Manual Chapter : Solution 1: Reset the master key on a new system

Applies To:


BIG-IP LTM

  • 17.0.0, 16.1.3, 16.1.2, 16.1.1, 16.1.0, 16.0.1, 16.0.0, 15.1.7, 15.1.6, 15.1.5, 15.1.4, 15.1.3, 15.1.2, 15.1.1, 15.1.0, 15.0.1, 15.0.0, 14.1.5, 14.1.4, 14.1.3, 14.1.2, 14.1.0, 14.0.1, 14.0.0, 13.1.5, 13.1.4, 13.1.3, 13.1.1, 13.1.0

BIG-IP DNS

  • 17.0.0, 16.1.3, 16.1.2, 16.1.1, 16.1.0, 16.0.1, 16.0.0, 15.1.7, 15.1.6, 15.1.5, 15.1.4, 15.1.3, 15.1.2, 15.1.1, 15.1.0, 15.0.1, 15.0.0, 14.1.5, 14.1.4, 14.1.3, 14.1.2, 14.1.0, 14.0.1, 14.0.0, 13.1.5, 13.1.4, 13.1.3, 13.1.1, 13.1.0
Solution 1: Reset the master key on a new system

The task below requires you to know the unencrypted password or passphrase for the master key. Before continuing, make sure you have read the section titled Preventing UCS restore issues in this document.
Use this task if you intend to use a user configuration set (UCS) archive from an existing BIG-IP system to configure a new (or replacement) system, and you no longer have the master key from the existing system to decrypt any passwords or passphrases in the archive.
In this case, if you at least know the unencrypted password or passphrase associated with the master key that's on the existing system, you can ensure that the new BIG-IP system loads the BIG-IP configuration successfully: Before you restore the UCS archive on the new system, simply reset the master key on the new system, using the same unencrypted password or passphrase from the master key on the existing system. The following task describes this process.
You can perform this task on any BIG-IP system, including a vCMP host or a vCMP guest.
  1. On the new system, open a console window using a program such as PuTTY.
  2. Log in to the system.
  3. At the system prompt, type:
    tmsh
  4. Begin resetting the master key on the new system by typing this command:
    modify sys crypto master-key prompt-for-password
    The command displays this prompt:
    enter new password:
  5. Type the unencrypted password or passphrase that's associated with the master key on the existing system.
    The system displays the prompt again:
    enter new password:
  6. Type the password or passphrase again.
  7. Securely copy the UCS archive from the existing system to the /var/local/ucs directory on the new BIG-IP system. For information about transferring files, see the Knowledge Base article K175: Transferring files to or from an F5 system, on http://support.f5.com.
  8. Restore the UCS archive on the new system by using this command syntax:
    load sys ucs <ucs_archive_name>
  9. Save the BIG-IP configuration on the new system by typing this command:
    save sys config
  10. At the BIG-IP system prompt on the new system, load the BIG-IP configuration by typing this command:
    load sys config
After you perform this task, the BIG-IP system configuration is successfully loaded on the new system, and the new system has the same master key as the existing system.
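
A check that can be run from the bash prompt between steps 7 and 8, added here as an example and not part of the F5 manual: it confirms that the transferred archive sits in /var/local/ucs, is a regular file that group and other cannot write, and matches a SHA-256 digest recorded on the existing system. The function name check_ucs, its return codes and the practice of recording a digest with sha256sum before the copy are assumptions of this example.

```shell
#!/bin/bash
# Added example: pre-restore check for a transferred UCS archive.
# check_ucs and its return codes are hypothetical, not BIG-IP commands.
# UCS_DIR defaults to the directory named in step 7.
UCS_DIR="${UCS_DIR:-/var/local/ucs}"

# Usage: check_ucs <archive_file_name> <expected_sha256_hex>
# Returns 0 only when every check passes.
check_ucs() {
    local name="$1" expected path perms actual
    # Normalise the digest recorded on the existing system to lower case.
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')

    # Accept a bare file name only, so the path cannot leave UCS_DIR.
    case "$name" in
        ""|*/*) echo "reject: give a plain file name" >&2; return 2 ;;
    esac
    path="$UCS_DIR/$name"

    # Must be a regular file, not a symlink to something else.
    if [ -L "$path" ] || [ ! -f "$path" ]; then
        echo "reject: $path is missing or not a regular file" >&2; return 3
    fi

    # Characters 6 and 9 of the mode string are the group and other
    # write bits; either one set means another account could alter the
    # archive between this check and the restore.
    perms=$(ls -ld "$path" | cut -c6,9)
    if [ "$perms" != "--" ]; then
        echo "reject: $path is writable by group or other" >&2; return 4
    fi

    # Compare the file's digest with the expected one.
    actual=$(sha256sum "$path" | cut -d' ' -f1)
    if [ "$actual" != "$expected" ]; then
        echo "reject: SHA-256 mismatch for $path" >&2; return 5
    fi
    echo "ok: $path matches the recorded digest"
}
```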