Manual Chapter: Returned Material Data Security Statement
Applies To: F5OS-A 1.7.0, 1.5.0, 1.4.0, 1.3.2, 1.3.1, 1.3.0, 1.2.0, 1.1.1, 1.1.0, 1.0.1, 1.0.0
Returned material data security
Follow these data security guidelines when returning equipment to F5 for reprocessing or repair. The guidelines include reprocessing procedures and optional customer-end procedures.
Memory technologies used in F5 equipment
F5 equipment contains volatile, battery-backed volatile, and non-volatile memory. Volatile memory loses all traces of data on power down. Battery-backed volatile memory retains data as long as battery charge is maintained. Non-volatile memory retains data indefinitely.
Volatile memory
Volatile memory loses all traces of data on power down; therefore, customer data that is stored in volatile memory is secure when power is removed from the platform. No further action is required by customers for equipment that includes volatile memory.
Battery-backed volatile memory
This F5 platform contains a coin battery for maintaining BIOS settings and the system clock. All data maintained by the coin battery is used only for system-specific tasks. No customer data is maintained by the battery-backed volatile memory. No further action is required by customers for equipment that includes battery-backed volatile memory.
Non-volatile memory
F5 platforms include various non-volatile memory components. These components can be categorized as either user inaccessible or user accessible.
User inaccessible non-volatile memory components are programmed during manufacture or software installation. The data stored in them is used for setting voltage levels, determining the sequence of operational events, and managing the appliance's operational condition. Data held within user inaccessible non-volatile memory represents no data security risk to customers: it cannot be modified by appliance users and therefore contains no customer data.
Inaccessible non-volatile memory
This table lists the inaccessible non-volatile memory in this system.

| Description | Data | Customer data |
|---|---|---|
| Programmable firmware stores | Firmware | No |
| System SEEPROM | Platform ID, serial number, part number, and so on | No |
| PHY EEPROMs | PHY MAC address | No |
Accessible non-volatile memory
This table lists the accessible non-volatile memory in this system. Not all platform variants include all of these non-volatile memory items.

| Description | Data | Customer data | Data security method |
|---|---|---|---|
| Hard disk drive (HDD) | F5 product software, customer configuration, and log files | Yes | Standard reprocessing or customer removal |
| Solid-state drive (SSD), if present | F5 product software, customer configuration, and log files | Yes | Standard reprocessing or customer removal |
| Always-On Management (AOM) flash chip (soldered-down flash chip) | AOM boot code and customer custom configuration | Yes | Standard reprocessing or customer action |
| FIPS software or hardware security module (HSM), if present | FIPS security domain and private keys | Yes | Standard reprocessing or customer action |
Data removal from F5 rSeries systems
F5 rSeries systems use an encryption key, also called the primary key, to encrypt and decrypt highly sensitive passphrases contained in the configuration database.
Before you return an F5 rSeries system to F5 for reprocessing or repair, you should reset the encryption key to remove any sensitive data from your system.
Reset the encryption key on an F5 rSeries system before returning the system to F5
If you are still able to access the CLI of your F5 rSeries system, you should reset the encryption key (or primary key) before you return the system to F5 for reprocessing or repair.
- Log in to the command line interface (CLI) of the system using an account with admin access. When you log in to the system, you are in user (operational) mode.
- Change to config mode:
    config
  The CLI prompt changes to include (config).
- Set the primary key with a new passphrase and salt on the system:
    system aaa primary-key set passphrase <known-passphrase> confirm-passphrase <known-passphrase> salt <known-salt> confirm-salt <known-salt>
  Be sure to make note of the salt and passphrase, as these are needed to restore the configuration on a replacement system. A response similar to this example displays:
    Key migration is initiated. Use 'show system aaa primary-key state status' to get status
- Display the status of the primary key migration process on the system, and confirm that it reports COMPLETE before continuing:
    show system aaa primary-key state status
  A summary similar to this example displays:
    appliance-1# show system aaa primary-key state status
    system aaa primary-key state status "COMPLETE Initiated: Wed Feb 9 01:37:53 2022"
- Display the primary key hash on the system:
    show system aaa primary-key state hash
  A summary similar to this example displays:
    appliance-1# show system aaa primary-key state hash
    system aaa primary-key state hash YTkPNw5nxY/nqgfyNjdHZUZWD1tfvxNY30+VAbSstzheCnE6Vy6aADftJKrVWY5W5w3UaQeRnwkT0NeFkb5Svg==
  Be sure to make note of the primary key hash, as it is needed to restore the configuration on a replacement system.
- Change to config mode:
    config
  The CLI prompt changes to include (config).
- Back up the system configuration:
    system database config-backup name <file-name>.xml
  System configuration backup files are located in configs/. In this example, you back up the configuration to a file named "backup1.xml":
    appliance-1(config)# system database config-backup name backup1.xml
    result Database backup successful.
- Export the configuration backup file from the system to an HTTPS server:
    file export local-file configs/backup1.xml remote-file /tmp/<file-name>.xml remote-host <ip-address> username root
  The system requests the password for the remote root account, and a summary similar to this example displays:
    Value for 'password' (<string>): *******
    result File transfer is initiated.(configs/backup1.xml)
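The procedure above is easy to get wrong under time pressure (exporting the backup before the key migration has finished, or losing the passphrase, salt and hash that the replacement system will need). The following script is an added example, not F5's code and not part of this manual: it drives the same command sequence through a CLI transport that you supply as a callable (for example, a wrapper around your own SSH session), checks each reply for the wording shown in the steps above, and returns the record you must keep. The FakeAppliance class is a constructed stand-in whose replies are modelled on the page's sample output so the flow can be exercised offline; its IN_PROGRESS status value, its sample hash, and the host 192.0.2.10 are assumptions, and the interactive password prompt of the export step is not modelled.

```python
"""Added example: orchestrate the rSeries primary-key reset and configuration
backup over an injected CLI transport. Not F5 code; see lead-in for assumptions."""
import re
from typing import Callable, Dict, List

Runner = Callable[[str], str]  # sends one CLI line, returns the device's reply text

STATUS_CMD = "show system aaa primary-key state status"
HASH_CMD = "show system aaa primary-key state hash"


def set_primary_key(run: Runner, passphrase: str, salt: str) -> None:
    """Set a known passphrase and salt; the device starts a key migration."""
    reply = run(
        f"system aaa primary-key set passphrase {passphrase} "
        f"confirm-passphrase {passphrase} salt {salt} confirm-salt {salt}"
    )
    if "Key migration is initiated" not in reply:
        raise RuntimeError(f"primary-key set was not accepted: {reply.strip()}")


def migration_status(run: Runner) -> str:
    """Return the first word of the quoted status field, e.g. 'COMPLETE'."""
    reply = run(STATUS_CMD)
    m = re.search(r'primary-key state status\s+"(\w+)', reply)
    if not m:
        raise RuntimeError(f"unparseable status reply: {reply.strip()}")
    return m.group(1)


def wait_for_complete(run: Runner, max_polls: int = 30) -> int:
    """Poll until the migration reports COMPLETE; returns the number of polls used.
    Nothing after this point (hash, backup, export) is valid before COMPLETE."""
    for polls in range(1, max_polls + 1):
        if migration_status(run) == "COMPLETE":
            return polls
    raise TimeoutError("primary-key migration did not reach COMPLETE")


def primary_key_hash(run: Runner) -> str:
    """Read the primary key hash needed to restore the backup on a replacement."""
    reply = run(HASH_CMD)
    m = re.search(r"primary-key state hash\s+(\S+)", reply)
    if not m:
        raise RuntimeError(f"unparseable hash reply: {reply.strip()}")
    return m.group(1)


def backup_and_export(run: Runner, name: str, remote_host: str, remote_dir: str = "/tmp") -> None:
    """Back up the database to configs/<name> and push it to the HTTPS host."""
    reply = run(f"system database config-backup name {name}")
    if "Database backup successful" not in reply:
        raise RuntimeError(f"backup failed: {reply.strip()}")
    reply = run(
        f"file export local-file configs/{name} remote-file {remote_dir}/{name} "
        f"remote-host {remote_host} username root"
    )
    if "File transfer is initiated" not in reply:
        raise RuntimeError(f"export not started: {reply.strip()}")


def reset_for_rma(run: Runner, passphrase: str, salt: str, backup_name: str,
                  remote_host: str) -> Dict[str, object]:
    """Full sequence. The returned record holds what the manual says to keep for the
    replacement system; store it in a vault, not alongside the exported backup."""
    set_primary_key(run, passphrase, salt)
    polls = wait_for_complete(run)
    key_hash = primary_key_hash(run)
    backup_and_export(run, backup_name, remote_host)
    return {"passphrase": passphrase, "salt": salt, "hash": key_hash,
            "backup": f"configs/{backup_name}", "polls": polls}


class FakeAppliance:
    """Constructed stand-in for the rSeries CLI. Replies are modelled on the manual's
    sample output; the IN_PROGRESS value before COMPLETE is an assumption."""
    SAMPLE_HASH = "c29tZUNvbnN0cnVjdGVkSGFzaFZhbHVlRm9yVGVzdGluZz09"  # constructed, not real

    def __init__(self) -> None:
        self.status_polls = 0
        self.sent: List[str] = []  # every CLI line received, in order

    def __call__(self, line: str) -> str:
        self.sent.append(line)
        if line.startswith("system aaa primary-key set"):
            return "Key migration is initiated. Use 'show system aaa primary-key state status' to get status\n"
        if line == STATUS_CMD:
            self.status_polls += 1
            state = "COMPLETE" if self.status_polls >= 2 else "IN_PROGRESS"
            return f'system aaa primary-key state status "{state} Initiated: Wed Feb 9 01:37:53 2022"\n'
        if line == HASH_CMD:
            return f"system aaa primary-key state hash {self.SAMPLE_HASH}\n"
        if line.startswith("system database config-backup"):
            return "result Database backup successful.\n"
        if line.startswith("file export"):
            return "result File transfer is initiated.(configs/backup1.xml)\n"
        raise AssertionError(f"unexpected command: {line}")


if __name__ == "__main__":
    dev = FakeAppliance()
    print(reset_for_rma(dev, "known-pass", "known-salt", "backup1.xml", "192.0.2.10"))
```

Because the exported backup is encrypted under the new primary key, the backup file and the recorded passphrase, salt and hash together are sufficient to recover the sensitive configuration values; keep them apart and treat the record as a secret until the replacement system has been restored.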
When you receive your replacement rSeries system from F5, you can migrate the backup configuration to the new system. For more information, see F5 rSeries Systems: Administration and Configuration at Documentation - F5OS-A and F5 rSeries.