Forum Discussion
CumulonimbusBehavior of masterkey on rSeries
Is there any difference in regards to the usage of the masterkey on rSeries?
I mean is this still different/dedicated for the F5OS and all the tenants? Or is there just ONE masterkey, which needs to be adjusted on F5OS level?
Reason why I'm asking, I want to load a bigip.conf file from an iSeries on a Tenant of a rSeries. I performed the procedure with f5mku commands to have the same masterkey on the new rSeries Tenant and it will also be displayed correctly.
But when I try to load/verify the configuration (load sys config partition { xyz } verify) I still get the error message:
Decryption of the field (pvalue) for object (xxx 1 PASSWORD=) failed while loading configuration that is encrypted with a different master key.
Is there anything else I should double check?
Thank you!
Regards,
Stefan :)
Dear Jeffrey,
thank you for the quick answer!
My BigDB.dat file doesn't contain an encrypted value in the section [Configsync.password] at all, so I don't followed they other steps.
I then realized that on the second tenant of the HA-cluster the load sys config command works fine without any issues.
And finally the root cause on the primary tenant was somehow related to a time sync problem. I noticed that NTP was not working correctly due to wrong/mistyped NTP-servers (DNS-names).
Once corrected the load sys config command was working fine on this tenant as well. Do you maybe have an explanation for this behavior?
Finally we can summarize: there is NO special behavior for the masterkey on rSeries. As already mentioned in this F5 article replacing the masterkey with the f5mku command is sufficient.
Thank you anyway!
Regards,
Stefan
4 Replies
- Jeff_Granieri
Employee
Hi Stefan_Klotz Have you checked this K article https://my.f5.com/manage/s/article/K000152642 sometimes password's/secrets used within the config aren't encrypted properly with the current master key. You may need to adjust the config/BigDB.dat file. Worth a try.
- Stefan_Klotz
Dear Jeffrey,
thank you for the quick answer!
My BigDB.dat file doesn't contain an encrypted value in the section [Configsync.password] at all, so I don't followed they other steps.
I then realized that on the second tenant of the HA-cluster the load sys config command works fine without any issues.
And finally the root cause on the primary tenant was somehow related to a time sync problem. I noticed that NTP was not working correctly due to wrong/mistyped NTP-servers (DNS-names).
Once corrected the load sys config command was working fine on this tenant as well. Do you maybe have an explanation for this behavior?
Finally we can summarize: there is NO special behavior for the masterkey on rSeries. As already mentioned in this F5 article replacing the masterkey with the f5mku command is sufficient.
Thank you anyway!
Regards,
Stefan - Jeff_Granieri
I don't have an explanation, but I do know NTP out of sync can cause all sorts of issues!
- Stefan_Klotz
I noticed that the default masterkey of all tenants within the same rSeries appliance is identical, which sounds like it is somehow inherit from the F5OS???
I double checked the F5OS, but there the command f5mku is not valid.
So is my assumption correct and if yes, can I change the masterkey directly on F5OS-level?
Or is this totally independent and has nothing to do with F5OS?
Thank you!
Regards,
Stefan
