Forum Discussion
Ganesh_Garg
Nimbostratus
NimbostratusSSL passphrase lost
Is there any way to retrieve or decrypt the SSL passphrase from F5 as I lost the passphrase. From the article SOL14912, it seems that the retrieval is not possible.
Nick_SchmalenbeI used the HTTP monitor trick described here, it worked perfectly :) The monitor needed to have username as well as password set, to send any Authorization: Basic request header.
- Kai_Wilke
MVP
;-)
Cheers, Kai
- Kai_Wilke
Hi Ganesh,
the passphrase is encrypted using the device master key. As long the master key of your device group hasn't changed or (at least) you've created a backup of the master-key, you will be able to restore entire UCS archives or even partial configurations containing secure strings.
https://support.f5.com/kb/en-us/solutions/public/9000/400/sol9420.html
https://devcentral.f5.com/articles/working-with-masterkeys
With this knowledge in mind, you can also fairly easily decrypt a specific secure-string back to plaintext without even knowing the cryptography behind. Just
the related configuration, grep the containingtsmh /list
secure-string and create for an example a new HTTP health-monitor containing the exported secure-string as password (via$M$
). Attach the monitor to a node of your choice and then use tcpdump/wireshark to sniff the password (aka. B64 credentials) on the wire...tmsh load sys config merge from-terminalCheers, Kai
- paiva_x
You helped me a lot too. Thanks!
Vijay_ECirrus
I would say not possible but I have never explored the options of trying to retrieve it.
