Manual Chapter : Additional System Tasks

Applies To: F5OS-C 1.1.4, 1.1.3, 1.1.2, 1.1.1, 1.1.0

Additional System Tasks

Save the configuration of the system controller

When the system is configured for your environment, it is a good idea to save the configuration as a backup. You can save the VELOS system configuration from the system controller CLI.
  1. Log in to the command line interface (CLI) of the system controller using an account with admin access.
    When you log in to the system, you are in user (operational) mode.
  2. Change to config mode.
    config
    The CLI prompt changes to include (config).
  3. Save the system controller configuration.
    system database config-backup name backup1.xml
    System controller configuration backup files are located in /mnt/var/confd/configs.
    Consider exporting the configuration backup onto a separate system. Later if you need it, you can import it back to this system.
  4. Export the configuration backup file from the source device to an HTTPS server.
    file export local-file /mnt/var/confd/configs/backup1.xml remote-file /tmp/backup1.xml remote-host 172.27.21.75 username root
    The system requests the password for the remote root account.
    Value for 'password' (<string>): *******
    result File transfer is initiated.(/mnt/var/confd/configs/backup1.xml)
    The backup file contains the complete system controller configuration, including passwords, so store the exported copy where only authorized users can read it, and prefer a dedicated account on the remote host over root where possible.
  5. Import the configuration backup onto the destination device from the HTTPS server.
    file import local-file /mnt/var/confd/configs/backup1.xml remote-file /tmp/backup1.xml remote-host 172.27.21.75 username root
    Value for 'password' (<string>): *******
  6. To return the system to the state it was in when the backup was made, load the configuration backup onto the system.
    system database config-restore name backup1.xml
    response Succeeded.
    If the restore operation fails, the system automatically uses the previous configuration.
  7. Leave config mode.
    exit
You have a backup of the system configuration on the system controller that you can restore on the system if needed.
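A check you can run on the exported copy before trusting it, as an added example that is not part of this manual or of F5OS: it verifies that the file is non-empty and well-formed XML, that it is not readable by group or others, and that its SHA-256 matches a digest recorded before the transfer. The sample backup content, the file names and the digest comparison are constructed for illustration; the actual config-backup XML layout is not shown on this page.

```python
"""
Sanity-check an exported F5OS configuration backup before relying on it.

Added example, not F5 code. The backup content below is constructed for
illustration; the page does not describe the config-backup XML layout.
"""
import hashlib
import os
import stat
import tempfile
import xml.etree.ElementTree as ET
from typing import List, Optional

# Constructed stand-in for backup1.xml; the real file is whatever
# "system database config-backup" writes.
SAMPLE_BACKUP = b"""<?xml version="1.0" encoding="UTF-8"?>
<config xmlns="urn:example:constructed-backup">
  <system><hostname>syscon-1</hostname></system>
  <aaa><user name="admin"><password-hash>$6$constructed$hash</password-hash></user></aaa>
</config>
"""


def sha256_file(path: str) -> str:
    """Hex SHA-256 of a file, read in chunks so large backups are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def check_backup(path: str, expected_sha256: Optional[str] = None) -> List[str]:
    """Return the problems found; an empty list means every check passed."""
    problems: List[str] = []
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return [f"{path}: missing"]
    if st.st_size == 0:
        problems.append("file is empty")
    # The backup holds the full configuration, passwords included,
    # so nobody but the owner should be able to read it.
    if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        problems.append(f"permissions too open: {oct(st.st_mode & 0o777)}")
    try:
        ET.parse(path)  # catches a transfer that was truncated or corrupted
    except ET.ParseError as exc:
        problems.append(f"not well-formed XML: {exc}")
    if expected_sha256 is not None:
        actual = sha256_file(path)
        if actual != expected_sha256.lower():
            problems.append(f"sha256 mismatch: expected {expected_sha256}, got {actual}")
    return problems


def demo() -> dict:
    """Run the sample through an intact copy, an over-permissive copy and a
    corrupted copy, returning the findings for each."""
    workdir = tempfile.mkdtemp()
    path = os.path.join(workdir, "backup1.xml")
    with open(path, "wb") as f:
        f.write(SAMPLE_BACKUP)
    os.chmod(path, 0o600)
    # Record the digest before export; compare it after the transfer.
    digest = sha256_file(path)
    results = {"intact": check_backup(path, digest)}

    os.chmod(path, 0o644)
    results["world_readable"] = check_backup(path, digest)
    os.chmod(path, 0o600)

    with open(path, "ab") as f:  # simulate a transfer that was cut short
        f.write(b"<partition name=")
    results["corrupted"] = check_backup(path, digest)
    return results


if __name__ == "__main__":
    for case, findings in demo().items():
        print(f"{case}: {findings or 'OK'}")
```

Compute the digest of the file before exporting it and pass it as expected_sha256 after the transfer; any mismatch or parse error means the copy should not be used for a restore.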

Disable appliance mode from the CLI

You can disable appliance mode on the system controllers from the CLI. While it is recommended that you enable appliance mode most of the time, some tasks, such as restoring the default configuration or running the Setup utility, require use of the root account (which is unavailable in appliance mode).
  1. Log in to the command line interface (CLI) of the system controller using an account with admin access.
    When you log in to the system, you are in user (operational) mode.
  2. Change to config mode.
    config
    The CLI prompt changes to include (config).
  3. Check whether the system is in appliance mode:
    show system appliance-mode state
    If appliance mode is enabled, proceed to disable it. Otherwise, skip the next step.
  4. Disable appliance mode:
    system appliance-mode config disabled
  5. Commit the configuration changes.
    commit
  6. Leave config mode.
    exit

Revert to default configuration of the system controller

Before you revert the system controller to its default configuration, back up the existing configuration if you want to keep it, and disable appliance mode if it is enabled, because the procedure requires the root account.
If you are testing, performing an RMA, or for any other reason want to restore the system to its initial factory default settings, you can do that from the system console. This procedure clears all existing configuration and regenerates the default configuration.
  1. Connect to a management console or console server of the active system controller.
    The default baud rate and serial port configuration is 19200/8-N-1.
  2. Log in as the root user.
  3. Log in to the admin account.
    su admin
  4. Change to config mode.
    config
    The CLI prompt changes to include (config).
  5. Reset to the default configuration of the system controller.
    system database config reset-default-config true
    This command deletes all configuration on the system controller including IP addresses, passwords, all partition configuration, and tenant images.
  6. Commit the configuration changes.
    commit
  7. Log out as the admin user.
    exit
    You are returned to the root account.
  8. Reboot the system.
    reboot
  9. Log in to the standby system controller as root and reboot the standby controller.
The system controller now has the default configuration. You need to perform initial configuration and can run the Setup wizard (velos-setup-wizard) to set management IP addresses, DNS, and other required settings. For more information on initial configuration, see VELOS Systems: Getting Started at support.f5.com.

Save the configuration of a chassis partition

When you finish configuring a chassis partition, it is a good idea to save the configuration as a backup. You can save a chassis partition configuration from the partition CLI.
  1. Log in to the command line interface (CLI) of the chassis partition using an account with admin access.
    When you log in to the system, you are in user (operational) mode.
  2. Change to config mode.
    config
    The CLI prompt changes to include (config).
  3. Save the chassis partition configuration.
    system database config-backup name partitionbackup1.xml
    Chassis partition configuration backup files are located in /var/F5/partition/configs/.
  4. Consider exporting the configuration backup onto a separate system. Later if you need it, you can import it back to this system.
  5. To return the system to the state it was in when the backup was made, load the configuration backup onto the system.
    system database config-restore name partitionbackup1.xml
    response Succeeded.
    If the restore operation fails, the system automatically uses the previous configuration.
  6. Leave config mode.
    exit
You have a backup of the chassis partition configuration that you can restore on the system if needed.

Revert to default configuration of the partition

If you want to preserve the chassis partition configuration, back up the existing system configuration of the partition and any tenants before you restore the default. Then export the backup to an HTTPS server where it will be available if you need it later.
If you want to restore a chassis partition to its default configuration, you can do that from the partition CLI.
  1. Log in to the command line interface (CLI) of the chassis partition using an account with admin access.
    When you log in to the system, you are in user (operational) mode.
  2. Change to config mode.
    config
    The CLI prompt changes to include (config).
  3. Clear all existing configuration and regenerate the default configuration.
    system database reset-to-default proceed yes
    result Database reset-to-default successful.
The chassis partition now has the default configuration as if it was just created. You need to reconfigure it as needed and deploy tenants.

Migrate system configuration from one system to another

Before you can migrate the system configuration onto another VELOS system, you need to have completed the initial configuration of management IP addresses on the new system, and it must be in stable running condition. You also must be able to log in to the existing system.
The VELOS system uses an encryption key, also called the primary key, to encrypt and decrypt highly sensitive passphrases contained in the configuration database.
In the case of an RMA (return merchandise authorization), or in other situations where you need to align multiple systems, you may need to migrate the system controller configuration from one system (the source) to another (the destination). Such a migration requires that you set the same encryption key on both systems so that the encrypted elements are moved successfully along with the configuration. You perform this procedure from the system controller CLI or using RESTCONF APIs.
To migrate the system controller configuration and encryption key from one system to another from the CLI:
  1. Log in to the command line interface (CLI) of the system controller using an account with admin access.
    When you log in to the system, you are in user (operational) mode.
  2. Change to config mode.
    config
    The CLI prompt changes to include (config).
  3. Set the primary key with the same passphrase on both the source and destination devices.
    system aaa primary-key set passphrase <known_pass> confirm-passphrase <known_pass> salt <known_salt> confirm-salt <known_salt>
    Response info:
    Key migration is initiated. Use 'show system aaa primary-key state status' to get status
  4. Check the status of the primary key on both the source and destination devices, and wait until it reports COMPLETE before you continue.
    show system aaa primary-key state status
    Example response info:
    system aaa primary-key state status "COMPLETE Initiated: Thu Feb 18 01:37:53 2021"
  5. Check the primary key hash on both the source and destination devices. The hash must be identical on both devices before you continue; if it differs, the passphrase or salt was entered differently on one of them.
    show system aaa primary-key state hash
    For example:
    syscon-2-active# show system aaa primary-key state hash
    system aaa primary-key state hash YTkPNw5nxY/nqgfyNjdHZUZWD1tfvxNY30+VAbSstzheCnE6Vy6aADftJKrVWY5W5w3UaQeRnwkT0NeFkb5Svg==
    syscon-2-active#
  6. On the source device, save the system controller configuration.
    system database config-backup name backup1.xml
    System controller configuration backup files are located in /mnt/var/confd/configs.
  7. Export the configuration backup file from the source device to an HTTPS server.
    file export local-file /mnt/var/confd/configs/backup1.xml remote-file /tmp/backup1.xml remote-host 172.27.21.75 username root
    The system requests the password for the remote root account.
    Value for 'password' (<string>): *******
    result File transfer is initiated.(/mnt/var/confd/configs/backup1.xml)
  8. Import the configuration backup onto the destination device from the HTTPS server.
    file import local-file /mnt/var/confd/configs/backup1.xml remote-file /tmp/backup1.xml remote-host 172.27.21.75 username root
    Value for 'password' (<string>): *******
  9. Load the configuration backup onto the destination device.
    system database config-restore name backup1.xml
    response Succeeded.
    If the migration fails for any reason, the system automatically restores the previous configuration.
  10. Reset the primary key with a different passphrase and salt on each of the source and destination devices (not required, but recommended so that the two systems no longer share a key). After this step, a backup taken on one device can no longer be restored on the other unless you repeat step 3.
    system aaa primary-key set passphrase <new_pass> confirm-passphrase <new_pass> salt <new_salt> confirm-salt <new_salt>
  11. Commit the configuration changes.
    commit
  12. Leave config mode.
    exit
The destination device now has the same system controller configuration as the source device. If you completed step 10, each device also has its own unique encryption key.
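The reason steps 3, 5 and 10 matter, shown as an added example that is not F5 code: F5OS does not document how the primary key is derived from the passphrase and salt, how the sealed values are encrypted, or how the displayed hash is computed, so this stand-in uses PBKDF2-HMAC-SHA256 for derivation, an HMAC-SHA256 keystream with an HMAC tag for sealed values, and SHA-512 for the key hash, all from the Python standard library. The secret names, values and the simulated restore are constructed. It shows that matching hashes mean a restore will open every sealed value, that a mistyped salt is caught by the hash comparison before any restore is attempted, and that re-keying one side (step 10) makes the old export unusable on it.

```python
"""
Why the primary key must match on source and destination before a restore,
and what re-keying in step 10 changes. Added example, not F5 code; the
derivation, cipher and hash are stand-ins, since F5OS does not document them.
"""
import base64
import hashlib
import hmac
import os
from typing import Dict, Optional

NONCE_LEN = 16
TAG_LEN = 32


def derive_primary_key(passphrase: str, salt: str) -> bytes:
    """Step 3: the same passphrase and salt yield the same key on any device."""
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt.encode(),
                               100_000, dklen=32)


def key_hash(key: bytes) -> str:
    """Step 5: a value safe to show on the CLI, derived from the key without
    revealing it. Equal hashes mean equal keys."""
    return base64.b64encode(hashlib.sha512(key).digest()).decode()


def _subkey(key: bytes, purpose: bytes) -> bytes:
    # Separate encryption and authentication keys from the one primary key.
    return hmac.new(key, purpose, "sha256").digest()


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), "sha256").digest()
        counter += 1
    return out[:length]


def seal(key: bytes, plaintext: bytes) -> str:
    """Encrypt-then-MAC a sensitive value for storage in the config database."""
    nonce = os.urandom(NONCE_LEN)
    stream = _keystream(_subkey(key, b"enc"), nonce, len(plaintext))
    ct = bytes(a ^ b for a, b in zip(plaintext, stream))
    tag = hmac.new(_subkey(key, b"mac"), nonce + ct, "sha256").digest()
    return base64.b64encode(nonce + ct + tag).decode()


def unseal(key: bytes, blob: str) -> bytes:
    """Reject the value unless it was sealed under this exact key."""
    raw = base64.b64decode(blob)
    nonce, ct, tag = raw[:NONCE_LEN], raw[NONCE_LEN:-TAG_LEN], raw[-TAG_LEN:]
    expected = hmac.new(_subkey(key, b"mac"), nonce + ct, "sha256").digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("sealed value does not verify under this primary key")
    stream = _keystream(_subkey(key, b"enc"), nonce, len(ct))
    return bytes(a ^ b for a, b in zip(ct, stream))


def restore_config(dest_key: bytes, exported: Dict[str, str]) -> Optional[Dict[str, bytes]]:
    """Step 9 as a function: every sealed value must open, otherwise the restore
    is abandoned (None) and the destination keeps its previous configuration."""
    plain: Dict[str, bytes] = {}
    for name, blob in exported.items():
        try:
            plain[name] = unseal(dest_key, blob)
        except ValueError:
            return None
    return plain


def demo() -> dict:
    # Constructed secrets standing in for the sensitive passphrases the
    # primary key protects in the configuration database.
    secrets = {"radius-shared-secret": b"r4d1us-secret", "ldap-bind-password": b"b1nd-pw"}
    source = derive_primary_key("known_pass", "known_salt")
    dest = derive_primary_key("known_pass", "known_salt")       # step 3 done correctly
    dest_typo = derive_primary_key("known_pass", "known-salt")  # salt mistyped on dest
    exported = {name: seal(source, value) for name, value in secrets.items()}
    result = {
        "hash_matches": key_hash(source) == key_hash(dest),
        "hash_matches_typo": key_hash(source) == key_hash(dest_typo),
        "restored": restore_config(dest, exported),
        "restored_typo": restore_config(dest_typo, exported),
    }
    # Step 10: the destination sets its own passphrase and salt; the earlier
    # export no longer opens there, so repeat step 3 before any future migration.
    dest_rekeyed = derive_primary_key("new_pass_dest", "new_salt_dest")
    result["restored_after_rekey"] = restore_config(dest_rekeyed, exported)
    return result
```

The hash check in step 5 is cheap and catches a mistyped passphrase or salt before the restore in step 9 has to roll back; treat a hash mismatch as a stop condition, not a warning.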

Trusted Platform Module (TPM) overview

A Trusted Platform Module (TPM) is a hardware device that implements security functions to provide the ability to determine a trusted computing environment, allowing for an increased assurance of trust that a device behaves for its intended purpose. TPM Chain of Custody provides assurance that the software loaded on your platform at startup time has the same signature as the software that is loaded by F5 when the system is manufactured.
The measurements are hashes of most of the BIOS code, the BIOS settings, the TPM settings, tboot, the Linux initrd, and the Linux kernel (the initial VELOS release validates only the BIOS). Because the hashes are collision resistant, an altered version of a measured module cannot easily be produced that yields the same measurement, so you can compare the measurements against known good values.
Both of the system controllers, as well as all the blades (BX110) have a TPM chipset. For the initial VELOS release, local attestation is done automatically at boot time and can be displayed in the CLI.
The TPM implements protected capabilities and locations that protect and report integrity measurements using Platform Configuration Registers (PCRs). The TPM also includes additional security functionality, including cryptographic key management, random number generation, and the sealing of data to system state.
Your TPM-equipped VELOS system performs attestation and chain-of-custody confirmation for the device locally, without manual intervention.
If your system has been breached, consult your security team immediately.

Local attestation overview

You can perform local attestation on your VELOS system of the Trusted Platform Module (TPM) chain of custody using the Platform Configuration Register (PCR) values to confirm that the firmware is unmodified.

Available system integrity states

This table lists the available local attestation system integrity states for the Trusted Platform Module (TPM).
  • Not Supported: Indicates that the system does not have the capability to perform System Integrity Measurements.
  • Pending: Indicates that the system is not yet ready to produce a System Integrity Measurement and evaluate the reference values.
  • Valid: Indicates that the solicited System Integrity Measurement matches one of the sets of reference values in the local System Integrity Reference Repository (SIRR).
  • Invalid: Indicates that the System Integrity Measurement has been taken without error, but the values do not match any set of acceptable values in the local System Integrity Reference Repository. This could mean that the SIRR is out of date or that the system has been tampered with.
  • Unavailable: Indicates that an error has occurred.

Display the local attestation status of a system controller

You can use the command-line interface (CLI) to display and verify the current local attestation status of a system controller.
  1. Connect using SSH to the system controller floating management IP address.
  2. Log in to the command line interface (CLI) of the system controller using an account with admin access.
    When you log in to the system, you are in user (operational) mode.
  3. Display the current local attestation status of a specified system controller.
    show components component [ controller-1 | controller-2 ] state tpm-integrity-status
    A message similar to this example displays the current status:
    state tpm-integrity-status Valid

Display the local attestation status of a blade

You can use the chassis partition command-line interface (CLI) to display and verify the current local attestation status of a blade.
  1. Connect using SSH to the partition management IP address.
  2. Log in to the command line interface (CLI) of the chassis partition using an account with admin access.
    When you log in to the system, you are in user (operational) mode.
  3. Display the current local attestation status of a specified blade.
    show components component [ blade-1 | blade-2 | blade-n ] state tpm-integrity-status
    A message similar to this example displays the current status:
    state tpm-integrity-status Valid
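The integrity states table and the two display procedures above, as an added example that is not F5 code: the first function applies the five-state table to a measurement and a local reference repository, and the rest parse a CLI transcript of the show commands for controllers and blades and flag anything that is not Valid, with the page's interpretation of each state. The PCR indexes, reference values, component names and transcript are constructed for illustration, and the SIRR is modelled as a list of reference sets; the real repository format is not described on the page.

```python
"""
Map a System Integrity Measurement to the integrity states in the table and
flag components whose CLI status needs attention. Added example, not F5 code;
PCR values, SIRR contents and the transcript are constructed.
"""
import hashlib
import re
from typing import Dict, List, Optional

PcrValues = Dict[int, str]  # PCR index -> hex digest


def integrity_state(has_tpm: bool, measurement_ready: bool,
                    measurement: Optional[PcrValues],
                    sirr: List[PcrValues]) -> str:
    """Apply the five-state table: capability, readiness, measurement error,
    then comparison against every reference set in the local SIRR."""
    if not has_tpm:
        return "Not Supported"
    if not measurement_ready:
        return "Pending"
    if measurement is None:  # measurement was attempted but failed
        return "Unavailable"
    for reference in sirr:
        # A set matches only if every PCR it covers has exactly the measured value.
        if all(measurement.get(pcr) == digest for pcr, digest in reference.items()):
            return "Valid"
    return "Invalid"


STATUS_RE = re.compile(
    r"show components component (\S+) state tpm-integrity-status\s*\n"
    r"\s*state tpm-integrity-status (\S+)")


def parse_status_transcript(text: str) -> Dict[str, str]:
    """Pull (component, state) pairs out of a CLI transcript in which each
    'show components component <name> state tpm-integrity-status' is echoed."""
    return {m.group(1): m.group(2) for m in STATUS_RE.finditer(text)}


GUIDANCE = {
    "Invalid": "measured without error but matches no SIRR set: SIRR out of date or tampering",
    "Unavailable": "error while measuring: investigate before trusting this component",
    "Pending": "measurement not ready yet: re-check after boot completes",
    "Not Supported": "no measurement capability on this component",
}


def needs_attention(statuses: Dict[str, str]) -> Dict[str, str]:
    """Everything that is not Valid, with the page's reading of the state."""
    return {c: GUIDANCE.get(s, f"unknown state {s!r}")
            for c, s in statuses.items() if s != "Valid"}


def _digest(label: str) -> str:
    # Constructed stand-in for a PCR value; real values come from the TPM.
    return hashlib.sha256(label.encode()).hexdigest()


# Constructed SIRR: one reference set per known-good BIOS build. The initial
# release validates only the BIOS, so PCR 0 alone is enough here.
SAMPLE_SIRR = [{0: _digest("bios-1.1.3")}, {0: _digest("bios-1.1.4")}]

# Constructed transcript of the controller and blade display procedures.
SAMPLE_TRANSCRIPT = """\
syscon-1-active# show components component controller-1 state tpm-integrity-status
state tpm-integrity-status Valid
syscon-1-active# show components component controller-2 state tpm-integrity-status
state tpm-integrity-status Valid
partition-1# show components component blade-1 state tpm-integrity-status
state tpm-integrity-status Valid
partition-1# show components component blade-2 state tpm-integrity-status
state tpm-integrity-status Invalid
"""


def demo() -> dict:
    good_blade = {0: _digest("bios-1.1.4"), 7: _digest("secure-boot-policy")}
    modified_blade = {0: _digest("bios-1.1.4-patched"), 7: _digest("secure-boot-policy")}
    return {
        "good": integrity_state(True, True, good_blade, SAMPLE_SIRR),
        "modified": integrity_state(True, True, modified_blade, SAMPLE_SIRR),
        "error": integrity_state(True, True, None, SAMPLE_SIRR),
        "booting": integrity_state(True, False, None, SAMPLE_SIRR),
        "no_tpm": integrity_state(False, False, None, SAMPLE_SIRR),
        "attention": needs_attention(parse_status_transcript(SAMPLE_TRANSCRIPT)),
    }
```

An Invalid result right after a firmware update is most often a stale SIRR rather than tampering, but the distinction cannot be made from the status alone; as the page says, involve your security team before trusting the component.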