undo commit #3

Merged (1 commit), Apr 9, 2024
62 changes: 60 additions & 2 deletions docs/velos_f5os_configuration_backup_and_restore.rst
Expand Up @@ -21,20 +21,73 @@ At the chassis partition level, the F5OS configuration contains data that includ

• Portgroups of the assigned slots/nodes/blades
• Virtual Local Area Networks (VLANs)
• Interfaces/LAGs
• Logging setup
• Authentication servers
• Product license
• HA setup
• Tenant configuration

Note: The tenant configuration contains tenant name, type, image, management IP address, gateway, VLANs, assigned vCPUs, memory, storage size, and so on. It does not include the BIG-IP configuration within the tenant. To create a backup copy of the BIG-IP configuration of the tenant, you must perform the backup in the tenant itself. For information, refer to:

`K13132: Backing up and restoring BIG-IP configuration files with a UCS archive <https://support.f5.com/csp/article/K13132>_`

To perform a complete backup of the VELOS system, you must:

• Back up the configuration data at the system controller and at each chassis partition.
• Back up any deployed tenants using the tenants’ backup mechanism (i.e. a UCS).
• Back up the F5OS configuration data at the system controller layer
• Back up the F5OS configuration data at each chassis partition
• Back up any deployed tenants using the tenant's backup mechanism (i.e. a UCS).

More detail is covered in the following solution article:

`K50135154: Back up and restore the F5OS-C configuration on a VELOS system <https://support.f5.com/csp/article/K50135154>`_

Setting the Primary Key on F5OS
===============================

The F5 VELOS system uses a primary key to encrypt highly sensitive passwords/passphrases in the configuration database, such as:

• Tenant unit keys used for TMOS Secure Vault
• The F5OS API Service Gateway TLS key
• Stored iHealth credentials
• Stored AAA server credentials

The primary key is randomly generated by F5OS during initial installation. You should set the primary key to a known value prior to performing a configuration backup. If you restore a configuration backup on a different VELOS device, e.g. during an RMA replacement, you must first set the primary key passphrase and salt on the destination device to the same value as the source device. If this is not done correctly, the F5OS configuration restoration may appear to succeed but produce failures later when the system attempts to decrypt and use the secured parameters.

You should periodically change the primary key for additional security. If doing so, please note that a configuration backup is tied to the primary key at the time it was generated. If you change the primary key, you cannot restore older configuration backups without first setting the primary key to the previous value, if it is known. More details are provided in the solution article below.


.. code-block:: bash

syscon-1-active(config)# system aaa primary-key set passphrase
Value for 'passphrase' (<string, min: 6 chars, max: 255 chars>): **************
Value for 'confirm-passphrase' (<string, min: 6 chars, max: 255 chars>): **************
Value for 'salt' (<string, min: 6 chars, max: 255 chars>): **************
Value for 'confirm-salt' (<string, min: 6 chars, max: 255 chars>): **************
response Info: Key migration is initiated. Use 'show system aaa primary-key state status' to get status

syscon-1-active(config)#

You can view the status of the primary-key being set with the **show system aaa primary-key state status** CLI command.

.. code-block:: bash

syscon-1-active# show system aaa primary-key state status
system aaa primary-key state status "IN_PROGRESS Initiated: Tue Apr 9 19:46:14 2024"

syscon-1-active# show system aaa primary-key state status
system aaa primary-key state status "COMPLETE Initiated: Tue Apr 9 19:46:14 2024"
syscon-1-active#

Note that the hash key can be used to check and compare the status of the primary-key on both the source and the replacement devices if restoring to a different device. To view the current primary-key hash, issue the following CLI command.

.. code-block:: bash

syscon-1-active# show system aaa primary-key state
system aaa primary-key state hash aNSWX6Xl8+dFx94JMRbySD/d/AJ8RarqJ+fedD#57bDxRF0cTgGFcZvMY415eDeAJjZlXp1qGuKI7CDmxNrnhw==
system aaa primary-key state status "COMPLETE Initiated: Tue Apr 9 19:46:14 2024"
syscon-1-active#

Backing Up the System Controller Database
=========================================

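Review bot: the K13132 link in the tenant note is malformed RST: the trailing underscore sits inside the backticks (`...<https://support.f5.com/csp/article/K13132>_` `) instead of after them, so Sphinx will render a literal string rather than a hyperlink; write it as `` `K13132: ... <https://support.f5.com/csp/article/K13132>`_ `` to match the K50135154 link a few lines below. In the new "Setting the Primary Key on F5OS" section, "More details are provided in the solution article below." is followed directly by a code block and no article reference, so either add the K-article link or drop the sentence. The same section tells the reader to set the passphrase and salt to a known value before backing up but says nothing about where to keep them; since the primary key protects the tenant unit keys, the API gateway TLS key and stored credentials, and a backup is only restorable with the matching passphrase and salt, one sentence recommending that both be recorded in the organisation's secrets store (never alongside the backup archive) would close that gap. Finally, the sample hash `aNSWX6Xl8+dFx94JMRbySD/d/AJ8RarqJ+fedD#57bD...` contains a `#`, which is not a base64 character; check the captured output, or mark the value as redacted so readers do not take it as a valid hash format.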
Expand Down Expand Up @@ -1599,6 +1652,11 @@ You can use the **System Settings -> File Utilities** page to import archives fr
Restoring Chassis Partitions from Database Backups
==================================================

Once the archived chassis partition configs have been copied into the partition, you can then restore them using the procedures in this section.

Restoring Chassis Partitions from Database Backups via CLI
----------------------------------------------------------

To restore a configuration database backup within a chassis partition, use the **system database config-restore** command inside the chassis partition. Note that a newly restored chassis partition will not have any tenant images loaded so tenants will show a **Pending** status until the proper image is loaded for that tenant.

.. code-block:: bash
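Review bot: the new CLI restore subsection lists the missing tenant images as the reason tenants show **Pending**, but it does not mention the primary-key prerequisite introduced elsewhere in this same change: restoring a partition backup on a different chassis with a different primary key passphrase/salt is described there as appearing to succeed and then failing when secured parameters are decrypted. Add a short cross-reference to "Setting the Primary Key on F5OS" here (and, if the partition-level restore is subject to it, say so explicitly) so a reader following only the restore procedure checks the primary-key hash before running **system database config-restore**. Minor: "loaded so tenants will show" reads better with a comma before "so".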
21 changes: 19 additions & 2 deletions docs/velos_security.rst
Expand Up @@ -194,14 +194,31 @@ To set the primary-key issue the following command in config mode.

.. code-block:: bash

system aaa primary-key set passphrase <passphrase string> confirm-passphrase <passphrase string> salt <salt string> confirm-salt <salt string>
syscon-1-active(config)# system aaa primary-key set passphrase
Value for 'passphrase' (<string, min: 6 chars, max: 255 chars>): **************
Value for 'confirm-passphrase' (<string, min: 6 chars, max: 255 chars>): **************
Value for 'salt' (<string, min: 6 chars, max: 255 chars>): **************
Value for 'confirm-salt' (<string, min: 6 chars, max: 255 chars>): **************
response Info: Key migration is initiated. Use 'show system aaa primary-key state status' to get status

syscon-1-active(config)#

You can view the status of the primary-key being set with the **show system aaa primary-key state status** CLI command.

.. code-block:: bash

syscon-1-active# show system aaa primary-key state status
system aaa primary-key state status "IN_PROGRESS Initiated: Tue Apr 9 19:46:14 2024"
syscon-1-active# show system aaa primary-key state status
system aaa primary-key state status "COMPLETE Initiated: Tue Apr 9 19:46:14 2024"
syscon-1-active#

Note that the hash key can be used to check and compare the status of the primary-key on both the source and the replacement devices if restoring to a different device. To view the current primary-key hash, issue the following CLI command.

.. code-block:: bash

syscon-2-active# show system aaa primary-key
system aaa primary-key state hash sj2GslitH9XYbmW/cpY0TJhMWkU+CpvAU9vqoiL4aZcfE6qnSUDU3PWx+lCZO5KrqVzlWu/3mRugCNniNyQhSA==
system aaa primary-key state hash sj2GslitH9XY14h/cpY0TJhMWkU+CpvAU9vxxiL4aZcfE6qnSUDU3PWx+lCZO5KrqVzlWu/3mRugCNniNyQhSA==
system aaa primary-key state status NONE
syscon-2-active#

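Review bot: the transcript under "To view the current primary-key hash" ends with `system aaa primary-key state status NONE` immediately after a hash line, which contradicts the status output a few lines above that shows `COMPLETE` once the key set has finished; either explain what `NONE` means (for example, no key-migration has been run on this unit since boot) or capture the output on the same unit after a completed set, otherwise readers comparing a source and replacement device will not know whether `NONE` indicates a problem. The command shown here, `show system aaa primary-key`, also differs from `show system aaa primary-key state` used for the same purpose in docs/velos_f5os_configuration_backup_and_restore.rst in this PR; use one form in both files. The replacement of the one-line form (`system aaa primary-key set passphrase <passphrase string> ... salt <salt string>`) with the interactive, masked prompts is a good change and deserves a sentence of prose: entering the passphrase and salt at the prompts keeps them out of the CLI command history and out of any terminal logging, whereas the inline form records both secrets in clear text.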