CNFs Licensing

Overview

The Cloud-Native Network Functions (CNFs) software requires a valid CNFs license to begin processing 5G application traffic using CNFs CRs. Once the CNFs CWC obtains a valid license, it begins collecting and reporting monthly CNFs software CRD usage summary telemetry statistics for the cluster. CNFs uses F5’s flexible consumption software licensing model, billing only for the CNFs features used.

_images/spk_info.png Note: CNFs Licensing applies to the cluster level, and is performed prior to installing the CNFs Controller instances.

This document guides you through the activating the CNFs software license.

CPCL modes

As described in the CNFs CWC guide, the Common Product Component and Libraries (CPCL) module supports two licensing modes:

  • disconnected - When the CWC does not have access to the internet, each licensing task must be performed manually. Use this document to perform the required licensing steps.
  • connected - When the CWC has access the internet, it can automatically perform each of the licensing tasks. Use this document to obtain the license status.

Licensing stages

When the CWC’s CPCL module operates in disconnected mode; having no direct access to the internet, uploading license reports and obtaining signed license acknowledgements from the F5 licensing server must be performed manually. Once the CWC and Controllers are installed, the licensing and entitlement events occur as follows:

  1. Obtain the JSON Web Token (JWT).
  2. Check CWC licensing status.
  3. Download the CWC cluster report.
  4. Send the report to the F5 licensing server.
  5. Send the signed acknowledgement to CWC.

Telemetry reports

Once the cluster is successfully licensed, the CWC enters a Telemetry In Progress state, calculating the software CRD usage summary telemetry statistics for the cluster. At the end of each month, the CWC generates a telemetry report which should be downloaded, sent to the F5 licensing server for acknowledgement, and the signed acknowledgement should then be sent back to the CWC. If a telemetry report is not signed by the F5 licensing server at the end of the month, it will be consolidated with the next telemetry report, and a consolidated report will then be available to download and sign.

Example of the Telemetry In Progress and report EndDate:

"TelemetryStatus": {
    "NextReport": {
        "StartDate": "2023-01-06 13:59:35.306014074 +0000 UTC m=+1346.343452122",
        "EndDate": "2023-01-31 13:59:35",
        "State": "Telemetry In Progress"
    }
}

License expiration

The cluster license requires renewal after the LicenseExpiryDate has passed. It is important to note that CNFs does not stop processing application traffic after this time, but will begin logging messages indicating the cluster must be relicensed.

Example of the LicenseExpiryDate:

"LicenseDetails": {
    "DigitalAssetID": "5ec9234e-8df3-4d90-9536-45142b87049f",
    "EntitlementType": "paid",
    "LicenseExpiryDate": "2022-11-17T00:00:00Z",
    "LicenseExpiryInDays": "204"
}

Licensing APIs

The CWC licensing APIs listed below can be used to perform licensing tasks programmatically, or with API platforms other than Postman. Refer to the Gather API info section to obtain the CWC’s SSL/TLS certificates and hostname. To license the cluster, refer to the Procedures section of this document.

_images/spk_warn.png Important: The URL to contact the CWC Pod includes the namespace name. In the examples below the CWC is in the cnf-gateway namespace.

License status

Returns the current CWC licensing status. This API should be used both for licensing the cluster and checking the telemetry report status. The LicenseStatus should indicate Config Report Ready to Download prior to downloading a license report.

https://f5-cnf-cwc.cnf-gateway:30881/status

Example:

curl --cert client_certificate.pem --key client_key.pem --cacert ca_certificate.pem \
https://f5-cnf-cwc.cnf-gateway:30881/status

License report

Downloads the CWC license report for the cluster. The license report will be sent to the F5 licensing server for acknowledgement.

https://f5-cnf-cwc.cnf-gateway:30881/report

Example:

curl --cert client_certificate.pem --key client_key.pem --cacert ca_certificate.pem \
https://f5-cnf-cwc.cnf-gateway:30881/report

Send report

Sends the license report to Telemetry server for acknowledgement. Send the full report, including the {} curly brackets.

Note: The DigitalAssetID is obtained from the License status, and the JWT from your MyF5 account.

https://product.apis.f5.com/ee/v1/entitlements/telemetry

Example:

curl -X POST https://product.apis.f5.com/ee/v1/entitlements/telemetry \
-H "Content-Type: application/json" -H "F5-DigitalAssetId: <Digital_Asset_ID>" \
-H "User-Agent: CNF" -H "Authorization: Bearer <JWT_Object>" -d '<Full_Report>'

Send manifest

Sends the acknowledged manifest to CWC. Send only the manifest data, no curly brackets {}, or quotations.

https://f5-cnf-cwc.cnf-gateway:30881/receipt 

Example:

curl --cert client_certificate.pem --key client_key.pem --cacert ca_certificate.pem \
https://f5-cnf-cwc.cnf-gateway:30881/receipt -d eyJhbGciOiJSUzUxMiIs

Reactivate/Switch License

Sends the JWT object to CWC. Send only the JWT data, no curly brackets {}, or quotations.

Can either switch a license from evaluation to paid license using the new JWT, or resubmit a JWT that was not properly submitted causing a CWC failure.

https://f5-cnf-cwc.cnf-telemetry:30881/reactivate

Example:

curl --k --cert-type PEM -cert client_certificate.pem --key client_key.pem --cacert ca_certificate.pem \
https://f5-cnf-cwc.cnf-telemetry:30881/reactivate -d <JWT object>

Requirements

Ensure you have:

Procedures

Gather API info

Licensing the CNFs software requires querying the CWC REST API to determine the cluster’s licensing status, and uploading a valid license. To authenticate the CWC REST API, the SSL/TLS certificates and the IP address of the API interface must first be obtained. Use the steps below to obtain the API information.

  1. Create a new directory for the CWC REST API certificates:

    mkdir cwc_api
    
  2. Copy each of the certificates into the new directory:

    cp api-server-secrets/ssl/client/certs/client_certificate.pem cwc_api
    
    cp api-server-secrets/ssl/ca/certs/ca_certificate.pem cwc_api
    
    cp api-server-secrets/ssl/client/secrets/client_key.pem cwc_api
    
  3. Obtain the name of the CWC Pod in the cluster:

    In this example, the CWC is in the cnf-gateway namespace.

    oc get pods -n cnf-gateway | grep f5-cnf-cwc
    

    In this example, the CWC Pod is named f5-cnf-cwc-86d89c4548-fmwpl.

    f5-cnf-cwc-86d89c4548-fmwpl   2/2     Running
    
  4. Obtain the IP address of the node the CWC Pod is scheduled on:

    In this example, the CWC is in the cnf-gateway namespace.

    oc describe pod f5-cnf-cwc-86d89c4548-fmwpl -n cnf-gateway | grep Node:
    

    In this example, the CWC Pod is running on worker-0.ocp.f5.com with IP address 10.144.175.18.

    Node:         worker-0.ocp.f5.com/10.144.175.18
    
  5. Edit the hosts file on your system, or setup DNS resolution mapping the node IP address to the CWC’s hostname:

    _images/spk_warn.png Important: The CWC hostname is required for SSL/TLS certiicate validation.

    10.144.175.18 f5-cnf-cwc.<namespace>
    

    In this example, the CWC is in the cnf-gateway namespace.

    10.144.175.18 f5-cnf-cwc.cnf-gateway
    

License the cluster in Disconnected Mode

Use the following steps to license the cluster in disconnected mode:

  1. Verify the current LicenseStatus of the CWC Pod, and obtain the DigitalAssetID used to license the cluster:

    curl --key cwc_api/client_key.pem --cert cwc_api/client_certificate.pem \
    --cacert cwc_api/ca_certificate.pem https://f5-spk-cwc.spk-telemetry:30881/status
    

    In this example, LicenseStatus shows Config Report Ready to Download, and the DigitalAssetID is b9270cae-5980-4c0e-bb44-f1948ff4b235.

    {"InitialRegistrationStatus":{"ClusterDetails":{"Name":"SPK Cluster"},
    "LicenseDetails":{"DigitalAssetID":"b9270cae-5980-4c0e-bb44-f1948ff4b235",
    "EntitlementType":"paid"},"LicenseStatus":{"State":"Config Report Ready to Download"}},"TelemetryStatus":{}
    
  2. Download the Config Report and copy/paste it into a text file:

    curl --key cwc_api/client_key.pem --cert cwc_api/client_certificate.pem \
    --cacert cwc_api/ca_certificate.pem https://f5-spk-cwc.spk-telemetry:30881/report
    

    The command output should appear similar to this truncated example:

    {"report": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJwYXlsb2FkIjp7ImRv"}
    
  3. Send the Config Report, including the { and } characters, to the F5 licensing server along with the DigitalAssetID and your unique JWT:

    Important: The returned manifest is quite large, the command below captures the output to a file named manifest.txt.

    curl -X POST https://product.apis.f5.com/ee/v1/entitlements/telemetry \
    -H "Content-Type: application/json" \
    -H "F5-DigitalAssetId: b9270cae-5980-4c0e-bb44-f1948ff4b235" \
    -H "User-Agent: SPK" \
    -H "Authorization: Bearer eyJhbGciOiJSUzUxMiIsInR5cCI6" \
    -d '{"report": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJwYXlsb2FkIjp7ImRv"}' > manifest.txt
    
  4. View the contents of the returned manifest.txt file:

    cat manifest.txt
    

    The command output should resemble this truncated example:

    {"manifest":"eyJhbGciOiJSUzUxMiIsImtpZCI6InYxIiwiamt1"}
    
  5. Send only the Manifest string after the : character. Do not include the { and } or characters:

    curl --key cwc_api/client_key.pem --cert cwc_api/client_certificate.pem \
    --cacert cwc_api/ca_certificate.pem https://f5-spk-cwc.spk-telemetry:30881/receipt \
    -d eyJhbGciOiJSUzUxMiIsImtpZCI6InYxIiwiamt1
    
  6. Verify the cluster license status:

    curl --key cwc_api/client_key.pem --cert cwc_api/client_certificate.pem \
    --cacert cwc_api/ca_certificate.pem https://f5-spk-cwc.spk-telemetry:30881/status
    

    The command output indicates the EntitlementType is paid and the LicenseExpiryDate is 2024-03-05. The LicenseExpiryInDays shows expiration occurs in 362 days.

    {"Status":{"ClusterDetails":{"Name":"SPK Cluster"},"LicenseDetails":{"DigitalAssetID":"f06ae970-5b16-4fc1-894e-ce419b928cc9",
    "EntitlementType":"paid","LicenseExpiryDate":"2024-03-05T00:01:13Z","LicenseExpiryInDays":"362"},
    "LicenseStatus":{"State":"Verification Complete"}},"TelemetryStatus": {"NextReport":
    {"StartDate":"2023-03-08 00:03:20.585513148 UTC m=+3093.980461514","EndDate":"2023-03-31 00:03:20 UTC",
    "State":"Telemetry In Progress"}
    

License the cluster in Connected Mode

Use the following step to license the cluster in connected mode:

  • Verify the cluster license status:

    curl --key cwc_api/client_key.pem --cert cwc_api/client_certificate.pem \
    --cacert cwc_api/ca_certificate.pem https://f5-spk-cwc.spk-telemetry:30881/status
    

    The command output indicates the EntitlementType is paid and the LicenseExpiryDate is 2024-03-05. The LicenseExpiryInDays shows expiration occurs in 362 days.

    {"Status":{"ClusterDetails":{"Name":"SPK Cluster"},"LicenseDetails":{"DigitalAssetID":"f06ae970-5b16-4fc1-894e-ce419b928cc9",
    "EntitlementType":"paid","LicenseExpiryDate":"2024-03-05T00:01:13Z","LicenseExpiryInDays":"362"},
    "LicenseStatus":{"State":"Verification Complete"}},"TelemetryStatus": {"NextReport":
    {"StartDate":"2023-03-08 00:03:20.585513148 UTC m=+3093.980461514","EndDate":"2023-03-31 00:03:20 UTC",
    "State":"Telemetry In Progress"}
    

Switching License

Use the following steps to switch license:

  1. Verify the current license status.

    It should be Verification Complete.

  2. Verify the status of Telemetry.

    It should be Telemetry in Progress.

  3. Switch license by calling /reactivate API.

    Example:

    curl --k --cert-type PEM -cert client_certificate.pem --key client_key.pem --cacert ca_certificate.pem \
    https://f5-spk-cwc.spk-telemetry:30881/reactivate -d <JWT object>
    
  4. Download Update report. This update report is the aggregated telemetry report from the start of month till the switch license is triggered.

    Example:

    curl --cert client_certificate.pem --key client_key.pem --cacert ca_certificate.pem \
    https://f5-spk-cwc.spk-telemetry:30881/report
    
  5. Send Update Report to Telemetry server.

    Example:

    curl -X POST https://product.apis.f5.com/ee/v1/entitlements/telemetry \
    -H "Content-Type: application/json" -H "F5-DigitalAssetId: <DigitalAssetID>" \
    -H "User-Agent: SPK" -H "Authorization: Bearer <JWT Object>" -d '<Full_Report>'
    
  6. View the contents of manifest file.

  7. Send manifest string to CWC using /receipt API.

  8. Verify status again.

_images/spk_info.png Notes:

  1. Switching is allowed from eval to paid and from paid to paid, but not from eval to eval.

  2. Switching is not allowed when current telemetry report is in any of the below states. User is expected to submit these reports, prior to switching the license

    a. Config report ready to download

    b. Config report downloaded

Next step

Continue to the BIG-IP Controller installation guide.

Feedback

Provide feedback to improve this document by emailing cnfdocs@f5.com.