Manual Chapter : Additional System Tasks

Applies To: F5OS-A 1.8.0

Additional System Tasks

Service provider features overview

F5 r5000 and r10000 systems provide support for Service Provider Disaggregation (SP-DAG) features.
For information on configuring service provider features for your BIG-IP tenant, see these documents at K000130285: F5 Product Manuals Index:
  • BIG-IP Service Provider: Administration
  • BIG-IP Service Provider: Diameter Administration
  • BIG-IP Service Provider: Generic Message Administration
  • BIG-IP Service Provider: Message Routing Administration
  • BIG-IP Service Provider: SIP Administration

Key migration overview

The rSeries system uses an encryption key, also called the primary key, to encrypt and decrypt highly sensitive passphrases contained in the configuration database. You follow a key migration process to set the encryption key on the system to a known value, so that the same key can be set on another machine using the same passphrase and salt.

Reset the primary key

You might consider resetting (or rotating) the encryption key periodically on a system for additional security.
  1. Log in to the command line interface (CLI) of the system using an account with admin access.
    When you log in to the system, you are in user (operational) mode.
  2. Change to config mode.
    config
    The CLI prompt changes to include (config).
  3. Reset the primary key.
    system aaa primary-key set
  4. Commit the configuration changes.
    commit
The encryption key is reset (or refreshed) on the system.

Migrate system configuration from one system to another from the CLI

Before you can migrate the system configuration onto another rSeries system, you must have completed the initial configuration of the management IP address on the new system, and it must be in stable running condition. You also must be able to log in to the existing system.
In the case of a Return Material Authorization (RMA) or other situations when aligning multiple systems, you might need to migrate the system configuration from one system (the source) to another one (the destination). Such a migration requires that you set the same encryption key on both systems so that the encrypted elements are moved successfully along with the configuration. You can migrate the system configuration from the CLI. The new device must also have a license applied.
  1. Log in to the command line interface (CLI) of the system using an account with admin access.
    When you log in to the system, you are in user (operational) mode.
  2. Change to config mode.
    config
    The CLI prompt changes to include (config).
  3. Set the primary key with the same passphrase on both the source and destination systems.
    system aaa primary-key set passphrase <known-pass> confirm-passphrase <known-pass> salt <known-salt> confirm-salt <known-salt>
    Be sure to make note of the salt and passphrase, as these are needed to restore the configuration on a replacement system.
    The system shows a message confirming that key migration has started:
    Key migration is initiated. Use 'show system aaa primary-key state status' to get status
  4. Return to user (operational) mode.
    end
  5. Check the status of the primary key on both the source and destination systems.
    show system aaa primary-key state status
    A summary similar to this example displays:
    system aaa primary-key state status "COMPLETE Initiated: Thu Dec 2 01:12:34 2021"
  6. Check the primary key hash on both the source and destination systems.
    show system aaa primary-key state hash
    A summary similar to this example displays:
    system aaa primary-key state hash YTkPNw5nxY/nqgfyNjdHZUZ WD1tfvxNY30+VAbSstzheCnE6Vy6aADftJKrVWY5W5w3UaQeRnwkT0NeFkb5Svg==
    Be sure to make note of the primary key hash, as it is needed to restore the configuration on a replacement system.
  7. On the source system, save the system configuration.
    system database config-backup name <file-name>.xml
    System configuration backup files are located in configs/.
  8. Export the configuration backup file from the source system to an HTTPS server.
    file export local-file configs/<file-name>.xml remote-file /<file-path>/<filename>.xml remote-host <ip-address> username root
  9. When prompted, enter the password for the remote root account.
  10. Import the configuration backup onto the destination system from the HTTPS server.
    file import local-file configs/backup1.xml remote-file /tmp/backup1.xml remote-host <ip-address> username root
  11. When prompted, enter the password for the remote root account.
  12. Load the configuration backup onto the destination system.
    system database config-restore name <filename>.xml
    If the migration fails for any reason, the system automatically restores the previous configuration.
  13. Reset the primary key with a different password on both the source and destination systems (not required but recommended for security).
    system aaa primary-key set passphrase <known-pass> confirm-passphrase <known-pass> salt <known-salt> confirm-salt <known-salt>
The destination system now has the same configuration as the original source system, including a unique encryption key.
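As an added example (not part of this manual and not F5 code), the following Python script parses the `show system aaa primary-key state status` and `show system aaa primary-key state hash` summaries from steps 5 and 6 for the source and destination systems and reports whether both key operations have completed and the hashes agree before you back up and restore the configuration. The sample output is constructed: the hashes are placeholders, and the IN_PROGRESS state name is an assumption used only to exercise the failure path.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample CLI output, modelled on the summaries shown in the
# procedure above. Hash values are placeholders, not from a real system.
SOURCE_STATUS = 'system aaa primary-key state status "COMPLETE Initiated: Thu Dec 2 01:12:34 2021"'
SOURCE_HASH = "system aaa primary-key state hash PLACEHOLDERHASHxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx=="
DEST_STATUS = 'system aaa primary-key state status "COMPLETE Initiated: Thu Dec 2 01:15:02 2021"'
DEST_HASH = "system aaa primary-key state hash PLACEHOLDERHASHxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx=="
# Constructed failure case: the state name IN_PROGRESS is an assumption.
DEST_STATUS_BUSY = 'system aaa primary-key state status "IN_PROGRESS Initiated: Thu Dec 2 01:20:40 2021"'
DEST_HASH_OTHER = "system aaa primary-key state hash OTHERHASHxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx=="

STATUS_RE = re.compile(r'primary-key state status "(?P<state>\w+)(?:\s+Initiated:\s*(?P<when>.*?))?"')
HASH_RE = re.compile(r"primary-key state hash (?P<hash>\S+)")


@dataclass(frozen=True)
class PrimaryKeyState:
    status: str             # e.g. COMPLETE
    initiated: Optional[str]  # timestamp text after "Initiated:", if present
    key_hash: str           # opaque hash of the primary key


def parse_primary_key_state(status_out: str, hash_out: str) -> PrimaryKeyState:
    """Extract the key state and hash from the two show-command summaries."""
    m = STATUS_RE.search(status_out)
    if m is None:
        raise ValueError("unrecognised primary-key status output")
    h = HASH_RE.search(hash_out)
    if h is None:
        raise ValueError("unrecognised primary-key hash output")
    return PrimaryKeyState(m["state"], m["when"], h["hash"])


def migration_ready(source: PrimaryKeyState, destination: PrimaryKeyState) -> Tuple[bool, List[str]]:
    """Both systems must report COMPLETE and identical hashes before config-backup/restore."""
    problems = []
    for name, st in (("source", source), ("destination", destination)):
        if st.status != "COMPLETE":
            problems.append(f"{name}: primary-key state is {st.status}, not COMPLETE")
    if source.key_hash != destination.key_hash:
        # Same passphrase and salt must have been entered on both systems.
        problems.append("primary-key hashes differ: passphrase or salt was not entered identically")
    return (not problems, problems)


if __name__ == "__main__":
    src = parse_primary_key_state(SOURCE_STATUS, SOURCE_HASH)
    dst = parse_primary_key_state(DEST_STATUS, DEST_HASH)
    ok, problems = migration_ready(src, dst)
    print("ready to migrate" if ok else "\n".join(problems))
```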

Complete backup and restore overview

Before you can perform a backup and restore, you must disable appliance mode, if it is enabled. There are a number of tasks recommended to perform a complete backup and restore of the rSeries system and tenants on that same system.
If you want to move a system configuration from one system to another, you also need to perform a key migration. For more information, see Key migration overview.

Tenant configuration backup

To back up the configuration for your tenants, log in to each tenant and back up the configuration using the method recommended for that tenant.
For BIG-IP tenants: Create and save an archive (or UCS file), and then export the UCS backups to an external location. For more information, see the section titled "About managing archives using the Configuration utility" in BIG-IP System: Essentials at K000130285: F5 Product Manuals Index.

Back up configuration from the CLI

When the system is configured for your environment, you can log in to the CLI and back up the configuration.
  1. Log in to the command line interface (CLI) of the system using an account with admin access.
    When you log in to the system, you are in user (operational) mode.
  2. Change to config mode.
    config
    The CLI prompt changes to include (config).
  3. Create a backup of the configuration.
    system database config-backup name backup1.xml
    System configuration backup files are located in configs/.
  4. Export the configuration backup file onto an external system for safe keeping.
    file export local-file configs/backup1.xml remote-file /tmp/backup1.xml remote-host 192.51.100.75 username root
    The system requests the password for the remote root account.
    Value for 'password' (<string>): *******
    result File transfer is initiated.(configs/backup1.xml)
You now have a backup of the system configuration that you can restore, if needed.

Reset system configuration to factory defaults from the CLI

Be sure that you have a backup of the existing system and tenant configuration before you go back to the defaults. You must also disable appliance mode, if it is enabled.
Resetting the configuration to factory defaults from the CLI might be useful if you are testing, performing an RMA, or for any other reason want to restore the system to its initial factory default settings.
Be sure you do this using a console connection because resetting the system to the default values removes the management network.
This procedure clears all existing configuration and regenerates the default configuration.
  1. Connect to the system using a management console or console server.
    The default baud rate and serial port configuration is 19200/8-N-1.
  2. Log in to the command line interface (CLI) of the system using an account with admin access.
    When you log in to the system, you are in user (operational) mode.
  3. Change to config mode.
    config
    The CLI prompt changes to include (config).
  4. Reset the system to the default configuration.
    system database reset-to-default proceed yes
    This command deletes all configuration on the system, including passwords.
  5. Commit the configuration changes.
    commit
The system now has the default configuration. You need to perform initial configuration and can run the Setup wizard for a guided experience of setting management IP addresses, DNS, and other required settings. For more information on initial configuration, see F5 rSeries Systems: Getting Started at techdocs.f5.com/en-us/hardware/f5-rseries-systems-getting-started.html.

Restore system configuration from the CLI

If you want to restore a previously-saved system configuration, you can log in to the system where you want to load the configuration backup file and restore the saved configuration from the CLI. You must perform a reset-to-default operation before restoring the configuration.
  1. Log in to the command line interface (CLI) of the system using an account with admin access.
    When you log in to the system, you are in user (operational) mode.
  2. Change to config mode.
    config
    The CLI prompt changes to include (config).
  3. Import the configuration backup onto the destination system from the external system.
    file import local-file configs/<file-name>.xml remote-file /<file-path>/<filename>.xml remote-host <ip-address> username root
  4. When prompted, enter the password for the remote root account.
  5. Load the configuration backup onto the system.
    system database config-restore name <filename>.xml
    In this example you restore from a backup file named backup1.xml:
    appliance-1(config)# system database config-restore name backup1.xml
    A clean configuration is required before restoring to a previous configuration. Please perform a reset-to-default operation if you have not done so already.
    Proceed? [yes/no]:
    If the restore operation fails, the system automatically uses the previous configuration.
  6. Commit the configuration changes.
    commit
  7. Reboot the system.
    system reboot
After you restore the system configuration and reboot the system, you can restore any saved tenant configurations.

Restore tenant configuration

To restore the configuration for your tenants, log in to each tenant and restore the configuration using the method recommended for that tenant. You must upload the required tenant images to start the tenant after a restore on another system. The tenant will not start without the proper image on the system.
For BIG-IP tenants: Restore an archive (or UCS file) from an external location. For more information, see the section titled "Restore data from an archive using the Configuration utility" in BIG-IP System: Essentials at K000130285: F5 Product Manuals Index.
For BIG-IP Next tenants: For information about BIG-IP Next tenant configuration restore, see the F5 Beta portal.

Trusted Platform Module (TPM) overview

A Trusted Platform Module (TPM) is a hardware device that implements security functions to provide the ability to determine a trusted computing environment, allowing for an increased assurance of trust that a device behaves for its intended purpose. The TPM chain of custody provides assurance that the software loaded on your platform at startup time has the same signature as the software that is loaded by F5 when the system is manufactured.
These measurements include taking hashes of most of the BIOS code, BIOS settings, TPM settings, tboot, Linux Initrd, and Linux kernel (the initial rSeries release only validates BIOS) so that alternative versions of the measured modules cannot be easily produced and so that the hashes lead to identical measurements. You can use these measurements to validate against known good values.
For the initial rSeries release, local attestation is done automatically at boot time and can be displayed in the CLI.
The TPM implements protected capabilities and locations that protect and report integrity measurements using Platform Configuration Registers (PCRs). The TPM also includes additional security functionality, including cryptographic key management, random number generation, and the sealing of data to system state.
Your TPM-equipped rSeries system comes with functionality to aid in local attestation and confirming chain of custody for the device locally without the need for doing it manually.
If your system has been breached, consult your security team immediately.

Local attestation overview

You can perform local attestation of the Trusted Platform Module (TPM) chain of custody on your rSeries system using the Platform Configuration Register (PCR) values to confirm that the firmware is unmodified.

Available local attestation system integrity states

This table lists the available local attestation system integrity states for the Trusted Platform Module (TPM).

State           Description
--------------  ---------------------------------------------------------------------------
Not Supported   Indicates that the system does not have the capability to perform System Integrity Measurements.
Pending         Indicates that the system is not yet ready to produce a System Integrity Measurement and evaluate the reference values.
Valid           Indicates that the solicited System Integrity Measurement matches one of the sets of reference values in the local System Integrity Reference Repository (SIRR).
Invalid         Indicates that the System Integrity Measurement has been taken without error, but the values do not match any set of acceptable values in the local System Integrity Reference Repository. This could mean that the SIRR is out of date or that the system has been tampered with.
Unavailable     Indicates that an error has occurred.

Display the local attestation status from the CLI

You can display and verify the current local attestation status of the system from the CLI.
  1. Connect using SSH to the management IP address.
  2. Log in to the command line interface (CLI) of the system using an account with admin access.
    When you log in to the system, you are in user (operational) mode.
  3. Display the current local attestation status of the appliance.
    show components component state tpm-integrity-status
    A message similar to this example displays:
    appliance-1# show components component state tpm-integrity-status
                    TPM INTEGRITY
    NAME            STATUS
    ---------------------
    platform        Valid
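As an added example (not part of this manual and not F5 code), the following Python script parses the `show components component state tpm-integrity-status` table and maps each component's state to a severity and a handling note derived from the integrity state table above, so the check can run from a monitoring job rather than by eye. The sample output is constructed, and the action wording is this example's own.

```python
from typing import Dict, List, Tuple

# Constructed sample output, modelled on the message shown in the procedure
# above (not captured from a real system).
SAMPLE_OUTPUT = """\
appliance-1# show components component state tpm-integrity-status
                TPM INTEGRITY
NAME            STATUS
---------------------
platform        Valid
"""

# Severity (0 = fine, 3 = act now) and handling note for each state in the
# integrity state table; the notes are this example's wording, not the manual's.
STATE_ACTIONS: Dict[str, Tuple[int, str]] = {
    "Valid": (0, "measurement matches a reference set in the local SIRR; nothing to do"),
    "Pending": (1, "measurement not yet available; re-check once boot has completed"),
    "Not Supported": (1, "platform cannot measure integrity; do not rely on attestation"),
    "Unavailable": (2, "measurement error; investigate before trusting the boot chain"),
    "Invalid": (3, "measurement matches no SIRR reference set: SIRR out of date or tampering; consult the security team"),
}


def parse_tpm_integrity_status(output: str) -> Dict[str, str]:
    """Return {component name: status}; data rows follow the dashed separator line."""
    lines = output.splitlines()
    separators = [i for i, line in enumerate(lines) if line.strip() and set(line.strip()) == {"-"}]
    if not separators:
        raise ValueError("no table separator found in output")
    rows: Dict[str, str] = {}
    for line in lines[separators[0] + 1:]:
        if line.strip():
            # Component names contain no spaces; the status may (e.g. "Not Supported").
            name, _, status = line.strip().partition(" ")
            rows[name] = status.strip()
    return rows


def evaluate_attestation(rows: Dict[str, str]) -> Tuple[int, List[str]]:
    """Worst severity across all components plus one finding per non-Valid component."""
    worst, findings = 0, []
    for name, status in rows.items():
        # An unrecognised status string is itself worth a look, so it is not silently ignored.
        severity, action = STATE_ACTIONS.get(status, (2, f"unrecognised status {status!r}; verify manually"))
        if severity:
            findings.append(f"{name}: {status}: {action}")
        worst = max(worst, severity)
    return worst, findings


if __name__ == "__main__":
    severity, findings = evaluate_attestation(parse_tpm_integrity_status(SAMPLE_OUTPUT))
    print(f"severity={severity}", *findings, sep="\n")
```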

FIX protocol overview

F5 r5000 and r10000 systems provide support for Financial Information eXchange (FIX) protocol connections for electronic trading between financial institutions. This enables tenants running on the system to manage electronic trading traffic for both low-latency and intelligent load balancing.
For information on configuring the FIX profile for your BIG-IP tenant, see BIG-IP Local Traffic Manager: Configuring for Electronic Trading at support.f5.com.

Enable FIX Low Latency from the CLI

Before you can enable FIX Low Latency (LL) protocol for your system, you must have acquired the Advanced Protocols and FIX Low Latency add-on keys (two sets of 7 characters separated by a hyphen) with your software license.
If your software license already includes the FIX LL add-on keys, they are activated for tenants on your F5 r5000/r10000/r12000 Series system automatically when you initially register the license. If you purchase these add-on keys later, you can install the keys from the CLI.
  1. Log in to the command line interface (CLI) of the system using an account with admin access.
    When you log in to the system, you are in user (operational) mode.
  2. Change to config mode.
    config
    The CLI prompt changes to include (config).
  3. Install the add-on keys.
    appliance-1(config)# system licensing install add-on-keys [ C123456-7890123 ]
    This license installation triggers a system reboot; data-plane and management connectivity will be disrupted. Proceed? [yes/no]: yes
    result License installed successfully.
This system shows a message confirming that the installed license enables the add-on keys, and the system reboots automatically.

Docker services restart and status

The system provides the capability to manage the platform services lifecycle, such as restarting a service and viewing its status, through the ConfD CLI.
The docker restart commands should be used only for debugging or troubleshooting purposes and are not recommended for any other purpose.

Restarting docker services from the CLI

To restart the docker services, follow the steps below:
  1. Log in to the command line interface (CLI) of the system using an account with admin access.
    When you log in to the system, you are in user (operational) mode.
  2. Change to config mode.
    config
    The CLI prompt changes to include (config).
  3. Restart the docker services.
    system diagnostics os-utils docker restart node <node name> service <service name>
  4. Enter 'yes' to proceed.
    This example shows restarting the docker service for platform monitor:
    appliance-1(config)# system diagnostics os-utils docker restart node ?
    Possible completions:
      platform
    appliance-1(config)# system diagnostics os-utils docker restart node platform service ?
    Possible completions:
      alert-service appliance_orchestration_manager authentication-mgr confd-key-migration-mgr diag-agent diag-data fips-service firewall_manager http-server ihealth-service lcd-webserver name-service-ldap nic-manager node-agent otel-collector platform-diag platform-hal platform-monitor platform-stats qat-support-pod qkviewd snmp-trapd snmpd swdiag-agent system-common system-vconsole system_L2 system_TPOB system_api_svc_gateway system_audit_service system_confgen system_control system_host_config system_image_agent system_lacpd system_lacpd_proxy system_license_service system_lldpd system_network_manager system_platform-mgr system_platform-stats-bridge system_rsyslogd system_tmstat_merged system_tmstat_zmq system_user_manager system_velocity_rsyslogd upgrade-service vanquish-gui
    appliance-1(config)# system diagnostics os-utils docker restart node platform service platform-monitor
    Restarting container affects configuration and data path. Do you want to proceed? [yes/no] yes
    result platform-monitor restarted successfully
    The following services are restricted from docker restart:
    • firmware-fpga
    • firmware
    • platform-fwu
    • tcpdump
    • dma-agent
    • line-dma-agent
    • system_latest_vers
    • selinux_labeler
    • system_datapath_cp_proxy

Viewing docker services status from the CLI

To view the status of docker services, follow the steps below:
  1. Log in to the command line interface (CLI) of the system using an account with admin access.
    When you log in to the system, you are in user (operational) mode.
  2. Run the below command to view the docker status.
    show system diagnostics os-utils docker nodes node <node name> services service <service name>
    This example shows the status of platform monitor:
    appliance-1# show system diagnostics os-utils docker nodes node platform services service platform-monitor
                                                                        RESTART
    NAME              STATUS   STARTED AT                      COUNT
    --------------------------------------------------------------------
    platform-monitor  running  2024-07-16T11:27:54.736179846Z  0
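As an added example (not part of this manual and not F5 code), the following Python script parses the docker service status table shown above and flags services that are not running, have a non-zero restart count, or started more recently than expected, which is how an operator would turn this command into a health check. The sample output rows are constructed, and the thresholds are this example's assumptions.

```python
from datetime import datetime, timedelta, timezone
from typing import Dict, List

# Constructed sample output, modelled on the status summary shown above; the
# second row is invented to exercise the failure path.
SAMPLE_STATUS = """\
appliance-1# show system diagnostics os-utils docker nodes node platform services service platform-monitor
                                                                    RESTART
NAME              STATUS   STARTED AT                      COUNT
--------------------------------------------------------------------
platform-monitor  running  2024-07-16T11:27:54.736179846Z  0
platform-stats    exited   2024-07-16T11:40:10.000000000Z  3
"""


def parse_started_at(value: str) -> datetime:
    """Parse the CLI's RFC 3339 timestamp; it carries nanoseconds and a 'Z' suffix,
    which datetime.fromisoformat does not accept on older Python versions."""
    base, _, frac = value.rstrip("Z").partition(".")
    dt = datetime.strptime(base, "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)
    return dt.replace(microsecond=int((frac + "000000")[:6])) if frac else dt


def parse_docker_service_rows(output: str) -> List[Dict]:
    """Return one dict per data row (rows follow the dashed separator line)."""
    lines = output.splitlines()
    separators = [i for i, line in enumerate(lines) if line.strip() and set(line.strip()) == {"-"}]
    if not separators:
        raise ValueError("no table separator found in output")
    rows = []
    for line in lines[separators[0] + 1:]:
        parts = line.split()
        if len(parts) != 4:  # skip blanks and anything that is not NAME STATUS STARTED-AT COUNT
            continue
        name, status, started, count = parts
        rows.append({"name": name, "status": status,
                     "started_at": parse_started_at(started), "restart_count": int(count)})
    return rows


def service_findings(rows: List[Dict], now: datetime,
                     min_uptime: timedelta = timedelta(minutes=5)) -> List[str]:
    """Assumed policy: a healthy service is running, has never restarted, and has
    been up at least min_uptime at the time 'now' the check is run."""
    findings = []
    for r in rows:
        if r["status"] != "running":
            findings.append(f"{r['name']}: status is {r['status']}")
        if r["restart_count"] > 0:
            findings.append(f"{r['name']}: restarted {r['restart_count']} time(s)")
        if now - r["started_at"] < min_uptime:
            findings.append(f"{r['name']}: started {now - r['started_at']} ago")
    return findings


if __name__ == "__main__":
    rows = parse_docker_service_rows(SAMPLE_STATUS)
    print(*service_findings(rows, datetime.now(timezone.utc)) or ["all services healthy"], sep="\n")
```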

Rollback to previous version of software from the CLI

If you want to restore the previous version of the software and system configuration during or after an upgrade, you can log in to the system from the CLI and roll back to the previous version of the software and system configuration.
You can roll back to the previous version of the software on F5OS v1.8.0 and later versions.
  1. Log in to the command line interface (CLI) of the system using an account with admin access.
    When you log in to the system, you are in user (operational) mode.
  2. Change to config mode.
    config
    The CLI prompt changes to include (config).
  3. Initiate the system rollback.
    system rollback initiate
    This example rolls back the software to the previous version and configuration:
    appliance-1(config)# system rollback initiate
    Initiating system rollback to the state created with version 1.8.0-7818 on 2024-03-27 04:44:31:00:00
    This causes system to reboot and restore rollback version configuration
    Proceed? [yes/no]: yes
    response System rollback initiated successfully
  4. Commit the configuration changes.
    commit