
CA_Valli
Aug 24, 2021

Does f5mku rekeying work across different BIGIP versions?

Title. We're replacing units running v11.5.5 that are going end-of-life with new hardware that does not support v11.5.5, so I can't work with UCS or SCF files.

Some of the configuration objects, like RADIUS monitor passwords, are encrypted, and I'm wondering if rekeying the f5mku master key on the new unit and copy/pasting those objects in encrypted format will successfully import those objects.

 

I wanted to test this method before prompting the customer to update every object's password... it failed in my lab. Has anyone had this issue before and managed to successfully migrate configurations?

5 Replies

  • Hi C.A. Valli,

     

    Can you try this?

    https://support.f5.com/csp/article/K03773000

     

    If not successful:

    • Install BIG-IP v11.5.5 Virtual Edition (VE) and use a trial key.
    • Create a UCS on the end-of-life device.
    • Load the UCS on the VE. (Don't forget to change f5mku.)
    • Upgrade the VE to the version you need.
    • Create a UCS on the VE.
    • Load the UCS on the new device.
  • Hi C.A. Valli,

     

    It occurred to me that trial licenses cannot be used for v11.x.

    While investigating another question, I saw a way based on a vulnerability for versions before v13.1.

    https://cdn.f5.com/product/bugtracker/ID670893.html

  • wlopez

    If you have an old HA cluster you can extract the master key from any of the old F5s with:

    f5mku -K

    Example:

    [root@f5bigip:Active:Disconnected] config # f5mku -K

    aVNFRwSdF2Q38L9fw7jzlC==

     

    You can then reset the master key on the new F5 device:

    f5mku -r aVNFRwSdF2Q38L9fw7jzlC==

     

    After that you should be able to load the UCS file without getting the encrypted object errors.

     

    I've done this between different BIG-IP versions (12.x-->14.x, 14.x-->15.x) and from hardware to VE and vice versa. I don't remember doing it from version 11.x, but I guess it should work as well since that command existed in that version.

     

    Hope that helps.

    • F5MKU rekeying was possible but the problem is that I could not run v11.5 on (required for ucs file import) since it was not supported on new hardware.

  • Thank you  and t  for your answers.

     

    I honestly did not think about Enes's suggestion of doing it twice by using a BIG-IP VE. That might have worked. I'll upvote the answer for visibility anyways, hoping this might help anyone in the future.

     

    In the end, we reset the objects' passwords due to urgency. Not a big deal.