Manual Chapter: Managing Device Trust
Applies To:
BIG-IP AAM
- 15.1.9, 15.1.8, 15.1.7, 15.1.6, 15.1.5, 15.1.4, 15.1.3, 15.1.2, 15.1.1, 15.1.0, 15.0.1, 15.0.0, 14.1.5, 14.1.4, 14.1.3, 14.1.2, 14.1.0
BIG-IP APM
- 17.1.0, 17.0.0, 16.1.5, 16.1.4, 16.1.3, 16.1.2, 16.1.1, 16.1.0, 16.0.1, 16.0.0, 15.1.9, 15.1.8, 15.1.7, 15.1.6, 15.1.5, 15.1.4, 15.1.3, 15.1.2, 15.1.1, 15.1.0, 15.0.1, 15.0.0, 14.1.5, 14.1.4, 14.1.3, 14.1.2, 14.1.0
BIG-IP Analytics
- 17.1.0, 17.0.0, 16.1.5, 16.1.4, 16.1.3, 16.1.2, 16.1.1, 16.1.0, 16.0.1, 16.0.0, 15.1.9, 15.1.8, 15.1.7, 15.1.6, 15.1.5, 15.1.4, 15.1.3, 15.1.2, 15.1.1, 15.1.0, 15.0.1, 15.0.0, 14.1.5, 14.1.4, 14.1.3, 14.1.2, 14.1.0
BIG-IP Link Controller
- 17.1.0, 17.0.0, 16.1.5, 16.1.4, 16.1.3, 16.1.2, 16.1.1, 16.1.0, 16.0.1, 16.0.0, 15.1.9, 15.1.8, 15.1.7, 15.1.6, 15.1.5, 15.1.4, 15.1.3, 15.1.2, 15.1.1, 15.1.0, 15.0.1, 15.0.0, 14.1.5, 14.1.4, 14.1.3, 14.1.2, 14.1.0
BIG-IP LTM
- 17.1.0, 17.0.0, 16.1.5, 16.1.4, 16.1.3, 16.1.2, 16.1.1, 16.1.0, 16.0.1, 16.0.0, 15.1.9, 15.1.8, 15.1.7, 15.1.6, 15.1.5, 15.1.4, 15.1.3, 15.1.2, 15.1.1, 15.1.0, 15.0.1, 15.0.0, 14.1.5, 14.1.4, 14.1.3, 14.1.2, 14.1.0
BIG-IP PEM
- 17.1.0, 17.0.0, 16.1.5, 16.1.4, 16.1.3, 16.1.2, 16.1.1, 16.1.0, 16.0.1, 16.0.0, 15.1.9, 15.1.8, 15.1.7, 15.1.6, 15.1.5, 15.1.4, 15.1.3, 15.1.2, 15.1.1, 15.1.0, 15.0.1, 15.0.0, 14.1.5, 14.1.4, 14.1.3, 14.1.2, 14.1.0
BIG-IP AFM
- 17.1.0, 17.0.0, 16.1.5, 16.1.4, 16.1.3, 16.1.2, 16.1.1, 16.1.0, 16.0.1, 16.0.0, 15.1.9, 15.1.8, 15.1.7, 15.1.6, 15.1.5, 15.1.4, 15.1.3, 15.1.2, 15.1.1, 15.1.0, 15.0.1, 15.0.0, 14.1.5, 14.1.4, 14.1.3, 14.1.2, 14.1.0
BIG-IP DNS
- 17.1.0, 17.0.0, 16.1.5, 16.1.4, 16.1.3, 16.1.2, 16.1.1, 16.1.0, 16.0.1, 16.0.0, 15.1.9, 15.1.8, 15.1.7, 15.1.6, 15.1.5, 15.1.4, 15.1.3, 15.1.2, 15.1.1, 15.1.0, 15.0.1, 15.0.0, 14.1.5, 14.1.4, 14.1.3, 14.1.2, 14.1.0
BIG-IP ASM
- 17.1.0, 17.0.0, 16.1.5, 16.1.4, 16.1.3, 16.1.2, 16.1.1, 16.1.0, 16.0.1, 16.0.0, 15.1.9, 15.1.8, 15.1.7, 15.1.6, 15.1.5, 15.1.4, 15.1.3, 15.1.2, 15.1.1, 15.1.0, 15.0.1, 15.0.0, 14.1.5, 14.1.4, 14.1.3, 14.1.2, 14.1.0
Managing Device Trust
What is device trust?
Before any BIG-IP® devices on a local network can be members of a Sync-Failover device group to synchronize configuration data or fail over to one another, they must establish a trust relationship known as device trust. Device trust between any two BIG-IP devices on the network is based on mutual authentication through the signing and exchange of x509 certificates.
Devices on a local network that trust one another constitute a trust domain: a collection of BIG-IP devices that trust one another. The trust domain is represented by a system-generated device group named device_trust_group, which the system uses internally to synchronize trust domain information across all devices. You cannot delete this special device group from the system.
You can add devices to a local trust domain from a single device on the network. You can also view the identities of all devices in the local trust domain from a single device in the domain. However, to maintain or change the authority of each trust domain member, you must log in locally to each device.
Types of trust authority
Within a local trust domain, in order to establish device trust, you designate each BIG-IP® device as either a peer authority or a subordinate non-authority.
About certificate signing authorities
A certificate signing authority can sign x509 certificates for another BIG-IP device that is in the local trust domain. For each authority device, you specify another device as a peer authority device that can also sign certificates. In a standard redundant system configuration of two BIG-IP devices, both devices are typically certificate signing authority devices. For security reasons, F5 Networks recommends you limit the number of authority devices in a local trust domain to as few as possible: every authority device holds a key that can sign certificates for new members, so each one is a target whose compromise affects the whole trust domain.
About peer authorities
A peer authority is another device in the local trust domain that can sign certificates if the certificate signing authority is not available. In a standard redundant system configuration of two BIG-IP devices, each device is typically a peer authority for the other.
About subordinate non-authorities
A subordinate non-authority device is a device whose certificate is signed by a certificate signing authority device. A subordinate device cannot sign a certificate for another device. Subordinate devices provide an additional level of security: if a subordinate device is compromised, it cannot be used to sign certificates for other devices, so the compromise does not extend to the rest of the trust domain. Designating devices as subordinate devices is recommended for device groups with a large number of member devices, where the risk of compromise is high.
Device identity
The devices in a BIG-IP® device group use x509 certificates for mutual authentication. Each device in a device group has an x509 certificate installed on it that the device uses to authenticate itself to the other devices in the group. Device identity is a set of information that uniquely identifies that device in the device group, for the purpose of authentication. Device identity consists of the x509 certificate, plus this information:
- Device name
- Host name
- Platform serial number
- Platform MAC address
- Certificate name
- Subjects
- Expiration
- Certificate serial number
- Signature status
From the Device Trust: Identity screen in the BIG-IP Configuration utility, you can view the x509 certificate installed on the local device.
Device discovery in a local trust domain
When a BIG-IP® device joins the local trust domain and establishes a trust relationship with peer devices, the device and its peers exchange their device properties and device connectivity information. This exchange of device properties and IP addresses is known as device discovery. For example, if a device joins a trust domain that already contains three trust domain members, the device exchanges device properties with the three other domain members. The device then has a total of four sets of device properties defined on it: its own device properties, plus the device properties of each peer. In this exchange, the device also learns the relevant device connectivity information for each of the other devices.
Establishing device trust
Before you begin this task, verify that:
- Each BIG-IP device that is to be part of the local trust domain has a device certificate installed on it.
- The local device is designated as a certificate signing authority.
You perform this task to establish trust among devices on one or more network segments. Devices that trust each other constitute the local trust domain. A device must be a member of the local trust domain prior to joining a device group.
By default, the BIG-IP software includes a local trust domain with one member, which is the local device. You can choose any one of the BIG-IP devices slated for a device group and log into that device to add other devices to the local trust domain. For example, devices Bigip_1, Bigip_2, and Bigip_3 each initially show only themselves as members of their own local trust domain. To configure the local trust domain to include all three devices, you can simply log into device Bigip_1 and add devices Bigip_2 and Bigip_3 to the local trust domain; there is no need to repeat this process on devices Bigip_2 and Bigip_3.
- On the Main tab, click.
- Click Add.
- From the Device Type list, select Peer or Subordinate.
- Type a device IP address, administrator user name, and administrator password for the remote BIG-IP device with which you want to establish trust. The IP address you specify depends on the type of BIG-IP device:
- If the BIG-IP device is an appliance, type a management IP address (IPv4 or IPv6) for the device.
- If the BIG-IP device is a VIPRION device that is not licensed and provisioned for vCMP, type a primary cluster management IP address (IPv4 or IPv6) for the cluster.
- If the BIG-IP device is a VIPRION device that is licensed and provisioned for vCMP, type a cluster management IP address (IPv4 or IPv6) for the guest.
- If the BIG-IP device is an Amazon Web Services EC2 device, type one of the Private IP addresses created for this EC2 instance.
- Click Retrieve Device Information.
- Verify that the certificate of the remote device is correct, and then click Device Certificate Matches. Compare the retrieved certificate details (for example, the certificate serial number and expiration) with what the remote device shows on its own Device Trust: Identity screen, rather than relying on the retrieved copy alone; this comparison is what keeps a device at the wrong address, or an attacker on the path, from being admitted to the trust domain.
- In the Name field, verify that the name of the remote device is correct.
- Click Add Device.
After you perform this task, the local device and the remote device are members of the same local trust domain. Also, the BIG-IP system automatically creates a special Sync-Only device group (device_trust_group) for the purpose of synchronizing trust information among the devices in the local trust domain, on an ongoing basis.
Repeat this task to specify each device that you want to add to the local trust domain.
Adding a device to the local trust domain
Verify that each BIG-IP device that is to be part of a local trust domain has a device
certificate installed on it.
Follow these steps to log in to any BIG-IP device
on the network and add one or more devices to the local system's local trust domain.
Any BIG-IP devices that you intend to add to a device group at
a later point must be members of the same local trust domain.
- On the Main tab, click.
- Click Add.
- From the Device Type list, select Peer or Subordinate.
- Type a device IP address, administrator user name, and administrator password for the remote BIG-IP device with which you want to establish trust. The IP address you specify depends on the type of BIG-IP device:
- If the BIG-IP device is an appliance, type a management IP address (IPv4 or IPv6) for the device.
- If the BIG-IP device is a VIPRION device that is not licensed and provisioned for vCMP, type a primary cluster management IP address (IPv4 or IPv6) for the cluster.
- If the BIG-IP device is a VIPRION device that is licensed and provisioned for vCMP, type a cluster management IP address (IPv4 or IPv6) for the guest.
- If the BIG-IP device is an Amazon Web Services EC2 device, type one of the Private IP addresses created for this EC2 instance.
- Verify that the certificate of the remote device is correct, and then click Device Certificate Matches.
- In the Name field, verify that the name of the remote device is correct.
- Click Add Device.
After you perform this task, the local device and the device that you specified in this
procedure have a trust relationship and, therefore, are qualified to join a device
group.
Troubleshooting tips for establishing trust
This table lists possible problems that might occur when you are attempting to add a
BIG-IP device to a local trust domain. Each problem shows a recommended
action.
| Problem | Recommended action |
|---|---|
| Another device with the same name already exists in the trust domain. | Change the name of the device that you are adding to the trust domain. |
| The version of BIG-IP software on the device does not match the version of the devices in the trust domain. | Make sure that the BIG-IP version on the device you are adding exactly matches the version on the devices in the trust domain, including the hotfix version (if any). |
| The exact time reported on the device you are adding is out of sync with the time on the other devices in the trust domain. | Make sure that you have a Network Time Protocol (NTP) server configured for the device. |
| There is no config sync address configured on the device. | On the device you are adding, configure a config sync IP address. We recommend that you specify the self IP address associated with the device's internal VLAN. |
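The checks in this table, together with the Add Device steps under Establishing device trust, as an added shell example. This is not F5 code or output: it runs the four pre-flight checks over two constructed device property dumps (modelled only loosely on what `tmsh list cm device` prints; the time values are passed in separately because that listing carries no clock), and then builds the tmsh command that corresponds to the Add Device screen, using `cm trust-domain Root` with `ca-devices` for a peer authority and `non-ca-devices` for a subordinate. That tmsh syntax is as I know it; confirm it with `tmsh help cm trust-domain` on your version. The host names, addresses, epoch values and the 5-second clock tolerance are assumptions.

```shell
#!/bin/sh
# Added example, not F5 code: pre-flight checks for adding a device to the local
# trust domain (the four problems from the troubleshooting table), then the tmsh
# command that corresponds to the Add Device screen.
# Device dumps, names, addresses, epoch values and the 5 s clock tolerance are
# constructed assumptions; the dump format only loosely follows `tmsh list cm device`.

# prop DUMP NAME: value of property NAME in a "name value" per-line device dump.
prop() {
  printf '%s\n' "$1" | awk -v k="$2" '$1 == k { print $2; exit }'
}

# preflight LOCAL_DUMP REMOTE_DUMP LOCAL_EPOCH REMOTE_EPOCH MEMBERS
# MEMBERS is a space-separated list of host names already in the local trust domain
# (gather each device's dump and its `date +%s` out of band, e.g. over ssh).
# Prints one line per problem found and returns non-zero if there were any.
preflight() {
  ldump=$1; rdump=$2; lepoch=$3; repoch=$4; members=$5
  problems=0
  rname=$(prop "$rdump" hostname)

  # 1. Another device with the same name already exists in the trust domain.
  for m in $members; do
    if [ "$m" = "$rname" ]; then
      echo "name clash: $rname is already a member of the trust domain"
      problems=$((problems + 1))
    fi
  done

  # 2. The software version must match exactly, including the build (hotfix) number.
  if [ "$(prop "$ldump" version)" != "$(prop "$rdump" version)" ] ||
     [ "$(prop "$ldump" build)" != "$(prop "$rdump" build)" ]; then
    echo "version mismatch: local $(prop "$ldump" version)/$(prop "$ldump" build)," \
         "remote $(prop "$rdump" version)/$(prop "$rdump" build)"
    problems=$((problems + 1))
  fi

  # 3. Clocks must agree: x509 certificates carry validity dates, so large skew can
  #    make a freshly signed certificate look not yet valid on the other device.
  skew=$((lepoch - repoch))
  if [ "$skew" -lt 0 ]; then skew=$((0 - skew)); fi
  if [ "$skew" -gt 5 ]; then
    echo "clock skew of ${skew}s: configure NTP on the device being added"
    problems=$((problems + 1))
  fi

  # 4. The remote device needs a config sync address (shown as "none" when unset).
  csip=$(prop "$rdump" configsync-ip)
  if [ -z "$csip" ] || [ "$csip" = none ]; then
    echo "no config sync IP on $rname: set one (normally the internal-VLAN self IP)"
    problems=$((problems + 1))
  fi

  [ "$problems" -eq 0 ]
}

# trust_add_cmd TYPE IP NAME USER PASSWORD: tmsh command matching the Add Device screen.
# TYPE is peer (certificate signing authority) or subordinate (non-authority).
trust_add_cmd() {
  case $1 in
    peer)        list=ca-devices ;;
    subordinate) list=non-ca-devices ;;
    *) echo "unknown device type: $1 (use peer or subordinate)" >&2; return 2 ;;
  esac
  printf 'tmsh modify cm trust-domain Root %s add { %s } name %s username %s password %s\n' \
    "$list" "$2" "$3" "$4" "$5"
}

# Constructed sample dumps (not captured from real devices).
LOCAL_DEV='cm device bigip1.example.com {
    build 0.0.7
    configsync-ip 10.1.10.11
    hostname bigip1.example.com
    management-ip 192.0.2.11
    self-device true
    version 15.1.9
}'
REMOTE_OK='cm device bigip2.example.com {
    build 0.0.7
    configsync-ip 10.1.10.12
    hostname bigip2.example.com
    management-ip 192.0.2.12
    version 15.1.9
}'
REMOTE_BAD='cm device bigip1.example.com {
    build 0.0.4
    configsync-ip none
    hostname bigip1.example.com
    management-ip 192.0.2.13
    version 15.1.8
}'

if [ "${1:-}" = demo ]; then
  if preflight "$LOCAL_DEV" "$REMOTE_OK" 1700000000 1700000002 "bigip1.example.com"; then
    trust_add_cmd peer 192.0.2.12 bigip2.example.com admin 'REPLACE_ME'
  fi
  preflight "$LOCAL_DEV" "$REMOTE_BAD" 1700000000 1700000120 "bigip1.example.com" || true
fi
```

Run it as `sh preflight.sh demo`: the good dump passes and the tmsh command is printed; the bad dump trips all four checks. The password is part of the tmsh command line, so it lands in shell history; prefer typing the command at an interactive tmsh prompt and rotating the credential afterwards.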
Managing trust authority for a device
You can use a Reset Device Trust wizard in the BIG-IP
Configuration utility to manage the certificate authority of a BIG-IP device in a
local trust domain. Specifically, you can:
- Retain the current authority (for certificate signing authorities only).
- Regenerate the self-signed certificate for a device.
- Import a user-defined certificate authority. In this case, a typical scenario is to generate another signing certificate and key through another certificate authority (such as OpenSSL) and then import the certificate to the BIG-IP system. The BIG-IP system then uses the certificate and key to sign the certificate signing request (CSR) that the BIG-IP generates. The resulting certificate is used to establish trust with other devices in the trust domain.
If you reset trust authority on a certificate signing authority by retaining the authority of the device, you must subsequently recreate the local trust domain and the device group. If you reset trust authority on a subordinate non-authority, the BIG-IP system removes the non-authority device from the local trust domain. You can then re-add the device as an authority or non-authority device.
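The "Import a user-defined certificate authority" option above, and the certificate-derived fields of a device identity described under Device identity, as an added OpenSSL shell example (not F5 code). It creates a signing certificate and key of the kind you would generate outside the BIG-IP system and then import, issues a device certificate from it, shows that a certificate issued by a subordinate (a leaf marked CA:FALSE) does not validate against the trust anchor, and prints the subject, serial number, expiration and SHA-256 fingerprint you would compare against the Device Trust: Identity screen. The file layout, names, lifetimes and the minimal OpenSSL configs are assumptions; it needs OpenSSL 1.1.1 or later.

```shell
#!/bin/sh
# Added example, not F5 code: a user-defined signing CA built with OpenSSL, a device
# certificate issued from it, and the certificate-derived part of a device identity.
# File layout, names, lifetimes and the minimal OpenSSL configs are assumptions;
# needs OpenSSL 1.1.1 or later.
set -eu

# req_cnf FILE CN [EXTENSIONS]: minimal config so `openssl req` needs no system openssl.cnf.
# EXTENSIONS, if given, become the x509 extensions of a self-signed certificate.
req_cnf() {
  printf '[req]\ndistinguished_name = dn\nprompt = no\n' > "$1"
  if [ -n "${3:-}" ]; then printf 'x509_extensions = ext\n' >> "$1"; fi
  printf '[dn]\nCN = %s\n' "$2" >> "$1"
  if [ -n "${3:-}" ]; then printf '[ext]\n%s\n' "$3" >> "$1"; fi
}

# make_ca DIR NAME: self-signed signing certificate and key, marked CA:TRUE with
# keyCertSign. This pair is what you would import via Reset Device Trust.
make_ca() {
  dir=$1; name=$2
  mkdir -p "$dir"
  req_cnf "$dir/$name.cnf" "$name" 'basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash'
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
    -config "$dir/$name.cnf" -keyout "$dir/$name.key" -out "$dir/$name.crt" 2>/dev/null
  chmod 600 "$dir/$name.key"   # whoever holds this key can admit devices: keep it private
}

# make_csr DIR NAME: a device key pair and CSR (stands in for the CSR a BIG-IP generates).
make_csr() {
  dir=$1; name=$2
  req_cnf "$dir/$name.cnf" "$name"
  openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$dir/$name.cnf" \
    -keyout "$dir/$name.key" -out "$dir/$name.csr" 2>/dev/null
}

# sign_csr DIR ISSUER SUBJECT: issue SUBJECT's certificate with ISSUER's key. The leaf
# is marked CA:FALSE, so a device holding it can authenticate but cannot vouch for others.
sign_csr() {
  dir=$1; issuer=$2; subject=$3
  printf 'basicConstraints = critical,CA:FALSE\nkeyUsage = critical,digitalSignature,keyEncipherment\n' \
    > "$dir/leaf.ext"
  openssl x509 -req -in "$dir/$subject.csr" -CA "$dir/$issuer.crt" -CAkey "$dir/$issuer.key" \
    -CAcreateserial -days 365 -sha256 -extfile "$dir/leaf.ext" -out "$dir/$subject.crt" 2>/dev/null
}

# verify_chain DIR ANCHOR CERT [INTERMEDIATE]: exit 0 if CERT chains to ANCHOR.
verify_chain() {
  dir=$1; anchor=$2; cert=$3; inter=${4:-}
  if [ -n "$inter" ]; then
    openssl verify -CAfile "$dir/$anchor.crt" -untrusted "$dir/$inter.crt" "$dir/$cert.crt" >/dev/null 2>&1
  else
    openssl verify -CAfile "$dir/$anchor.crt" "$dir/$cert.crt" >/dev/null 2>&1
  fi
}

# cert_identity DIR NAME: subject, serial number, expiration and SHA-256 fingerprint,
# the fields you compare with the Device Trust: Identity screen.
cert_identity() {
  openssl x509 -in "$1/$2.crt" -noout -subject -serial -enddate -fingerprint -sha256
}

# fingerprint DIR NAME: the fingerprint alone, for an out-of-band comparison between devices.
fingerprint() {
  cert_identity "$1" "$2" | awk -F= 'tolower($1) ~ /fingerprint/ { print $2 }'
}

# demo: the signing CA issues bigip1's certificate; bigip1 (a non-authority) then
# "issues" bigip2's, and that chain is rejected.
demo() {
  work=$(mktemp -d)
  make_ca  "$work" trust-ca
  make_csr "$work" bigip1.example.com
  sign_csr "$work" trust-ca bigip1.example.com
  verify_chain "$work" trust-ca bigip1.example.com && echo "bigip1: chains to trust-ca"
  make_csr "$work" bigip2.example.com
  sign_csr "$work" bigip1.example.com bigip2.example.com
  verify_chain "$work" trust-ca bigip2.example.com bigip1.example.com \
    || echo "bigip2: signed by a non-authority, rejected"
  cert_identity "$work" bigip1.example.com
  rm -rf "$work"
}
if [ "${1:-}" = demo ]; then demo; fi
```

Run it as `sh trust-ca.sh demo`. The rejection of bigip2 is the mechanical form of the rule that a subordinate cannot sign for another device: OpenSSL refuses to treat a certificate without CA:TRUE as an issuer. The same logic is why the number of authority devices should stay small, and why the signing key in trust-ca.key must never leave the devices (or the offline CA) that are meant to hold it.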
- On the Main tab, click.
- In the Trust Information area of the screen, click Reset Device Trust.
- Choose a certificate signing authority option, and then click Update. The system prompts you to confirm your choice.
When you confirm your choice, the system changes the Authority Type.
Viewing status for device trust
For any BIG-IP devices that have a trust relationship, the BIG-IP system automatically puts these devices into a special Sync-Only device group for device trust and syncs the trust information. (BIG-IP devices in this device group can also be members of other device groups that you create.) If any trust issue occurs between devices in the trust device group, this indicates that you need to re-establish trust between two or more devices. In this case, the BIG-IP system displays a config sync status of Changes Pending. You can use the BIG-IP Configuration utility to view the config sync status of this trust device group, which has a system-supplied device group name. A device in a trust domain that is not a member of a Sync-Failover device group normally shows a status in the BIG-IP Configuration utility of NOT WATCHED. If you add the device to a Sync-Failover device group, the status shows as either In Sync or Changes Pending.
- On the Main tab, click.
- In the Device Groups area of the screen, click the arrow next to the name of the relevant device group. The screen expands to show a summary and details of the sync status of the selected device group, as well as a list of the individual devices within the device group.