Forum Discussion
Does f5mku rekeying work across different BIGIP versions?
Title. We're replacing units running v11.5.5 that are going in end-of-life with new hardware that does not support v11.5.5, so I can't work with UCS or SCF files.
Some of the configuration objects like Radius monitor passwords are encrypted and I'm wondering if rekeying f5mku master key on the new unit and copy/pasting those objects in encrypted format will succesfuly import those objects.
I wanted to test this method before prompting customer to update every objects password .. it failed in my lab, has anyone had this issue before and managed to succesfully migrate configurations?
Hi C.A. Valli,
Can you try this?
https://support.f5.com/csp/article/K03773000
If not successful;
- Install BIG-IP v11.5.5 Virtual Edition(VE) and use trial key.
- Create ucs on end-of-life device.
- Load ucs on VE. (Don't forget to change f5mku.)
- Upgrade the VE to version you need.
- Create ucs on VE.
- Load ucs on new device.
Hi C.A. Valli,
It occurred to me that trial licenses can not use for v11.x.
While investigate another question, I saw a way based on vulnerability for before v13.1.
https://cdn.f5.com/product/bugtracker/ID670893.html
- wlopezCirrocumulus
If you have an old HA cluster you can extract the master key from any of the old F5s with:
f5mku -K
Example:
[root@f5bigip:Active:Disconnected] config # f5mku -K
aVNFRwSdF2Q38L9fw7jzlC==
You can then reset the master key on the new F5 device:
f5mku -r aVNFRwSdF2Q38L9fw7jzlC==
After that you should be able to load the UCS file without getting the encrypted object errors.
I've done these between different BigIP versions (12.x-->14.x, 14.x-->15.x) and from hardware to VE and viceversa. I don't remember doing it from version 11.x, but I guess it should work ass well since that command existed in that version.
Hope that helps.
F5MKU rekeying was possible but the problem is that I could not run v11.5 on (required for ucs file import) since it was not supported on new hardware.
Thank you and t for your answers.
I honestly did not think about Enes's suggestion of doing it twice by using a BIG-IP VE. That might have worked. I'll upvote the answer for visibility anyways, hoping this might help anyone in the future.
In the end, we resetted object's password due to urge. Not a big deal.
Recent Discussions
Related Content
* Getting Started on DevCentral
* Community Guidelines
* Community Terms of Use / EULA
* Community Ranking Explained
* Community Resources
* Contact the DevCentral Team
* Update MFA on account.f5.com