Manual Chapter : Software Management

Applies To:

Show Versions Show Versions

BIG-IP AAM

  • 12.1.0

BIG-IP APM

  • 12.1.0

BIG-IP Link Controller

  • 12.1.0

BIG-IP Analytics

  • 12.1.0

BIG-IP LTM

  • 12.1.0

BIG-IP PEM

  • 12.1.0

BIG-IP AFM

  • 12.1.0

BIG-IP DNS

  • 12.1.0

BIG-IP ASM

  • 12.1.0
Manual Chapter

Software Management

About software management

You can manage the software images, hotfixes, and boot locations on the BIG-IP® system using the Configuration utility. You can also enable the automatic software update feature.

Importing a software image

If you previously downloaded a BIG-IP® software image file (ISO) to a management workstation, you can upload that file to the BIG-IP system.
You can use the Configuration utility to import an ISO that you have stored on a management workstation.
  1. On the Main tab, click System > Software Management > Image List .
    The Image List screen displays a list of existing image files.
  2. Click Import.
    The New Image screen opens.
  3. For the Software Image setting, click Browse.
  4. Click Import.
    A progress indicator displays as the BIG-IP system uploads the file.
    Note: Be sure that you do not navigate away from the screen until the image import process is complete.

Installing a software image

You can use the Configuration utility to install an ISO that you have imported to the BIG-IP® system.
  1. On the Main tab, click System > Software Management > Image List .
    The Image List screen displays a list of existing image files.
  2. For the Available Images setting, select the ISO to install.
    The Install Software Image screen opens.
  3. For the Select Disk setting, select the disk on which to install the software (for example, MD1 or HD1).
    Note: You can install software only on inactive volumes. To install software to the active volume, you must boot to a different volume.
  4. For the Volume set name setting, select the volume on which to install the software.
  5. Click Install.
    A progress indicator displays as the BIG-IP system installs the software image.

Importing a hotfix image

If you previously downloaded a BIG-IP® hotfix file to a management workstation, you can upload that file to the BIG-IP system.
You can use the Configuration utility to import a hotfix that you have stored on a management workstation.
  1. On the Main tab, click System > Software Management > Hotfix List .
    The Hotfix List screen displays a list of existing hotfix files.
  2. Click Import.
    The Upload Hotfix screen opens.
  3. For the Software Image setting, click Browse.
  4. Click Import.
    A progress indicator displays as the BIG-IP system uploads the file.
    Note: Be sure that you do not navigate away from the screen until the image import process is complete.

Installing a hotfix image

You can use the Configuration utility to install a hotfix that you have imported to the BIG-IP® system.
  1. On the Main tab, click System > Software Management > Hotfix List .
    The Hotfix List screen displays a list of existing hotfix files.
  2. For the Available Images setting, select the hotfix to install.
    The Install Software Hotfix screen opens.
  3. For the Select Disk setting, select the disk on which to install the software (for example, MD1 or HD1).
    Note: You can install software only on inactive volumes. To install software to the active volume, you must boot to a different volume.
  4. For the Volume set name setting, select the volume on which to install the software.
  5. Click Install.
    A progress indicator displays as the BIG-IP system installs the hotfix.

Booting to a different volume

You can use the Configuration utility to boot to a different software volume (target boot location) on the BIG-IP® system.
  1. On the Main tab, click System > Software Management > Boot Locations .
    The Boot Locations List screen displays a list of available boot locations.
  2. For the Boot Location setting, click a software volume name (the target boot location).
  3. For the General Properties setting for the target boot location, select whether to copy the configuration from the current boot location to the target boot location.
  4. Click Activate.
    The system reboots to the selected software volume.

Configuring update check

You can use the Configuration utility to configure whether the BIG-IP® system automatically checks for updated software.
  1. On the Main tab, click System > Software Management > Update Check .
  2. For the Automatic Update Check setting:
    • Select Enabled if you want the system to check for updates automatically.
    • Select Disabled if you want to check for updates manually.
  3. Click Apply Settings to save your changes.
  4. Optional: Click Check Now to manually check for updates.

About Liveinstall signature checking in ccmode

For each full release ISO, vADC OVA, and hotfix ISO, a corresponding signature file will be available with the .sig extension. The signature file is handled exactly like an ISO. When the ccmode feature is turned on, the installation process requires you to download the ISO file, as well as the iso.sig.

The signature file is located in iso-name.384.sig, and uses the 307 key/384 hash signature. If an older key (2048 key/256 has signature) is also found, the system will attempt to validate the signature created by the larger key size (the 307 key/384 hash signature).

When you run the ccmode script to put the sensor into a Common Criteria configuration, a db variable called liveinstall.checksig is automatically enabled. This feature compares the ISO file against a sys software signature file, which is meant to catch integrity issues with the product.

Note: This feature can only be controlled through tmsh.

Signature validation is the first step performed during the liveinstall process, so if the corresponding signature file for the selected software is not in the library, the installation will not begin.

Important: If liveinstall.checksig is enabled, software installs will fail if the user copies only the ISO to the /shared/images directory. It is important to download both the ISO and the iso.sig files to the /shared/images directory.

In the event of liveinstall failure, two error messages can occur:

Signature file not found
This means you have not downloaded the corresponding iso.sig file with the ISO. The best way to verify if the iso.sig is present is to run the command list sys software signature. The command show sys software will not show the iso.sig files.
Archive signature test failed
This might happen if:
  • The product ISO is in /shared/images.
  • The iso.sig is present in /shared/images.
  • When the iso.sig file was compared against the product ISO, the comparison failed.
In these instances, you will need to re-download the ISO and iso.sig files and try again.

Downloading the .sig file

If you are running your machine in ccmode, you will need to download an iso.sig file in addition to the ISO file that you normally download.
  1. In a browser, open the F5® Downloads page (https://downloads.f5.com).
  2. From the Downloads Overview page, click Find a Download.
    The Select a Product Line screen displays.
  3. Download the version's base ISO file, such as version 11.5, and its associated signature file. The signature file is located in iso-name.384.sig.
    The signature file has the same name as the ISO file with an additional .sig extension.
  4. In tmsh, type: modify sys db liveinstall.checksig value enable
    You do not need a .sig file to install versions earlier than 11.5.
  5. Type install sys software image and press Tab.
    Tab completion will only list the ISO files that have a corresponding iso.sig file present at the time the command was run.

About Liveinstall signature checking in ccmode

For each full release ISO, vADC OVA, and hotfix ISO, a corresponding signature file will be available with the .sig extension. The signature file is handled exactly like an ISO. When the ccmode feature is turned on, the installation process requires you to download the ISO file, as well as the iso.sig.

When you run the ccmode script to put the sensor into a Common Criteria configuration, a db variable called liveinstall.checksig is automatically enabled. This feature compares the ISO file against a sys software signature file, which is meant to catch integrity issues with the product.

Note: This feature can only be controlled through tmsh.

Signature validation is the first step performed during the liveinstall process, so if the corresponding signature file for the selected software is not in the library, the installation will not begin.

Important: If liveinstall.checksig is enabled, software installs will fail if the user copies only the ISO to the /shared/images directory. It is important to download both the ISO and the iso.sig files to the /shared/images directory.

In the event of liveinstall failure, two error messages can occur:

Signature file not found
This means you have not downloaded the corresponding iso.sig file with the ISO. The best way to verify if the iso.sig is present is to run the command list sys software signature. The command show sys software will not show the iso.sig files.
Archive signature test failed
This might happen if:
  • The product ISO is in /shared/images.
  • The iso.sig is present in /shared/images.
  • When the iso.sig file was compared against the product ISO, the comparison failed.
In these instances, you will need to re-download the ISO and iso.sig files and try again.

Downloading the .sig file

If you are running your machine in ccmode, you will need to download an iso.sig file in addition to the ISO file that you normally download.
  1. In a browser, open the F5® Downloads page (https://downloads.f5.com).
  2. From the Downloads Overview page, click Find a Download.
    The Select a Product Line screen displays.
  3. Download the version's base ISO file, such as version 11.5, and its associated signature file.
    The signature file has the same name as the ISO file with an additional .sig extension.
  4. In tmsh, type: modify sys db liveinstall.checksig value enable
    You do not need a .sig file to install versions earlier than 11.5.
  5. Type install sys software image and press Tab.
    Tab completion will only list the ISO files that have a corresponding iso.sig file present at the time the command was run.