F5 Logo MyF5
Search
  1. MyF5 Home
  2. F5 Secure Vault: Administration
  3. vCMP and BIG-IP VE platform considerations
Manual Chapter : vCMP and BIG-IP VE platform considerations

Applies To:

Show Versions Show Versions

BIG-IP LTM

  • 17.1.1, 17.1.0, 17.0.0, 16.1.5, 16.1.4, 16.1.3, 16.1.2, 16.1.1, 16.1.0, 16.0.1, 16.0.0, 15.1.8, 15.1.7, 15.1.6, 15.1.5, 15.1.4, 15.1.3, 15.1.2, 15.1.1, 15.1.0, 15.0.1, 15.0.0, 14.1.5, 14.1.4, 14.1.3, 14.1.2, 14.1.0, 14.0.1, 14.0.0, 13.1.5, 13.1.4, 13.1.3, 13.1.1, 13.1.0

BIG-IP DNS

  • 17.1.1, 17.1.0, 17.0.0, 16.1.5, 16.1.4, 16.1.3, 16.1.2, 16.1.1, 16.1.0, 16.0.1, 16.0.0, 15.1.8, 15.1.7, 15.1.6, 15.1.5, 15.1.4, 15.1.3, 15.1.2, 15.1.1, 15.1.0, 15.0.1, 15.0.0, 14.1.5, 14.1.4, 14.1.3, 14.1.2, 14.1.0, 14.0.1, 14.0.0, 13.1.5, 13.1.4, 13.1.3, 13.1.1, 13.1.0
Manual Chapter

vCMP and BIG-IP VE platform considerations

vCMP master key administration

Key storage location for vCMP hosts and guests

The master key and unit key for a vCMP host are stored in these locations:
Host unit key
On systems that support electrically erasable programmable read-only memory (EEPROM).
Host master key
On the vCMP host in the master file in the directory
/config/bigip/kstore
, encrypted using the host's unit key.
The master key and unit key for each vCMP guest are stored in these locations:
Guest unit key
In the host's configuration. Encrypted using the host's master key.
Guest master key
On each vCMP guest in the master file in the directory
/config/bigip/kstore

Resetting the vCMP host's master key

Before performing this task, be aware that this task requires you to reboot the vCMP host and its guests.
Whenever you reset the master key on a vCMP host for any reason, you must reboot the system immediately afterwards and then reset the master key of each guest. Otherwise, the host loses each guest's unit key and causes an issue with each guest's master key. This causes the state of each guest to switch to
INOPERATIVE
 and causes the BIG-IP system to log messages such as the following to the file
/var/log/ltm
:
01071038:5: Loading keys from the file.
012a0004:4: halStorageRead: unable to read storage on this platform.
01071029:5: Cannot open unit key store
To reset the master key on both the vCMP host and each guest, use this procedure.
  1. Using a program such as PuTTY, open a console window on the vCMP host.
  2. Log into the system.
  3. Optional
    : This step is only useful to ensure that the master key has changed. At the system prompt, display the host's current, encrypted master key by typing the command
    f5mku -K
    .
    Here is sample output from the
    f5mku -K
     command: 
    8/igZhCdlag5Z4rbuOpFtg==
  4. Reset the master key by typing this command, specifying a new password in the process:
    tmsh modify /sys crypto master-key prompt-for-password
  5. After the password is changed, reboot the vCMP host and its guests by typing the command
    tmsh rebooot
  6. After the reboot of the host and guests is finished, log in to each guest and reset the guest's master key by typing this command, specifying a new unencrypted password in the process:
    tmsh modify /sys crypto master-key prompt-for-password
  7. Re-deploy each guest.
After performing this task, the vCMP host and all guests should be deployed, with a modified master key on the host and on each guest.

Resetting a vCMP guest's master key

F5 recommends that for any new BIG-IP system, you reset the master key as part of the initial system setup. You can perform the following task to reset the master key on a vCMP guest.
  1. Using a program such as PuTTY, open a console window on the vCMP guest.
  2. Log into the guest.
  3. At the system prompt, reset the guest's master key by typing this command, specifying a new password in the process:
    tmsh modify /sys crypto master-key prompt-for-password

Troubleshooting an INOPERATIVE guest

After you upgrade the vCMP host to another BIG-IP software version, a vCMP guest sometimes remains in an INOPERATIVE state. If you then open a console window on the guest, you might see the following messages logged to the log file
/var/log/ltm
:

01071038:5: Loading keys from the file.
012a0004:4: halStorageRead: unable to read storage on this platform.
01071029:5: Cannot open unit key store
To change the state of the guest to DEPLOYED, use the following procedure.
  1. On the vCMP host, activate the boot partition that was active prior to the BIG-IP software upgrade.
    For example, if the previously-active boot partition was HD1.1, you can run this command:
    switchboot HD1.1
    .
  2. Display the master key for the host by opening a console window on the host, and at the system prompt, typing the command
    f5mku -K
    .
    Here is sample output from the
    f5mku -K
     command: 
    
8/igZhCdlag5Z4rbuOpFtg==
  3. Activate the boot partition that contains the upgraded version of the BIG-IP software.
    For example, if the boot partition for the upgraded BIG-IP version is HD1.2, you can run this command again:
    switchboot HD1.2
    .
  4. Verify that the master key on the upgraded version is the same as the master key on the previous version (viewed in Step 2) by typing the command
    f5mku -K
     again.
  5. If the master key is not the same on both software versions, then update the master key on the upgraded version (in the newly-active partition):typing this command:
    f5mku -r
    master key
    • If you know the unencrypted password or passphrase, type this command:
      tmsh modify /sys master-key prompt-for-password
      . This is the recommended way to reset the master key.
    • If you only know the encrypted password or passphrase, type this command:
      f5mku -r
      master key
      . Use this command with caution. Using the
      -r
       option when the file
      /config/bigip.conf
       contains encrypted passwords or passphrases will cause a BIG-IP load operation to fail.
    For example:
    f5mku -r 8/igZhCdlag5Z4rbuOpFtg==
  6. At the system prompt, comment out the sym-unit-key of every guest by typing this command:
    sed -i.bak 's/sym-unit-key/#sym-unit-key/g' /config/bigip.conf
    This command edits the file /config/bigip.conf.
    A backup of this file is automatically created: /config/bigip.conf.bak
  7. At the system prompt on the host, load the host configuration by typing this command:
    tmsh load sys config
  8. Reboot the host by typing the command
    tmsh reboot
    Without a reboot, the changes will not take effect.
After the host has finished rebooting, all guests should boot normally.

About unit key storage on BIG-IP Virtual Edition systems

Normally, unit keys are stored in EEPROM on an F5 platform. However, a BIG-IP Virtual Edition (VE) system does not have EEPROM, so a unit key must be stored elsewhere.
The storage location for unit keys on BIG-IP VE systems is in the hidden file named
.unitkey
 in the directory
/config/bigip/kstore
.
Contact Support Contact Support

Have a Question?

Support and Sales >

About F5

Education

F5 Sites

Support Tasks




©2023 F5, Inc. All rights reserved.


Trademarks Policies Privacy California Privacy Do Not Sell My Personal Information