Manual Chapter : Resetting the vCMP host's master key

Applies To:

Show Versions Show Versions

BIG-IP LTM

  • 17.0.0, 16.1.3, 16.1.2, 16.1.1, 16.1.0, 16.0.1, 16.0.0, 15.1.7, 15.1.6, 15.1.5, 15.1.4, 15.1.3, 15.1.2, 15.1.1, 15.1.0, 15.0.1, 15.0.0, 14.1.5, 14.1.4, 14.1.3, 14.1.2, 14.1.0, 14.0.1, 14.0.0, 13.1.5, 13.1.4, 13.1.3, 13.1.1, 13.1.0

BIG-IP DNS

  • 17.0.0, 16.1.3, 16.1.2, 16.1.1, 16.1.0, 16.0.1, 16.0.0, 15.1.7, 15.1.6, 15.1.5, 15.1.4, 15.1.3, 15.1.2, 15.1.1, 15.1.0, 15.0.1, 15.0.0, 14.1.5, 14.1.4, 14.1.3, 14.1.2, 14.1.0, 14.0.1, 14.0.0, 13.1.5, 13.1.4, 13.1.3, 13.1.1, 13.1.0
Manual Chapter

Resetting the vCMP host's master key

Before performing this task, be aware that this task requires you to reboot the vCMP host and its guests.
Whenever you reset the master key on a vCMP host for any reason, you must reboot the system immediately afterwards and then reset the master key of each guest. Otherwise, the host loses each guest's unit key and causes an issue with each guest's master key. This causes the state of each guest to switch to
INOPERATIVE
and causes the BIG-IP system to log messages such as the following to the file
/var/log/ltm
:
01071038:5: Loading keys from the file. 012a0004:4: halStorageRead: unable to read storage on this platform. 01071029:5: Cannot open unit key store
To reset the master key on both the vCMP host and each guest, use this procedure.
  1. Using a program such as PuTTY, open a console window on the vCMP host.
  2. Log into the system.
  3. Optional
    : This step is only useful to ensure that the master key has changed. At the system prompt, display the host's current, encrypted master key by typing the command
    f5mku -K
    .
    Here is sample output from the
    f5mku -K
    command:
    8/igZhCdlag5Z4rbuOpFtg==
  4. Reset the master key by typing this command, specifying a new password in the process:
    tmsh modify /sys crypto master-key prompt-for-password
  5. After the password is changed, reboot the vCMP host and its guests by typing the command
    tmsh rebooot
  6. After the reboot of the host and guests is finished, log in to each guest and reset the guest's master key by typing this command, specifying a new unencrypted password in the process:
    tmsh modify /sys crypto master-key prompt-for-password
  7. Re-deploy each guest.
After performing this task, the vCMP host and all guests should be deployed, with a modified master key on the host and on each guest.