How to: Install BIG-IP Next on rSeries
Overview
This document describes how to install the BIG-IP Next instance on rSeries.
Prerequisites
Complete the initial configuration of an rSeries system
Connect a console or terminal server to the console port of the rSeries appliance.
Run the Setup wizard (Enables DHCP, configures DNS and NTP)
-OR-
Configure static IP addresses (no enabling of DHCP):
F5 rSeries Planning Guide > Initial Setup of rSeries F5OS Platform Layer > IP Address Assignment & Routing
Configure system settings (if you did not run the Setup wizard, this configures DNS, NTP, and external logging). You can use the CLI, webUI, or API. See: F5 rSeries Planning Guide > Initial Setup of rSeries F5OS Platform Layer > System Settings
You must also have the instance’s IP address, username and password.
Note: When you add a BIG-IP Next instance that was onboarded locally to BIG-IP Next Central Manager, all users currently configured on that local BIG-IP Next instance are automatically disabled, so management of the instance is done exclusively from BIG-IP Next Central Manager. You must set an initial “admin” password before adding the instance to Central Manager via Postman.
Limitations for rSeries 2K and 4K platforms:
Link Aggregation (LAG) is not currently supported.
The first active interface must be assigned to Control-Plane High Availability.
Additional details on interface modes are available for the 2K and 4K series devices.
Summary
Procedures
Download the BIG-IP Next tenant file
Log in to MyF5.
In the upper-right corner, click SIGN IN.
Type your Email address, and click Next.
From the top menu, click the RESOURCES list, and select Downloads.
To agree with the terms of downloading software, review the End User License Agreement and Program Terms. Click the checkbox, and then click Next.
From the Group list, select BIG-IP_Next.
From the Product Line list, select F5 Systems (HW).
From the Product Version list, select a version number.
From Select a product container, select the name of a product.
From Select a download file, select a .tar file.
From the Download locations list, select a location and then click the Download link.
After the download is complete, move the .iso file to a desired location.
Download the rSeries F5OS-A file
Log in to MyF5.
In the upper-right corner, click SIGN IN.
Type your Email address, and click Next.
From the top menu, click the RESOURCES list, and select Downloads.
To agree with the terms of downloading software, review the End User License Agreement and Program Terms. Click the checkbox, and then click Next.
From the Group list, select F5OS.
From the Product Line list, select F5OS Appliance Software.
From the Product Version list, select a version number.
From Select a product container, select the name of a product.
From Select a download file, select a .tar file.
From the Download locations list, select a location and then click the Download link.
After the download is complete, move the .iso file to a desired location.
Update the rSeries appliance software
Update the rSeries software (F5OS) to the required version: v1.7.0.
Log in to the rSeries webUI using an account with admin access.
On the left, click SYSTEM SETTINGS > Software Management.
Upload the Base OS image
At the bottom of the page, for Update Base OS Software, select Bundled.
For the ISO Image, select the full version release ISO image.
Click Save.
The software on the rSeries appliance is updated.
Upload a tenant image onto the rSeries appliance
Upload using the webUI.
With the DASHBOARD open, on the left, click TENANT MANAGEMENT > Tenant Images.
Click Upload. The Tenant Images window opens.
Select the bundle file.
Click Open.
The upload process starts.
Onboard via Postman
Download the F5 Postman collection.
Modify the Postman variables.
Create an environment or modify the collection variables:
bigip_next_1_name: (e.g. my-bigip-next)
domain_name: (e.g. example.com)
bigip_next_1_mgmt_ip: (the value that you configured above, e.g. 192.168.122.245)
bigip_next_admin_password: (preferred password, minimum 8 characters)
bigip_next_1_external_ip: (self-ip of data-plane / secondary interface)
bigip_next_external_network_mask: (netmask of data-plane network)
static_route_gateway: (data-plane default gateway address)
Find the folder Virtual Edition Onboarding.
Execute the requests Reset Admin Password through Create Static Route.
Deploy a BIG-IP Next instance on an rSeries system using BIG-IP Next Central Manager
Sign in to BIG-IP Next Central Manager.
Click the Workspace menu icon next to the F5 icon, and click Infrastructure.
Click + Add.
Click Create a New Instance.
Click Next.
Type a Hostname and Description (optional).
From the Instance Template list, select the rSeries Standalone template, and then click Start Creating.
To create a new rSeries Provider:
Note: If you have already configured Providers, you can continue directly to step 9.
Click + Add.
Type a Name, rSeries IP address, and Port, and then click Connect.
Type a Username and Password, and then click Submit.
Click Done, and then click Next.
Note: For provider and tenant device certificate errors, see Generate and change certificate in provider and tenant.
In the rSeries Properties area, type Disk Size (between 10 GB and 30 GB), CPU Cores, Tenant Image Name, Tenant Deployment File, and VLAN IDs (optional), and then click Next.
Type a Management IP Address, Management Network Prefix Width, and Gateway IP Address (optional), and then click Next.
In the Networking area, complete the settings, and click Next.
Confirm the Management Username (default), type a Password, and then Confirm Password. Click Next.
Review the Summary, and click Deploy.
Deployment may take up to 15 minutes.
Generate and change certificate in provider and tenant
As of version 20.2.1, the BIG-IP Next Central Manager includes a security update that requires a BIG-IP Next Instance to possess a device certificate with DNS and IP subjectAlternativeName (SAN) values. A BIG-IP Next Instance does not create a device certificate with these values, and hence, a new device certificate must be created before importing to BIG-IP Next Central Manager version 20.2.1.
DEVICE-00060: Internal error testing authentication
Upgrade to BIG-IP Next Central Manager version 20.2.1 to take advantage of security enhancements, including certificate SAN IP check during SSL handshake.
However, the provider and tenant device certificates do not contain the IP in the SAN. To generate and change the certificate in the provider and tenant, read through the following scenarios and perform the steps in the one that applies to you.
Following are the different scenarios:
Scenario 1:
To add a BIG-IP Next Instance with a version earlier than 20.2.0 on BIG-IP Next Central Manager 20.2.0 or later versions.
Solution:
The BIG-IP Next Central Manager 20.2.0 and later requires that the BIG-IP Next instance uses a TLS certificate with well-formed Subject Alternative Names (SAN).
Follow the recommended actions in the KB article, BIG-IP Next Instance discovery error to change the certification and settings.
Scenario 2:
Changing the certificate on the provider so that BIG-IP Next Central Manager 20.2.0 or later can add an rSeries system (version 1.7 or earlier) as a provider.
Solution:
To create a device certificate and private key with SAN DNS and IP values, run the following openssl command. Set DNS and IP on their own lines first, so that the shell expands them inside the -addext argument:
DNS=big-ip-next
IP=10.1.1.7
openssl req -x509 -newkey rsa:2048 -days 1024 -keyout bigip_key.pem -out bigip_crt.pem -nodes -addext "subjectAltName = DNS:${DNS},IP:${IP}"
Use the following API to push the new certificate and key to the BIG-IP Next Instance:
a. Export Next instance variables
export NEXT=10.1.1.7
export USER=admin
export PASS='mypassword'
b. Get a logon bearer token and BIG-IP Next Instance system ID
TOKEN=$(curl -sk "https://${NEXT}:5443/api/v1/login" -H 'Content-Type: application/json' --user "${USER}:${PASS}" | jq -r '.token')
SYSID=$(curl -sk "https://${NEXT}:5443/api/v1/systems" -H 'Content-Type: application/json' -H "Authorization: Bearer ${TOKEN}" | jq -r '._embedded.systems[0].id')
c. Push the private key to BIG-IP Next Instance files API
curl -sk \
  -H 'Accept-Encoding: gzip, deflate, br' \
  -H "Authorization: Bearer ${TOKEN}" \
  -H 'Content-Type: multipart/form-data' \
  -F "fileName=@bigip_key.pem;type=application/pkcs8" -F "name=bigip_key.pem" "https://${NEXT}:5443/api/v1/files"
d. Push the certificate to BIG-IP Next Instance files API
curl -sk \
  -H 'Accept-Encoding: gzip, deflate, br' \
  -H "Authorization: Bearer ${TOKEN}" \
  -H 'Content-Type: multipart/form-data' \
  -F "fileName=@bigip_crt.pem;type=application/x-x509-ca-cert" -F "name=bigip_crt.pem" "https://${NEXT}:5443/api/v1/files"
e. Set BIG-IP Next Instance device certificate to the new certificate and private key
curl -sk -X PUT \
  -H 'Accept-Encoding: gzip, deflate, br' \
  -H "Authorization: Bearer ${TOKEN}" \
  -H 'Content-type: application/json' \
  -d '{"cert": "bigip_crt.pem", "key": "bigip_key.pem"}' \
  "https://${NEXT}:5443/api/v1/systems/${SYSID}/device-certificate"
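A pre-flight check for the certificate generated in Scenario 2, to run before the key and certificate are pushed (an added example, not part of the F5 documentation): it confirms that the SAN really holds the DNS and IP values that Central Manager checks during the handshake, and that the private key belongs to the certificate. The function names are hypothetical, IPv4 is assumed, and OpenSSL 1.1.1 or later is needed for -ext and -addext.

```shell
#!/bin/sh
# Added example, not F5 code. Function names are hypothetical; the file names
# bigip_crt.pem / bigip_key.pem and the SAN values follow the page.

# Print the certificate's SAN entries one per line, e.g. "IP Address:10.1.1.7".
san_entries() {
    openssl x509 -in "$1" -noout -ext subjectAltName 2>/dev/null |
        grep -v 'Subject Alternative Name' | tr ',' '\n' |
        sed 's/^[[:space:]]*//; s/[[:space:]]*$//'
}

# Succeed only if the SAN has exact DNS and IP entries (IPv4 assumed).
has_san() {  # has_san CERT DNS_NAME IP_ADDR
    san_entries "$1" | grep -Fxq "DNS:$2" &&
        san_entries "$1" | grep -Fxq "IP Address:$3"
}

# Succeed only if the private key belongs to the certificate.
key_matches_cert() {  # key_matches_cert CERT KEY
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Run all checks; a distinct return code identifies the failed check.
preflight() {  # preflight CERT KEY DNS_NAME IP_ADDR
    has_san "$1" "$3" "$4" || { echo "SAN lacks DNS:$3 or IP:$4" >&2; return 1; }
    key_matches_cert "$1" "$2" || { echo "key/cert mismatch" >&2; return 2; }
    openssl x509 -in "$1" -noout -checkend 0 >/dev/null 2>&1 ||
        { echo "certificate has expired" >&2; return 3; }
    echo "ok: $1 ready to push"
}

# Constructed sample: throwaway self-signed cert and key in directory DIR.
make_sample() {  # make_sample DIR DNS_NAME IP_ADDR
    openssl req -x509 -newkey rsa:2048 -days 1024 -nodes -subj "/CN=$2" \
        -keyout "$1/bigip_key.pem" -out "$1/bigip_crt.pem" \
        -addext "subjectAltName = DNS:$2,IP:$3" 2>/dev/null
}

# Usage: sh preflight.sh bigip_crt.pem bigip_key.pem big-ip-next 10.1.1.7
if [ "$#" -eq 4 ]; then preflight "$@"; fi
```

The SAN comparison is an exact match on each entry, so a certificate issued for 10.1.1.70 does not pass a check for 10.1.1.7.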
Scenario 3:
Upgrading from BIG-IP Next Central Manager 20.1.0 to 20.2.0 or later, with a manually added BIG-IP Next Instance.
Solution:
After upgrading the BIG-IP Next Central Manager to 20.2.0 or later versions, click on Accept cert fingerprint in the pop-up that is displayed on the screen.
Scenario 4:
If rSeries (F5OS version 1.7 or earlier) is added manually as a provider in the BIG-IP Next Central Manager version 20.1.0, and the BIG-IP Next Central Manager is upgraded to version 20.2.1, then ensure that the provider is working as usual.
Solution:
After upgrading the BIG-IP Next Central Manager to 20.2.1 or later versions, to ensure that the provider works as usual, click on Accept cert fingerprint in the pop-up displayed on the screen.
Note: This solution does not work for BIG-IP Next Central Manager upgrade to version 20.2.0.