Manual Chapter : Working with master keys

Applies To:

Show Versions Show Versions

BIG-IP LTM

  • 16.0.0, 15.1.0, 15.0.1, 15.0.0, 14.1.2, 14.1.0, 14.0.1, 14.0.0, 13.1.3, 13.1.1, 13.1.0

BIG-IP DNS

  • 16.0.0, 15.1.0, 15.0.1, 15.0.0, 14.1.2, 14.1.0, 14.0.1, 14.0.0, 13.1.3, 13.1.1, 13.1.0
Manual Chapter

Working with master keys

Resetting the master key using tmsh

You can reset the BIG-IP system's master key using tmsh, which prompts you for a new password or passphrase. Choose a strong password or passphrase. The BIG-IP system then stores the new password or passphrase in the directory
/config/bigip/kstore
.
If your system is provisioned for vCMP, reset the master key using the procedure in the section titled
vCMP and BIG-IP VE considerations
in this document.
  1. Using a program such as PuTTY, open a console window on the system.
  2. Log in to the system.
  3. At the BIG-IP system prompt, access the TMOS Shell by typing this command:
    tmsh
  4. As an option, you can view the BIG-IP system's current master key by typing this command:
    show sys crypto master-key
    The command output appears similar to the following:
    Sys::Master-Key master-key hash <peG9W+X/fittfJA65hlDGpiGbYOp+GlvnOmHE0puZEbKY107MVZpaBKwbOOO+8BItsk99BXUXNN/anDSTZnTbA==> previous hash <>
  5. Reset the BIG-IP system's master key by typing this command:
    modify sys crypto master-key prompt-for-password
    The command displays a prompt to enter a new unencrypted password:
    enter password:
  6. Type a new password.
    The system displays the prompt again:
    enter password:
  7. Type the new password again.
  8. Type this command to save the configuration:
    save sys config
  9. View the BIG-IP system's new master key by typing this command:
    show sys crypto master-key
    The system output appears similar to the following:
    Sys::Master-Key master-key hash <4X2mgPNwBG2EJv7Sm4QA9SyXTXehiaSgUzIYuG8+WhrgsOTRf8RlWyEUuXFaqfvxs5uib5UzXrLwxfAr/3KExg==> previous hash <peG9W+X/fittfJA65hlDGpiGbYOp+GlvnOmHE0puZEbKY107MVZpaBKwbOOO+8BItsk99BXUXNN/anDSTZnTbA==>
  10. If the BIG-IP system is in a Device Service Clustering (DSC) device group configuration, synchronize the configuration, which synchronizes the device's master key to all other devices, by using this tmsh command syntax:
    run cm config-sync to-group
    name
    For example, to synchronize the device group named
    example_dg
    , type this command:
    run cm config-sync to-group example_dg
After you complete this task, the master key is reset and becomes the master key for all devices in a DSC device group.

Guidelines for creating strong passwords or passphrases

The following list shows the recommended criteria that a strong password or passphrase should contain:
  • 10 or more characters
  • One or more capital letters
  • One or more lowercase letters
  • One or more numbers
  • One or more special, non-null characters