Manual Chapter :
Setting up F5 Guided
Configuration for SSL Orchestrator
Applies To:
Show Versions
F5 SSL Orchestrator
- 16.0.1, 16.0.0
Setting up F5 Guided
Configuration for SSL Orchestrator
Overview: Setting up F5
Guided Configuration for SSL Orchestrator
To install the F5 Guided Configuration for SSL Orchestrator 16.0.0-8.0 and you
do not have an existing SSL Orchestrator add-on license, or a previous version of SSL
Orchestrator installed, download the image from downloads.f5.com.
For complete step-by-step installation instructions, see the
BIG-IP
Systems: Upgrading Software
guide. The F5 Guided Configuration for SSL Orchestrator 8.0
image is packaged with the F5 BIG-IP 16.0.0 image.To upgrade to the newest version of SSL Orchestrator from a previous version,
or you have an existing add-on license, follow the recommended upgrade steps in the
SSL Orchestrator recommended upgrade procedure
section. These
procedures walk you through the detailed installation and upgrade details of existing SSL
Orchestrator applications and RPMs before installing the new ISO image. If you are upgrading from SSL Orchestrator version 13.x.x or 14.0.x (known as
the forklift upgrade), you must follow the recommended upgrade procedure to undeploy your
previous SSL Orchestrator deployments. This procedure includes uninstalling your previous version
of the application. If these steps are not followed, further manual steps are required to reset
your environment and undeploy the previous version found in the
F5
Guided Configuration for SSL Orchestrator: Upgrade Recovery Procedure
guide.These upgrade steps are required since in some cases previously deployed SSL
Orchestrator configurations cannot be rolled forward or imported into the new version of SSL
Orchestrator. Following one of the recommended upgrade procedures will assist you in preparing
your system for a clean installation.
If you are implementing a high
availability environment for SSL Orchestrator, review the
Setting up
F5 Guided Configuration for SSL Orchestrator in High Availability
section for more
detailed information.After upgrading SSL Orchestrator from
version 5.x, 6.x, or 7.x, one or more existing configurations may show an error due to
inconsistent egress information. For example, if the System Setting in version 7.0 had an egress
setting of IPv4 while the topology setting was IPv6, the IPv6 topology’s egress setting will
show an error after the upgrade. To fix, locate the error(s) and update the configuration with
the correct egress information (such as egress gateway pool or SNAT settings) and
redeploy.
F5 SSL Orchestrator recommended upgrade procedure
F5 recommends you follow one of the procedures below
when upgrading to the newest version of SSL Orchestrator from a previous version.
- Upgrade SSL Orchestrator from version 13.x.x, 14.0.x to 16.0.0 (forklift upgrade)
- Upgrade SSL Orchestrator from version 14.1.x, 15.x.x to 16.0.0
Upgrade SSL Orchestrator from version 13.x.x, 14.0.x to 16.0.0
(forklift upgrade)
The SSL Orchestrator forklift version upgrade consists of the following
three steps:
- Export currently deployed SSL Orchestrator configurations (only for 13.x.x)
- Undeploy your currently deployed SSL Orchestrator application
- Uninstall SSL Orchestrator
Exporting currently
deployed F5 SSL Orchestrator configurations
If you
are upgrading SSL Orchestrator from 13.0.0-2.3 or 13.1.0-3.0, you have the option to
first export any currently deployed configurations. Only SSL Orchestrator versions
13.0.0-2.3 and 13.1.0-3.0 contain the export functionality.
By
exporting previously successful deployment configurations as JSON files, you can
examine their configuration settings prior to new deployments with SSL Orchestrator.
Whether you have access to the export functionality
or not, you can review any current configurations and make notes that are important
for new configurations once you upgrade.
- Log in to SSL Orchestrator version 13.0.0-2.3 or 13.1.0-3.0.
- On the Main tab, click to view the export configuration settings. The Export Configurations screen opens.If you do not have any previously saved deployments, no information displays.
- In theExport Configurationstable, select a previously deployed configuration.
- ClickExport.A dialog box pop-up opens showing the JSON configuration information to be exported and asksDo you wish to export the current SSL Orchestrator Configuration settings to a .json file?
- To export the current SSL Orchestrator settings into a JSON export file, clickOK, or clickCancelto stop the export process.
- Type the file name of the JSON file to export.
- ClickOK.
The configuration
information you selected to export is downloaded to your local system as a JSON file for
later use as a reference to your previous deployments. You are now ready to undeploy
your SSL Orchestrator configuration.
Undeploying your
currently deployed F5 SSL Orchestrator application
If you are upgrading SSL Orchestrator from versions
14.0.x or older to 16.0.0, this task is required for a successful upgrade.
To undeploy your currently deployed configuration, do the
following:
- On the Main tab, click . The SSL Orchestrator Configuration screen opens.
- For SSL Orchestrator versions prior to 14.0.x-5.x, clickUndeploy.
- For SSL Orchestrator versions 14.1.x-5.x or higher, select the check box next to the name of the deployments you want to remove and clickDelete.
Your entire SSL
Orchestrator configuration is now removed from your system and you are ready to
uninstall your SSL Orchestrator application.
Uninstalling F5 SSL Orchestrator
If you are upgrading SSL Orchestrator from versions
13.x.x or 14.0.x to 16.0.0, this task is required for a successful upgrade.
To uninstall your SSL Orchestrator application, do the
following:
- On the Main tab, click . The Updates screen opens.
- Under the Version field, clickUninstall.
- ClickOK.Do not click on any link underneath the SSL Orchestrator tab after you clickOKor the system will automatically reinstall.Your application is now removed from your system and you are ready to install the new BIG-IP 16.0.0 ISO image. Proceed to theInstalling the new BIG-IP ISOsection.
Upgrade SSL Orchestrator from version 14.1.x, 15.x.x to 16.0.0
If you are upgrading SSL Orchestrator from version 14.1.x, 15.x.x to 16.0.0,
or if you have just completed the SSL Orchestrator forklift procedure, proceed with the
following instructions.
Prerequisites
Prerequisites
- There should be no applications in Bound, Binding, or Error state when installing the new ISO or before booting to the new partition. There should not be any SSL Orchestrator blocks (block name starting with“sslo_ob_").To verify no issues exist, select . If there is anything in an error state (red icon), fix the deployment by correcting the configuration and redeploy. If there is anything in a bound state (green icon), select them all and clickUndeploy. Once they have been undeployed, select the same block and delete them. If there is anything in a binding state (moving icon), wait until it completes. If the block remains in that state, contact customer care to resolve.
- Perform a UCS backup before installing the new ISO. If any block is identified in Bound, Binding, Pending, or Error state, correct the issues before the UCS backup is performed.After an RPM upgrade from 14.1.x-5.0, 15.0.0-6.x, or 15.1.0-7.x to 16.0.0-8.0, previously existing egress topology configurations may contain incorrect egress settings and may result in a broken configuration. This error occurs after an RPM upgrade due to the system settings choosing either IPv4 or IPv6 when the topology workflow still allows a configuration to be created using both IPv4 and IPv6. To fix this conflict, update the configuration so that it is either using IPv4 or IPv6 and deploy the configuration again.
Installing the new
BIG-IP ISO image
The latest version of SSL Orchestrator (8.0) is included with the
BIG-IP 16.0.0 ISO image. When you install the F5 BIG-IP 16.0.0 ISO image, the BIG-IP
system installs the configuration of the currently active boot location on the
target installation location.
If you have not already done so, download BIG-IP SSL Orchestrator:
- Go to https://downloads.f5.com for ISO image.
- To upload to BIG-IP SSL Orchestrator, on the Main tab, click . ClickImport.
- On screen, select the imported ISO image and clickInstall. The Install Software Image pop-up screen opens.
- In theVolume set namelist, type a Boot Location name or number.
- ClickInstall. The Images List screen opens.If necessary, click the browser Refresh button if the BIG-IP version 16.0.0 image does not appear in the Installed Images list.
The BIG-IP installation is complete once the
Install Status
column for version
16.0.0 indicates complete
. You
are now ready to boot into the new partition and activate the newly installed version of
SSL Orchestrator. For complete step-by-step installation and
upgrade instructions for BIG-IP, see the
BIG-IP Systems:
Upgrading Software
document.Booting into the new partition
To boot into the new partition and activate the installation upgrade,
do the following:
- On the Main tab, click . The Boot Locations screen appears.
- Click the Boot Location name you created in the Boot Location column for BIG-IP 16.0.0-8.0. TheGeneral Propertiesscreen opens.
- Select the boot location and clickActivate.
- ClickOK.
Your newly changed
system will reboot the BIG-IP device as it switches partition to the newest version.
Provisioning the newly
activated resource
If you are upgrading SSL Orchestrator from versions
13.x.x or 14.0.x to 16.0.0, this task is required for a successful upgrade.
If you
are upgrading SSL Orchestrator from version 14.1.x, 15.x.x to 16.0.0, this task is
optional, and you can skip to the next section.
Your
newly installed BIG-IP SSL Orchestrator must now be provisioned. After your system
reboots, do the following:
- Use your previous SSL OrchestratorUsernameandPasswordto sign in. ClickLog in. The Welcome screen opens.
- On the Main tab, click to provision the system. The Resource Provisioning screen opens.
- In theModulecolumn, locate SSL Orchestrator and select the check box in theProvisioningcolumn if it is not already checked. The Provisioning column will change fromNonetoNominalif the check box was not already checked.
- ClickSubmit.
- ClickOK. Your newly changed system will reboot the BIG-IP device as it provisions SSL Orchestrator.
- ClickContinue.
A new version of F5 BIG-IP SSL Orchestrator has been
successfully installed and provisioned.
If you do not follow
the F5 recommended upgrade procedure, SSL Orchestrator will guide you through the
upgrade scenario, providing warning messages and links to required tasks, as it
assist you in activating and provisioning your newly installed
resource.
Installing SSL Orchestrator RPM (on-box)
If you want to upgrade to the on-box RPM version,
then follow the below steps:
- Log into your BIG-IP using management UI.
- Click on SSL Orchestrator > Configuration menu.This operation will auto-install the on-box RPM.
Insatlling SSL Orchestrator RPM (not on-box)
If you do not want to upgrade to the on-box RPM
version, do the following:
- Download SSL Orchestrator RPM from https://downloads.f5.com.
- Log into your BIG-IP.
- Click .
- Click onImportand select your RPM.
- ClickUpload. This will install the user selected RPM on the box.
This operation will auto-install the on-box
RPM.
Setting up F5 Guided Configuration for SSL Orechstrator logs
settings
The SSL Orchestrator Settings option in the Logs menu can be used to enable
logging for selected facilities at various levels of severity to describe the system
messages. Facilities describe the specific element of the system generating the message:
Per-Request Policy, FTP, IMAP, POP3, SMTPS, SSL Orchestrator Generic.
Each available level describes the severity of the message and are listed in order of the
severity of the messages they handle. Generally, higher levels contain all the messages
for lower levels. For example, the Alert level will generally also report all messages
from the Emergency level, and the Debug level will generally also report all messages
for all levels.
Setting up logs settings
Use the following procedure to set up your SSL
Orchestrator logs settings with specific severity levels.
- On the Main tab, click . The Logs Settings screen opens.
- If theEnablecheck box is not pre-selected, select the check box to see the available levels for each facility. The default severity is Debug.
- For each facility, you can select from the following log setting severities:
- Emergency: Specifies the emergency system panic messages.
- Alert: Serious errors that require administrator intervention.
- Critical: Critical errors, including hardware and filesystem failures.
- Error: Non-critical, but possibly very important, error messages.
- Warning: Warning messages that should at least be logged for review.
- Notice: Messages that contain useful information, but may be ignored.
- Information: Messages that contain useful information, but may be ignored.
- Debug: Messages that are only necessary for troubleshooting.
- ClickSave.
