Manual Chapter : Solution 2: Copy a master key to a new system

Applies To:

BIG-IP LTM

  • 17.1.1, 17.1.0, 17.0.0, 16.1.4, 16.1.3, 16.1.2, 16.1.1, 16.1.0, 16.0.1, 16.0.0, 15.1.8, 15.1.7, 15.1.6, 15.1.5, 15.1.4, 15.1.3, 15.1.2, 15.1.1, 15.1.0, 15.0.1, 15.0.0, 14.1.5, 14.1.4, 14.1.3, 14.1.2, 14.1.0, 14.0.1, 14.0.0, 13.1.5, 13.1.4, 13.1.3, 13.1.1, 13.1.0

BIG-IP DNS

  • 17.1.1, 17.1.0, 17.0.0, 16.1.4, 16.1.3, 16.1.2, 16.1.1, 16.1.0, 16.0.1, 16.0.0, 15.1.8, 15.1.7, 15.1.6, 15.1.5, 15.1.4, 15.1.3, 15.1.2, 15.1.1, 15.1.0, 15.0.1, 15.0.0, 14.1.5, 14.1.4, 14.1.3, 14.1.2, 14.1.0, 14.0.1, 14.0.0, 13.1.5, 13.1.4, 13.1.3, 13.1.1, 13.1.0

Before you perform this task, make sure you read the section titled Preventing UCS restore issues in this document.
Use this task if you intend to use a user configuration set (UCS) archive from an existing BIG-IP system to configure a new (or replacement) system, and you have the existing system's master key.
In this case, you can manually copy the master key from the existing system to the new system and then, on the new system, restore the UCS archive. This will ensure that you can load the BIG-IP configuration successfully.
This task is based on the assumption that the existing system and the new system are members of the same Device Service Clustering (DSC) device group.
You can perform this task on any BIG-IP system, including a vCMP guest.
  1. On both the existing system and the new system, open a console window, using a program such as PuTTY.
  2. Log in to the existing BIG-IP system, and at the system prompt, obtain the master key by typing this command:
    f5mku -K
    The command output appears similar to this example:
    oruIVCHfmVBnwGaSR/+MAA==
  3. Copy the output.
    The output is the master key that you will install on the new BIG-IP system.
  4. Log in to the new system, and at the system prompt, install the master key that you copied from the existing system by typing this command:
    f5mku -r key_value
    Use the -r option with extreme caution. Using this option when the file /config/bigip.conf contains encrypted passwords or passphrases will cause a BIG-IP load operation to fail.
    Here's a sample command sequence:
    f5mku -r oruIVCHfmVBnwGaSR/+MAA==
  5. Verify that the master key is the same on both the existing system and the new system by typing this command from the command lines of both systems:
    f5mku -K
  6. Restore the UCS archive on the new system using this command syntax:
    tmsh load sys ucs file_name.ucs no-license
    Because the original device license was created using device-specific information and specific license registration key(s), any attempt to restore the UCS archive without specifying the no-license flag places the device in the unlicensed state, causing the restore operation to fail.
  7. On the new system, save the BIG-IP configuration by typing this command:
    tmsh save sys config
  8. On the new system, load the BIG-IP configuration by typing this command:
    tmsh load sys config
  9. At the existing system's system prompt, set the existing system as the sync leader using this command syntax:
    tmsh modify cm device-group device_group devices modify { existing_BIG-IP { set-sync-leader } }
    Note that in this command sequence, device_group is the name of the device group that both the existing system and the new system are members of.
  10. At the existing system's system prompt, sync the configuration to the new system using this command syntax:
    tmsh run cm config-sync to-group device_group
    Note that the process of initializing the BIG-IP configuration on the new system can take up to a full minute to complete.
  11. Confirm that the two systems are in sync by typing this command:
    tmsh show cm sync-status
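
For the verification in step 5, the following added example (not part of the F5 manual or F5 code) compares the two master keys by SHA-256 fingerprint, so the key itself does not have to be read off two consoles, and rejects a truncated or mangled copy. The function names `key_fingerprint` and `keys_match` are hypothetical, and the script assumes the key is the single base64 line that `f5mku -K` prints, as in the sample above.

```shell
#!/bin/sh
# Added example, not F5 code: compare BIG-IP master keys by SHA-256
# fingerprint so the key itself does not need to be displayed.
# Assumption: the key is the single base64 line printed by `f5mku -K`.

# key_fingerprint: read one key from stdin, print the SHA-256 of its
# base64 text. Returns 1 if the input is not one well-formed base64
# value, which catches a truncated or mangled copy.
key_fingerprint() {
    IFS= read -r kf_key || [ -n "$kf_key" ] || return 1
    kf_key=$(printf '%s' "$kf_key" | tr -d '\r')   # tolerate CRLF captures
    case $kf_key in
        ''|*[!A-Za-z0-9+/=]*) return 1 ;;          # empty or non-base64 chars
    esac
    kf_body=${kf_key%=}; kf_body=${kf_body%=}      # strip up to two pad chars
    case $kf_body in
        ''|*=*) return 1 ;;                        # '=' anywhere but the end
    esac
    [ $(( ${#kf_key} % 4 )) -eq 0 ] || return 1    # base64 length rule
    printf '%s' "$kf_key" | sha256sum | cut -d' ' -f1
}

# keys_match KEY_A KEY_B: 0 = identical, 1 = different, 2 = malformed input.
keys_match() {
    km_a=$(printf '%s\n' "$1" | key_fingerprint) || return 2
    km_b=$(printf '%s\n' "$2" | key_fingerprint) || return 2
    [ "$km_a" = "$km_b" ]
}

# On each system:  f5mku -K | key_fingerprint   (then compare the two digests)
# Demo with the sample key shown on this page:
if keys_match 'oruIVCHfmVBnwGaSR/+MAA==' 'oruIVCHfmVBnwGaSR/+MAA=='; then
    echo "master keys match"
fi
```
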