Manual Chapter : BIG-IQ considerations

Applies To:

BIG-IP LTM

  • 17.1.1, 17.1.0, 17.0.0, 16.1.5, 16.1.4, 16.1.3, 16.1.2, 16.1.1, 16.1.0, 16.0.1, 16.0.0, 15.1.8, 15.1.7, 15.1.6, 15.1.5, 15.1.4, 15.1.3, 15.1.2, 15.1.1, 15.1.0, 15.0.1, 15.0.0, 14.1.5, 14.1.4, 14.1.3, 14.1.2, 14.1.0, 14.0.1, 14.0.0, 13.1.5, 13.1.4, 13.1.3, 13.1.1, 13.1.0

BIG-IP DNS

  • 17.1.1, 17.1.0, 17.0.0, 16.1.5, 16.1.4, 16.1.3, 16.1.2, 16.1.1, 16.1.0, 16.0.1, 16.0.0, 15.1.8, 15.1.7, 15.1.6, 15.1.5, 15.1.4, 15.1.3, 15.1.2, 15.1.1, 15.1.0, 15.0.1, 15.0.0, 14.1.5, 14.1.4, 14.1.3, 14.1.2, 14.1.0, 14.0.1, 14.0.0, 13.1.5, 13.1.4, 13.1.3, 13.1.1, 13.1.0

Format of encrypted object strings

A BIG-IQ system uses Secure Vault to store an encryption key that is used to encrypt data stored in other places. Secure Vault is used to encrypt this BIG-IQ system master key.

About a standby BIG-IQ in an HA or DCD configuration

During the initial setup of your BIG-IQ system, you chose a specific master key passphrase. You must use this same passphrase for all BIG-IQ systems that need to discover one another, such as the standby BIG-IQ in a high availability configuration, and any BIG-IQ data collection device (DCD) systems.
If the master key passphrases do not match, BIG-IQ cannot discover or communicate with a remote DCD or a standby BIG-IQ in an HA configuration, and it returns an error message similar to this:
Discovery of BIG-IQ Data Collection Device 192.168.10.100 failed with state POST_FAILED and due to error Master Keys differ between this BIG-IQ and the one you are attempting to discover. Please configure both machines to have the same Master Key.

Resolving discovery issues

Only a BIG-IQ system can discover a data collection device (DCD). A DCD cannot discover a device.
There are three solutions to resolve discovery issues. When to use each depends on what you know:
  • Solution 1: Change the BIG-IQ master key passphrase
    Know: BIG-IQ master key (MK) passphrase of both BIG-IQ Centralized Management (CM) and data collection device (DCD)
  • Solution 2: Specify the BIG-IQ master key passphrase on the DCD
    Know: CM master key passphrase, but do not know: DCD master key passphrase
  • Solution 3: Specify a new BIG-IQ master key passphrase
    Know: None of the MK passphrases
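
The following triage helper is an added example, not part of the F5 manual or any BIG-IQ tooling: it recognizes the master key mismatch in discovery-failure messages of the form quoted above and maps the passphrases you know to one of the three solutions, including which systems that solution wipes. The function names, the one-message-per-line input and the handling of the "only the DCD passphrase is known" case are assumptions.

```python
import re
from typing import NamedTuple

# Built from the error text quoted on this page; one message per line is assumed.
FAILURE = re.compile(
    r"Discovery of BIG-IQ Data Collection Device (?P<peer>\S+) failed "
    r"with state (?P<state>\w+) and due to error (?P<error>.+)"
)

class Finding(NamedTuple):
    peer: str
    state: str
    key_mismatch: bool

class Plan(NamedTuple):
    solution: int
    wiped: tuple          # systems reset with clear-rest-storage -d -l
    remove_standby: bool  # HA pair must be made standalone first

def parse_failures(lines):
    """Return a Finding for each discovery-failure message in lines."""
    out = []
    for line in lines:
        m = FAILURE.search(line)
        if m:
            out.append(Finding(m["peer"], m["state"],
                               "Master Keys differ" in m["error"]))
    return out

def choose_plan(know_cm, know_dcd, in_ha_pair):
    """Pick the page's solution from which passphrases are known."""
    if know_cm and know_dcd:
        return Plan(1, (), in_ha_pair)
    if know_cm:
        return Plan(2, ("DCD",), False)  # DCD-only change keeps the HA pair
    # Knowing only the DCD passphrase is not covered on the page; it is
    # treated like knowing neither (assumption).
    return Plan(3, ("BIG-IQ", "DCD"), in_ha_pair)

# Constructed input: the page's example message plus an unrelated line.
SAMPLE = [
    "Discovery of BIG-IQ Data Collection Device 192.168.10.100 failed with "
    "state POST_FAILED and due to error Master Keys differ between this "
    "BIG-IQ and the one you are attempting to discover. Please configure "
    "both machines to have the same Master Key.",
    "Discovery of BIG-IQ Data Collection Device 192.168.10.101 completed",
]

if __name__ == "__main__":
    for f in (x for x in parse_failures(SAMPLE) if x.key_mismatch):
        print(f.peer, f.state, choose_plan(True, False, in_ha_pair=True))
```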

Solution 1: Change the BIG-IQ master key passphrase

If this BIG-IQ is part of an HA pair, you must first make this BIG-IQ standalone. To do this, click BIG-IQ HA on the left, and click the Remove Standby button.
If you change the BIG-IQ Centralized Management (CM) master key, you need to change the secondary master key to the same passphrase before re-adding it, or the HA pairing will fail.
Use this procedure if you know the master key passphrases of both BIG-IQ systems, not just one (old and new).
You can change the master key passphrase.
  1. Log in to the BIG-IQ system user interface.
  2. At the top of the screen, click System.
  3. On the left, click General Properties.
  4. Click the Edit button.
  5. Click the Change Master Key button and type a new master key.
  6. Click Save & Close.
If you are running this BIG-IQ in an HA configuration, re-add the standby BIG-IQ system.

Solution 2: Specify the BIG-IQ master key passphrase on the DCD

  • Obtain the BIG-IQ system master key (MK) passphrase.
  • On the data collection device (DCD), be ready to reset the DCD system configuration to the default.
  • If you are only changing the MK on the DCD, then you do not need to break the HA pair.
Use this procedure when a BIG-IQ system and a DCD fail to discover one another, but you know the passphrase for the BIG-IQ system's master key. A discovery operation fails if the master keys of the BIG-IQ system and the DCD system don't match.
To resolve the discovery failure, you can restore the DCD system configuration to the factory default and begin a new first-time setup procedure. During DCD setup, you specify the same master key passphrase that's on the BIG-IQ system. Once the procedure is completed, you can attempt the discovery operation again.
If you follow this procedure, running clear-rest-storage will remove all data on the BIG-IQ system, and the data is not recoverable.
  1. Using a program such as PuTTY, open a console window on the DCD system.
  2. Log in to the system.
  3. At the system prompt, reset the DCD system configuration to the default by typing this command:
    clear-rest-storage -d -l
  4. Log in to the DCD system user interface and follow the first-time setup procedure.
    During the master key step of the first-time setup procedure, ensure that you type the BIG-IQ system master key passphrase.
  5. Log in to the BIG-IQ system user interface and rediscover the DCD.
If you are running this BIG-IQ in an HA configuration, re-add the standby BIG-IQ system.

Solution 3: Specify a new BIG-IQ master key passphrase

If this BIG-IQ is part of an HA pair, you must first make this BIG-IQ standalone. To do this, click BIG-IQ HA on the left, and click the Remove Standby button.
When you don't know the BIG-IQ system's master key passphrase, you can perform the following task to restore both the BIG-IQ and DCD system configurations to their factory defaults and begin a new first-time setup procedure on each system. Once these setup procedures are completed, you can attempt the discovery operation again.
If you follow this procedure, running clear-rest-storage will remove all data on the BIG-IQ system, and the data is not recoverable.
  1. Using a program such as PuTTY, open a console window on the BIG-IQ system.
  2. Log in to the system.
  3. At the system prompt, reset the BIG-IQ system configuration to the default by typing this command:
    clear-rest-storage -d -l
  4. If you see the message "Member of an HA pair. Use ha_reset before trying to clear storage", type this command:
    ha_reset local discovery address
    You can ignore the message "Error: error doing query..."
  5. Log in to the BIG-IQ system user interface and follow the first-time setup procedure.
    During the master key step of the procedure, choose a new master key passphrase, and store the passphrase in a safe place.
  6. Using a program such as PuTTY, open a console window on the DCD system.
  7. Log in to the system.
  8. At the system prompt, reset the DCD system configuration to the default by typing this command:
    clear-rest-storage -d -l
  9. Log in to the DCD system user interface and follow the first-time setup procedure.
    During the master key step of the first-time setup procedure, ensure that you type the BIG-IQ system master key passphrase.
  10. From the user interface of the BIG-IQ system, rediscover the DCD system.
  11. At the system prompt, reset the BIG-IQ secondary system configuration to the default by typing this command:
    clear-rest-storage -d -l
  12. Log in to the BIG-IQ secondary system user interface and follow the first-time setup procedure.
    During the master key step of the first-time setup procedure, ensure that you type the same BIG-IQ system master key passphrase as the first BIG-IQ system.
If you are running this BIG-IQ in an HA configuration, re-add the standby BIG-IQ system.