Manual Chapter : System behavior for master-key sync

Applies To:

BIG-IP LTM

  • 17.1.1, 17.1.0, 17.0.0, 16.1.4, 16.1.3, 16.1.2, 16.1.1, 16.1.0, 16.0.1, 16.0.0, 15.1.8, 15.1.7, 15.1.6, 15.1.5, 15.1.4, 15.1.3, 15.1.2, 15.1.1, 15.1.0, 15.0.1, 15.0.0, 14.1.5, 14.1.4, 14.1.3, 14.1.2, 14.1.0, 14.0.1, 14.0.0, 13.1.5, 13.1.4, 13.1.3, 13.1.1, 13.1.0

BIG-IP DNS

  • 17.1.1, 17.1.0, 17.0.0, 16.1.4, 16.1.3, 16.1.2, 16.1.1, 16.1.0, 16.0.1, 16.0.0, 15.1.8, 15.1.7, 15.1.6, 15.1.5, 15.1.4, 15.1.3, 15.1.2, 15.1.1, 15.1.0, 15.0.1, 15.0.0, 14.1.5, 14.1.4, 14.1.3, 14.1.2, 14.1.0, 14.0.1, 14.0.0, 13.1.5, 13.1.4, 13.1.3, 13.1.1, 13.1.0
System behavior for master-key sync

When your BIG-IP devices are configured in a Device Service Clustering (DSC) device group, all devices in the device group must have the same master key. To ensure this, DSC behaves in these ways:
  • When a new device joins a device group, the device that syncs its configuration to the new device also syncs a copy of its master key to the new device.
  • Whenever you modify the master key on a device group member, the BIG-IP system syncs the updated key to all other members of the device group. The updated key overwrites the master key that's currently on each device. To verify that the master key synced properly (either automatically or manually) to each device in the device group, you can open a console window on each device and, at the system prompt, use the command f5mku -K to view the encrypted master key and compare it to the master key on the other devices.
  • Encrypted passwords and passphrases for BIG-IP configuration objects specified in the file /config/bigip.conf might appear differently when comparing the configuration files from different devices in the device group. This is because each device's instance of the mcpd process uses a different salt, or random data, to encrypt and decrypt passwords and passphrases. This does not affect configuration synchronization (config sync) in any way.
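
The comparison step described above can be scripted so that the f5mku -K output from each device is compared by SHA-256 fingerprint instead of by eye. This is an added example, not F5 code; it assumes the operator has already collected each device's output into "hostname key" lines, and the hostnames and key strings below are constructed placeholders.

```shell
#!/bin/sh
# Compare master-key fingerprints across device-group members.
# stdin: one line per device, "<hostname> <f5mku -K output>", collected by the operator.
# Exit status: 0 = all match, 1 = at least one mismatch, 2 = unusable input.

key_fingerprint() {
    # Hash the key text so the key itself never appears in reports or tickets.
    printf '%s' "$1" | sha256sum | cut -c1-16
}

check_master_key_sync() {
    ref_fp="" ref_host="" count=0 mismatches=0
    while read -r host key || [ -n "$host" ]; do
        case "$host" in ''|'#'*) continue ;; esac   # skip blanks and comments
        if [ -z "$key" ]; then
            echo "ERROR    $host: no key collected" >&2
            return 2
        fi
        fp=$(key_fingerprint "$key")
        count=$((count + 1))
        if [ -z "$ref_fp" ]; then
            ref_fp=$fp ref_host=$host               # first device is the reference
            echo "OK       $host $fp (reference)"
        elif [ "$fp" = "$ref_fp" ]; then
            echo "OK       $host $fp"
        else
            mismatches=$((mismatches + 1))
            echo "MISMATCH $host $fp (differs from $ref_host)"
        fi
    done
    if [ "$count" -lt 2 ]; then
        echo "ERROR    need at least two devices to compare" >&2
        return 2
    fi
    [ "$mismatches" -eq 0 ]
}

# Constructed sample: hostnames and key strings are placeholders, not real keys.
sample_inventory() {
    printf '%s\n' \
        'bigip-a.example.net CONSTRUCTED-KEY-ONE==' \
        'bigip-b.example.net CONSTRUCTED-KEY-ONE==' \
        'bigip-c.example.net CONSTRUCTED-KEY-TWO=='
}

sample_inventory | check_master_key_sync || echo "device group master keys differ"
```

Compare the key output only: as the last bullet explains, encrypted values in /config/bigip.conf differ between devices even when the master keys match, so a diff of that file is not a sync check.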