Manual Chapter : Setting up F5 Guided Configuration for SSL Orchestrator

Applies To:

Show Versions Show Versions
Manual Chapter

Setting up F5 Guided Configuration for SSL Orchestrator

Overview: Setting up F5 Guided Configuration for SSL Orchestrator

To install the F5 Guided Configuration for SSL Orchestrator 15.0.0-6.0 and you do not have an existing SSL Orchestrator add-on license, or a previous version of SSL Orchestrator installed, download the image from downloads.f5.com. For complete step-by-step installation instructions, see the
BIG-IP Systems: Upgrading Software
guide. The F5 Guided Configuration for SSL Orchestrator 6.0 image is packaged with the F5 BIG-IP 15.0.0 image.
To upgrade to the newest version of SSL Orchestrator from a previous version, or you have an existing add-on license, follow the recommended upgrade steps in the
SSL Orchestrator recommended upgrade procedure
section. This procedure walks you through the uninstallation and deletion of existing SSL Orchestrator applications and RPMs before installing the new ISO image.
If you do not follow the recommended upgrade procedure to undeploy your previous SSL Orchestrator deployments, as well as uninstall your previous version of the application, further manual steps are required to reset your environment and undeploy the previous version. See the
Upgrade from previous F5 SSL Orchestrator versions using the recovery procedure
task steps based on the previous version of SSL Orchestrator you are upgrading from and your access to the BIG-IP Applications LX menu.
These upgrade steps are required since in some cases previously deployed SSL Orchestrator configurations cannot be rolled forward or imported into the new version of SSL Orchestrator. Following one of the recommended upgrade procedures will assist you in preparing your system for a clean installation.
If you are implementing a high availability environment for SSL Orchestrator, review the
Setting up F5 Guided Configuration for SSL Orchestrator in High Availability
section for more detailed information.

F5 SSL Orchestrator recommended upgrade procedure

F5 recommends you follow the procedure shown below when upgrading to the newest version of SSL Orchestrator from a previous version.
Some sections are conditional and are based on your particular upgrade path. Ensure that you review all instructions and conditions for which sections are optional, required, or can be skipped.
  • Export currently deployed SSL Orchestrator configurations
  • Undeploy your currently deployed SSL Orchestrator application
  • Uninstall SSL Orchestrator
  • Install the new BIG-IP ISO image
  • Boot into the new partition and activate the upgrade installation
  • Provision the newly activated resource
  • Using the F5 SSL Orchestrator setup utility
After an RPM upgrade from 14.1.x-5.0 to 15.0.0-6.0, previously existing egress topology configurations may contain incorrect egress settings and may result in a broken configuration. This error occurs after an RPM upgrade due to the system settings choosing either IPv4 or IPv6 when the topology workflow still allows a configuration to be created using both IPv4 and IPv6. To fix this conflict, update the configuration so that it is either using IPv4 or IPv6 and deploy the configuration again.

Exporting currently deployed F5 SSL Orchestrator configurations

If you are upgrading SSL Orchestrator from 13.0.0-2.3 or 13.1.0-3.0, you have the option to first export any currently deployed configurations. Only SSL Orchestrator versions 13.0.0-2.3 and 13.1.0-3.0 contain the export functionality.
By exporting previously successful deployment configurations as JSON files, you can examine their configuration settings prior to new deployments with SSL Orchestrator.
Whether you have access to the export functionality or not, you can review any current configurations and make notes that are important for new configurations once you upgrade.
  1. Log in to SSL Orchestrator version 13.0.0-2.3 or 13.1.0-3.0.
  2. On the Main tab, click
    Settings
    Export Configs
    to view the export configuration settings. The Export Configurations screen opens.
    If you do not have any previously saved deployments, no information displays.
  3. In the
    Export Configurations
    table, select a previously deployed configuration.
  4. Click
    Export
    .
    A dialog box pop-up opens showing the JSON configuration information to be exported and asks
    Do you wish to export the current SSL Orchestrator Configuration settings to a .json file?
  5. To export the current SSL Orchestrator settings into a JSON export file, click
    OK
    , or click
    Cancel
    to stop the export process.
  6. Type the file name of the JSON file to export.
  7. Click
    OK
    .
The configuration information you selected to export is downloaded to your local system as a JSON file for later use as a reference to your previous deployments. You are now ready to undeploy your SSL Orchestrator configuration.

Undeploying your currently deployed F5 SSL Orchestrator application

If you are upgrading SSL Orchestrator from versions 14.0.x or older to 15.0.0, this task is required for a successful upgrade.
If you are upgrading SSL Orchestrator from version 14.1.x to 15.0.0, you can skip to the
Installing the new BIG-IP ISO image
section.
To undeploy your currently deployed configuration, do the following:
  1. On the Main tab, click
    SSL Orchestrator
    Configuration
    . The SSL Orchestrator Configuration screen opens.
  2. For SSL Orchestrator versions prior to 14.0.x-5.x, click
    Undeploy
    .
  3. For SSL Orchestrator versions 14.1.x-5.x or higher, select the check box next to the name of the deployments you want to remove and click
    Delete
    .
Your entire SSL Orchestrator configuration is now removed from your system and you are ready to uninstall your SSL Orchestrator application.

Uninstalling F5 SSL Orchestrator

If you are upgrading SSL Orchestrator from versions 14.0.x or older to 15.0.0, this task is required for a successful upgrade.
If you are upgrading SSL Orchestrator from version 14.1.x to 15.0.0, you can skip to the
Installing the new BIG-IP ISO image
section.
To uninstall your SSL Orchestrator application, do the following:
  1. On the Main tab, click
    SSL Orchestrator
    Updates
    . The Updates screen opens.
  2. Under the Version field, click
    Uninstall
    .
  3. Click
    OK
    .
    Do not click on any link underneath the SSL Orchestrator tab after you click
    OK
    or the system will automatically reinstall.
    Your application is now removed from your system and you are ready to install the new BIG-IP 15.0.0 ISO image.

Installing the new BIG-IP ISO image

The latest version of SSL Orchestrator (6.0) is included with the BIG-IP 15.0.0 ISO image. When you install the F5 BIG-IP 15.0.0 ISO image, the BIG-IP system installs the configuration of the currently active boot location on the target installation location.
If you have not already done so, download BIG-IP SSL Orchestrator:
  1. Go to https://downloads.f5.com and click Downloads. The
    Downloads
    Overview screen opens.
  2. Click
    Find a Download
    . The Select a Product Line screen opens.
  3. In the
    F5 Product Family
    column, find the Security section.
  4. In the
    Product Line
    column, click
    SSL Orchestrator
    . The Select a Product Version and Container for SSL Orchestrator screen opens.
  5. Select
    15.0.0
    from the list of BIG-IP version numbers and then click SSL Orchestrator. The Software Terms and Conditions screen opens.
  6. Click
    I Accept
    . The Select a Download screen appears.
  7. Click the appropriate filename to download BIG-IP SSL Orchestrator.
  8. To install BIG-IP SSL Orchestrator, on the Main tab, click
    System
    Software Management
    Image List
    . The Images List screen opens.
  9. From the
    Available Images
    section, select the check box next the to BIG-IP 15.0.0 ISO image.
  10. Click
    Install
    . The Install Software Image pop-up screen opens.
  11. In the
    Volume set name
    list, type a Boot Location name or number.
  12. Click
    Install
    . The Images List screen opens.
    If necessary, click the browser Refresh button if the BIG-IP version 15.0.0 image does not appear in the Installed Images list.
  13. The BIG-IP installation is complete once the
    Install Status
    column for version 15.0.0 indicates
    complete
    .
You are now ready to boot into the new partition and activate the newly installed version of SSL Orchestrator.
For complete step-by-step installation and upgrade instructions for BIG-IP, see the
BIG-IP Systems: Upgrading Software
document.

Booting into the new partition and activating the upgrade installation

To upgrade SSL Orchestrator to 15.0.0-6.0 when your system is partitioned with both 15.0.0-6.0 and a version prior to 14.1.0-5.0, do the following:
  1. On the Main tab, click
    System
    Software Management
    Boot Locations
    . The Boot Locations screen appears.
  2. Click the Boot Location name you created in the Boot Location column for BIG-IP 15.0.0. The
    General Properties
    screen opens.
  3. From the
    Install Configuration
    list, click
    Yes
    .
    This option is not supported on VIPRION platforms. If you are using SSL Orchestrator on a VIPRION platform, refer to K14724: Using the cpcfg command to copy a configuration from one boot location to another on AskF5 for detailed instructions.
  4. Click
    Activate
    .
  5. Click
    OK
    .
Your newly changed system will reboot the BIG-IP device as it switches partition to the newest version.

Provisioning the newly activated resource

If you are upgrading SSL Orchestrator from versions 14.0.x or older to 15.0.0, this task is required for a successful upgrade.
If you are upgrading SSL Orchestrator from version 14.1.x to 15.0.0, this task is optional and you can skip to the next section.
Your newly installed BIG-IP SSL Orchestrator must now be provisioned. After your system reboots, do the following:
  1. Use your previous SSL Orchestrator
    Username
    and
    Password
    to sign in. Click
    Log in
    . The Welcome screen opens.
  2. On the Main tab, click
    System
    Resource Provisioning
    to provision the system. The Resource Provisioning screen opens.
  3. In the
    Module
    column, locate SSL Orchestrator and select the check box in the
    Provisioning
    column if it is not already checked. The Provisioning column will change from
    None
    to
    Nominal
    if the check box was not already checked.
  4. Click
    Submit
    .
  5. Click
    OK
    . Your newly changed system will reboot the BIG-IP device as it provisions SSL Orchestrator.
  6. Click
    Continue
    .
A new version of F5 BIG-IP SSL Orchestrator has been successfully installed and provisioned and you are ready to begin setting up SSL Orchestrator using the Setup Utility. Refer to the
Using the F5 SSL Orchestrator setup utility
section.
If you do not follow the F5 recommended upgrade procedure, SSL Orchestrator will guide you through the upgrade scenario, providing warning messages and links to required tasks, as it assist you in activating and provisioning your newly installed resource.

Using the F5 SSL Orchestrator setup utility

Before you begin, make sure you set up a management IP address, netmask, and default routing on your system and that you have no license currently installed.
If at any time during your configuration you need to return to the SSL Orchestrator Setup Utility, simply click the F5 logo in the upper-left corner of the configuration utility, and on the Welcome screen, click the Run the Setup Utility link.
Fields marked with a blue ribbon are required fields that must be completed before you can finish a task.
The SSL Orchestrator setup utility guides you through the basic, minimal setup configuration for SSL Orchestrator.
  1. On the Welcome screen, click
    Next
    .
  2. On the License screen, click
    Activate
    .
  3. In the
    Base Registration Key
    field, paste your SSL Orchestrator base license registration key and click
    Next
    .
  4. On the EULA screen, click
    Accept
    .
    The license activates and the system reboots for the configuration changes to take effect.
  5. After the system reboots, click
    Continue
    . The Resource Provisioning screen opens.
    If you want to validate the installed license and the active and optional modules before proceeding, click
    Setup Utility
    License
    . The License screen opens. Click
    Next
    to return to the Resource Provisioning screen.
  6. On the Resource Provisioning screen, an Informational message indicates that the selected modules are recommended for your current, active license.
  7. You may modify the selections as needed based on additional licenses that need to be recognized during provisioning.
  8. Click
    Next
    to indicate you accept the module setup and then click
    OK
    to provision the selected modules.
    Reprovisioning may restart daemons or reboot the system causing lost connects.
  9. Click
    Continue
    . The Device Certificates screen opens where you can review Certificate Properties.
  10. Click
    Next
    . The Platform screen opens.
    You may also click
    Renew
    to launch a Device Certificates screen where you can make edits to the various fields.
  11. In the
    Host Name
    field, type the host name (example: bigip.f5.com).
  12. In the
    Root Account
    and
    Admin Account
    fields, type a respective password and then confirm it.
  13. Click
    Next
    .
  14. Click
    OK
    .
    Since you have updated your password, you will be logged out. You must log in again with your new password before continuing.
  15. Log back in by typing your new password and click
    Log in
    . The Network Time Protocol NTP Configuration screen opens.
  16. Click
    Next
    . The Domain Name Server DNS Configuration screen opens.
  17. Click
    Next
    . The Forward Proxy Certificate screen opens.
  18. On the Forward Proxy Certificate screen, do the following to provide
    Forward Proxy Certificate
    and
    Key Source
    details.
    • In the
      Certificate Name
      field, maintain the default
      New
      radio button and type a name for the certificate (example: newCert).
    • In the
      Certificate Source
      field, maintain the default
      Upload File
      radio button and click
      Choose File
      . Select a certificate file from your local system and click
      Open
      .
    • In the
      Key Source
      field, maintain the default
      Upload File
      radio button and click
      Choose File
      . Select a key file from your local system and click
      Open
      .
    • In the
      Security Type
      field, maintain the
      Normal
      default setting.
  19. Click
    Finish
    .
You are now ready to log in to the BIG-IP and start using F5 Guided Configuration for SSL Orchestrator by clicking
SSL Orchestrator
Configuration
.

Overview: Setting up F5 Guided Configuration for SSL Orechstrator logs settings

The SSL Orchestrator Settings option in the Logs menu can be used to enable logging for selected facilities at various levels of severity to describe the system messages. Facilities describe the specific element of the system generating the message: Per-Request Policy, FTP, IMAP, POP3, SMTPS, SSL Orchestrator Generic.
Each available level describes the severity of the message and are listed in order of the severity of the messages they handle. Generally, higher levels contain all the messages for lower levels. For example, the Alert level will generally also report all messages from the Emergency level, and the Debug level will generally also report all messages for all levels.

Setting up logs settings

Use the following procedure to set up your SSL Orchestrator logs settings with specific severity levels.
  1. On the Main tab, click
    SSL Orchestrator
    Logs
    Settings
    . The Logs Settings screen opens.
  2. If the
    Enable
    check box is not pre-selected, select the check box to see the available levels for each facility. The default severity is Debug.
  3. For each facility, you can select from the following log setting severities:
    • Emergency
      : Specifies the emergency system panic messages. Severity: Minimum.
    • Alert
      : Serious errors that require administrator intervention. Severity: Low.
    • Critical
      : Critical errors, including hardware and filesystem failures. Severity: Low.
    • Error
      : Non-critical, but possibly very important, error messages. Severity: Low.
    • Warning
      : Warning messages that should at least be logged for review. Severity: Medium.
    • Notice
      : Messages that contain useful information, but may be ignored. Severity: Medium.
    • Information
      : Messages that contain useful information, but may be ignored. Severity: High.
    • Debug
      : Messages that are only necessary for troubleshooting. Severity: Maximum.
  4. Click
    Save
    .

Overview: Upgrade from previous F5 SSL Orchestrator versions using the recovery procedure

If you need to recover from a failed recommended upgrade procedure and still need to undeploy your previous SSL Orchestrator deployments, as well as uninstall your previous version of the application, manual steps are required to reset your environment and undeploy the previous version.
Depending on your previous SSL Orchestrator version and current access to the BIG-IP Applications LX menu, use one of the following upgrade paths:
  • Upgrading from SSL Orchestrator versions 12.x.x, 13.x.x using recovery procedure
  • Upgrading from SSL Orchestrator versions 14.0.x using recovery procedure with Applications LX menu access
  • Upgrading from SSL Orchestrator versions 14.0.x using recovery procedure without Applications LX menu access

Upgrading from F5 SSL Orchestrator versions 12.x.x, 13.x.x using recovery procedure

  • Access to log on to the BIG-IP console as root or equivalent privileges.
  • Access to user credentials so to enter a curl command.
To upgrade from SSL Orchestrator version 12.x.x or 13.x.x, follow the procedure in this section to cleanup your environment. When you complete this procedure, your environment will be clean and you can log in to BIG-IP and start using SSL Orchestrator Guided Configuration by clicking
SSL Orchestrator
Configuration
.
Steps to cleanup your environment:
  • Cleaning up forwarding database (FDB) entries
  • Cleaning up nodes
  • Cleaning up iApp application service
  1. Either SSH to BIG-IP as a root user or as a user with equivalent or higher privileges.
    For example, SSH
    root@<Management IP>
    .
  2. Enter the following command to get the SSL Orchestrator block and write down the value for the
    id
    ,
    name
    , and
    state
    attribute from the output of the command.
    curl --insecure -XGET 'https://<<BigIp management IP>>/mgmt/shared/iapp/blocks?$select=id,name,state&$filter=presentationHtmlReference/link%20eq%20%27https://localhost/iapps/f5-iappslx-ssl-orchestrator/index.html%27%20and%20state%20eq%20%27*%27%20and%20state%20ne%20%27TEMPLATE%27' -u <<userID>>:<<password>> | python -m json.tool
    For example, note down the details:
    "id": "2f00771a-48c1-4c0d-a907-b586164177d7", "name": "ssloAppName", "state": "BOUND" [root@localhost:Active:Standalone] config # curl --insecure -XGET 'https://10.192.225.215/mgmt/shared/iapp/blocks?$select=id,name,state&$filter=presentationHtmlReference/link%20eq%20%27https://localhost/iapps/f5-iappslx-ssl-orchestrator/index.html%27%20and%20state%20eq%20%27*%27%20and%20state%20ne%20%27TEMPLATE%27' -u admin:admin | python -m json.tool % Total % Received % Xferd Average Speed Time Time Time Current Dload Upload Total Spent Left Speed 100 265 100 265 0 0 884 0 --:--:-- --:--:-- --:--:-- 904 { "generation": 57, "items": [ { "id": "2f00771a-48c1-4c0d-a907-b586164177d7", "name": "ssloAppName", "state": "BOUND" } ], .... }
  3. Cleaning up forwarding database (FDB) entries
  4. To delete and cleanup the FDB entries, F5 recommends that you first map the MAC addresses and VLAN names so to properly determine the TMUI command to delete the FDB entries. We recommend creating a table to track the required information.
    MAC Address
    VLAN Name
    TMUI Command to delete FDB entry
  5. To retrieve the MAC addresses, enter the following command and populate the table with the correct information.
    curl --insecure -XGET 'https://<<BigIP Management IP>>/mgmt/shared/iapp/blocks?$select=id,name,inputProperties/value/receiveOnlyServices/macAddress&$filter=state%20eq%20%27*%27%20and%20state%20ne%20%27TEMPLATE%27' -u <<userID>>:<<password>>| python -m json.tool
    Update the table with the MAC address details.
    MAC Address
    VLAN Name
    TMUI Command to delete FDB entry
    11:22:33:44:55:66
    77:88:99:11:22:33
    The MAC address information would come from this source:
    [root@localhost:Active:Standalone] config # curl --insecure -XGET 'https://10.192.225.215/mgmt/shared/iapp/blocks?$select=id,name,inputProperties/value/receiveOnlyServices/macAddress&$filter=state%20eq%20%27*%27%20and%20state%20ne%20%27TEMPLATE%27' -u admin:admin | python -m json.tool % Total % Received % Xferd Average Speed Time Time Time Current Dload Upload Total Spent Left Speed 100 390 100 390 0 0 2502 0 --:--:-- --:--:-- --:--:-- 2635 { "generation": 57, "items": [ { "id": "2f00771a-48c1-4c0d-a907-b586164177d7", "inputProperties": [ { "value": { "receiveOnlyServices": [ { "macAddress": "11:22:33:44:55:66" }, { "macAddress": "77:88:99:11:22:33" } ] } }, { "value": true } ], "name": "ssloAppName" } ], ....... }
  6. To retrieve the VLAN names, enter the following command and populate the table with the correct information.
    curl --insecure -XGET 'https://<<Big Ip Management IP>>/mgmt/tm/net/fdb/vlan?$select=name,records/name' -u <<User ID>>:<<Password>> | python -m json.tool
    Update the table with the VLAN name details.
    MAC Address
    VLAN Name
    TMUI Command to delete FDB entry
    11:22:33:44:55:66
    v1
    77:88:99:11:22:33
    v1
    Ignore "v3" because the mapped MAC address in not present in the above table.
    Ignore the MAC address fa:18:4a:ca:c1:4d from any "v1" VLAN name.
    The VLAN name information would come from this source:
    [root@localhost:Active:Standalone] config # curl --insecure -XGET 'https://10.192.225.215/mgmt/tm/net/fdb/vlan?$select=name,records/name' -u admin:admin | python -m json.tool % Total % Received % Xferd Average Speed Time Time Time Current Dload Upload Total Spent Left Speed 100 434 100 434 0 0 1254 0 --:--:-- --:--:-- --:--:-- 1280 { "items": [ { "name": "ssloAppName-70-0-D" }, { "name": "ssloAppName-70-0-S" }, { "name": "ssloAppName-71-0-D" }, { "name": "ssloAppName-71-0-S" }, { "name": "v1", "records": [ { "name": "11:22:33:44:55:66" }, { "name": "77:88:99:11:22:33" }, { "name": "fa:18:4a:ca:c1:4d" } ] }, { "name": "v2", }, { "name": "v3", "records": [ { "name": "fa:16:3e:cb:d1:8d" } ] }, { "name": "v4" } ], ...... }
  7. Use the following command to build the delete commands for cleaning up the FDB entries and update the table.
    modify net fdb vlan <<vlan name>> records delete { <<macaddress>> }
    Update the table with the delete command details.
    MAC Address
    VLAN Name
    TMUI Command to delete FDB entry
    11:22:33:44:55:66
    v1
    modify net fdb vlan v1 records delete { 11:22:33:44:55:66 }
    77:88:99:11:22:33
    v1
    modify net fdb vlan v1 records delete { 77:88:99:11:22:33 }
  8. Enter all of the delete commands for deleting FDB entries. For example:
    tmsh modify net fdb vlan v1 records delete { 11:22:33:44:55:66 }
    tmsh modify net fdb vlan v1 records delete { 77:88:99:11:22:33 }
  9. Cleaning up nodes
  10. To delete the necessary nodes used in different services and objects created through the SSL Orchestrator application, you must identify the list of IP addresses that map to each node. F5 recommends you populate a table to track the information using information output from commands detailed in the steps below. For example:
    IP Address
    TMUI command for deleting nodes
  11. Enter the following command and populate the table with the values in the IP address column. Ignore all duplicates when listing all IP addresses for
    explicitProxyConfiguration
    ,
    ingressDeviceEgressConfiguration
    ,
    ingressDeviceConfiguration
    ,
    egressDeviceEgressConfiguration
    , and
    decryptZone
    .
    curl --insecure -XGET 'https://<<BigIP Management IP>>/mgmt/shared/iapp/blocks?$select=inputProperties/value/generalSection/ingressDeviceEgressConfiguration/ipv4OutboundGateways/ip,inputProperties/value/generalSection/ingressDeviceEgressConfiguration/ipv6OutboundGateways/ip,inputProperties/value/generalSection/egressDeviceEgressConfiguration/ipv4OutboundGateways/ip,inputProperties/value/generalSection/egressDeviceEgressConfiguration/ipv6OutboundGateways/ip&$filter=state%20eq%20%27*%27%20and%20state%20ne%20%27TEMPLATE%27' -u <<userID>>:<<password>> | python -m json.tool
    For example:
    IP Address
    TMUI command for deleting nodes
    90.90.90.94
    90.90.90.95
    2001:0db8:85a3:0000:0000:8a2e:0370:7334
    The
    explicitProxyConfiguration
    ,
    ingressDeviceEgressConfiguration
    ,
    ingressDeviceConfiguration
    ,
    egressDeviceEgressConfiguration
    , and
    decryptZone
    IP address information would come from this source:
    [root@localhost:Active:Standalone] config # curl --insecure -XGET 'https://10.192.225.215/mgmt/shared/iapp/blocks?$select=inputProperties/value/generalSection/ingressDeviceEgressConfiguration/ipv4OutboundGateways/ip,inputProperties/value/generalSection/ingressDeviceEgressConfiguration/ipv6OutboundGateways/ip,inputProperties/value/generalSection/egressDeviceEgressConfiguration/ipv4OutboundGateways/ip,inputProperties/value/generalSection/egressDeviceEgressConfiguration/ipv6OutboundGateways/ip&$filter=state%20eq%20%27*%27%20and%20state%20ne%20%27TEMPLATE%27' -u admin:admin | python -m json.tool % Total % Received % Xferd Average Speed Time Time Time Current Dload Upload Total Spent Left Speed 100 534 100 534 0 0 3144 0 --:--:-- --:--:-- --:--:-- 3296 { "generation": 57, "items": [ { "inputProperties": [ { "value": { "generalSection": { "egressDeviceEgressConfiguration": { "ipv4OutboundGateways": [ { "ip": "" } ], "ipv6OutboundGateways": [ { "ip": "" } ] }, "ingressDeviceEgressConfiguration": { "ipv4OutboundGateways": [ { "ip": "90.90.90.94" }, { "ip": "90.90.90.95" } ], "ipv6OutboundGateways": [ { "ip": "2001:0db8:85a3:0000:0000:8a2e:0370:7334" } ] } } } }, { "value": true } ] } ], "kind": "shared:iapp:blocks:blockcollectionstate", ...... }
  12. List all IP addresses for
    receiveOnlyServices
    and update the IP addresses in the table by entering the following command:
    curl --insecure -XGET 'https://<<BigIP Management IP>>/mgmt/shared/iapp/blocks?$select=inputProperties/value/receiveOnlyServices/ipAddress&$filter=state%20eq%20%27*%27%20and%20state%20ne%20%27TEMPLATE%27' -u <<userID>>:<<password>> | python -m json.tool
    For example:
    IP Address
    TMUI command for deleting nodes
    90.90.90.94
    90.90.90.95
    2001:0db8:85a3:0000:0000:8a2e:0370:7334
    10.10.10.10
    20.20.20.20
    The
    receiveOnlyServices
    IP address information would come from this source:
    [root@localhost:Active:Standalone] config # curl --insecure -XGET 'https://10.192.225.215/mgmt/shared/iapp/blocks?$select=inputProperties/value/receiveOnlyServices/ipAddress&$filter=state%20eq%20%27*%27%20and%20state%20ne%20%27TEMPLATE%27' -u admin:admin | python -m json.tool % Total % Received % Xferd Average Speed Time Time Time Current Dload Upload Total Spent Left Speed 100 311 100 311 0 0 1800 0 --:--:-- --:--:-- --:--:-- 1884 { "generation": 57, "items": [ { "inputProperties": [ { "value": { "receiveOnlyServices": [ { "ipAddress": "10.10.10.10" }, { "ipAddress": "20.20.20.20" } ] } }, { "value": true } ] } ], "kind": "shared:iapp:blocks:blockcollectionstate", ...... }
  13. List all IP addresses for
    icapServices
    and update the IP addresses in the table by entering the following command:
    curl --insecure -XGET 'https://<<BigIP Management IP>>/mgmt/shared/iapp/blocks?$select=inputProperties/value/icapServices/inspectionDevices/ipAddress,inputProperties/value/icapServices/backupItem/inspectionDevices/ipAddress&$filter=state%20eq%20%27*%27%20and%20state%20ne%20%27TEMPLATE%27' -u <<userID>>:<<password>> | python -m json.tool
    For example:
    IP Address
    TMUI command for deleting nodes
    90.90.90.94
    90.90.90.95
    2001:0db8:85a3:0000:0000:8a2e:0370:7334
    10.10.10.10
    20.20.20.20
    30.30.30.30
    40.40.40.40
    50.50.50.50
    The
    icapServices
    IP address information would come from this source:
    [root@localhost:Active:Standalone] config # curl --insecure -XGET 'https://10.192.225.215/mgmt/shared/iapp/blocks?$select=inputProperties/value/icapServices/inspectionDevices/ipAddress,inputProperties/value/icapServices/backupItem/inspectionDevices/ipAddress&$filter=state%20eq%20%27*%27%20and%20state%20ne%20%27TEMPLATE%27' -u <<userID>>:<<password>> | python -m json.tool % Total % Received % Xferd Average Speed Time Time Time Current Dload Upload Total Spent Left Speed 100 538 100 538 0 0 3987 0 --:--:-- --:--:-- --:--:-- 4014 { "generation": 57, "items": [ { "inputProperties": [ { "value": { "icapServices": [ { "backupItem": { "inspectionDevices": [ { "ipAddress": "30.30.30.30" }, { "ipAddress": "40.40.40.40" } ] }, "inspectionDevices": [ { "ipAddress": "30.30.30.30" }, { "ipAddress": "40.40.40.40" } ] }, { "backupItem": { "inspectionDevices": [ { "ipAddress": "50.50.50.50" } ] }, "inspectionDevices": [ { "ipAddress": "50.50.50.50" } ] } ] } }, { "value": true } ] } ], "kind": "shared:iapp:blocks:blockcollectionstate", ..... }
  14. Create the delete commands for cleaning up FDB entries and update the IP addresses in the table by entering the following command:
    delete ltm node <<IP Address>>
    For example:
    IP Address
    TMUI command for deleting nodes
    90.90.90.94
    delete ltm node 90.90.90.94
    90.90.90.95
    delete ltm node 90.90.90.95
    2001:0db8:85a3:0000:0000:8a2e:0370:7334
    delete ltm node 2001:0db8:85a3:0000:0000:8a2e:0370:7334
    10.10.10.10
    delete ltm node 10.10.10.10
    20.20.20.20
    delete ltm node 20.20.20.20
    30.30.30.30
    delete ltm node 30.30.30.30
    40.40.40.40
    delete ltm node 40.40.40.40
    50.50.50.50
    delete ltm node 50.50.50.50
  15. Enter all of the delete commands built in the table.
    Ignore the following error message if any delete commands fail since the node may be getting used somewhere else.
    "Node address '/Common/<<IP Address>>' is referenced by a member of pool '/Common/<<Pool Name>>'"
    Example of delete commands:
    tmsh delete ltm node 90.90.90.94 tmsh delete ltm node 90.90.90.95 tmsh delete ltm node 2001:0db8:85a3:0000:0000:8a2e:0370:7334 tmsh delete ltm node 10.10.10.10 tmsh delete ltm node 20.20.20.20 tmsh delete ltm node 30.30.30.30 tmsh delete ltm node 40.40.40.40 tmsh delete ltm node 50.50.50.50
  16. Cleaning up iApp application service
  17. Enter the following command using the SSL Orchestrator application name noted down in Step 4:
    tmsh delete sys application service <<SSLO App Name>>.app/<<SSLO App Name>>
    For example, "name":"ssloAppName" would look much like this:
    delete sys application service ssloAppName.app/ssloAppName
  18. Enter the following command while replacing the
    <<block id>>
    with the
    id
    value noted down in Step 2:
    curl --insecure --data '{state:"UNBINDING"}' -X PATCH 'https://<<BigIP Management IP>>/mgmt/shared/iapp/blocks/<<block Id>>' -u <<userID>>:<<password>>
    For example:
    curl --insecure --data '{state:"UNBINDING"}' -X PATCH 'https://10.192.225.215/mgmt/shared/iapp/blocks/2f00771a-48c1-4c0d-a907-b586164177d7' -u admin:admin
  19. Wait at least two to three minutes before attempting to execute the following command so to check the status of the iApp block. Repeat this command until the status value changes to
    ERROR/UNBOUND
    .
    curl --insecure -XGET 'https://<<BigIP Management IP>>/mgmt/shared/iapp/blocks?$select=state,id&$filter=id%20eq%20%27<<Block Id>>%27' -u <<userID>>:<<password>> | python -m json.tool
    In this example, the
    id
    that was noted down in Step 2 is:
    2f00771a-48c1-4c0d-a907-b586164177d7
    .
    curl --insecure -XGET 'https://10.192.225.215/mgmt/shared/iapp/blocks?$select=state,id&$filter=id%20eq%20%27
    2f00771a-48c1-4c0d-a907-b586164177d7
    %27' -u admin:admin | python -m json.tool
  20. Enter the following command to delete the iApp block. The block must be in
    EROR
    state before executing this command. Refer to step 16 to check the block state.
    curl --insecure -X DELETE 'https://<<BigIP Management IP>>/mgmt/shared/iapp/blocks/2f00771a-48c1-4c0d-a907-b586164177d7' -u <<userID>>:<<password>>
    For example:
    curl --insecure -X DELETE 'https://10.192.225.215/mgmt/shared/iapp/blocks/2f00771a-48c1-4c0d-a907-b586164177d7' -u admin:admin
You have now cleaned the device of SSL Orchestrator deployments. Log in to the BIG-IP and start using SSL Orchestrator by clicking
SSL Orchestrator
Configuration
.

Upgrading from F5 SSL Orchestrator versions 14.0.x using recovery procedure with Applications LX menu access

To upgrade from SSL Orchestrator versions 14.0.x while you have access to the
Applications LX
menu, follow the procedure in this section to cleanup your environment. When you complete this procedure your environment will be clean and you can log in to BIG-IP and start using SSL Orchestrator Guided Configuration by clicking
SSL Orchestrator
Configuration
.
  1. Login to BIG-IP and navigate to
    iApps
    Application Services
    Applications LX
    .
  2. Select all deployed SSL Orchestrator applications in the table.
  3. Click
    Undeploy
    .
  4. Delete all SSL Orchestrator applications which have the below template type:
    • f5-ssl-orchestrator-storage
    • f5-ssl-orchestrator-network
    • f5-ssl-orchestrator-policy
    • f5-ssl-orchestrator-service
    • f5-ssl-orchestrator-tls
    • f5-ssl-orchestrator
  5. Click
    iApps
    Package Management LX
    . The Package Management LX screen opens.
  6. Select the
    f5-iappslx-ssl-orchestrator
    package and click
    uninstall
    .
You have now cleaned the device of any SSL Orchestrator deployments. Log in to the BIG-IP and start using SSL Orchestrator by clicking
SSL Orchestrator
Configuration
.

Upgrading from F5 SSL Orchestrator versions 14.0.x using recovery procedure without Applications LX menu access

To upgrade from SSL Orchestrator versions 14.0.x and you do not have access to the
Applications LX
menu, follow the procedure in this section to cleanup your environment. When you complete this procedure your environment will be clean and you can log in to BIG-IP and start using SSL Orchestrator Guided Configuration by clicking
SSL Orchestrator
Configuration
.
  1. Enter the following command and note down the
    name
    and
    id
    .
    curl --insecure -XGET 'https://<<BigIP Management IP>>/mgmt/shared/iapp/blocks?$select=id,name&$filter=configurationProcessorReference/link%20eq%20%27https://localhost/mgmt/shared/iapp/processors/f5-iappslx-ssl-orchestrator%27%20and%20state%20ne%20%27TEMPLATE%27' -u <<userID>>:<<password>> | python -m json.tool
    For example, note down the
    name
    and
    id
    details:
    [root@localhost:Active:Standalone] config # curl --insecure -XGET 'https://10.192.225.215/mgmt/shared/iapp/blocks?$select=id,name&$filter=configurationProcessorReference/link%20eq%20%27https://localhost/mgmt/shared/iapp/processors/f5-iappslx-ssl-orchestrator%27%20and%20state%20ne%20%27TEMPLATE%27' -u admin:admin | python -m json.tool % Total % Received % Xferd Average Speed Time Time Time Current . Dload Upload Total Spent Left Speed 100 257 100 257 0 0 1771 0 --:--:-- --:--:-- --:--:-- 1889 { "generation": 11569, "items": [ { "id": "c670eb32-89a5-4555-a2bf-e7a82c743ff6", "name": "sslo_TestSsloApp" } ], ..... }
  2. To delete and cleanup the forwarding database (FDB) entries, F5 recommends you first map the MAC addresses and VLAN names so to properly determine the TMUI command to delete the FDB entries. We recommend creating a table to track the required information.
    MAC Address
    VLAN Name
    TMUI Command to delete FDB entry
  3. To retrieve all of the MAC addresses used for FDB entries, enter the following command and populate the table with the correct information.
    curl --insecure -XGET 'https://<<BigIP Management IP>>/mgmt/shared/iapp/blocks?$select=id,state,name,inputProperties/value/customService/serviceSpecific/macAddress,inputProperties/value/customService/serviceSpecific/vlan&$filter=configurationProcessorReference/link%20eq%20%27https://localhost/mgmt/shared/iapp/processors/f5-iappslx-ssl-orchestrator-service%27%20and%20inputProperties/value/customService/serviceType%20eq%20%27tap%27%20and%20%20state%20ne%20%27TEMPLATE%27' -u <<userID>>:<<password>> | python -m json.tool
    Populate the table with the MAC addresses.
    MAC Address
    VLAN Name
    TMUI Command to delete FDB entry
    fa:16:3e:cb:d1:8d
    fa:16:3e:5d:fe:58
    For example, the MAC address information would come from this source:
    [root@localhost:Active:Standalone] config # curl --insecure -XGET 'https://10.192.225.215/mgmt/shared/iapp/blocks?$select=id,state,name,inputProperties/value/customService/serviceSpecific/macAddress,inputProperties/value/customService/serviceSpecific/vlan&$filter=configurationProcessorReference/link%20eq%20%27https://localhost/mgmt/shared/iapp/processors/f5-iappslx-ssl-orchestrator-service%27%20and%20inputProperties/value/customService/serviceType%20eq%20%27tap%27%20and%20%20state%20ne%20%27TEMPLATE%27' -u admin:bigip123 | python -m json.tool % Total % Received % Xferd Average Speed Time Time Time Current . Dload Upload Total Spent Left Speed 100 645 100 645 0 0 752 0 --:--:-- --:--:-- --:--:-- 761 { "generation": 13107, "items": [ { "id": "9bf2efe3-db82-4c1a-8dd4-52bc23b9d5eb", "inputProperties": [ { "value": { "customService": { "serviceSpecific": { "macAddress": "fa:16:3e:5d:fe:58", "vlan": "/Common/ssloN_vLan3Sslo.app/ssloN_vLan3Sslo" } } } } ], "name": "ssloS_TapService_2", "state": "BOUND" }, { "id": "6e161941-826d-424e-865e-3defbfdfd116", "inputProperties": [ { "value": { "customService": { "serviceSpecific": { "macAddress": "fa:16:3e:cb:d1:8d", "vlan": "/Common/vLan1" } } } } ], "name": "ssloS_TapService", "state": "BOUND" } ], .... }
  4. To retrieve the VLAN names, enter the following command and populate the table with the correct information.
    curl --insecure -XGET 'https://<<BigIP Management IP>>/mgmt/tm/net/fdb/vlan?$select=name,records/name' -u <<userID>>:<<password>> | python -m json.tool
    Update the table with the VLAN name details.
    MAC Address
    VLAN Name
    TMUI Command to delete FDB entry
    fa:16:3e:cb:d1:8d
    vLan1
    fa:16:3e:cb:d1:8d
    ssloN_ssloVlan_1
    fa:16:3e:5d:fe:58
    ssloN_vLan3Sslo
    If the same MAC address is associated with multiple VLANs, note the multiple VLAN names against each of the MAC addresses.
    For example, the information would come from this source:
    [root@localhost:Active:Standalone] config # curl --insecure -XGET 'https://10.192.225.215/mgmt/tm/net/fdb/vlan?$select=name,records/name' -u admin:bigip123 | python -m json.tool % Total % Received % Xferd Average Speed Time Time Time Current . Dload Upload Total Spent Left Speed 100 372 100 372 0 0 1252 0 --:--:-- --:--:-- --:--:-- 1261 { "items": [ { "name": "ssloN_ssloVlan_1", "records": [ { "name": "fa:16:3e:cb:d1:8d" } ] }, { "name": "ssloN_vLan3Sslo", "records": [ { "name": "fa:16:3e:5d:fe:58" } ] }, { "name": "vLan1", "records": [ { "name": "fa:16:3e:cb:d1:8d" } ] }, { "name": "vLan2" }, { "name": "vLan3" }, { "name": "vLan4" } ], .... }
  5. Use the following command to build the delete commands for cleaning up the FDB entries and update the table.
    modify net fdb vlan <<vlan name>> records delete { <<macaddress>> }
    MAC Address
    VLAN Name
    TMUI Command to delete FDB entry
    fa:16:3e:cb:d1:8d
    vLan1
    modify net fdb vlan vLan1 records delete { fa:16:3e:cb:d1:8d }
    fa:16:3e:cb:d1:8d
    ssloN_ssloVlan_1
    modify net fdb vlan ssloN_ssloVlan_1.app/ssloN_ssloVlan_1 records delete {fa:16:3e:cb:d1:8d }
    fa:16:3e:5d:fe:58
    ssloN_vLan3Sslo
    modify net fdb vlan ssloN_vLan3Sslo.app/ssloN_vLan3Sslo records delete {fa:16:3e:5d:fe:58 }
    If you receive a strictness warning (Protcted/Unprotected Configurations) while deleting FDB entries, enter the following command and try to enter the delete command again.
    modify sys application service <<vLan Name>>.app/<<vLan Name>> strict-updates disabled
    For example, the information would come from this source:
    root@(localhost)(cfg-sync Standalone)(Active)(/Common)(tmos)# modify net fdb vlan ssloN_vLan3Sslo.app/ssloN_vLan3Sslo records delete {fa:16:3e:5d:fe:58 } 010715bc:3: The application service (/Common/ssloN_vLan3Sslo.app/ssloN_vLan3Sslo) has strict updates enabled, the object (VLAN /Common/ssloN_vLan3Sslo.app/ssloN_vLan3Sslo) must be updated using an application management interface. root@(localhost)(cfg-sync Standalone)(Active)(/Common)(tmos)# modify sys application service ssloN_vLan3Sslo.app/ssloN_vLan3Sslo strict-updates disabled root@(localhost)(cfg-sync Standalone)(Active)(/Common)(tmos)# modify net fdb vlan ssloN_vLan3Sslo.app/ssloN_vLan3Sslo records delete {fa:16:3e:5d:fe:58 } root@(localhost)(cfg-sync Standalone)(Active)(/Common)(tmos)#
  6. Enter all of the delete commands for deleting FDB entries. For example:
    tms modify net fdb vlan vLan1 records delete { fa:16:3e:cb:d1:8d }
    tmsh modify net fdb vlan ssloN_ssloVlan_1.app/ssloN_ssloVlan_1 records delete {fa:16:3e:cb:d1:8d }
    tmsh modify net fdb vlan ssloN_vLan3Sslo.app/ssloN_vLan3Sslo records delete {fa:16:3e:5d:fe:58 }
  7. Enter the following command on the BIG-IP:
    tmsh
    For example:
    [root@localhost:Active:Standalone] config # tmsh
    root@(localhost)(cfg-sync Standalone)(Active)(/Common)(tmos)#
  8. Enter the following command and press
    tab
    to view the list of deployed application services. The resulting information from this step will be used in step 9.
    delete sys application service
    For example:
    [root@localhost:Active:Standalone] config # tmsh root@(localhost)(cfg-sync Standalone)(Active)(/Common)(tmos)# delete sys application service Options: recursive Configuration Items: ssloN_ssloVlan_1.app/ ssloN_vLan3Sslo.app/ ssloS_HttpService.app/ ssloS_L2Service_1.app/ ssloS_L3Service_2.app/ ssloS_TapService_2.app/ ssloS_iCapService_2.app/ ssloT_sslSettings_1.app/ ssloN_vLan2Sslo.app/ ssloP_PRP1.app/ ssloS_HttpService_1.app/ ssloS_L3Service_1.app/ ssloS_TapService.app/ ssloS_iCapService_1.app/ ssloT_SSL3.app/ sslo_TestSsloApp.app/
  9. Populate a table based on the output from the command used in step 8. For example:
    • Deployment App
      : Name which matches the format <<SSLO deployed App>>.app here <<SSLO deployed App>> is the name which is noted down in step 1.
    • Policy App
      : Name which starts with ssloP_.
    • Services App
      : Name which starts with ssloS_.
    • Network App
      : Name which starts with ssloN_.
    • SSL App
      : Name which starts with ssloT_.
    Deployment App
    Policy App
    Services App
    Network App
    SSL App
    sslo_TestSsloApp.app/
    ssloP_PRP1.app/
    ssloS_HttpService.app/
    ssloS_L2Service_1.app/
    ssloS_L3Service_2.app/
    ssloS_TapService_2.app/
    ssloS_iCapService_2.app/
    ssloS_HttpService_1.app/
    ssloS_L3Service_1.app/
    ssloS_TapService.app/
    ssloS_iCapService_1.app/
    ssloN_ssloVlan_1.app/
    ssloN_vLan3Sslo.app/
    ssloN_vLan2Sslo.app/
    ssloT_SSL3.app/
    ssloT_sslSettings_1.app/
  10. Enter the following command for all of the apps listed in step 9.
    Make sure to enter the TMSH command before starting this step on the BIG-IP device.
    The order in which the commands are entered is important. F5 recommends that you start with Deployment App, followed by Policy App, and so on based on the suggested table headings.
    If a command fails due to a dependency, determine what the dependency is from the message and delete it before proceeding.
    delete sys application service <<appName>>/ <<press TAB to complete the command>>
    For example:
    root@(localhost)(cfg-sync Standalone)(Active)(/Common)(tmos)# delete sys application service sslo_TestSsloApp.app/sslo_TestSsloApp root@(localhost)(cfg-sync Standalone)(Active)(/Common)(tmos)# delete sys application service ssloP_PRP1.app/ssloP_PRP1 root@(localhost)(cfg-sync Standalone)(Active)(/Common)(tmos)# delete sys application service ssloS_HttpService.app/ssloS_HttpService root@(localhost)(cfg-sync Standalone)(Active)(/Common)(tmos)# delete sys application service ssloS_HttpService_1.app/ssloS_HttpService_1 root@(localhost)(cfg-sync Standalone)(Active)(/Common)(tmos)# delete sys application service ssloS_L2Service_1.app/ssloS_L2Service_1 root@(localhost)(cfg-sync Standalone)(Active)(/Common)(tmos)# delete sys application service ssloS_L3Service_2.app/ssloS_L3Service_2 root@(localhost)(cfg-sync Standalone)(Active)(/Common)(tmos)# delete sys application service ssloS_TapService_2 root@(localhost)(cfg-sync Standalone)(Active)(/Common)(tmos)# delete sys application service ssloS_TapService_2.app/ssloS_TapService_2 root@(localhost)(cfg-sync Standalone)(Active)(/Common)(tmos)# delete sys application service ssloS_iCapService_2.app/ssloS_iCapService_2 root@(localhost)(cfg-sync Standalone)(Active)(/Common)(tmos)# delete sys application service ssloS_L3Service_1.app/ssloS_L3Service_1 root@(localhost)(cfg-sync Standalone)(Active)(/Common)(tmos)# delete sys application service ssloS_TapService.app/ssloS_TapService root@(localhost)(cfg-sync Standalone)(Active)(/Common)(tmos)# delete sys application service ssloS_iCapService_1.app/ssloS_iCapService_1 root@(localhost)(cfg-sync Standalone)(Active)(/Common)(tmos)# delete sys application service ssloN_ssloVlan_1.app/ssloN_ssloVlan_1 root@(localhost)(cfg-sync Standalone)(Active)(/Common)(tmos)# delete sys application service ssloN_vLan3Sslo.app/ssloN_vLan3Sslo root@(localhost)(cfg-sync Standalone)(Active)(/Common)(tmos)# delete sys application service ssloN_vLan2Sslo.app/ssloN_vLan2Sslo root@(localhost)(cfg-sync Standalone)(Active)(/Common)(tmos)# delete sys application service ssloT_SSL3.app/ssloT_SSL3 root@(localhost)(cfg-sync Standalone)(Active)(/Common)(tmos)# delete sys application service ssloT_sslSettings_1.app/ssloT_sslSettings_1
  11. Enter the following command:
    curl --insecure -XGET 'https://<<BigIP Management IP>>mgmt/shared/iapp/blocks?$select=id,state,name&$filter=state%20eq%20%27*%27%20and%20state%20ne%20%27TEMPLATE%27' -u <<userID>>:<<password>> | python -m json.tool
    For example:
    [root@localhost:Active:Standalone] config # curl --insecure -XGET 'https://10.192.225.215/mgmt/shared/iapp/blocks?$select=id,state,name&$filter=state%20eq%20%27*%27%20and%20state%20ne%20%27TEMPLATE%27' -u admin:admin | python -m json.tool % Total % Received % Xferd Average Speed Time Time Time Current Dload Upload Total Spent Left Speed 100 3550 100 3550 0 0 20938 0 --:--:-- --:--:-- --:--:-- 21005 { "generation": 46597, "items": [ { "id": "c670eb32-89a5-4555-a2bf-e7a82c743ff6", "name": "sslo_TestSsloApp", "state": "BOUND" }, { "id": "35947fc5-3152-4ee9-94be-d98cc3c32059", "name": "ssloT_sslSettings_1", "state": "BOUND" }, { "id": "c8ff1bcd-451a-4614-a9e0-8a3a02df7dc2", "name": "ssloS_L3Service_1", "state": "BOUND" }, { "id": "9bf2efe3-db82-4c1a-8dd4-52bc23b9d5eb", "name": "ssloS_TapService_2", "state": "BOUND" }, { "id": "22841137-9d38-4176-ad75-362748f7067b", "name": "ssloS_HttpService", "state": "BOUND" }, { "id": "0cf207ce-0460-49b3-b0f3-a140bb265fa9", "name": "ssloN_vLan3Sslo", "state": "BOUND" }, { "id": "aef17b81-929c-4c12-90e6-a70931952ff9", "name": "ssloT_SSL3", "state": "BOUND" }, { "id": "5c8f3039-d6cc-45db-88a1-6d030dac686b", "name": "7684d4ac-00d0-4f43-a0ba-921f459113bc-1538161044915", "state": "ERROR" }, { "id": "2f952eba-4331-4a3e-995d-644f5a01b045", "name": "ssloS_L3Service_2", "state": "BOUND" }, { "id": "46e05e4e-c350-4e33-8ffc-fa2671acac80", "name": "ssloS_iCapService_1", "state": "BOUND" }, { "id": "75800f9c-f8c8-46e4-9e71-1c7b11fff5fd", "name": "ssloN_vLan2Sslo", "state": "BOUND" }, { "id": "7684d4ac-00d0-4f43-a0ba-921f459113bc", "name": "ssloP_PRP1", "state": "BOUND" }, { "id": "41697b7c-c059-47f2-b13a-b574d2b858f8", "name": "ssloS_L2Service_1", "state": "BOUND" }, { "id": "e44a78c0-4efd-45cc-a3f1-a7d79302004e", "name": "ssloN_ssloVlan_1", "state": "BOUND" }, { "id": "e47a45fb-7422-4ab3-a59a-deafe257660c", "name": "ssloS_iCapService_2", "state": "BOUND" }, { "id": "69ba205f-e618-479e-b355-ae8010219b5f", "name": "ssloS_HttpService_1", "state": "BOUND" }, { "id": "6e161941-826d-424e-865e-3defbfdfd116", "name": "ssloS_TapService", "state": "BOUND" }, { "id": "df843553-dcbb-4239-a3f7-fbf4cf5ccf22", "name": "c670eb32-89a5-4555-a2bf-e7a82c743ff6-1538161044915", "state": "ERROR" }, { "id": "ab0584b4-e8dd-461d-a3c9-f7585c42fdc7", "name": "22841137-9d38-4176-ad75-362748f7067b-1538161044915", "state": "ERROR" }, { "id": "2037b09f-dfaf-4c60-bef9-52b7e1f74ba7", "name": "69ba205f-e618-479e-b355-ae8010219b5f-1538161044915", "state": "ERROR" }, { "id": "ead269a0-43a8-4fd4-88cf-471cd287a6d5", "name": "2f952eba-4331-4a3e-995d-644f5a01b045-1538161044915", "state": "ERROR" }, { "id": "38c5b1af-3f6b-4498-93fc-6380affd1483", "name": "41697b7c-c059-47f2-b13a-b574d2b858f8-1538161044915", "state": "ERROR" }, { "id": "1e97e0ff-955b-43f2-b43f-fa9f806273bc", "name": "9bf2efe3-db82-4c1a-8dd4-52bc23b9d5eb-1538161044915", "state": "ERROR" }, { "id": "f705eb0a-3e8e-4434-8bcc-8bd9135e5383", "name": "6e161941-826d-424e-865e-3defbfdfd116-1538161044915", "state": "ERROR" }, { "id": "3f31c864-d2ca-4b15-baf2-47f4d490f84c", "name": "c8ff1bcd-451a-4614-a9e0-8a3a02df7dc2-1538161044915", "state": "ERROR" }, { "id": "1356eb55-53c4-4eee-86a2-c647228d5cae", "name": "e47a45fb-7422-4ab3-a59a-deafe257660c-1538161044915", "state": "ERROR" }, { "id": "e778bcb2-697f-4238-a76d-169894304d44", "name": "46e05e4e-c350-4e33-8ffc-fa2671acac80-1538161044915", "state": "ERROR" }, { "id": "e75c0952-8838-4484-817d-2cded5d7e63c", "name": "35947fc5-3152-4ee9-94be-d98cc3c32059-1538161044915", "state": "ERROR" }, { "id": "f9c38383-a5a7-46fc-8fca-4196f021a64e", "name": "aef17b81-929c-4c12-90e6-a70931952ff9-1538161044915", "state": "ERROR" }, { "id": "d65877b5-20d2-4c81-9723-0151aa5a51a1", "name": "75800f9c-f8c8-46e4-9e71-1c7b11fff5fd-1538161044915", "state": "ERROR" }, { "id": "05131174-faf2-42a7-8b98-85718e4676d5", "name": "e44a78c0-4efd-45cc-a3f1-a7d79302004e-1538161044915", "state": "ERROR" }, { "id": "67a567c1-f711-45bc-94ac-232121030aa2", "name": "0cf207ce-0460-49b3-b0f3-a140bb265fa9-1538161044915", "state": "ERROR" } ], ..... }
  12. F5 recommends creating a table to track the required information based on the output from the command entered in step 11.
    ID
    State
    Patch Command
    Delete Command
    <<block Id>>
    BOUND
    curl --insecure --data '{state:"UNBINDING"}' -X PATCH 'https://<<BigIP Management IP>>/mgmt/shared/iapp/blocks/<<block Id>>' -u <<userID>>:<<password>>
    curl --insecure -X DELETE 'https://<<BigIP Management IP>>/mgmt/shared/iapp/blocks/<<block Id>>' -u <<userID>>:<<password>>
    <<block Id>>
    ERROR
    NO NEED FOR ERROR
    For example:
    ID
    State
    Patch Command
    Delete Command
    c670eb32-89a5-4555-a2bf-e7a82c743ff6
    BOUND
    curl --insecure --data '{state:"UNBINDING"}' -X PATCH 'https://10.192.225.215/mgmt/shared/iapp/blocks/
    c670eb32-89a5-4555-a2bf-e7a82c743ff6'
    -u admin:admin
    curl --insecure -X DELETE 'https://10.192.225.215/mgmt/shared/iapp/blocks/
    c670eb32-89a5-4555-a2bf-e7a82c743ff6'
    -u admin:admin
    35947fc5-3152-4ee9-94be-d98cc3c32059
    BOUND
    curl --insecure --data '{state:"UNBINDING"}' -X PATCH 'https://10.192.225.215/mgmt/shared/iapp/blocks/
    35947fc5-3152-4ee9-94be-d98cc3c32059'
    -u admin:admin
    curl --insecure -X DELETE 'https://10.192.225.215/mgmt/shared/iapp/blocks/
    35947fc5-3152-4ee9-94be-d98cc3c32059'
    -u admin:admin
    c8ff1bcd-451a-4614-a9e0-8a3a02df7dc2
    BOUND
    curl --insecure --data '{state:"UNBINDING"}' -X PATCH 'https://10.192.225.215/mgmt/shared/iapp/blocks/
    c8ff1bcd-451a-4614-a9e0-8a3a02df7dc2'
    -u admin:admin
    curl --insecure -X DELETE 'https://10.192.225.215/mgmt/shared/iapp/blocks/
    c8ff1bcd-451a-4614-a9e0-8a3a02df7dc2'
    -u admin:admin
    9bf2efe3-db82-4c1a-8dd4-52bc23b9d5eb
    BOUND
    curl --insecure --data '{state:"UNBINDING"}' -X PATCH 'https://10.192.225.215/mgmt/shared/iapp/blocks/
    9bf2efe3-db82-4c1a-8dd4-52bc23b9d5eb'
    -u admin:admin
    curl --insecure -X DELETE 'https://10.192.225.215/mgmt/shared/iapp/blocks/
    9bf2efe3-db82-4c1a-8dd4-52bc23b9d5eb'
    -u admin:admin
    22841137-9d38-4176-ad75-362748f7067b
    BOUND
    curl --insecure --data '{state:"UNBINDING"}' -X PATCH 'https://10.192.225.215/mgmt/shared/iapp/blocks/
    22841137-9d38-4176-ad75-362748f7067b'
    -u admin:admin
    curl --insecure -X DELETE 'https://10.192.225.215/mgmt/shared/iapp/blocks/
    22841137-9d38-4176-ad75-362748f7067b'
    -u admin:admin
    0cf207ce-0460-49b3-b0f3-a140bb265fa9
    BOUND
    curl --insecure --data '{state:"UNBINDING"}' -X PATCH 'https://10.192.225.215/mgmt/shared/iapp/blocks/
    0cf207ce-0460-49b3-b0f3-a140bb265fa9'
    -u admin:admin
    curl --insecure -X DELETE 'https://10.192.225.215/mgmt/shared/iapp/blocks/
    0cf207ce-0460-49b3-b0f3-a140bb265fa9'
    -u admin:admin
    aef17b81-929c-4c12-90e6-a70931952ff9
    BOUND
    curl --insecure --data '{state:"UNBINDING"}' -X PATCH 'https://10.192.225.215/mgmt/shared/iapp/blocks/
    aef17b81-929c-4c12-90e6-a70931952ff9'
    -u admin:admin
    curl --insecure -X DELETE 'https://10.192.225.215/mgmt/shared/iapp/blocks/
    aef17b81-929c-4c12-90e6-a70931952ff9'
    -u admin:admin
    5c8f3039-d6cc-45db-88a1-6d030dac686b
    ERROR
    curl --insecure -X DELETE 'https://10.192.225.215/mgmt/shared/iapp/blocks/
    5c8f3039-d6cc-45db-88a1-6d030dac686b'
    -u admin:admin
    2f952eba-4331-4a3e-995d-644f5a01b045
    BOUND
    curl --insecure --data '{state:"UNBINDING"}' -X PATCH 'https://10.192.225.215/mgmt/shared/iapp/blocks/
    2f952eba-4331-4a3e-995d-644f5a01b045'
    -u admin:admin
    curl --insecure -X DELETE 'https://10.192.225.215/mgmt/shared/iapp/blocks/
    2f952eba-4331-4a3e-995d-644f5a01b045'
    -u admin:admin
    46e05e4e-c350-4e33-8ffc-fa2671acac80
    BOUND
    curl --insecure --data '{state:"UNBINDING"}' -X PATCH 'https://10.192.225.215/mgmt/shared/iapp/blocks/
    46e05e4e-c350-4e33-8ffc-fa2671acac80'
    -u admin:admin
    curl --insecure -X DELETE 'https://10.192.225.215/mgmt/shared/iapp/blocks/
    46e05e4e-c350-4e33-8ffc-fa2671acac80'
    -u admin:admin
    75800f9c-f8c8-46e4-9e71-1c7b11fff5fd
    BOUND
    curl --insecure --data '{state:"UNBINDING"}' -X PATCH 'https://10.192.225.215/mgmt/shared/iapp/blocks/
    75800f9c-f8c8-46e4-9e71-1c7b11fff5fd'
    -u admin:admin
    curl --insecure -X DELETE 'https://10.192.225.215/mgmt/shared/iapp/blocks/
    75800f9c-f8c8-46e4-9e71-1c7b11fff5fd'
    -u admin:admin
    7684d4ac-00d0-4f43-a0ba-921f459113bc
    BOUND
    curl --insecure --data '{state:"UNBINDING"}' -X PATCH 'https://10.192.225.215/mgmt/shared/iapp/blocks/
    7684d4ac-00d0-4f43-a0ba-921f459113bc'
    -u admin:admin
    curl --insecure -X DELETE 'https://10.192.225.215/mgmt/shared/iapp/blocks/
    7684d4ac-00d0-4f43-a0ba-921f459113bc'
    -u admin:admin
    41697b7c-c059-47f2-b13a-b574d2b858f8
    BOUND
    curl --insecure --data '{state:"UNBINDING"}' -X PATCH 'https://10.192.225.215/mgmt/shared/iapp/blocks/
    41697b7c-c059-47f2-b13a-b574d2b858f8'
    -u admin:admin
    curl --insecure -X DELETE 'https://10.192.225.215/mgmt/shared/iapp/blocks/
    41697b7c-c059-47f2-b13a-b574d2b858f8'
    -u admin:admin
    e44a78c0-4efd-45cc-a3f1-a7d79302004e
    BOUND
    curl --insecure --data '{state:"UNBINDING"}' -X PATCH 'https://10.192.225.215/mgmt/shared/iapp/blocks/
    e44a78c0-4efd-45cc-a3f1-a7d79302004e'
    -u admin:admin
    curl --insecure -X DELETE 'https://10.192.225.215/mgmt/shared/iapp/blocks/
    e44a78c0-4efd-45cc-a3f1-a7d79302004e'
    -u admin:admin
    e47a45fb-7422-4ab3-a59a-deafe257660c
    BOUND
    curl --insecure --data '{state:"UNBINDING"}' -X PATCH 'https://10.192.225.215/mgmt/shared/iapp/blocks/
    e47a45fb-7422-4ab3-a59a-deafe257660c'
    -u admin:admin
    curl --insecure -X DELETE 'https://10.192.225.215/mgmt/shared/iapp/blocks/
    e47a45fb-7422-4ab3-a59a-deafe257660c'
    -u admin:admin
    69ba205f-e618-479e-b355-ae8010219b5f
    BOUND
    curl --insecure --data '{state:"UNBINDING"}' -X PATCH 'https://10.192.225.215/mgmt/shared/iapp/blocks/
    69ba205f-e618-479e-b355-ae8010219b5f'
    -u admin:admin
    curl --insecure -X DELETE 'https://10.192.225.215/mgmt/shared/iapp/blocks/
    69ba205f-e618-479e-b355-ae8010219b5f'
    -u admin:admin
    6e161941-826d-424e-865e-3defbfdfd116
    BOUND
    curl --insecure --data '{state:"UNBINDING"}' -X PATCH 'https://10.192.225.215/mgmt/shared/iapp/blocks/
    6e161941-826d-424e-865e-3defbfdfd116'
    -u admin:admin
    curl --insecure -X DELETE 'https://10.192.225.215/mgmt/shared/iapp/blocks/
    6e161941-826d-424e-865e-3defbfdfd116'
    -u admin:admin
    df843553-dcbb-4239-a3f7-fbf4cf5ccf22
    ERROR
    curl --insecure -X DELETE 'https://10.192.225.215/mgmt/shared/iapp/blocks/
    df843553-dcbb-4239-a3f7-fbf4cf5ccf22'
    -u admin:admin
    ab0584b4-e8dd-461d-a3c9-f7585c42fdc7
    ERROR
    curl --insecure -X DELETE 'https://10.192.225.215/mgmt/shared/iapp/blocks/
    ab0584b4-e8dd-461d-a3c9-f7585c42fdc7'
    -u admin:admin
    2037b09f-dfaf-4c60-bef9-52b7e1f74ba7
    ERROR
    curl --insecure -X DELETE 'https://10.192.225.215/mgmt/shared/iapp/blocks/
    2037b09f-dfaf-4c60-bef9-52b7e1f74ba7'
    -u admin:admin
You have now cleaned the device of SSL Orchestrator deployments. Log in to the BIG-IP and start using SSL Orchestrator by clicking
SSL Orchestrator
Configuration
.