Manual Chapter :
Additional System Tasks
Applies To:
Show VersionsF5OS-A
- 1.2.0
Additional System Tasks
Service provider features overview
For information on configuring service provider features for your
BIG-IP tenant, see these documents in the BIG-IP LTM Knowledge Center:
- BIG-IP Service Provider: Administration
- BIG-IP Service Provider: Diameter Administration
- BIG-IP Service Provider: Generic Message Administration
- BIG-IP Service Provider: Message Routing Administration
- BIG-IP Service Provider: SIP Administration
Key migration overview
The
rSeries
system uses an encryption key
, also called the primary key, to encrypt
and decrypt highly sensitive passphrases contained in the configuration database. You
follow a key migration
process to set the encryption
key on the system to a known value so that same key can be can set on another machine
using same passphrase and salting. For more information, see the Migrate system configuration from one system to another
section.Reset the primary key
You might consider resetting (or rotating) the encryption key
periodically on a system for additional security.
- Log in to the command line interface (CLI) of the system using an account with admin access.When you log in to the system, you are in user (operational) mode.
- Change to config mode.configThe CLI prompt changes to include(config).
- Reset the primary key.system aaa primary-key set
- Commit the configuration changes.commit
The encryption key is reset (or refreshed) on the system.
Migrate system configuration from one system to another
from the CLI
Before you can migrate the system
configuration onto another
rSeries
system, you must have completed the initial
configuration of management IP address on the new system, and it must be in
stable running condition. You also must be able to log in to the existing
system.In the case of a Return Material
Authorization (RMA) or other situations when aligning multiple systems, you
might need to migrate the system configuration from one system (the
source) to another one (the destination). Such a migration requires that you
set the same encryption key on both systems so that the encrypted elements are
moved successfully along with the configuration. You can migrate the system configuration
from the CLI.
- Log in to the command line interface (CLI) of the system using an account with admin access.When you log in to the system, you are in user (operational) mode.
- Change to config mode.configThe CLI prompt changes to include(config).
- Set the primary key with the same passphrase on both the source and destination systems.system aaa primary-key set passphrase <known-pass> confirm-passphrase <known-pass> salt <known-salt> confirm-salt <known-salt>Be sure to make note of the salt and passphrase, as these are needed to restore the configuration on a replacement system.The system shows a message confirming that key migration has started:Key migration is initiated. Use 'show system aaa primary-key state status' to get status
- Return to user (operational) mode.end
- Check the status of the primary key on both the source and destination systems.show system aaa primary-key state statusA summary similar to this example displays:system aaa primary-key state status "COMPLETE Initiated: Thu Dec 2 01:12:34 2021"
- Check the primary key hash on both the source and destination systems.show system aaa primary-key state hashA summary similar to this example displays:system aaa primary-key state hash YTkPNw5nxY/nqgfyNjdHZUZ WD1tfvxNY30+VAbSstzheCnE6Vy6aADftJKrVWY5W5w3UaQeRnwkT0NeFkb5Svg==Be sure to make note of the primary key hash, as it is needed to restore the configuration on a replacement system.
- On the source system, save the system configuration.system database config-backup name <file-name>.xmlSystem configuration backup files are located inconfigs/.
- Export the configuration backup file from the source system to an HTTPS server.file export local-file configs/<file-name>.xml remote-file /<file-path>/<filename>.xml remote-host <ip-address> username root
- When prompted, type the password for the remote root account.
- Import the configuration backup onto the destination system from the HTTPS server.file import local-file configs/backup1.xml remote-file /tmp/backup1.xml remote-host <ip-address> username root
- When prompted, type the password for the remote root account.
- Load the configuration backup onto the destination system.system database config-restore name <filename>.xmlIf the migration fails for any reason, the system automatically restores the previous configuration.
- Reset the primary key with a different password on both the source and destination systems (not required but recommended for security).system aaa primary-key set passphrase <known-pass> confirm-passphrase <known-pass> salt <known-salt> confirm-salt <known-salt>
The destination system now has the same
configuration as the original source system, including a unique encryption
key.
Complete backup and restore overview
Before you can perform a backup and restore, you must disable appliance
mode, if it is enabled. There are a number of tasks recommended to perform a complete
backup and restore of the
rSeries
system and
tenants on that same system.For more information, see K50135154: Back up and restore the F5OS-C
configuration on a VELOS system.
If you want to move a system configuration from one system to another, you
also need to perform a key migration. For more information, see the
Migrate system configuration from one system to another
section.Disable appliance mode from the CLI
You can disable appliance mode on
the system from the CLI. While it is recommended that you enable appliance
mode most of the time, some tasks, such as restoring the default configuration
or running the Setup utility, require use of the root account (which is
unavailable in appliance mode).
- Log in to the command line interface (CLI) of the system using an account with admin access.When you log in to the system, you are in user (operational) mode.
- Change to config mode.configThe CLI prompt changes to include(config).
- Check whether the system is in appliance mode:show system appliance-mode stateIf appliance mode is enabled, proceed to the next step to disable it. Otherwise, skip the rest of these steps.
- Disable appliance mode:system appliance-mode config disabled
- Commit the configuration changes.commit
- Return to user (operational) mode.end
Tenant configuration backup
To back up the configuration for your tenants, log in to each tenant and
back up the configuration using the method recommended for that
tenant.
- ForBIG-IPtenants
- Create and save an archive (or UCS file), and then export the UCS backups to an external location. For more information, see the section titled "About managing archives using the Configuration utility" inBIG-IP System: Essentialsat support.f5.com.
Back up configuration from the
CLI
When the system is configured for your
environment, you can log in to the CLI and back up the
configuration.
- Log in to the command line interface (CLI) of the system using an account with admin access.When you log in to the system, you are in user (operational) mode.
- Change to config mode.configThe CLI prompt changes to include(config).
- Create a backup of the configuration.system database config-backup name backup1.xmlSystem configuration backup files are located inconfigs/.
- Export the configuration backup file onto an external system for safe keeping.file export local-file configs/backup1.xml remote-file /tmp/backup1.xml remote-host 192.51.100.75 username rootThe system requests the password for the remote root account.Value for 'password' (<string>): ******* result File transfer is initiated.(configs/backup1.xml)
You now have a backup of the system
configuration that you can restore, if
needed.
Reset system configuration to factory defaults from the CLI
Be sure that you have a backup of the existing system configuration before you go back to the defaults. You must also disable appliance mode, if it is enabled.
Resetting the configuration to factory defaults from the CLI might be useful if you are testing, performing an RMA, or for any other reason want to restore the system to its initial factory default settings.
Be sure you do this using a console
connection because resetting the system to the default values removes the management
network.
This procedure clears all existing configuration and regenerates the default configuration.
- Connect to the system using a management console or console server.The default baud rate and serial port configuration is 19200/8-N-1.
- Log in to the command line interface (CLI) of the system using an account with admin access.When you log in to the system, you are in user (operational) mode.
- Change to config mode.configThe CLI prompt changes to include(config).
- Reset the system to the default configuration.system database reset-to-default proceed yesThis command deletes all configuration on the system, including passwords.
- Commit the configuration changes.commit
The system now has the default configuration. You need to perform initial configuration and can run the Setup wizard for a guided experience of setting management IP addresses, DNS, and other required settings. For more information on initial configuration, see
F5 rSeries Systems: Getting Started
at techdocs.f5.com/en-us/hardware/f5-rseries-systems-getting-started.html.Restore system configuration from the
CLI
If you want to restore a
previously-saved system configuration, you can log in to the system
where you want to load the configuration backup file and restore
the saved configuration from the CLI.
- Log in to the command line interface (CLI) of the system using an account with admin access.When you log in to the system, you are in user (operational) mode.
- Change to config mode.configThe CLI prompt changes to include(config).
- Import the configuration backup onto the destination system from the external system.file import local-file configs/<file-name>.xml remote-file /<file-path>/<filename>.xml remote-host <ip-address> username root
- When prompted, type the password for the remote root account.
- Load the configuration backup onto the system .system database config-restore name <filename>.xmlIn this example you restore from a backup file named backup1.xml:appliance-1(config)# system database config-restore name backup1.xml response Succeeded.If the restore operation fails, the system automatically uses the previous configuration.
- Commit the configuration changes.commit
- Reboot the system.system reboot
After you restore the system
configuration and reboot the system, you can restore any saved tenant
configurations.
Tenant configuration restore
To restore the configuration for your tenants, log in to each tenant and
restore the configuration using the method recommended for that
tenant.
- ForBIG-IPtenants
- Restore an archive (or UCS file) from an external location. For more information, see the section titled "Restore data from an archive using the Configuration utility" inBIG-IP System: Essentialsat support.f5.com.
Trusted Platform Module (TPM) overview
A Trusted Platform Module (TPM) is a hardware device that implements
security functions to provide the ability to determine a trusted computing environment,
allowing for an increased assurance of trust that a device behaves for its intended
purpose. The TPM chain of custody provides assurance that the software loaded on your
platform at startup time has the same signature as the software that is loaded by F5
when the system is manufactured.
These measurements include taking hashes of most of the BIOS code, BIOS
settings, TPM settings, tboot, Linux Initrd, and Linux kernel (initial
rSeries
release only validates BIOS) so that
alternative versions of the measured modules cannot be easily produced and so that the
hashes lead to identical measurements. You can use these measurements to validate
against known good values.For the
initial
rSeries
release, local attestation is
done automatically at boot time and can be displayed in the CLI. The TPM implements protected capabilities and locations that protect
and report integrity measurements using Platform Configuration Registers (PCRs). The TPM
also includes additional security functionality, including cryptographic key management,
random number generation, and the sealing of data to system state.
Your TPM-equipped
rSeries
system comes with functionality to aid in local attestation and confirming chain of
custody for the device locally without the need for doing it manually.If your system has been breached, consult your
security team immediately.
Local attestation overview
You can perform local attestation on your
rSeries
system of
the Trusted Platform Module (TPM) chain of custody using the Platform
Configuration Register (PCR) values to confirm that the firmware is
unmodified.Available local attestation system integrity states
This table lists the available local attestation
system integrity states for the Trusted Platform Module (TPM).
State |
Description |
---|---|
Not Supported |
Indicates that the system does not have the
capability to perform System Integrity Measurements. |
Pending |
Indicates that the system is not yet ready to
produce a System Integrity Measurement and evaluate the reference
values. |
Valid |
Indicates that the solicited System Integrity
Measurement matches one of the sets of reference values in the local
System Integrity Reference Repository (SIRR). |
Invalid |
Indicates that the System Integrity
Measurement has been taken without error, but the values do not match
any set of acceptable values in the local System Integrity Reference
Repository. This could mean that the SIRR is out of date or that the
system has been tampered with. |
Unavailable |
Indicates that an error has occurred. |
Display the local attestation status
You can display and verify the current
local attestation status of the system from the CLI.
- Connect using SSH to the management IP address.
- Log in to the command line interface (CLI) of the system using an account with admin access.When you log in to the system, you are in user (operational) mode.
- Display the current local attestation status of the appliance.show components component state tpm-integrity-statusA message similar to this example displays:appliance-1# show components component state tpm-integrity-status TPM INTEGRITY NAME STATUS --------------------- platform Valid