Manual Chapter: Working with master keys

Applies To:
BIG-IP LTM
- 17.1.2, 17.1.1, 17.1.0, 17.0.0, 16.1.5, 16.1.4, 16.1.3, 16.1.2, 16.1.1, 16.1.0, 16.0.1, 16.0.0, 15.1.8, 15.1.7, 15.1.6, 15.1.5, 15.1.4, 15.1.3, 15.1.2, 15.1.1, 15.1.0, 15.0.1, 15.0.0, 14.1.5, 14.1.4, 14.1.3, 14.1.2, 14.1.0, 14.0.1, 14.0.0, 13.1.5, 13.1.4, 13.1.3, 13.1.1, 13.1.0
BIG-IP DNS
- 17.1.2, 17.1.1, 17.1.0, 17.0.0, 16.1.5, 16.1.4, 16.1.3, 16.1.2, 16.1.1, 16.1.0, 16.0.1, 16.0.0, 15.1.8, 15.1.7, 15.1.6, 15.1.5, 15.1.4, 15.1.3, 15.1.2, 15.1.1, 15.1.0, 15.0.1, 15.0.0, 14.1.5, 14.1.4, 14.1.3, 14.1.2, 14.1.0, 14.0.1, 14.0.0, 13.1.5, 13.1.4, 13.1.3, 13.1.1, 13.1.0
Resetting the master key using tmsh
You can reset the BIG-IP system's master key using tmsh, which prompts you for a new password or passphrase. Choose a strong password or passphrase. The BIG-IP system then stores the new password or passphrase in the directory /config/bigip/kstore.

If your system is provisioned for vCMP, reset the master key using the procedure in the section titled vCMP and BIG-IP VE considerations in this document.

- Using a program such as PuTTY, open a console window on the system.
- Log in to the system.
- At the BIG-IP system prompt, access the TMOS Shell by typing this command:
  tmsh
- As an option, you can view the BIG-IP system's current master key by typing this command:
  show sys crypto master-key
  The command output appears similar to the following:
  Sys::Master-Key master-key hash <peG9W+X/fittfJA65hlDGpiGbYOp+GlvnOmHE0puZEbKY107MVZpaBKwbOOO+8BItsk99BXUXNN/anDSTZnTbA==> previous hash <>
- Reset the BIG-IP system's master key by typing this command:
  modify sys crypto master-key prompt-for-password
  The command displays a prompt to enter a new unencrypted password:
  enter password:
- Type a new password. The system displays the prompt again:
  enter password:
- Type the new password again.
- Type this command to save the configuration:
  save sys config
- View the BIG-IP system's new master key by typing this command:
  show sys crypto master-key
  The system output appears similar to the following:
  Sys::Master-Key master-key hash <4X2mgPNwBG2EJv7Sm4QA9SyXTXehiaSgUzIYuG8+WhrgsOTRf8RlWyEUuXFaqfvxs5uib5UzXrLwxfAr/3KExg==> previous hash <peG9W+X/fittfJA65hlDGpiGbYOp+GlvnOmHE0puZEbKY107MVZpaBKwbOOO+8BItsk99BXUXNN/anDSTZnTbA==>
- If the BIG-IP system is in a Device Service Clustering (DSC) device group configuration, synchronize the configuration, which synchronizes the device's master key to all other devices, by using this tmsh command syntax:
  run cm config-sync to-group groupname
  For example, to synchronize the device group named example_dg, type this command:
  run cm config-sync to-group example_dg
After you complete this task, the master key is reset and becomes the master key for all devices in a DSC device group.
Guidelines for creating strong passwords or passphrases
The following list shows the recommended criteria that a strong password or passphrase should contain:
- 10 or more characters
- One or more capital letters
- One or more lowercase letters
- One or more numbers
- One or more special, non-null characters
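The following added example (not part of the F5 manual) supports two steps of the procedure above: it checks a candidate passphrase against the guideline list before the reset, and it parses the two show sys crypto master-key outputs to confirm the rotation took effect (new hash differs, old hash moved to "previous hash"). The two output lines are copied from the manual's sample output and stand in for output captured from a real device.

```python
import re
import string

# Sample output copied from the manual, standing in for output captured
# from a device before and after the reset (constructed test input).
BEFORE = ("Sys::Master-Key master-key hash <peG9W+X/fittfJA65hlDGpiGbYOp+GlvnOmHE0puZEbKY107"
          "MVZpaBKwbOOO+8BItsk99BXUXNN/anDSTZnTbA==> previous hash <>")
AFTER = ("Sys::Master-Key master-key hash <4X2mgPNwBG2EJv7Sm4QA9SyXTXehiaSgUzIYuG8+WhrgsOTRf8Rl"
         "WyEUuXFaqfvxs5uib5UzXrLwxfAr/3KExg==> previous hash <peG9W+X/fittfJA65hlDGpiGbYOp+Glv"
         "nOmHE0puZEbKY107MVZpaBKwbOOO+8BItsk99BXUXNN/anDSTZnTbA==>")

SPECIAL = set(string.punctuation)


def passphrase_violations(passphrase: str) -> list[str]:
    """Return the guideline criteria the passphrase fails (empty list = acceptable)."""
    problems = []
    if len(passphrase) < 10:
        problems.append("fewer than 10 characters")
    if not any(c.isupper() for c in passphrase):
        problems.append("no capital letter")
    if not any(c.islower() for c in passphrase):
        problems.append("no lowercase letter")
    if not any(c.isdigit() for c in passphrase):
        problems.append("no number")
    if not any(c in SPECIAL for c in passphrase):
        problems.append("no special character")
    if "\0" in passphrase:
        problems.append("contains a null character")
    return problems


# Matches the two angle-bracketed fields of 'show sys crypto master-key' output.
HASH_RE = re.compile(r"master-key hash <([^>]*)> previous hash <([^>]*)>")


def parse_master_key(output: str) -> tuple[str, str]:
    """Return (current hash, previous hash); the previous hash is '' when unset."""
    match = HASH_RE.search(output)
    if match is None:
        raise ValueError("unrecognised 'show sys crypto master-key' output")
    return match.group(1), match.group(2)


def rotation_succeeded(before: str, after: str) -> bool:
    """True when the key changed and the old hash is now reported as 'previous hash'."""
    old_hash, _ = parse_master_key(before)
    new_hash, previous_hash = parse_master_key(after)
    return new_hash != "" and new_hash != old_hash and previous_hash == old_hash
```

In a DSC device group, run the same comparison on each peer after the config-sync to confirm every device reports the same new hash.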