How to: Configure the BIG-IP Next Central Manager as a Standalone Node or in a High Availability Group

The BIG-IP Next Central Manager provides a single, unified management interface to efficiently manage all your BIG-IP Next instances and services. This document outlines the steps to install and configure the BIG-IP Next Central Manager.

Prerequisites

The BIG-IP Next Central Manager can be installed on either OpenStack or VMware vSphere hypervisor infrastructure. The disk image for BIG-IP Next Central Manager is available for download through the MyF5 Downloads portal.

  • Ensure that all BIG-IP Next Central Manager nodes use the same image size (Standard or Large) before setting up High Availability (HA).

Below are the compute and storage resource requirements for the BIG-IP Next Central Manager, offered in two image sizes: Standard and Large.

| Deployment Type | Image Option | vCPUs | RAM | Disk Space | Resources Description |
|---|---|---|---|---|---|
| Standalone Deployment | Standard | 8 | 16 GB | 350 GB | 1 VM instance with 8 vCPU, 16GB RAM, and 350 GB hard disk storage |
| Standalone Deployment | Large | 16 | 64 GB | 1 TB | 1 VM instance with 16 vCPU, 64GB RAM, and 1 TB hard disk storage |
| High Availability Deployment | Standard | 8 | 16 GB | 350 GB per instance | 3 VM instances each with 8 vCPU, 16GB RAM, and 350 GB hard disk storage |
| High Availability Deployment | Large | 16 | 64 GB | 1 TB per instance | 3 VM instances each with 16 vCPU, 64GB RAM, and 1 TB hard disk storage |

Requirements

  • Hypervisor Platform: VMware ESXi 7.x or KVM (QEMU 6.2 on Ubuntu 22.04 with i440fx or q35 machine types).

  • Network Resource: An IPv4 address is required for the BIG-IP Next Central Manager management interface.

  • External Storage (Optional): IP address and credentials for NFS or SAMBA network-attached storage (NAS) to configure the external storage option in BIG-IP Next Central Manager.

Storage Limitations

The BIG-IP Next Central Manager has specific storage setup requirements that must be met to ensure proper functionality:

  • It is recommended to use low-latency block storage devices for local storage volumes on VM instances.

  • The BIG-IP Next Central Manager can be optionally configured with external storage for system backups and Qkview. Ensure that the BIG-IP Next Central Manager root user has write permissions to create files and directories and can change ownership of folders mounted to UID and GID 1000. The CM admin user with UID and GID 1000 must be able to create files and directories inside the directories established by the CM root user.

High Availability Considerations

The BIG-IP Next Central Manager can be deployed either as a Standalone configuration on a single virtual machine instance or in a High Availability (HA) configuration across a 3-node virtual machine group. High availability is the recommended deployment mode, as it ensures resiliency in the event of a virtual machine instance failure.

High availability can be configured using one of the installation workflows:

  • Perform a new installation of the BIG-IP Next Central Manager on a 3-node virtual machine group.

  • Perform a new installation of the BIG-IP Next Central Manager as a Standalone service on a single virtual machine, then add two additional nodes later to enable High Availability.

Limitations

  • The supported virtual machine group size for High Availability (HA) is three nodes. The HA setup can continue to operate even if one of the nodes becomes unavailable. To restore the group to a healthy HA state, a new virtual machine instance must be added as a replacement for the unavailable node.

  • The BIG-IP Next Central Manager will become non-operational if more than one virtual machine node becomes unavailable in the HA group.

  • If a node in the 3-node HA group needs to be replaced, the node must first be removed from the group before adding a new node to the group.

Create BIG-IP Next Central Manager Instance

Optional: How to Enable SSH Password or Public Key authentication to Virtual Machine instances

By default, SSH password authentication is disabled for BIG-IP Next Central Manager virtual machine (VM) instances. To enable SSH password or public key based authentication, attach a cloud-init configuration when creating the VM instance on your hypervisor platform.

To enable SSH password authentication, create a cloud-config.yml file with the following content and replace the password entry with a valid password for the admin user:

#cloud-config
ssh_pwauth: true
chpasswd:
  expire: false
  users:
    - name: admin
      password: *************
      type: text
# Optional: Configure F5 Central Manager
f5_central_manager:
  k8s:
    cluster: false
    cluster_cidr: 100.76.0.0/14
    service_cidr: 100.75.0.0/16

To enable SSH public key authentication, create a cloud-config.yml file with the following content and replace the ssh_authorized_keys entry with your public key:

#cloud-config
users:
  - name: admin
    ssh_authorized_keys:
      - ssh-ed25519 AAAAC3MzaC1lZDI1NTE5AAAAIEskBkG991h8Cwsqa0AKqwuk+2bDMQ9fX73Jo400VSI0 user1@T2TR2M6HKH
# Optional: Configure F5 Central Manager
f5_central_manager:
  k8s:
    cluster: false
    cluster_cidr: 100.76.0.0/14
    service_cidr: 100.75.0.0/16

Attach Cloud-Init Configuration for VM instances on your hypervisor platform:

  • For OpenStack/KVM Platform

    • Include the contents of your cloud-config.yml file when creating your VM instance.

    • Optionally, attach the public key when creating VM instances.

  • For VMware ESXi Platform

    • Open the Edit Settings page for your VM.

    • Select the VM Options tab.

    • Expand the Advanced section and click Edit Configuration.

      • Add the following configuration parameters:

        • guestinfo.userdata.encoding → base64

        • guestinfo.userdata → base64-encoded content of the cloud-config.yml file.

          Before attaching the cloud-config content, you must encode the cloud-config.yml content in base64 format. Use the following command:

           base64 -i cloud-config.yml
          
      • After adding the encoded data, click OK to save the new parameters.

      • Right-click the VM and select Power → Power On to complete the setup.

Note: F5 strongly recommends the use of SSH public key authentication instead of password authentication for improved security. If an SSH public key is provided, the admin password is locked by default.

If SSH password authentication is not enabled during VM instance creation, it can be enabled later by logging in via the serial console using the admin/admin credentials. Change the default admin password when prompted, and then execute the command enable-ssh-password-auth.

To enable SSH password authentication in addition to public key authentication, log in to the VM instance using the admin user and your SSH public key. Issue the command enable-admin-password, change the password when prompted, and then issue the command enable-ssh-password-auth.
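
A pre-flight check for the cloud-config.yml described above, together with the two guestinfo parameters for VMware ESXi, as an added example (not F5 tooling). It uses simple line matching rather than a YAML parser, and both sample configs, including the password and key, are constructed placeholders.

```python
import base64
import re

# Constructed sample: the password-auth layout from this page with a made-up password.
SAMPLE_PASSWORD_CONFIG = """#cloud-config
ssh_pwauth: true
chpasswd:
  expire: false
  users:
    - name: admin
      password: example-only-password
      type: text
"""

# Constructed sample: the public-key layout from this page with a placeholder key.
SAMPLE_KEY_CONFIG = """#cloud-config
users:
  - name: admin
    ssh_authorized_keys:
      - ssh-ed25519 AAAAexamplekeyonly user1@example
"""


def review_cloud_config(text):
    """Return findings for a cloud-config.yml (line-based checks, not a YAML parser)."""
    findings = []
    if not text.startswith("#cloud-config"):
        findings.append("first line must be '#cloud-config' to be processed as cloud-config")
    if re.search(r"^ssh_pwauth:\s*(true|yes)\s*$", text, re.M | re.I):
        findings.append("ssh_pwauth is enabled; public key authentication is recommended")
    if re.search(r"^\s*type:\s*text\s*$", text, re.M):
        findings.append("admin password is stored in clear text in the user data")
    if not re.search(r"^\s*ssh_authorized_keys:\s*$", text, re.M):
        findings.append("no ssh_authorized_keys entry for public key authentication")
    return findings


def guestinfo_params(text):
    """Build the two VMware advanced configuration parameters listed on this page."""
    # b64encode returns one unwrapped line, suitable for a single parameter value.
    # Base64 is an encoding, not encryption: a clear-text password in the user
    # data stays readable to anyone who can view the VM's configuration.
    encoded = base64.b64encode(text.encode("utf-8")).decode("ascii")
    if base64.b64decode(encoded).decode("utf-8") != text:
        raise ValueError("base64 round trip failed")
    return {
        "guestinfo.userdata.encoding": "base64",
        "guestinfo.userdata": encoded,
    }


if __name__ == "__main__":
    for name, cfg in (("password", SAMPLE_PASSWORD_CONFIG), ("key", SAMPLE_KEY_CONFIG)):
        print(name, review_cloud_config(cfg))
    print(guestinfo_params(SAMPLE_KEY_CONFIG))
```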

Optional: How to Configure Static IP address for Virtual Machine instances

If the Virtual Machine (VM) instance for BIG-IP Next Central Manager does not have DHCP enabled, you will need to configure a static IP address.

The static IP address can be set during VM creation based on the hypervisor’s documentation or manually after the VM is created using a setup script.

To manually configure the static IP address, follow these steps:

  1. Access the serial console of the BIG-IP Next Central Manager VM instance from your hypervisor platform.

  2. Run the setup script to configure the static IP.

For detailed instructions on using the setup script, refer to your platform’s user guide.

Configure the Standalone Node or High Availability group using BIG-IP Next Central Manager GUI

Follow these steps to configure the BIG-IP Next Central Manager using the GUI:

  1. Access the BIG-IP Next Central Manager GUI:

    • Open a web browser and enter the IP address of your Virtual Machine (VM) instance.

  2. Log in for the First Time:

    • Log in to the BIG-IP Next Central Manager GUI using the default admin/admin credentials. You will be prompted to create a new password the first time you log in.

  3. Change the Default Password:

    • Type the Current Password, specify a New Password, re-enter the Confirm New Password, and then click Save. The password must meet the criteria displayed on the screen.

  4. Sign In with New Password:

    • You can now use this new password to sign in to BIG-IP Next Central Manager.

  5. Start the Setup Process:

    • Click Setup on the BIG-IP Next Central Manager window. Follow the instructions and click Next to proceed.

  6. Standalone Node Deployment:

    • If you want to deploy BIG-IP Next Central Manager as a Standalone Node, skip steps 7–12 and proceed to step 13.

  7. High Availability Deployment:

    • If you want to deploy a BIG-IP Next Central Manager in High Availability with three nodes, make sure to change the default credentials for the additional two nodes as mentioned in steps 1 to 3.

  8. Add the Second Node to the High Availability (HA) Setup:

    • From the BIG-IP Next Central Manager GUI Setup, click Nodes, then click the +Add button to add a node to the Central Manager HA setup.

    • Enter the Username, Password, and IP Address of the Virtual Machines (VMs) to be added.

    • Click Save.

  9. Enable Clustering:

    • Click Add on the Add Node window.

    • In the popup window, click Enable Clustering?.

    • Verify the fingerprint of the node and click Accept in the Continue Connecting? pop-up window.

    Note: When the second node is added to the BIG-IP Next Central Manager HA setup, the setup needs to be enabled. During this process, you will be logged out from the Central Manager GUI.

  10. Wait for Services to Start:

    • Wait up to 15 minutes for BIG-IP Next Central Manager Services to start and become operational.

  11. Add the Third Node:

    • Repeat step 8 to add the third node to the BIG-IP Next Central Manager HA setup.

    • Verify that the status of all BIG-IP Next Central Manager nodes that have been added is Ready.

  12. Optional: Configure External Storage for BIG-IP Next Central Manager

    This step is optional but highly recommended. Setting up external storage (NFS or SAMBA) provides benefits such as storing instance and CM backup files, storing analytics, and preventing CM disk space from filling up.

    Note: External storage can only be enabled and configured during the BIG-IP Next Central Manager installation and cannot be enabled or modified afterward.

    • Enable External Storage:

      • Toggle the Enable external storage for the BIG-IP Next Central Manager System option.

    • Select Storage Type:

      • From the Select the Storage Type dropdown menu, choose either an NFS or SAMBA server.

    • If NFS storage type is selected, enter the NFS Server Details:

      • Enter the Storage Server IP Address.

      • Enter the Storage Share Directory. This is the source directory where the backup file will be stored.

      • Enter the Storage Server Share Path. This is the destination directory from which the restore will be performed.

    • If SAMBA storage type is selected, enter the SAMBA Server Details:

      • Enter the Storage Server IP Address.

      • Enter the Storage Share Directory. This is the source directory where the backup file will be stored.

      • Enter the Storage Server Share Path. This is the destination directory from which the restore will be performed.

      • Enter the Username and Password for the Samba Storage Server.

    • Test the Connection:

      • Click Test Connection to verify that the external storage is successfully configured.

      • Wait until you see the Test connection status Success message.

  13. Start CM Services:

    • Click Start CM services.

    • Wait for up to 15 minutes for BIG-IP Next Central Manager Services to start and become operational.

  14. Verify Installation:

    • After installation, log in to BIG-IP Next Central Manager as admin.

    • Click the Workspace icon next to the F5 icon, and navigate to System → CM Maintenance.

    • The Properties screen will display the CM status as Completed.

Prerequisite

  • Make sure that you create three Virtual Machine (VM) instances using the disk image for BIG-IP Next Central Manager. A standalone CM deployment requires one VM instance, while a high availability deployment needs three VM instances.

  • Authenticate with the BIG-IP Next Central Manager API. For details, refer to How to: Authenticate with the BIG-IP Next Central Manager API.

  • Change the default Central Manager password for all three VM instances by using the following API.

    Note: You don’t need to log in to the VM over SSH. If you do for diagnostic purposes, make sure to change the default SSH password.

    POST  https://{{CM_Node_IP}}/api/change-password
    
    {
        "username": "admin",
        "temp_password": "temppwd",
        "new_password": "password"
    }
    

Create HA group and Start CM Services

  1. Log in to CM_Node_1 by sending a POST request to the /api/login endpoint.

    POST  https://{{CM_Node_1_IP}}/api/login
    
    {
      "username": "username",
      "password": "password"
    }
    

    Important

    • If you select Node_1 as your first instance, make sure you do all operations on the same node.

  2. Optional: Check the node status by sending the GET request to system/infra/nodes endpoint. Identify the fingerprint address to collect the fingerprints. Ensure that the node status is Ready before you proceed to the next step.

    GET  https://{{CM_Node_1_IP}}/api/v1/system/infra/nodes
    

    For more information about this request, see OpenAPI documentation.

  3. To deploy a BIG-IP Next Central Manager in a standalone node, skip steps 4-6 and proceed to step 7.

  4. To configure the high availability group, collect the fingerprints of the other two nodes by sending a GET request to Node_1 using the system/infra/nodes/cert-fingerprint?address=<node_address> endpoint. Replace node_address with the corresponding node address to get the respective node’s fingerprint.

    GET  https://{{CM_Node_1_IP}}/api/v1/system/infra/nodes/cert-fingerprint?address=<node_address>
    

    Resend this request on Node 1, using the modified node address that corresponds to the IP address of the VM instance being added to the high availability group.

    For more information about this request, see OpenAPI documentation.

  5. Create the high availability group by sending the POST request to system/infra/nodes endpoint on Node 1.

    POST  https://{{CM_Node_1_IP}}/api/v1/system/infra/nodes
    

    For the request payload, use the following example, modifying the values as required.
    node_address is the IP address of the node being added.
    fingerprint is that node's fingerprint, used to validate the certificate of the node being added.

    [
        {
            "node_address": "{{CM_Node_2_IP}}",
            "username": "user1",
            "password": "password",
            "fingerprint": "{{CM_Node_2_Fingerprint}}"
        },
        {
            "node_address": "{{CM_Node_3_IP}}",
            "username": "user2",
            "password": "password",
            "fingerprint": "{{CM_Node_3_Fingerprint}}"
        }
    ]
    

    For more information about this API request, see OpenAPI documentation.

  6. Check the node status again by sending a GET request to the /system/infra/nodes endpoint until the nodes are in the ready state.

    GET  https://{{CM_Node_1_IP}}/api/v1/system/infra/nodes
    

    Note: It might take about 30 seconds for the group to be in the ready state.

  7. Optional: Configure the external storage by sending the POST request to /system/infra/external-storage endpoint on Node_1.

    POST https://{{CM_Node_1_IP}}/api/v1/system/infra/external-storage
    

    For the request payload, use the following example, modifying the values as required.

    {
        "storage_type": "NFS",
        "storage_address": "xxx.xxx.xxx.xxx",
        "storage_share_path": "/export/data",
        "storage_share_dir": ""
    }
    

    For more information about configuring external storage using BIG-IP Next Central Manager APIs, see OpenAPI documentation.

  8. Start the CM services by sending the POST request to /system/infra/bootstrap endpoint on Node 1.

    POST  https://{{CM_Node_1_IP}}/api/v1/system/infra/bootstrap
    
  9. Check the bootstrap status by sending the GET request to system/infra/bootstrap endpoint on Node 1. Ensure that the bootstrap status is in the completed state.

    GET  https://{{CM_Node_1_IP}}/api/v1/system/infra/bootstrap
    

    Note: The status displays the progress of the Central Manager startup sequence, which takes approximately 15 minutes to complete.

    For more information about checking the bootstrap status using BIG-IP Next Central Manager APIs, see OpenAPI documentation.
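
The checks a script can make before the POST in step 5 and the polling in step 6, as an added example (not F5 code). It assumes each node's fingerprint was also recorded out of band, and that fetch_statuses is a hypothetical callable you write that returns the status strings from the nodes request; all addresses, passwords and fingerprints in it are constructed.

```python
import hmac
import ipaddress
import json
import time

DEFAULT_PASSWORD = "admin"  # the default admin/admin credentials named on this page


def build_ha_payload(node1_ip, candidates):
    """Validate nodes and return the JSON body for POST /api/v1/system/infra/nodes.

    Each candidate dict carries node_address, username and password as in the
    page's payload, plus two fields that are assumptions of this example:
      reported_fingerprint: value returned by the cert-fingerprint request on Node_1
      expected_fingerprint: value the operator recorded out of band
    """
    if len(candidates) not in (1, 2):
        raise ValueError("add two nodes for a new HA group or one replacement node")
    seen = {ipaddress.IPv4Address(node1_ip)}
    payload = []
    for c in candidates:
        addr = ipaddress.IPv4Address(c["node_address"])  # rejects non-IPv4 input
        if addr in seen:
            raise ValueError(f"{addr}: duplicate address or same as Node_1")
        seen.add(addr)
        if c["password"] == DEFAULT_PASSWORD:
            raise ValueError(f"{addr}: change the default password before adding")
        reported = c["reported_fingerprint"].strip()
        expected = c["expected_fingerprint"].strip()
        # Exact string comparison: the page does not state the fingerprint format,
        # so no case folding or separator stripping is applied.
        if not reported or not hmac.compare_digest(reported.encode(), expected.encode()):
            raise ValueError(f"{addr}: fingerprint mismatch, node not added")
        payload.append({
            "node_address": str(addr),
            "username": c["username"],
            "password": c["password"],
            "fingerprint": reported,
        })
    return json.dumps(payload, indent=4)


def wait_until_ready(fetch_statuses, expected_nodes=3, timeout_s=900,
                     interval_s=10, clock=time.monotonic, sleep=time.sleep):
    """Poll until exactly expected_nodes nodes report "Ready"; False on timeout.

    fetch_statuses is a hypothetical callable that issues the GET on
    /api/v1/system/infra/nodes and returns one status string per node.
    """
    deadline = clock() + timeout_s
    while True:
        statuses = fetch_statuses()
        if len(statuses) == expected_nodes and all(s == "Ready" for s in statuses):
            return True
        if clock() >= deadline:
            return False
        sleep(interval_s)


if __name__ == "__main__":
    # Constructed sample values, not taken from a real deployment.
    nodes = [
        {"node_address": "192.0.2.12", "username": "admin", "password": "N0de2-example",
         "reported_fingerprint": "constructed-fp-node2\n",
         "expected_fingerprint": "constructed-fp-node2"},
        {"node_address": "192.0.2.13", "username": "admin", "password": "N0de3-example",
         "reported_fingerprint": "constructed-fp-node3",
         "expected_fingerprint": "constructed-fp-node3"},
    ]
    print(build_ha_payload("192.0.2.11", nodes))
    polls = iter([["Ready", "Not Ready", "Not Ready"], ["Ready"] * 3])
    print(wait_until_ready(lambda: next(polls), sleep=lambda s: None))
```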

Enable High Availability in an Existing Standalone BIG-IP Next Central Manager

Follow these steps to add nodes to your existing BIG-IP Next Central Manager Standalone setup to achieve High Availability:

  1. Prepare two additional Virtual Machine instances for enabling the High Availability in the existing BIG-IP Next Central Manager.

    • Make sure to change the default credentials for the additional two nodes as mentioned in step 3 of Configure the BIG-IP Next Central Manager Using the GUI.

  2. Access the BIG-IP Next Central Manager GUI:

    • Open a web browser and enter the IP address of the Standalone BIG-IP Next Central Manager Virtual Machine (VM) instance.

    • Log in to the BIG-IP Next Central Manager GUI using your admin credentials.

  3. Navigate to System Menu:

    • Click the workspace menu and go to the System menu.

    • Click Manage on the Properties page to view the existing virtual machine node under the Nodes table.

  4. Add a Second Node:

    • Click the +Add button to add a new node to the Central Manager setup.

    • Enter the Username, Password, and IP Address of the Virtual Machines (VMs) to be added.

    • Click Save.

  5. Enable Clustering:

    • Click Add on the Add Node window.

    • In the popup window, click Enable Clustering?.

    • Verify the fingerprint of the Node and click Accept in the Continue Connecting? pop-up window.

    Note: While adding the second node to the setup, you will be logged out from the BIG-IP Next Central Manager GUI.

  6. Wait for Services to Start:

    • Wait up to 15 minutes for BIG-IP Next Central Manager Services to start and become operational.

  7. Add the Third Node:

    • Repeat step 4 to add a third node to the BIG-IP Next Central Manager setup.

  8. Verify Node Status:

    • Verify that the status of all the BIG-IP Next Central Manager nodes that have been added is Ready.

    Note: When the third node is added to the BIG-IP Next Central Manager setup, High Availability (HA) will initially show as Unhealthy. It may take up to 15 minutes for the BIG-IP Next Central Manager High Availability (HA) status to be shown as Healthy.

Prerequisite

  • Make sure that you create two additional Virtual Machine (VM) instances using the disk image for BIG-IP Next Central Manager.

  • Authenticate with the BIG-IP Next Central Manager API. For details, refer to How to: Authenticate with the BIG-IP Next Central Manager API.

  • Change the default Central Manager password for all three VM instances by using the following API.

    Note: You don’t need to log in to the VM over SSH. If you do for diagnostic purposes, make sure to change the default SSH password.

    POST  https://{{CM_Node_IP}}/api/change-password
    
    {
        "username": "admin",
        "temp_password": "temppwd",
        "new_password": "password"
    }
    

Create HA group and Start CM Services

  1. Log in to CM_Node_1 by sending a POST request to the /api/login endpoint.

    POST  https://{{CM_Node_1_IP}}/api/login
    
    {
      "username": "username",
      "password": "password"
    }
    

    Important

    • If you select Node_1 as your first instance, make sure you do all operations on the same node.

  2. To configure the high availability group, collect the fingerprints of the other two nodes by sending a GET request to Node_1 using system/infra/nodes/cert-fingerprint?address=<node_address> endpoint. Modify node_address with corresponding node addresses to get the respective node’s fingerprint.

    GET  https://{{CM_Node_1_IP}}/api/v1/system/infra/nodes/cert-fingerprint?address=<node_address>
    

    Resend this request on Node 1, using the modified node address that corresponds to the IP address of the VM instance being added to the high availability group.

    For more information about this request, see OpenAPI documentation.

  3. Create the high availability group by sending the POST request to system/infra/nodes endpoint on Node 1.

    POST  https://{{CM_Node_1_IP}}/api/v1/system/infra/nodes
    

    For the request payload, use the following example, modifying the values as required.
    node_address is the IP address of the node being added.
    fingerprint is that node's fingerprint, used to validate the certificate of the node being added.

    [
        {
            "node_address": "{{CM_Node_2_IP}}",
            "username": "user1",
            "password": "password",
            "fingerprint": "{{CM_Node_2_Fingerprint}}"
        },
        {
            "node_address": "{{CM_Node_3_IP}}",
            "username": "user2",
            "password": "password",
            "fingerprint": "{{CM_Node_3_Fingerprint}}"
        }
    ]
    

    For more information about this API request, see OpenAPI documentation.

  4. Check the node status again by sending a GET request to the /system/infra/nodes endpoint until the nodes are in the ready state.

    GET  https://{{CM_Node_1_IP}}/api/v1/system/infra/nodes
    

    Note: It might take about 30 seconds for the group to be in the ready state.

Replace Unhealthy Nodes in BIG-IP Next Central Manager

Follow these steps if one of the nodes in the BIG-IP Next Central Manager HA group becomes unavailable or needs to be replaced:

  1. Access the BIG-IP Next Central Manager GUI:

    • Open a web browser and enter the IP address of the Standalone BIG-IP Next Central Manager Virtual Machine (VM) instance.

    • Log in to the BIG-IP Next Central Manager GUI using your admin credentials.

  2. Navigate to the System Menu:

    • Click the workspace menu and navigate to the System menu.

    • Click Manage in the Properties page. This will list the existing virtual machine nodes under the Nodes table.

  3. Identify Unhealthy Nodes:

    • If any of the nodes are down or unavailable, the Status will be shown as Not Ready.

  4. Remove the Unhealthy Node:

    • Select the node that needs to be replaced and click Remove.

    • Click Yes, Delete in the Delete Node pop-up window.

  5. Prepare a New BIG-IP Next Central Manager VM Instance:

    • Set up a new Central Manager Virtual Machine instance.

    Note: Log in to the BIG-IP Next Central Manager GUI of the new Virtual Machine instance and change the default admin/admin credentials.

  6. Log Back into the Existing BIG-IP Next Central Manager HA Setup:

    • Log back into the GUI of the existing BIG-IP Next Central Manager High Availability setup.

  7. Navigate to the System Menu:

    • Click the workspace menu and navigate to the System menu.

    • Click Manage in the Properties page. This will list the existing virtual machine nodes under the Nodes table.

  8. Add the Replacement Node:

    • Click the +Add button to add the replacement node to the BIG-IP Next Central Manager High Availability setup.

    • Enter the Username, Password, and IP Address of the Virtual Machines (VMs) to be added.

    • Click Save.

  9. Enable Clustering:

    • Click Add on the Add Node and Enable Clustering? pop-up window.

    • Verify the fingerprint of the Node and click Accept in the Continue Connecting? pop-up window.

  10. Wait for Node Readiness:

    • Wait for up to 15 minutes for the newly added node to be shown with the status as Ready.

Prerequisite

  • Make sure that you create new Virtual Machine (VM) instances to replace the existing unhealthy node.

  • Authenticate with the BIG-IP Next Central Manager API. For details, refer to How to: Authenticate with the BIG-IP Next Central Manager API.

  • Change the default Central Manager password for all three VM instances by using the following API.

    Note: You don’t need to log in to the VM over SSH. If you do for diagnostic purposes, make sure to change the default SSH password.

    POST  https://{{CM_Node_IP}}/api/change-password
    
    {
        "username": "admin",
        "temp_password": "temppwd",
        "new_password": "password"
    }
    

Create HA group and Start CM Services

  1. Log in to CM_Node_1 by sending a POST request to the /api/login endpoint.

    POST  https://{{CM_Node_1_IP}}/api/login
    
    {
      "username": "username",
      "password": "password"
    }
    

    Important

    • If you select Node_1 as your first instance, make sure you do all operations on the same node.

  2. Retrieve the list of the nodes by sending the GET request to system/infra/nodes endpoint.

    GET  https://{{CM_Node_1_IP}}/api/v1/system/infra/nodes
    

    From the response, identify the name of the node that is either unhealthy or requires replacement within the cluster.

    For more information about this request, see OpenAPI documentation.

  3. Remove the unhealthy node by sending a DELETE request to /api/v1/system/infra/nodes/<node_name>.

    Modify the node_name with the unhealthy node name.

    DELETE https://{{CM_Node_IP}}/api/v1/system/infra/nodes/<node_name>
    
  4. Collect the fingerprints of the replacement node by sending a GET request to Node_1 using system/infra/nodes/cert-fingerprint?address=<node_address> endpoint.

    Modify node_address with the IP address of the replacement VM instance.

    GET  https://{{CM_Node_1_IP}}/api/v1/system/infra/nodes/cert-fingerprint?address=<node_address>
    

    Resend this request on Node 1, using the modified node address that corresponds to the IP address of the VM instance being added to the high availability group.

    For more information about this request, see OpenAPI documentation.

  5. Add the new node by sending the POST request to system/infra/nodes endpoint on Node 1.

    POST  https://{{CM_Node_1_IP}}/api/v1/system/infra/nodes
    

    For the request payload, use the following example, modifying the values as required.
    node_address is the IP address of the node being added.
    fingerprint is that node's fingerprint, used to validate the certificate of the node being added.

    [
        {
            "node_address": "{{CM_Node_IP}}",
            "username": "user1",
            "password": "password",
            "fingerprint": "{{CM_Node_Fingerprint}}"
        }
    ]
    

    For more information about this API request, see OpenAPI documentation.

  6. Check the node status again by sending a GET request to the /system/infra/nodes endpoint until all three nodes are in the ready state.

    GET  https://{{CM_Node_1_IP}}/api/v1/system/infra/nodes
    

    Note: It might take about 30 seconds for the group to be in the ready state.

Backup and Restore the BIG-IP Central Manager instance

Refer to How to: Back up and restore the BIG-IP Next Central Manager

Upgrade the BIG-IP Next Central Manager

Refer to How to: Upgrade the BIG-IP Next Central Manager