From 170ade83bfc66ee2ef2d453e1daad174e0d3d548 Mon Sep 17 00:00:00 2001 From: Jim McCarron Date: Tue, 9 Apr 2024 18:13:48 -0400 Subject: [PATCH 1/5] add primary key --- ..._f5os_configuration_backup_and_restore.rst | 62 ++++++++++++++++++- docs/velos_security.rst | 21 ++++++- 2 files changed, 79 insertions(+), 4 deletions(-) diff --git a/docs/velos_f5os_configuration_backup_and_restore.rst b/docs/velos_f5os_configuration_backup_and_restore.rst index 05949bc..b2b4491 100644 --- a/docs/velos_f5os_configuration_backup_and_restore.rst +++ b/docs/velos_f5os_configuration_backup_and_restore.rst 
@@ -21,20 +21,73 @@ At the chassis partition level, the F5OS configuration contains data that includ • Portgroups of the assigned slots/nodes/blades • Virtual Local Area Networks (VLANs) +• Interfaces/LAGs • Logging setup • Authentication servers • Product license • HA setup +• Tenant configuration + +Note: The tenant configuration contains tenant name, type, image, management IP address, gateway, VLANs, assigned vCPUs, memory, storage size, and so on. It does not include the BIG-IP configuration within the tenant. To create a backup copy of the BIG-IP configuration of the tenant, you must perform the backup in the tenant itself. For information, refer to: + +`K13132: Backing up and restoring BIG-IP configuration files with a UCS archive _` To perform a complete backup of the VELOS system, you must: -• Back up the configuration data at the system controller and at each chassis partition. -• Back up any deployed tenants using the tenants’ backup mechanism (i.e. a UCS). +• Back up the F5OS configuration data at the system controller layer +• Back up the F5OS configuration data at each chassis partition +• Back up any deployed tenants using the tenant's backup mechanism (i.e. a UCS). More detail is covered in the following solution article: `K50135154: Back up and restore the F5OS-C configuration on a VELOS system `_ +Setting the Primary Key on F5OS +=============================== + +The F5 VELOS system uses a primary key to encrypt highly sensitive passwords/passphrases in the configuration database, such as: + +• Tenant unit keys used for TMOS Secure Vault +• The F5OS API Service Gateway TLS key +• Stored iHealth credentials +• Stored AAA server credentials + +The primary key is randomly generated by F5OS during initial installation. You should set the primary key to a known value prior to performing a configuration backup. If you restore a configuration backup on a different VELOS device, e.g. 
during an RMA replacement, you must first set the primary key passphrase and salt on the destination device to the same value as the source device. If this is not done correctly, the F5OS configuration restoration may appear to succeed but produce failures later when the system attempts to decrypt and use the secured parameters. + +You should periodically change the primary key for additional security. If doing so, please note that a configuration backup is tied to the primary key at the time it was generated. If you change the primary key, you cannot restore older configuration backups without first setting the primary key to the previous value, if it is known. More details are provided in the solution article below. + + +.. code-block:: bash + + syscon-1-active(config)# system aaa primary-key set passphrase + Value for 'passphrase' (): ************** + Value for 'confirm-passphrase' (): ************** + Value for 'salt' (): ************** + Value for 'confirm-salt' (): ************** + response Info: Key migration is initiated. Use 'show system aaa primary-key state status' to get status + + syscon-1-active(config)# + +You can view the status of the primary-key being set with the **show system aaa primary-key state status** CLI command. + +.. code-block:: bash + + syscon-1-active# show system aaa primary-key state status + system aaa primary-key state status "IN_PROGRESS Initiated: Tue Apr 9 19:46:14 2024" + + syscon-1-active# show system aaa primary-key state status + system aaa primary-key state status "COMPLETE Initiated: Tue Apr 9 19:46:14 2024" + syscon-1-active# + +Note that the hash key can be used to check and compare the status of the primary-key on both the source and the replacement devices if restoring to a different device. To view the current primary-key hash, issue the following CLI command. + +.. 
code-block:: bash + + syscon-1-active# show system aaa primary-key state + system aaa primary-key state hash aNSWX6Xl8+dFx94JMRbySD/d/AJ8RarqJ+fedD#57bDxRF0cTgGFcZvMY415eDeAJjZlXp1qGuKI7CDmxNrnhw== + system aaa primary-key state status "COMPLETE Initiated: Tue Apr 9 19:46:14 2024" + syscon-1-active# + Backing Up the System Controller Database ========================================= @@ -1599,6 +1652,11 @@ You can use the **System Settings -> File Utilities** page to import archives fr Restoring Chassis Partitions from Database Backups ================================================== +Once the archived chassis partition configs have been copied into the partition, you can then restore them using the procedures in this section. + +Restoring Chassis Partitions from Database Backups via CLI +---------------------------------------------------------- + To restore a configuration database backup within a chassis partition, use the **system database config-restore** command inside the chassis partition. Note that a newly restored chassis partition will not have any tenant images loaded so tenants will show a **Pending** status until the proper image is loaded for that tenant. .. code-block:: bash diff --git a/docs/velos_security.rst b/docs/velos_security.rst index 1f8511e..2e3c56a 100644 --- a/docs/velos_security.rst +++ b/docs/velos_security.rst 
@@ -194,14 +194,31 @@ To set the primary-key issue the following command in config mode. .. code-block:: bash - system aaa primary-key set passphrase confirm-passphrase salt confirm-salt + syscon-1-active(config)# system aaa primary-key set passphrase + Value for 'passphrase' (): ************** + Value for 'confirm-passphrase' (): ************** + Value for 'salt' (): ************** + Value for 'confirm-salt' (): ************** + response Info: Key migration is initiated. Use 'show system aaa primary-key state status' to get status + + syscon-1-active(config)# + +You can view the status of the primary-key being set with the **show system aaa primary-key state status** CLI command. + +.. code-block:: bash + + syscon-1-active# show system aaa primary-key state status + system aaa primary-key state status "IN_PROGRESS Initiated: Tue Apr 9 19:46:14 2024" + syscon-1-active# show system aaa primary-key state status + system aaa primary-key state status "COMPLETE Initiated: Tue Apr 9 19:46:14 2024" + syscon-1-active# Note that the hash key can be used to check and compare the status of the primary-key on both the source and the replacement devices if restoring to a different device. To view the current primary-key hash, issue the following CLI command. .. code-block:: bash syscon-2-active# show system aaa primary-key - system aaa primary-key state hash sj2GslitH9XYbmW/cpY0TJhMWkU+CpvAU9vqoiL4aZcfE6qnSUDU3PWx+lCZO5KrqVzlWu/3mRugCNniNyQhSA== + system aaa primary-key state hash sj2GslitH9XY14h/cpY0TJhMWkU+CpvAU9vxxiL4aZcfE6qnSUDU3PWx+lCZO5KrqVzlWu/3mRugCNniNyQhSA== system aaa primary-key state status NONE syscon-2-active# From 92eeac1770c1b3dd4b8513ceff0f32f0fa09ba6a Mon Sep 17 00:00:00 2001 From: Jim McCarron Date: Tue, 9 Apr 2024 19:12:00 -0400 Subject: [PATCH 2/5] test commit --- docs/velos_f5os_configuration_backup_and_restore.rst | 2 ++ 1 file changed, 2 insertions(+) 
diff --git a/docs/velos_f5os_configuration_backup_and_restore.rst b/docs/velos_f5os_configuration_backup_and_restore.rst index b2b4491..ec4fee9 100644 --- a/docs/velos_f5os_configuration_backup_and_restore.rst +++ b/docs/velos_f5os_configuration_backup_and_restore.rst @@ -88,6 +88,8 @@ Note that the hash key can be used to check and compare the status of the primar system aaa primary-key state status "COMPLETE Initiated: Tue Apr 9 19:46:14 2024" syscon-1-active# + test + Backing Up the System Controller Database ========================================= From f4069ad6e9ad8e30ea3c3ccc6335879d0756d11b Mon Sep 17 00:00:00 2001 From: Jim McCarron Date: Tue, 9 Apr 2024 19:13:45 -0400 Subject: [PATCH 3/5] remove test --- docs/velos_f5os_configuration_backup_and_restore.rst | 1 - 1 file changed, 1 deletion(-) diff --git a/docs/velos_f5os_configuration_backup_and_restore.rst b/docs/velos_f5os_configuration_backup_and_restore.rst index ec4fee9..6fc0c19 100644 --- a/docs/velos_f5os_configuration_backup_and_restore.rst +++ b/docs/velos_f5os_configuration_backup_and_restore.rst @@ -88,7 +88,6 @@ Note that the hash key can be used to check and compare the status of the primar system aaa primary-key state status "COMPLETE Initiated: Tue Apr 9 19:46:14 2024" syscon-1-active# - test Backing Up the System Controller Database ========================================= From 6e152a787333246a0b8029bf97830c8a45e14e91 Mon Sep 17 00:00:00 2001 From: Jim McCarron Date: Tue, 9 Apr 2024 19:37:40 -0400 Subject: [PATCH 4/5] tenant backup --- ..._f5os_configuration_backup_and_restore.rst | 27 ++++++++++++++++++- 1 file changed, 26 insertions(+), 1 deletion(-) diff --git a/docs/velos_f5os_configuration_backup_and_restore.rst b/docs/velos_f5os_configuration_backup_and_restore.rst index 6fc0c19..14632a6 100644 --- a/docs/velos_f5os_configuration_backup_and_restore.rst +++ b/docs/velos_f5os_configuration_backup_and_restore.rst 
@@ -56,6 +56,7 @@ The primary key is randomly generated by F5OS during initial installation. You s You should periodically change the primary key for additional security. If doing so, please note that a configuration backup is tied to the primary key at the time it was generated. If you change the primary key, you cannot restore older configuration backups without first setting the primary key to the previous value, if it is known. More details are provided in the solution article below. +**IMPORTANT: Be sure to make note and save the salt and passphrase in a safe location, as these will be needed to restore the configuration on a replacement system.** .. code-block:: bash 
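Review bot: the IMPORTANT note should say where "a safe location" is and why it matters. The passphrase and salt together reproduce the key that protects everything this section lists (tenant unit keys, the API service gateway TLS key, stored iHealth and AAA credentials), so they need the same handling as the backup archive itself and should not be stored next to it. Suggested wording: `**IMPORTANT: Record the passphrase and salt and keep them in a secrets manager or offline vault with restricted access, separately from the backup archive; both are required to restore the configuration on a replacement system.**` "Make note and save" also reads awkwardly; "record" covers both.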
@@ -697,7 +698,31 @@ If you are using Postman, instead of clicking **Send**, click on the arrow next Backing up Tenants ================== -Backup all tenants using a UCS archive or other mechanism so that they can be restored after the system controller and chassis partitions are restored. Another alternative to UCS backup/restore of tenants is using Declarative Onboarding and AS3. If tenants are configured using DO and AS3 initially, and the declarations are saved, they can be replayed to restore a tenant. BIG-IQ could be used for this purpose as AS3 and DO declarations can be sent through BIG-IQ. +Back up all tenants using a UCS archive or other mechanism so that they can be restored after the F5OS layer has been restored. Another alternative to UCS backup/restore of tenants, is using Declarative Onboarding and AS3. If tenants are configured using DO and AS3 initially, and the declarations are saved, they can be replayed to restore a tenant. BIG-IQ could be used for this purpose as AS3 and DO declarations can be sent through BIG-IQ. + +UCS Backup is covered in the following solution article on askf5: + +`K13132: Backing up and restoring BIG-IP configuration files with a UCS archive `_ + +The following video provides a demo of backing up UCS files from the BIG-IP webUI; this is the same for VELOS tenants. + +.. raw:: html + + + + +You can also use BIG-IQ to back up VELOS tenants. + +`BIG-IP Backup File Management from BIG-IQ `_ + + +The following video provides a demo of backing up UCS files from the BIG-IQ webUI, this is the same for VELOS tenants. + +.. raw:: html + + + + Resetting the System (Not for Production) ========================================= From 9d4e4c8cb5fb7c2e9ad8647d623aa2ef8e75a8e9 Mon Sep 17 00:00:00 2001 From: Jim McCarron Date: Tue, 9 Apr 2024 20:17:49 -0400 Subject: [PATCH 5/5] tenant backup --- docs/velos_f5os_configuration_backup_and_restore.rst | 2 ++ 1 file changed, 2 insertions(+) 
diff --git a/docs/velos_f5os_configuration_backup_and_restore.rst b/docs/velos_f5os_configuration_backup_and_restore.rst index 14632a6..3fe985e 100644 --- a/docs/velos_f5os_configuration_backup_and_restore.rst +++ b/docs/velos_f5os_configuration_backup_and_restore.rst @@ -704,6 +704,8 @@ UCS Backup is covered in the following solution article on askf5: `K13132: Backing up and restoring BIG-IP configuration files with a UCS archive `_ +As with any UCS backup and restore it is critical that you set and save the tenants master key, as you will need it when restoring the UCS if it contains encrypted configuration elements. + The following video provides a demo of backing up UCS files from the BIG-IP webUI; this is the same for VELOS tenants. .. raw:: html
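Review bot: in the `@@ -21,20 +21,73` hunk of velos_f5os_configuration_backup_and_restore.rst (patch 1/5), the new primary-key section ends with "More details are provided in the solution article below", but no article reference follows it in this hunk; the only nearby link is K50135154, which sits above the section. Either add the reference after that paragraph or name K50135154 explicitly. Two smaller points in the same hunk: the new K13132 reference is written with the trailing underscore inside the backticks (`...UCS archive _`) rather than the `...`_` form used for K50135154 and again in patch 4/5, so it will not render as an external hyperlink; and the sample hash `aNSWX6Xl8+dFx94JMRbySD/d/AJ8RarqJ+fedD#57bDxRF0cTgGFcZvMY415eDeAJjZlXp1qGuKI7CDmxNrnhw==` contains a `#`, which cannot occur in the base64 value this command prints, so if the string was hand-altered to avoid publishing a real device's hash, use an obviously fake placeholder instead.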
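Review bot: the new introduction to "Restoring Chassis Partitions from Database Backups" (`@@ -1599,6 +1652,11` in patch 1/5) does not connect the restore steps to the primary-key requirement added earlier in the same patch. That section warns that a restore onto a different device "may appear to succeed but produce failures later" unless the passphrase and salt were set first, so the sequence here should state that the primary key is set and its hash compared with `show system aaa primary-key state` on source and destination before `system database config-restore` is run. Also, the new "... via CLI" subsection title implies a parallel webUI subsection that this hunk does not add; confirm one exists or drop "via CLI".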
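Review bot: after the velos_security.rst hunk (`@@ -194,14 +194,31`, patch 1/5) the two files show different commands for the same check, `show system aaa primary-key` here and `show system aaa primary-key state` in the backup-and-restore document, while the unchanged sentence above it still says the hash is used to "check and compare the status". Use one form in both files and say plainly that the hash, not the status, is the value that must match on the source and the replacement. The hash edit in this hunk (`sj2GslitH9XYbmW/...` to `sj2GslitH9XY14h/...`) changes only a handful of characters of what looks like a captured value; if the intent is to avoid publishing a device's hash, replace the whole string with a clearly fake placeholder rather than a near-copy.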
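Review bot: the `+ test` line added by patch 2/5 (`@@ -88,6 +88,8`) is removed again by 3/5; both commits should be squashed out of the series so the history of a security document does not carry a throwaway edit.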
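Review bot: the removal in patch 3/5 (`@@ -88,7 +88,6`) takes out only `test` and keeps the blank line that 2/5 added, so the file ends up with an extra blank line between the `syscon-1-active#` prompt and the "Backing Up the System Controller Database" heading; squashing 2/5 and 3/5 removes the need for this fix-up.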
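Review bot: the DO/AS3 alternative in the "Backing up Tenants" hunk (`@@ -697,7 +698,31`, patch 4/5) needs a caveat: replaying saved declarations restores only what was declared through DO and AS3, so anything configured on the tenant outside those declarations is lost unless a UCS is also taken, and the paragraph currently presents the two approaches as equivalent. In the same hunk, "Another alternative to UCS backup/restore of tenants, is using" has a stray comma, and the two `.. raw:: html` directives have no body in the diff, so confirm the video embed markup is actually in the commit.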
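Review bot: in patch 5/5, "the tenants master key" should be "the tenant's master key", and the condition is narrower than written: the master key must be set beforehand when a UCS containing encrypted elements (for example SSL private keys) is restored onto a different tenant or after the master key has changed, since a restore onto the same tenant with its existing master key decrypts them as-is. Saying so makes the parallel with the F5OS primary key in the "Setting the Primary Key on F5OS" section explicit, and a cross-reference between the two notes would help readers who are rebuilding a whole chassis. Separately, 4/5 and 5/5 carry the identical subject "tenant backup"; fold this one-line addition into 4/5 or give it a message of its own.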