Manual Chapter: Additional System Tasks
Applies To: F5OS-C 1.6.1
Service provider features overview
Service Provider Disaggregation (SP-DAG) is supported on VELOS systems. For information on configuring service provider features for your BIG-IP tenant, see these documents in the BIG-IP LTM Knowledge Center at support.f5.com/csp/knowledge-center/software/BIG-IP?module=BIG-IP%20LTM:
- BIG-IP Service Provider: Administration
- BIG-IP Service Provider: Diameter Administration
- BIG-IP Service Provider: Generic Message Administration
- BIG-IP Service Provider: Message Routing Administration
- BIG-IP Service Provider: SIP Administration
Configure the DAG hash function from the CLI
You can enable or disable the DAG hash function from the chassis partition CLI. Enabling it makes DAG hash GTP-U traffic on the TEID (tunnel endpoint identifier) instead of in the default L4 port mode. The setting is applied to all tenants running in the chassis partition; it cannot be set per tenant.
- Connect using SSH to the chassis partition management IP address.
- Log in to the command line interface (CLI) of the chassis partition using an account with admin access. When you log in to the system, you are in user (operational) mode.
- Change to config mode:
  config
  The CLI prompt changes to include (config).
- Configure the DAG hash function:
  system settings dag config gtp-u teid-hash { enabled | disabled }
- Commit the configuration changes:
  commit
- Return to user (operational) mode:
  end
- Verify the DAG hashing configuration:
  show system settings dag
  Output similar to this example displays:
  default-1# show system settings dag
  system settings dag state gtp-u teid-hash enabled
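To see why the TEID matters for disaggregation, here is an added Python illustration (not F5 code, and the bucket hash is not the VELOS DAG algorithm): it builds sample UDP/GTP-U datagrams, extracts the TEID from the GTP-U header, and compares how a toy bucket hash spreads tunnels when keyed on the UDP port pair versus the TEID. The bucket hash, the bucket count and the sample TEIDs are assumptions chosen for the illustration.

```python
"""Added illustration, not F5 code: why hashing GTP-U on the TEID spreads tunnels
better than hashing on L4 ports.

GTP-U is carried over UDP to port 2152 (3GPP TS 29.281), and senders commonly use
2152 as the source port as well, so a hash keyed on the UDP port pair sees little
or no variation between tunnels.  The 32-bit TEID in the GTP-U header identifies
the tunnel endpoint.  The bucket hash below is a toy stand-in, NOT the VELOS DAG
hash; the bucket count and sample TEIDs are assumptions for illustration.
"""
import struct

GTPU_PORT = 2152   # UDP port assigned to GTP-U
N_BUCKETS = 4      # hypothetical number of processing units to spread flows over


def build_gtpu_datagram(teid: int, payload: bytes) -> bytes:
    """Construct a minimal UDP/GTP-U datagram (sample data; no IP header).

    UDP header: src port, dst port, length, checksum (0 = none).
    GTP-U header with no optional fields: flags 0x30 (version 1, PT=1),
    message type 0xFF (G-PDU), payload length, TEID.
    """
    gtp_hdr = struct.pack("!BBHI", 0x30, 0xFF, len(payload), teid)
    udp_len = 8 + len(gtp_hdr) + len(payload)
    udp_hdr = struct.pack("!HHHH", GTPU_PORT, GTPU_PORT, udp_len, 0)
    return udp_hdr + gtp_hdr + payload


def parse_gtpu(datagram: bytes) -> dict:
    """Extract the UDP port pair and the TEID; reject anything that is not GTPv1-U."""
    if len(datagram) < 16:
        raise ValueError("too short for a UDP + GTP-U header")
    src, dst, _udp_len, _csum = struct.unpack("!HHHH", datagram[:8])
    flags, msg_type, _gtp_len, teid = struct.unpack("!BBHI", datagram[8:16])
    if dst != GTPU_PORT:
        raise ValueError("destination port is not GTP-U (2152)")
    if (flags >> 5) != 1:
        raise ValueError("not GTP version 1")
    return {"src_port": src, "dst_port": dst, "msg_type": msg_type, "teid": teid}


def bucket(key: bytes) -> int:
    """Toy hash (illustration only): XOR-fold the key bytes, modulo the bucket count."""
    acc = 0
    for b in key:
        acc ^= b
    return acc % N_BUCKETS


def l4_port_bucket(fields: dict) -> int:
    """Default mode: key on the L4 (UDP) port pair."""
    return bucket(struct.pack("!HH", fields["src_port"], fields["dst_port"]))


def teid_bucket(fields: dict) -> int:
    """teid-hash enabled: key on the tunnel endpoint identifier."""
    return bucket(struct.pack("!I", fields["teid"]))


def distribution(teids, mode) -> dict:
    """Count how many tunnels land in each bucket under the given keying mode."""
    counts = {}
    for teid in teids:
        fields = parse_gtpu(build_gtpu_datagram(teid, b"\x45" + b"\x00" * 19))
        b = mode(fields)
        counts[b] = counts.get(b, 0) + 1
    return counts


# Constructed sample TEIDs (six tunnels).
SAMPLE_TEIDS = [0x00000001, 0x00000002, 0x12345678, 0xDEADBEEF, 0x0BADCAFE, 0x000000FF]

if __name__ == "__main__":
    print("L4 port mode:", distribution(SAMPLE_TEIDS, l4_port_bucket))  # every tunnel in one bucket
    print("TEID mode:   ", distribution(SAMPLE_TEIDS, teid_bucket))     # spread across buckets
```

With the port pair as the key, all six tunnels land in the same bucket because every datagram carries the same ports; with the TEID as the key they spread across the buckets. That is the whole point of the teid-hash setting, and it is why the choice affects every tenant in the partition at once.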
Key migration overview
The VELOS system uses an encryption key, also called the primary key, to encrypt and decrypt highly sensitive passphrases contained in the configuration database. You follow a key migration process to set the encryption key on the system to a known value, so that the same key can be set on another machine using the same passphrase and salt.
Reset the primary key
You might consider resetting (or rotating) the encryption key
periodically on a system for additional security.
- Log in to the command line interface (CLI) of the system controller using an account with admin access. When you log in to the system, you are in user (operational) mode.
- Change to config mode:
  config
  The CLI prompt changes to include (config).
- Reset the primary key:
  system aaa primary-key set
- Commit the configuration changes:
  commit
The encryption key is reset (or refreshed) on the system.
Migrate system configuration from one system to another from the CLI
Before you can migrate the system configuration onto another VELOS system, you must have completed the initial configuration of management IP addresses on the new system, and it must be in a stable running condition. You also must be able to log in to the existing system.
In the case of a Return Material Authorization (RMA) or other situations when aligning multiple systems, you might need to migrate the system controller configuration from one system (the source) to another one (the destination). Such a migration requires that you set the same encryption key on both systems so that the encrypted elements are moved successfully along with the configuration. You can migrate the system configuration from the system controller CLI.
- Log in to the command line interface (CLI) of the system controller using an account with admin access. When you log in to the system, you are in user (operational) mode.
- Change to config mode:
  config
  The CLI prompt changes to include (config).
- Set the primary key with the same passphrase and salt on both the source and destination systems:
  system aaa primary-key set passphrase <known-pass> confirm-passphrase <known-pass> salt <known-salt> confirm-salt <known-salt>
  Be sure to make note of the passphrase and salt, as these are needed to restore the configuration on a replacement system. Store them as you would any other secret: anyone holding them can derive the key that protects the passphrases in the configuration database.
  The system shows a message confirming that key migration has started:
  Key migration is initiated. Use 'show system aaa primary-key state status' to get status
- Return to user (operational) mode:
  end
- Check the status of the primary key on both the source and destination systems:
  show system aaa primary-key state status
  A summary similar to this example displays:
  system aaa primary-key state status "COMPLETE Initiated: Thu Feb 18 01:37:53 2021"
  Wait until the status is COMPLETE on both systems before continuing.
- Check the primary key hash on both the source and destination systems:
  show system aaa primary-key state hash
  A summary similar to this example displays:
  system aaa primary-key state hash YTkPNw5nxY/nqgfyNjdHZUZWD1tfvxNY30+VAbSstzheCnE6Vy6aADftJKrVWY5W5w3UaQeRnwkT0NeFkb5Svg==
  syscon-1-active#
  Be sure to make note of the primary key hash, as it is needed to restore the configuration on a replacement system. The hash must be identical on the source and destination systems; if it differs, the two systems do not share the same key and the encrypted elements cannot be restored successfully.
- On the source system, save the system controller configuration:
  system database config-backup name <file-name>.xml
  System controller configuration backup files are located in configs/.
- Export the configuration backup file from the source system to an HTTPS server:
  file export local-file configs/<file-name>.xml remote-file /<file-path>/<file-name>.xml remote-host <ip-address> username root
- When prompted, enter the password for the remote root account.
- Import the configuration backup onto the destination system from the HTTPS server:
  file import local-file configs/<file-name>.xml remote-file /<file-path>/<file-name>.xml remote-host <ip-address> username root
- When prompted, enter the password for the remote root account.
- Load the configuration backup onto the destination system:
  system database config-restore name <file-name>.xml
  If the migration fails for any reason, the system automatically restores the previous configuration.
- Reset the primary key with a different passphrase and salt on both the source and destination systems (not required, but recommended for security, because the migration passphrase and salt were written down and shared between two systems):
  system aaa primary-key set passphrase <new-pass> confirm-passphrase <new-pass> salt <new-salt> confirm-salt <new-salt>
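The status and hash checks in the procedure above are the gate before config-restore. Here is an added pre-flight check in Python (not F5 code) that parses captures of the two show commands from both systems and refuses to proceed unless both key operations are COMPLETE and both hashes match. The captured outputs, hash values and the IN_PROGRESS state string are constructed for the example.

```python
"""Added pre-flight check, not F5 code: verify that the source and destination
system controllers share the primary key before running config-restore.

The inputs are the text captured from
    show system aaa primary-key state status
    show system aaa primary-key state hash
on each system.  The sample captures below are constructed to match the output
format shown in this chapter; the hash values and the IN_PROGRESS state string
are made up for the example.
"""
import re

STATUS_RE = re.compile(
    r'primary-key state status\s+"(?P<state>[A-Z_]+)(?:\s+Initiated:\s*(?P<when>[^"]*))?"'
)


def parse_status(output: str):
    """Return (state, initiated-timestamp) from a status capture."""
    m = STATUS_RE.search(output)
    if not m:
        raise ValueError("no primary-key status found in output")
    return m.group("state"), (m.group("when") or "").strip()


def parse_hash(output: str) -> str:
    """Return the primary key hash, re-joined if the terminal wrapped it and with a
    trailing CLI prompt (for example 'syscon-1-active#') dropped."""
    m = re.search(r"primary-key state hash\s+(.*)", output, re.S)
    if not m:
        raise ValueError("no primary-key hash found in output")
    tokens = m.group(1).split()
    if tokens and tokens[-1].endswith("#"):
        tokens.pop()
    if not tokens:
        raise ValueError("primary-key hash is empty")
    return "".join(tokens)


def migration_ready(src_status, src_hash, dst_status, dst_hash):
    """Return (ok, reasons). ok is True only when both key operations are COMPLETE
    and both systems report the same hash; otherwise reasons lists what blocks
    the restore."""
    reasons = []
    for name, capture in (("source", src_status), ("destination", dst_status)):
        state, _when = parse_status(capture)
        if state != "COMPLETE":
            reasons.append(f"{name}: primary key state is {state}, not COMPLETE")
    if parse_hash(src_hash) != parse_hash(dst_hash):
        reasons.append("primary key hash differs: passphrase or salt was not entered identically")
    return (not reasons, reasons)


# Constructed captures (not real system output).
SRC_STATUS = 'system aaa primary-key state status "COMPLETE Initiated: Thu Feb 18 01:37:53 2021"\n'
SRC_HASH = ("system aaa primary-key state hash c2FtcGxlLWhhc2gtZm9yLWlsbHVz dHJhdGlvbi1vbmx5LW5vdC1yZWFs\n"
            "syscon-1-active#")
DST_STATUS_OK = 'system aaa primary-key state status "COMPLETE Initiated: Thu Feb 18 01:41:10 2021"\n'
DST_HASH_OK = "system aaa primary-key state hash c2FtcGxlLWhhc2gtZm9yLWlsbHVzdHJhdGlvbi1vbmx5LW5vdC1yZWFs\nsyscon-1-active#"
DST_STATUS_PENDING = 'system aaa primary-key state status "IN_PROGRESS Initiated: Thu Feb 18 01:41:10 2021"\n'
DST_HASH_OTHER = "system aaa primary-key state hash ZGlmZmVyZW50LWhhc2gtYmVjYXVzZS1zYWx0LWRpZmZlcnM=\nsyscon-1-active#"

if __name__ == "__main__":
    for label, status, h in (("good", DST_STATUS_OK, DST_HASH_OK),
                             ("pending", DST_STATUS_PENDING, DST_HASH_OK),
                             ("salt mismatch", DST_STATUS_OK, DST_HASH_OTHER)):
        ok, why = migration_ready(SRC_STATUS, SRC_HASH, status, h)
        print(f"{label}: {'proceed with config-restore' if ok else 'STOP: ' + '; '.join(why)}")
```

The hash parser re-joins a value the terminal wrapped across lines, because a copy-and-paste comparison of wrapped output is the easiest way to get a false mismatch; a genuine mismatch almost always means the salt or passphrase was typed differently on one side.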
The destination system now has the same system
controller configuration as the original source system, including the encryption key.
The system controller backup includes general partition management information, software
version used on each partition, and which blades are associated with each partition. It
does not include partition tenants and users or other partition details. This
information is stored in the chassis partition configuration backups. You will still
need to log in to each partition and restore its configuration.
Chassis partition migration note
F5 does not support migrating chassis partition configurations from one system to another. You can migrate an entire system controller configuration and then log in to each chassis partition to restore its configuration. If you attempt to migrate a chassis partition from one system to another independently of the system controllers, the chassis partition configuration will not be complete.
Complete backup and restore overview
Before you can perform a backup and restore, you must disable appliance mode, if it is enabled. There are a number of tasks recommended to perform a complete backup and restore of the VELOS system controllers, chassis partitions, and tenants on that same system. If you want to move a system configuration from one system to another, you also need to perform a key migration. For more information, see Key migration overview.
For more information, see VELOS Systems: Backup, Restore, and Migration at Documentation - F5OS-C and VELOS.
Trusted Platform Module (TPM) overview
A Trusted Platform Module (TPM) is a hardware device that implements security functions that make it possible to establish a trusted computing environment, giving increased assurance that a device behaves as intended. The TPM chain of custody provides assurance that the software loaded on your platform at startup time produces the same measurements as the software that F5 loaded when the system was manufactured.
These measurements are hashes of most of the BIOS code, the BIOS settings, the TPM settings, tboot, the Linux initrd, and the Linux kernel (the initial VELOS release validates only the BIOS). Because the hashes are cryptographic, an alternative version of a measured module cannot easily be produced that yields identical measurements, so you can validate the measurements against known good values. Both of the system controllers, as well as all of the blades (BX110), have a TPM chipset.
For the initial VELOS release, local attestation is done automatically at boot time, and the result can be displayed in the CLI. The TPM implements protected capabilities and locations that protect and report integrity measurements using Platform Configuration Registers (PCRs). The TPM also includes additional security functionality, including cryptographic key management, random number generation, and the sealing of data to system state.
Your TPM-equipped VELOS system comes with functionality to aid in local attestation and in confirming the chain of custody for the device locally, without the need to do it manually. If your system has been breached, consult your security team immediately.
Local attestation overview
You can perform local attestation of the Trusted Platform Module (TPM) chain of custody on your VELOS system, using the Platform Configuration Register (PCR) values to confirm that the firmware is unmodified.
Available local attestation system integrity states
This table lists the available local attestation system integrity states for the Trusted Platform Module (TPM).
State | Description
---|---
Not Supported | Indicates that the system does not have the capability to perform System Integrity Measurements.
Pending | Indicates that the system is not yet ready to produce a System Integrity Measurement and evaluate the reference values.
Valid | Indicates that the solicited System Integrity Measurement matches one of the sets of reference values in the local System Integrity Reference Repository (SIRR).
Invalid | Indicates that the System Integrity Measurement has been taken without error, but the values do not match any set of acceptable values in the local System Integrity Reference Repository. This could mean that the SIRR is out of date or that the system has been tampered with.
Unavailable | Indicates that an error has occurred.
Display the local attestation status of a system controller from the CLI
You can display and verify the current local attestation status of a system controller from the system controller CLI.
- Connect using SSH to the system controller floating management IP address.
- Log in to the command line interface (CLI) of the system controller using an account with admin access. When you log in to the system, you are in user (operational) mode.
- Display the current local attestation status of a specified system controller:
  show components component [ controller-1 | controller-2 ] state tpm-integrity-status
  A message similar to this example displays the current status:
  syscon-1-active# show components component controller-1 state tpm-integrity-status
  state tpm-integrity-status Valid
Display the local attestation status of a blade from the CLI
You can display and verify the current local attestation status of a blade from the chassis partition CLI.
- Connect using SSH to the chassis partition management IP address.
- Log in to the command line interface (CLI) of the chassis partition using an account with admin access. When you log in to the system, you are in user (operational) mode.
- Display the current local attestation status of a specified blade:
  show components component [ blade-1 | blade-2 | ... | blade-n ] state tpm-integrity-status
  A message similar to this example displays the current status:
  default-1# show components component blade-1 state tpm-integrity-status
  state tpm-integrity-status Valid
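Checking one component at a time is fine for a single system, but a chassis has two controllers and several blades, and the state table under Available local attestation system integrity states tells you how seriously to take each answer. Here is an added Python check (not F5 code) that parses captures of the show command from the system controller CLI and the chassis partition CLI, applies that table, and returns a single verdict. The captured outputs are constructed samples, and the verdict names OK, RECHECK and ALERT are this example's own.

```python
"""Added monitoring check, not F5 code: turn tpm-integrity-status output for every
system controller and blade into one verdict, using the state table in this chapter.

Input is text captured from
    show components component <name> state tpm-integrity-status
on the system controller CLI (controllers) and the chassis partition CLI (blades).
The captures below are constructed samples; the verdict names are this example's own.
"""
import re
from typing import Dict, List, Tuple

# Severity of each state from the table in this chapter: 0 = fine, 1 = re-check,
# 2 = treat as an incident until proven otherwise.
SEVERITY = {
    "Valid": 0,          # measurement matches a reference set in the SIRR
    "Pending": 1,        # not measured yet; re-check once boot has completed
    "Not Supported": 1,  # this slot cannot attest; decide whether that is acceptable
    "Unavailable": 2,    # measurement failed with an error
    "Invalid": 2,        # measured cleanly but matches no SIRR reference: stale SIRR or tampering
}
VERDICTS = {0: "OK", 1: "RECHECK", 2: "ALERT"}

STATUS_RE = re.compile(
    r"show components component (?P<name>\S+) state tpm-integrity-status\s*\n"
    r"\s*state tpm-integrity-status\s+(?P<state>[A-Za-z ]+?)\s*$",
    re.M,
)


def parse_integrity_status(text: str) -> Dict[str, str]:
    """Map component name -> reported state from captured CLI output."""
    found = {m.group("name"): m.group("state") for m in STATUS_RE.finditer(text)}
    if not found:
        raise ValueError("no tpm-integrity-status lines found in capture")
    return found


def evaluate(states: Dict[str, str], expected: List[str]) -> Tuple[str, List[str]]:
    """Return (verdict, findings) over the components you expect to see.

    A component that is expected but absent, or that reports a state not in the
    table, is escalated to ALERT: silence from a slot is not evidence of integrity.
    """
    worst = 0
    findings = []
    for name in expected:
        state = states.get(name)
        if state is None:
            sev, finding = 2, f"{name}: no status reported"
        elif state not in SEVERITY:
            sev, finding = 2, f"{name}: unrecognised state {state!r}"
        else:
            sev = SEVERITY[state]
            finding = f"{name}: {state}" if sev else None
        worst = max(worst, sev)
        if finding:
            findings.append(finding)
    return VERDICTS[worst], findings


# Constructed captures (not real system output).
CONTROLLER_CAPTURE = """\
syscon-1-active# show components component controller-1 state tpm-integrity-status
state tpm-integrity-status Valid
syscon-1-active# show components component controller-2 state tpm-integrity-status
state tpm-integrity-status Valid
"""
PARTITION_CAPTURE = """\
default-1# show components component blade-1 state tpm-integrity-status
state tpm-integrity-status Valid
default-1# show components component blade-2 state tpm-integrity-status
state tpm-integrity-status Invalid
default-1# show components component blade-3 state tpm-integrity-status
state tpm-integrity-status Pending
"""
EXPECTED = ["controller-1", "controller-2", "blade-1", "blade-2", "blade-3"]

if __name__ == "__main__":
    states = parse_integrity_status(CONTROLLER_CAPTURE + PARTITION_CAPTURE)
    verdict, findings = evaluate(states, EXPECTED)
    print(verdict)
    for line in findings:
        print("  ", line)
```

Run it after every boot of a controller or blade. An Invalid result is an ALERT even when the most likely cause is a stale SIRR, because you cannot tell the two causes apart from the status alone; Pending only means the measurement has not completed yet and should be re-checked rather than ignored.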