Manual Chapter : Setting up F5 Guided Configuration for SSL Orchestrator

Applies To:

Show Versions Show Versions

F5 SSL Orchestrator

  • 16.0.0
Manual Chapter

Setting up F5 Guided Configuration for SSL Orchestrator

Overview: Setting up F5 Guided Configuration for SSL Orchestrator

To install the F5 Guided Configuration for SSL Orchestrator 16.0.0-8.0 and you do not have an existing SSL Orchestrator add-on license, or a previous version of SSL Orchestrator installed, download the image from downloads.f5.com. For complete step-by-step installation instructions, see the
BIG-IP Systems: Upgrading Software
guide. The F5 Guided Configuration for SSL Orchestrator 8.0 image is packaged with the F5 BIG-IP 16.0.0 image.
To upgrade to the newest version of SSL Orchestrator from a previous version, or you have an existing add-on license, follow the recommended upgrade steps in the
SSL Orchestrator recommended upgrade procedure
section. These procedures walk you through the detailed installation and upgrade details of existing SSL Orchestrator applications and RPMs before installing the new ISO image.
If you are upgrading from SSL Orchestrator version 13.x.x or 14.0.x (known as the forklift upgrade), you must follow the recommended upgrade procedure to undeploy your previous SSL Orchestrator deployments. This procedure includes uninstalling your previous version of the application. If these steps are not followed, further manual steps are required to reset your environment and undeploy the previous version found in the
F5 Guided Configuration for SSL Orchestrator: Upgrade Recovery Procedure
guide.
These upgrade steps are required since in some cases previously deployed SSL Orchestrator configurations cannot be rolled forward or imported into the new version of SSL Orchestrator. Following one of the recommended upgrade procedures will assist you in preparing your system for a clean installation.
If you are implementing a high availability environment for SSL Orchestrator, review the
Setting up F5 Guided Configuration for SSL Orchestrator in High Availability
section for more detailed information.
After upgrading SSL Orchestrator from version 5.x, 6.x, or 7.x, one or more existing configurations may show an error due to inconsistent egress information. For example, if the System Setting in version 7.0 had an egress setting of IPv4 while the topology setting was IPv6, the IPv6 topology’s egress setting will show an error after the upgrade. To fix, locate the error(s) and update the configuration with the correct egress information (such as egress gateway pool or SNAT settings) and redeploy.

F5 SSL Orchestrator recommended upgrade procedure

F5 recommends you follow one of the procedures below when upgrading to the newest version of SSL Orchestrator from a previous version.
  • Upgrade SSL Orchestrator from version 13.x.x, 14.0.x to 16.0.0 (forklift upgrade)
  • Upgrade SSL Orchestrator from version 14.1.x, 15.x.x to 16.0.0

Upgrade SSL Orchestrator from version 13.x.x, 14.0.x to 16.0.0 (forklift upgrade)

The SSL Orchestrator forklift version upgrade consists of the following three steps:
  • Export currently deployed SSL Orchestrator configurations (only for 13.x.x)
  • Undeploy your currently deployed SSL Orchestrator application
  • Uninstall SSL Orchestrator

Exporting currently deployed F5 SSL Orchestrator configurations

If you are upgrading SSL Orchestrator from 13.0.0-2.3 or 13.1.0-3.0, you have the option to first export any currently deployed configurations. Only SSL Orchestrator versions 13.0.0-2.3 and 13.1.0-3.0 contain the export functionality.
By exporting previously successful deployment configurations as JSON files, you can examine their configuration settings prior to new deployments with SSL Orchestrator.
Whether you have access to the export functionality or not, you can review any current configurations and make notes that are important for new configurations once you upgrade.
  1. Log in to SSL Orchestrator version 13.0.0-2.3 or 13.1.0-3.0.
  2. On the Main tab, click
    Settings
    Export Configs
    to view the export configuration settings. The Export Configurations screen opens.
    If you do not have any previously saved deployments, no information displays.
  3. In the
    Export Configurations
    table, select a previously deployed configuration.
  4. Click
    Export
    .
    A dialog box pop-up opens showing the JSON configuration information to be exported and asks
    Do you wish to export the current SSL Orchestrator Configuration settings to a .json file?
  5. To export the current SSL Orchestrator settings into a JSON export file, click
    OK
    , or click
    Cancel
    to stop the export process.
  6. Type the file name of the JSON file to export.
  7. Click
    OK
    .
The configuration information you selected to export is downloaded to your local system as a JSON file for later use as a reference to your previous deployments. You are now ready to undeploy your SSL Orchestrator configuration.

Undeploying your currently deployed F5 SSL Orchestrator application

If you are upgrading SSL Orchestrator from versions 14.0.x or older to 16.0.0, this task is required for a successful upgrade.
To undeploy your currently deployed configuration, do the following:
  1. On the Main tab, click
    SSL Orchestrator
    Configuration
    . The SSL Orchestrator Configuration screen opens.
  2. For SSL Orchestrator versions prior to 14.0.x-5.x, click
    Undeploy
    .
  3. For SSL Orchestrator versions 14.1.x-5.x or higher, select the check box next to the name of the deployments you want to remove and click
    Delete
    .
Your entire SSL Orchestrator configuration is now removed from your system and you are ready to uninstall your SSL Orchestrator application.

Uninstalling F5 SSL Orchestrator

If you are upgrading SSL Orchestrator from versions 13.x.x or 14.0.x to 16.0.0, this task is required for a successful upgrade.
To uninstall your SSL Orchestrator application, do the following:
  1. On the Main tab, click
    SSL Orchestrator
    Updates
    . The Updates screen opens.
  2. Under the Version field, click
    Uninstall
    .
  3. Click
    OK
    .
    Do not click on any link underneath the SSL Orchestrator tab after you click
    OK
    or the system will automatically reinstall.
    Your application is now removed from your system and you are ready to install the new BIG-IP 16.0.0 ISO image. Proceed to the
    Installing the new BIG-IP ISO
    section.

Upgrade SSL Orchestrator from version 14.1.x, 15.x.x to 16.0.0

If you are upgrading SSL Orchestrator from version 14.1.x, 15.x.x to 16.0.0, or if you have just completed the SSL Orchestrator forklift procedure, proceed with the following instructions.

Prerequisites

    • There should be no applications in Bound, Binding, or Error state when installing the new ISO or before booting to the new partition. There should not be any SSL Orchestrator blocks (block name starting with
      “sslo_ob_"
      ).
      To verify no issues exist, select
      iApps
      Application Services
      Applications LX
      . If there is anything in an error state (red icon), fix the deployment by correcting the configuration and redeploy. If there is anything in a bound state (green icon), select them all and click
      Undeploy
      . Once they have been undeployed, select the same block and delete them. If there is anything in a binding state (moving icon), wait until it completes. If the block remains in that state, contact customer care to resolve.
    • Perform a UCS backup before installing the new ISO. If any block is identified in Bound, Binding, Pending, or Error state, correct the issues before the UCS backup is performed.
      After an RPM upgrade from 14.1.x-5.0, 15.0.0-6.x, or 15.1.0-7.x to 16.0.0-8.0, previously existing egress topology configurations may contain incorrect egress settings and may result in a broken configuration. This error occurs after an RPM upgrade due to the system settings choosing either IPv4 or IPv6 when the topology workflow still allows a configuration to be created using both IPv4 and IPv6. To fix this conflict, update the configuration so that it is either using IPv4 or IPv6 and deploy the configuration again.

Installing the new BIG-IP ISO image

The latest version of SSL Orchestrator (8.0) is included with the BIG-IP 16.0.0 ISO image. When you install the F5 BIG-IP 16.0.0 ISO image, the BIG-IP system installs the configuration of the currently active boot location on the target installation location.
If you have not already done so, download BIG-IP SSL Orchestrator:
  1. Go to https://downloads.f5.com for ISO image.
  2. To upload to BIG-IP SSL Orchestrator, on the Main tab, click
    System
    Software Management
    Image List
    . Click
    Import
    .
  3. On
    System
    Software Management
    Image List
    screen, select the imported ISO image and click
    Install
    . The Install Software Image pop-up screen opens.
  4. In the
    Volume set name
    list, type a Boot Location name or number.
  5. Click
    Install
    . The Images List screen opens.
    If necessary, click the browser Refresh button if the BIG-IP version 16.0.0 image does not appear in the Installed Images list.
The BIG-IP installation is complete once the
Install Status
column for version 16.0.0 indicates
complete
. You are now ready to boot into the new partition and activate the newly installed version of SSL Orchestrator.
For complete step-by-step installation and upgrade instructions for BIG-IP, see the
BIG-IP Systems: Upgrading Software
document.

Booting into the new partition

To boot into the new partition and activate the installation upgrade, do the following:
  1. On the Main tab, click
    System
    Software Management
    Boot Locations
    . The Boot Locations screen appears.
  2. Click the Boot Location name you created in the Boot Location column for BIG-IP 16.0.0-8.0. The
    General Properties
    screen opens.
  3. Select the boot location and click
    Activate
    .
  4. Click
    OK
    .
Your newly changed system will reboot the BIG-IP device as it switches partition to the newest version.

Provisioning the newly activated resource

If you are upgrading SSL Orchestrator from versions 13.x.x or 14.0.x to 16.0.0, this task is required for a successful upgrade.
If you are upgrading SSL Orchestrator from version 14.1.x, 15.x.x to 16.0.0, this task is optional, and you can skip to the next section.
Your newly installed BIG-IP SSL Orchestrator must now be provisioned. After your system reboots, do the following:
  1. Use your previous SSL Orchestrator
    Username
    and
    Password
    to sign in. Click
    Log in
    . The Welcome screen opens.
  2. On the Main tab, click
    System
    Resource Provisioning
    to provision the system. The Resource Provisioning screen opens.
  3. In the
    Module
    column, locate SSL Orchestrator and select the check box in the
    Provisioning
    column if it is not already checked. The Provisioning column will change from
    None
    to
    Nominal
    if the check box was not already checked.
  4. Click
    Submit
    .
  5. Click
    OK
    . Your newly changed system will reboot the BIG-IP device as it provisions SSL Orchestrator.
  6. Click
    Continue
    .
A new version of F5 BIG-IP SSL Orchestrator has been successfully installed and provisioned.
If you do not follow the F5 recommended upgrade procedure, SSL Orchestrator will guide you through the upgrade scenario, providing warning messages and links to required tasks, as it assist you in activating and provisioning your newly installed resource.

Installing SSL Orchestrator RPM (on-box)

If you want to upgrade to the on-box RPM version, then follow the below steps:
  1. Log into your BIG-IP using management UI.
  2. Click on SSL Orchestrator > Configuration menu.
    This operation will auto-install the on-box RPM.

Insatlling SSL Orchestrator RPM (not on-box)

If you do not want to upgrade to the on-box RPM version, do the following:
  1. Download SSL Orchestrator RPM from https://downloads.f5.com.
  2. Log into your BIG-IP.
  3. Click
    iApps
    Package Management LX
    .
  4. Click on
    Import
    and select your RPM.
  5. Click
    Upload
    . This will install the user selected RPM on the box.
This operation will auto-install the on-box RPM.

Setting up F5 Guided Configuration for SSL Orechstrator logs settings

The SSL Orchestrator Settings option in the Logs menu can be used to enable logging for selected facilities at various levels of severity to describe the system messages. Facilities describe the specific element of the system generating the message: Per-Request Policy, FTP, IMAP, POP3, SMTPS, SSL Orchestrator Generic.
Each available level describes the severity of the message and are listed in order of the severity of the messages they handle. Generally, higher levels contain all the messages for lower levels. For example, the Alert level will generally also report all messages from the Emergency level, and the Debug level will generally also report all messages for all levels.

Setting up logs settings

Use the following procedure to set up your SSL Orchestrator logs settings with specific severity levels.
  1. On the Main tab, click
    SSL Orchestrator
    Logs
    Settings
    . The Logs Settings screen opens.
  2. If the
    Enable
    check box is not pre-selected, select the check box to see the available levels for each facility. The default severity is Debug.
  3. For each facility, you can select from the following log setting severities:
    • Emergency
      : Specifies the emergency system panic messages.
    • Alert
      : Serious errors that require administrator intervention.
    • Critical
      : Critical errors, including hardware and filesystem failures.
    • Error
      : Non-critical, but possibly very important, error messages.
    • Warning
      : Warning messages that should at least be logged for review.
    • Notice
      : Messages that contain useful information, but may be ignored.
    • Information
      : Messages that contain useful information, but may be ignored.
    • Debug
      : Messages that are only necessary for troubleshooting.
  4. Click
    Save
    .