Manually Exchanging SSL Device Certificates for iQuery
*For device certificates that use self-signed certificates only
Manually exchange SSL device certificates (without the “bigip_add” script)
Removes the need to:
- Run the bigip_add script
- Open TCP port 22 for an SSH connection from GTM205 to LTM201
Import the peer device certificate (Figures 2, 3)
- GTM205: import LTM201’s device certificate
  - DNS ›› GSLB : Servers : Trusted Server Certificates [Import]
  - Import Method: Replace
  - Certificate Source: <paste LTM201 device certificate here>
- LTM201: import GTM205’s device certificate
  - System ›› Certificate Management : Device Certificate Management : Device Trust Certificates [Import]
  - Import Method: Replace
  - Certificate Source: <paste GTM205 device certificate here>
Manually exchange SSL device certificates (without the “gtm_add” script)
Removes the need to:
- Run “the original” gtm_add script
- Open TCP port 22 for SSH connections from GTM205 and GTM207 to LTM201
- Open TCP port 22 for an SSH connection between GTM205 and GTM207
Import the peer device certificates (Figures 4, 5)
- GTM205: import GTM205’s and GTM207’s device certificates
  - DNS ›› GSLB : Servers : Trusted Server Certificates [Import]
  - Import Method: Append
  - Certificate Source: <paste GTM205 and GTM207 device certificates here>
- GTM205: import GTM207’s device certificate
  - System ›› Certificate Management : Device Certificate Management : Device Trust Certificates [Import]
  - Import Method: Append
  - Certificate Source: <paste GTM207 device certificate here>
- GTM207: import LTM201’s, GTM205’s and GTM207’s device certificates
  - DNS ›› GSLB : Servers : Trusted Server Certificates [Import]
  - Import Method: Replace
  - Certificate Source: <paste LTM201, GTM205 and GTM207 device certificates here>
- GTM207: import GTM205’s device certificate
  - System ›› Certificate Management : Device Certificate Management : Device Trust Certificates [Import]
  - Import Method: Replace
  - Certificate Source: <paste GTM205 device certificate here>
- LTM201: import GTM207’s device certificate (optional)
  - System ›› Certificate Management : Device Certificate Management : Device Trust Certificates [Import]
  - Import Method: Append
  - Certificate Source: <paste GTM207 device certificate here>
  - This step is optional: once GTM205 and GTM207 form a sync group, if LTM201 does not trust GTM207, GTM205 will push GTM207’s device certificate to LTM201 via iQuery (TCP 4353)
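As an added example (not from this page or from F5), the following Python replays the Replace/Append import steps above and the sync-group push described for the optional LTM201 step, then checks which iQuery client/server pairs end up trusted. Device names stand in for certificates, and the rule in can_query (client trusts server’s cert and server trusts client’s cert) is a simplifying assumption, not the actual gtmd/big3d check.

```python
from dataclasses import dataclass, field

@dataclass
class Device:
    name: str
    # DNS > GSLB > Servers > Trusted Server Certificates (certs of servers this device may query)
    trusted_servers: set = field(default_factory=set)
    # System > Certificate Management > Device Trust Certificates (certs of devices allowed to query it)
    device_trust: set = field(default_factory=set)

def import_certs(dev, store, method, certs):
    """Apply one GUI import. Replace wipes the store first; Append keeps existing entries."""
    target = getattr(dev, store)
    if method == "Replace":
        target.clear()
    elif method != "Append":
        raise ValueError(f"unknown import method {method!r}")
    target.update(certs)

def can_query(client, server):
    """Assumed rule: the client must trust the server's cert and the server must trust the client's."""
    return server.name in client.trusted_servers and client.name in server.device_trust

def sync_group_push(members, server):
    """Model of the note above: once the GTMs form a sync group, a member that the
    server already trusts pushes the other members' device certs to it over iQuery (TCP 4353)."""
    if any(m.name in server.device_trust for m in members):
        server.device_trust.update(m.name for m in members)

def build_trust(optional_ltm_import=False):
    """Replay the import steps from the page and return the three devices keyed by name."""
    ltm201, gtm205, gtm207 = Device("LTM201"), Device("GTM205"), Device("GTM207")
    # Without bigip_add: LTM201 <-> GTM205
    import_certs(gtm205, "trusted_servers", "Replace", {"LTM201"})
    import_certs(ltm201, "device_trust", "Replace", {"GTM205"})
    # Without gtm_add: GTM205 <-> GTM207 (GTM207 uses Replace with all three certs at once)
    import_certs(gtm205, "trusted_servers", "Append", {"GTM205", "GTM207"})
    import_certs(gtm205, "device_trust", "Append", {"GTM207"})
    import_certs(gtm207, "trusted_servers", "Replace", {"LTM201", "GTM205", "GTM207"})
    import_certs(gtm207, "device_trust", "Replace", {"GTM205"})
    if optional_ltm_import:  # the optional LTM201 step
        import_certs(ltm201, "device_trust", "Append", {"GTM207"})
    sync_group_push([gtm205, gtm207], ltm201)
    return {d.name: d for d in (ltm201, gtm205, gtm207)}
```

Running build_trust with and without the optional import shows LTM201 ends up trusting both GTMs either way, while a Replace issued after an earlier Append silently discards the earlier entries.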
Sync the BIG-IP master key inside the GTM sync group
*Get the BIG-IP master key from GTM205 and use it on GTM207
- GTM205
  - [root@gtm205:Active:Standalone] config # f5mku -K
  - d2Jata2aPuDCu7924wQaoQ==
- GTM207
  - [root@gtm207:Active:Standalone] config # f5mku -K
  - EbGJWO0/aZLw+5g0E80poA==
  - [root@gtm207:Active:Standalone] config # f5mku -r d2Jata2aPuDCu7924wQaoQ==
  - Rekeying Master Key…
  - [root@gtm207:gtmd DOWN:Standalone] config # f5mku -K
  - d2Jata2aPuDCu7924wQaoQ==
Run the “modified gtm_add script” (Figure 6)
*You still need to run the modified script, because gtm_add is not only used for certificate exchange; it also starts some processes (e.g. iqsyncer)
- Download the script “gtm_add_without_ssh.pl”
- Upload the script to /var/tmp on the GTM
- cd /var/tmp
- perl gtm_add_without_ssh.pl
  - Are you absolutely sure you want to do this? [y/n] y
  - Enter the IP address of a remote GTM BIG-IP from which you want to copy the configuration: 100.0.0.21
iQuery Certificate Trust (Figure 7)
- Result