Manual Chapter : Migrate system configuration from one system to another

Applies To: F5OS 1.1.1, 1.1.0


Before you can migrate the system configuration onto another VELOS system, you need to have completed the initial configuration of management IP addresses on the new system, and it must be in stable running condition. You also must be able to log in to the existing system.
The VELOS system uses an encryption key, also called the primary key, to encrypt and decrypt highly sensitive passphrases contained in the configuration database.
In the case of an RMA (return merchandise authorization) or other situations when aligning multiple systems, you may need to migrate the system controller configuration from one system (the source) to another one (the destination). Such a migration requires that you set the same encryption key on both systems so that the encrypted elements are moved successfully along with the configuration. You perform this procedure from the system controller CLI or using RESTCONF APIs.
To migrate the system controller configuration and encryption key from one system to another from the CLI:
  1. Log in to the command line interface (CLI) of the system controller using an account with admin access.
    When you log in to the system, you are in user (operational) mode.
  2. Change to config mode.
    config
    The CLI prompt changes to include (config).
  3. Set the primary key with the same passphrase on both the source and destination devices.
    system aaa primary-key set passphrase <known_pass> confirm-passphrase <known_pass> salt <known_salt> confirm-salt <known_salt>
    Response info:
    Key migration is initiated. Use 'show system aaa primary-key state status' to get status
  4. Check the status of the primary key on both the source and destination devices.
    show system aaa primary-key state status
    Example response info:
    system aaa primary-key state status "COMPLETE Initiated: Thu Feb 18 01:37:53 2021"
  5. Check the primary key hash on both the source and destination devices.
    show system aaa primary-key state hash
    For example:
    syscon-2-active# show system aaa primary-key state hash
    system aaa primary-key state hash YTkPNw5nxY/nqgfyNjdHZUZWD1tfvxNY30+VAbSstzheCnE6Vy6aADftJKrVWY5W5w3UaQeRnwkT0NeFkb5Svg==
    syscon-2-active#
  6. On the source device, save the system controller configuration.
    system database config-backup name backup1.xml
    System controller configuration backup files are located in /mnt/var/confd/configs.
  7. Export the configuration backup file from the source device to an HTTPS server.
    file export local-file /mnt/var/confd/configs/backup1.xml remote-file /tmp/backup1.xml remote-host 172.27.21.75 username root
    The system requests the password for the remote root account.
    Value for 'password' (<string>): *******
    result File transfer is initiated.(/mnt/var/confd/configs/backup1.xml)
  8. Import the configuration backup onto the destination device from the HTTPS server.
    file import local-file /mnt/var/confd/configs/backup1.xml remote-file /tmp/backup1.xml remote-host 172.27.21.75 username root
    Value for 'password' (<string>): *******
  9. Load the configuration backup onto the destination device.
    system database config-restore name backup1.xml
    response Succeeded.
    If the migration fails for any reason, the system automatically restores the previous configuration.
  10. Reset the primary key with a different password on both the source and destination devices (not required but recommended for security).
    system aaa primary-key set passphrase <known_pass> confirm-passphrase <known_pass> salt <known_salt> confirm-salt <known_salt>
  11. Commit the configuration changes.
    commit
  12. Leave config mode.
    exit
The destination device now has the same system controller configuration as the original source device, including a unique encryption key.
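
Before loading the backup in step 9, it is worth confirming that steps 4 and 5 really produced the same result on both systems. The script below is an added example, not part of the F5 manual: it assumes the output of the two `show system aaa primary-key state ...` commands from each system was saved to a text file, and it compares status and hash. The file names, function names, and sample values are hypothetical.

```shell
#!/bin/sh
# Added example; all sample captures and hash values below are constructed.

# First word of the quoted status string, e.g. COMPLETE.
extract_status() {
    awk '/^system aaa primary-key state status / {
        sub(/^system aaa primary-key state status +"?/, ""); print $1; exit }'
}

# Hash from the output line (not the echoed command). Spaces, tabs and CRs
# that a terminal wrap or copy-paste left inside the value are removed.
extract_hash() {
    awk '/^system aaa primary-key state hash / {
        sub(/^system aaa primary-key state hash +/, "")
        gsub(/[ \t\r]/, ""); print; exit }'
}

# keys_aligned SOURCE_CAPTURE DEST_CAPTURE: returns 0 only if both captures
# report COMPLETE and both hashes are present and identical.
keys_aligned() {
    ka_ss=$(extract_status < "$1"); ka_ds=$(extract_status < "$2")
    ka_sh=$(extract_hash < "$1");   ka_dh=$(extract_hash < "$2")
    if [ "$ka_ss" != COMPLETE ] || [ "$ka_ds" != COMPLETE ]; then
        echo "status not COMPLETE (source=${ka_ss:-none}, destination=${ka_ds:-none})"; return 1
    fi
    if [ -z "$ka_sh" ] || [ -z "$ka_dh" ]; then echo "hash line missing"; return 1; fi
    if [ "$ka_sh" != "$ka_dh" ]; then echo "hash mismatch: do not restore yet"; return 1; fi
    echo "primary keys match"
}

# Writes three constructed captures into directory $1.
write_samples() {
    printf '%s\n' 'syscon-1-active# show system aaa primary-key state hash' \
        'system aaa primary-key state status "COMPLETE Initiated: Thu Feb 18 01:37:53 2021"' \
        'system aaa primary-key state hash Q09OU1RSVUNURUQtSEFTSC1B/abc+123==' > "$1/source.txt"
    # Same key; the hash was wrapped and picked up a space.
    printf '%s\n' 'system aaa primary-key state status "COMPLETE Initiated: Thu Feb 18 01:40:02 2021"' \
        'system aaa primary-key state hash Q09OU1RSVUNURUQtSEFT SC1B/abc+123==' > "$1/destination.txt"
    # A destination whose primary key was set from a different passphrase or salt.
    printf '%s\n' 'system aaa primary-key state status "COMPLETE Initiated: Thu Feb 18 01:41:10 2021"' \
        'system aaa primary-key state hash RElGRkVSRU5ULUtFWS1YWVo/def+456==' > "$1/other.txt"
}

demo_dir=$(mktemp -d) && write_samples "$demo_dir"
keys_aligned "$demo_dir/source.txt" "$demo_dir/destination.txt"
rm -rf "$demo_dir"
```

A non-zero exit from `keys_aligned` means the primary key should be set again with the same passphrase and salt on both systems before the restore is attempted.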