
a. Send a GET request to the https://{{bigip_next_cm_mgmt_ip}}{{discovery_path_id}} endpoint.
GET: https://{{bigip_next_cm_mgmt_ip}}{{discovery_path_id}}
b. A sample response will appear with “state” going through different values, “fingerprint” containing a value, and “is_user_accepted_untrusted_cert” set to true.
{
  "_links": {
    "self": {
      "href": "/api/v1/spaces/default/instances/discovery-tasks/74fdf051-9a81-4f4f-ad7e-f74d7aa8eaa1"
    }
  },
  "address": "xxx.xxx.xxx.xxx",
  "created": "2024-06-03T20:38:38.784561Z",
  "device_group": "default",
  "device_user": "admin",
  "discovered_device_id": "958c1df6-91e7-40f3-92af-f7a46bc0baf8",
  "discovered_device_path": "/v1/inventory/958c1df6-91e7-40f3-92af-f7a46bc0baf8",
  "fingerprint": "0490994fc5f56850cccdfed931ce9de4da063667407fc5c806cdcb9ff9301e8b",
  "id": "74fdf051-9a81-4f4f-ad7e-f74d7aa8eaa1",
  "is_user_accepted_untrusted_cert": true,
  "port": 5443,
  "state": "discoverySyncL3Networks",
  "status": "running"
}
Keep checking the status from the Discover the BIG-IP Next Instance again step until you see the following values, which indicate the instance discovery is successful (or until it fails).
"state": "discoveryDone",
"status": "completed"
a. Send a GET request to the https://{{bigip_next_cm_mgmt_ip}}{{discovery_path_id}} endpoint.
GET: https://{{bigip_next_cm_mgmt_ip}}{{discovery_path_id}}
b. The following is the JSON response from the GET operation.
{
  "_links": {
    "self": {
      "href": "/api/v1/spaces/default/instances/discovery-tasks/74fdf051-9a81-4f4f-ad7e-f74d7aa8eaa1"
    }
  },
  "address": "xxx.xxx.xxx.xxx",
  "completed": "2024-06-03T20:39:55.228083Z",
  "created": "2024-06-03T20:38:38.784561Z",
  "device_group": "default",
  "device_user": "admin",
  "discovered_device_id": "958c1df6-91e7-40f3-92af-f7a46bc0baf8",
  "discovered_device_path": "/v1/inventory/958c1df6-91e7-40f3-92af-f7a46bc0baf8",
  "failure_reason": "",
  "fingerprint": "0490994fc5f56850cccdfed931ce9de4da063667407fc5c806cdcb9ff9301e8b",
  "id": "74fdf051-9a81-4f4f-ad7e-f74d7aa8eaa1",
  "is_user_accepted_untrusted_cert": true,
  "port": 5443,
  "state": "discoveryDone",
  "status": "completed"
}
After completing the previous steps, the instance should be visible in BIG-IP Next Central Manager or in the API call outputs.
You can send a GET request to retrieve the basic details of the discovered instance via the GET endpoint.
a. Send a GET request to the /api/v1/spaces/default/instances?filter=address eq '{{bigip_next_mgmt_ip}}' endpoint.
GET: https://{{bigip_next_cm_mgmt_ip}}/api/v1/spaces/default/instances?filter=address eq '{{bigip_next_mgmt_ip}}'
b. The following is the JSON response from the GET operation.
{
  "_embedded": {
    "devices": [
      {
        "_links": {
          "self": {
            "href": "/api/v1/spaces/default/instances?filter=address+eq+%27xxx.xxx.xxx.xxx%27/08c043fd-7528-4eac-8e01-406a2c95b687"
          }
        },
        "address": "xxx.xxx.xxx.xxx",
        "certificate_validated": "2024-05-23T20:03:23.87275Z",
        "certificate_validation_error": "tls: failed to verify certificate: x509: certificate signed by unknown authority (possibly because of \"x509: invalid signature: parent certificate cannot sign this kind of certificate\" while trying to verify candidate authority certificate \"localhost\")",
        "certificate_validity": false,
        "hostname": "velins1",
        "id": "08c043fd-7528-4eac-8e01-406a2c95b687",
        "mode": "STANDALONE",
        "platform_name": "VELOS",
        "platform_type": "CHASSIS",
        "port": 5443,
        "short_id": "9icN5XMk",
        "version": "20.3.0-2.435.1"
      }
    ]
  },
  "_links": {
    "self": {
      "href": "/api/v1/spaces/default/instances?filter=address+eq+%27xxx.xxx.xxx.xxx2%27"
    }
  },
  "count": 1,
  "total": 1
}
For more information about this request, see OpenAPI documentation.
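The following Python example is added here and is not F5 code or part of the Postman collection. It drives the discovery task described above (and mirrors the fingerprint prompt in the UI procedure), but sends the is_user_accepted_untrusted_cert PATCH only when the fingerprint Central Manager reports matches one you obtained through a channel you already trust. The send callable, discover_pinned, fake_cm and the task ID are assumptions made for the example; the page does not state how the fingerprint is derived from the certificate, so it is compared as an opaque hex string.

```python
import hmac
import time

class FingerprintMismatch(Exception):
    """Central Manager reported a fingerprint other than the pinned one."""

def _norm(fp):
    # Tolerate "AA:BB:.." or "aabb.." notation; compare as lowercase hex bytes.
    return fp.replace(":", "").strip().lower().encode()

def discover_pinned(send, instance, expected_fp, poll_s=5, max_polls=60):
    """Drive the discovery task, accepting the certificate only on a pin match.

    send(method, path, body) -> dict is a hypothetical, caller-supplied client
    that adds the Bearer token and talks HTTPS to Central Manager.
    """
    path = send("POST", "/api/v1/spaces/default/instances", instance)["path"]
    accepted = False
    for _ in range(max_polls):
        task = send("GET", path, None)
        if task.get("failure_reason"):
            raise RuntimeError("discovery failed: " + task["failure_reason"])
        if task.get("state") == "discoveryDone" and task.get("status") == "completed":
            return task
        if task.get("state") == "discoveryWaitForUserInput" and not accepted:
            reported = _norm(task.get("fingerprint") or "")
            if not reported or not hmac.compare_digest(reported, _norm(expected_fp)):
                raise FingerprintMismatch("refusing to trust " + repr(task.get("fingerprint")))
            send("PATCH", path, {"is_user_accepted_untrusted_cert": True})
            accepted = True
        time.sleep(poll_s)
    raise TimeoutError("discovery did not finish within max_polls")

def fake_cm(fingerprint):
    """Constructed stand-in for Central Manager that replays the page's states."""
    task = "/api/v1/spaces/default/instances/discovery-tasks/constructed-id"
    states = iter(["discoveryWaitForUserInput", "discoverySyncL3Networks", "discoveryDone"])
    log = []
    def send(method, path, body):
        log.append((method, path, body))
        if method == "POST":
            return {"path": task}
        if method == "PATCH":
            return {}  # constructed: the page does not show the PATCH response
        state = next(states)
        status = "completed" if state == "discoveryDone" else "running"
        return {"state": state, "status": status, "fingerprint": fingerprint, "failure_reason": ""}
    return send, log
```

On a FingerprintMismatch nothing has been accepted: the task is left at discoveryWaitForUserInput and no PATCH was sent.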
Results
You can now manage this BIG-IP Next instance from BIG-IP Next Central Manager.