Forum Discussion

Ossar_178453
Mar 26, 2015

Saving a UCS prompts me for a password

Hello,

Saving a UCS on a specific device, but no other device, prompts me for a password. I do not know what the password is for, and it does not matter what I input; it works just fine. What is going on here?

 tmsh save sys ucs /tmp/unit2.ucs
Saving active configuration...
Enter password: 
/tmp/unit2.ucs is saved.

Reapplying said UCS works fine, except that it prompts for a password again, probably for the UCS (/var/local/ucs/cs_backup.ucs) that any load operation triggers.

8 Replies

  • Hi Ossar,

    Using a passphrase helps to protect the .ucs file (a zipped tarball) from being opened by unauthorized users, which would reveal configuration and SSL private keys.

    By default the command does not ask for a passphrase.

    The passphrase is optional and would be set on the CLI by using, e.g., the following syntax:
    save sys ucs  passphrase   
    

    I haven't seen this behavior before. Wondering what TMOS version you are using:

    tmsh show sys version | head -n 8
    

    Thanks, Stephan

  • Hi,

     

    I suspect that it can be caused by a setting in System ›› Preferences named Archive Encryption. It can be set to On, and then it forces encryption, which in turn forces entering a passphrase. I just did a quick test, and with Archive Encryption On, whenever you issue tmsh save sys ucs archivename you have to enter a passphrase. Set it to Off or On Request and the passphrase issue should be gone.

     

    Piotr

     

  • Hi Ossar,

    there used to be a configuration option in TMOS v10.

    The DB key was "Config.Encryption". Values as described by Piotr (+1):
    [Config.Encryption]  
    default=on_request  
    type=enum  
    realm=common  
    enum=|on|on_request|off|  
    display_name=Config.Encryption  
    

    It seems to be converted in v11 and maybe you can revert this setting.

    Would you please try a "tmsh list sys db configsync.password" on one of your working units and on the device with the passphrase issue.

    Any difference?

    You can try to reset to default:
    tmsh modify sys db configsync.password value unused  
    tmsh save sys config
    

    Thanks, Stephan

  • I think all of you are missing the point.

    On the UCS save I input "123". On the UCS load of the created archive I input "456". It still loads fine.

    The password prompt is for something else in the archive. The prompt on the load operation is probably due to the fact that a load operation is actually a save of /var/local/ucs/cs_backup.ucs and then a load of the archive specified. The password prompt is for the cs_backup.ucs.

    There is no config.encryption db value in v11, and trying to list it:

     list sys db config.encryption
    01020036:3: The requested BIGdb variable (config.encryption) was not found.
    

    I even tried applying a UCS from a different unit, void of this problem, but it still asks for a password on a subsequent load operation.
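
As an added example (not part of any post in this thread, and not F5 code): a Python check of whether a saved archive opens as the plain gzip-compressed tarball the first reply describes, that is, without any passphrase, and which key files it would expose. The `inspect_ucs` and `build_samples` helpers, the member names and the opaque sample blob are constructed for illustration; the check assumes a passphrase-protected archive does not parse as a gzip tarball.

```python
import io
import os
import tarfile
import tempfile
import zlib

GZIP_MAGIC = b"\x1f\x8b"
KEY_SUFFIXES = (".key", ".pem")  # assumption: how key material is named inside the archive


def inspect_ucs(path):
    """Report whether an archive opens with no passphrase and which key files it lists."""
    closed = {"plain_tarball": False, "members": 0, "key_files": []}
    with open(path, "rb") as fh:
        if fh.read(2) != GZIP_MAGIC:
            return closed  # not a plain gzip stream: encrypted, or not a UCS at all
    try:
        with tarfile.open(path, mode="r:gz") as tar:
            names = tar.getnames()
    except (tarfile.TarError, OSError, EOFError, zlib.error):
        return closed  # gzip header present but the content is not a readable tarball
    keys = [n for n in names if n.lower().endswith(KEY_SUFFIXES)]
    return {"plain_tarball": True, "members": len(names), "key_files": keys}


def build_samples(directory):
    """Constructed inputs: a plain gzip tarball and an opaque blob standing in for an encrypted archive."""
    plain = os.path.join(directory, "plain.ucs")
    with tarfile.open(plain, mode="w:gz") as tar:
        for name, body in (("config/bigip.conf", b"# constructed\n"),
                           ("config/ssl/ssl.key/example.key", b"constructed, not a real key\n")):
            info = tarfile.TarInfo(name)
            info.size = len(body)
            tar.addfile(info, io.BytesIO(body))
    opaque = os.path.join(directory, "opaque.ucs")
    with open(opaque, "wb") as fh:
        fh.write(b"\x8c\x0d" + os.urandom(256))  # fixed prefix so it never matches the gzip magic
    return plain, opaque


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for sample in build_samples(tmp):
            print(os.path.basename(sample), inspect_ucs(sample))
```

Running `inspect_ucs` against a copy of a real archive saved at the password prompt shows whether the passphrase was applied to that file: a result with `plain_tarball` set to `True` means its contents, including any listed key files, are readable by anyone who obtains the file.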