For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

MM_F_147944's avatar
MM_F_147944
Icon for Nimbostratus rankNimbostratus
Apr 08, 2016
Solved

how to recover Cookie Encryption Passphrase once forget

HTTP profile cookie Encryption passphrase is forget how to recover, they guy who created this profile is not longer with us and we don't know and this profile is on a critical application , don't hav...
application delivery
BIG-IP
LTM
  • Hannes_Rapp_162's avatar
    Hannes_Rapp_162
    Apr 08, 2016

    That's not possible, unless there's a secret backdoor in TMOS.

     

    You can give that guy a call (maybe he remembers?) or use a cracking service provider - they will attempt to retrieve the plain-text format for a fee. Although he's no longer employed with your company, moving on without documenting the general-use passphrases is a lousy move. In some places, this can be considered as a criminal offense.

     

    If you just want to migrate the existing configuration to a new BigIP platform, you can do it while not knowing the passphrase. To do so, you just copy the configuration as-is from /config/bigip.conf file to your new appliance.

     

    If you're not looking to migrate configuration, you will probably have to settle for the impact. You can overwrite the existing passphrase with a new one during a low-activity hour, and send a 'sorry for inconvenience e-email' where you also instruct your users to close the application, and reconnect from a fresh browser session, should they experience any technical issues. If it's a permanent(or long-term) tracking cookie that's being encrypted, users may also have to manually delete their existing cookies.

     

    You should also contact F5 support here.

     

Hannes_Rapp_162's avatar
Hannes_Rapp_162
Icon for Nacreous rankNacreous
Apr 08, 2016

That's not possible, unless there's a secret backdoor in TMOS.

 

You can give that guy a call (maybe he remembers?) or use a cracking service provider - they will attempt to retrieve the plain-text format for a fee. Although he's no longer employed with your company, moving on without documenting the general-use passphrases is a lousy move. In some places, this can be considered as a criminal offense.

 

If you just want to migrate the existing configuration to a new BigIP platform, you can do it while not knowing the passphrase. To do so, you just copy the configuration as-is from /config/bigip.conf file to your new appliance.

 

If you're not looking to migrate configuration, you will probably have to settle for the impact. You can overwrite the existing passphrase with a new one during a low-activity hour, and send a 'sorry for inconvenience e-email' where you also instruct your users to close the application, and reconnect from a fresh browser session, should they experience any technical issues. If it's a permanent(or long-term) tracking cookie that's being encrypted, users may also have to manually delete their existing cookies.

 

You should also contact F5 support here.

 

MM_F_147944's avatar
MM_F_147944
Icon for Nimbostratus rankNimbostratus
Apr 08, 2016
thanks for replying actually replacing 3400 with 4000s Platform, first I thought to configure each and every thing one by one but when I reach to profile find out that Passphrase , If I am going to copy the configuration what will be the procedure as 3400 ios is 9.4.x and new platform has 11.5.x,