Bug ID 1128245: Secure Vault value created as part of block restricted property does not sync to the peer after High Availability (HA) sync

Last Modified: Mar 30, 2024

Affected Product(s):
BIG-IP TMOS(all modules)

Known Affected Versions:
17.0.0

Fixed In:
17.0.0.1

Opened: Jul 21, 2022

Severity: 1-Blocking

Symptoms

The restricted storage ID is not synced to the standby device. The following is an example:

    [root@bigip1ha:Standby:In Sync] config # restcurl shared/restricted-store/storage/39cf9918-dbf6-4097-8817-bfe9ae436f62
    {
      "code": 404,
      "message": "shared/restricted-store/storage/39cf9918-dbf6-4097-8817-bfe9ae436f62",
      "restOperationId": 6888310,
      "errorStack": [],
      "kind": ":resterrorresponse"
    }

Impact

- On the standby device, editing the SSLO iApp block configuration and then deploying it fails.
- Decryption of the restricted properties on the standby device does not work.

Conditions

Syncing an SSL Orchestrator iApp block configuration that contains a restricted property through HA migration.

Workaround

Use the following steps:

1. GET on shared/restricted-store/storage to find the restricted ID for the corresponding iApp template. The following is an example:

    Active:

    [root@bigip1:Active:In Sync] config # restcurl shared/restricted-store/storage/c6fe376d-ac88-42bd-8b57-fac96709bb17
    {
      "id": "c6fe376d-ac88-42bd-8b57-fac96709bb17",
      "encryptedData": "yjKX6Pz93wGF8qgvKuleYK+AeqIy3CiemI8shZsAy9nPQlfALl0RkgerwVDKI2NRTPsb/3kllb4wJj3oUydj7pQpqh82p5zUKuFKOJWLrG7spDijeFMlR/mI40fbvjB6JShaXSKiwyZtseq1tR/FHSNnbZhRaPg7qF5EwKay+DXHKihKrblvLI8aKe/+fOKN",
      "generation": 1,
      "lastUpdateMicros": 1666691181977380,
      "kind": "shared:restricted-store:storage:restrictedstorestate",
      "selfLink": "https://localhost/mgmt/shared/restricted-store/storage/c6fe376d-ac88-42bd-8b57-fac96709bb17"
    }

2. Make sure the storage is not synced on the standby device. The following is an example:

    Standby:

    [root@bigip1ha:Standby:In Sync] config # restcurl shared/restricted-store/storage/c6fe376d-ac88-42bd-8b57-fac96709bb17
    {
      "code": 404,
      "message": "shared/restricted-store/storage/c6fe376d-ac88-42bd-8b57-fac96709bb17",
      "restOperationId": 6888310,
      "errorStack": [],
      "kind": ":resterrorresponse"
    }

    [root@bigip1ha:Standby:In Sync] config # restcurl shared/restricted-store/storage/
    {
      "items": [],
      "generation": 4,
      "kind": "shared:restricted-store:storage:restrictedstorecollectionstate",
      "lastUpdateMicros": 1666684046568524,
      "selfLink": "https://localhost/mgmt/shared/restricted-store/storage"
    }

3. POST on shared/restricted-store/storage with the "ID" and "encryptedData" details from the active machine. The following is an example:

    [root@bigip1ha:Standby:In Sync] config # restcurl shared/restricted-store/storage/ -X POST -d '{"id": "c6fe376d-ac88-42bd-8b57-fac96709bb17", "encryptedData": "yjKX6Pz93wGF8qgvKuleYK+AeqIy3CiemI8shZsAy9nPQlfALl0RkgerwVDKI2NRTPsb/3kllb4wJj3oUydj7pQpqh82p5zUKuFKOJWLrG7spDijeFMlR/mI40fbvjB6JShaXSKiwyZtseq1tR/FHSNnbZhRaPg7qF5EwKay+DXHKihKrblvLI8aKe/+fOKN"}'
    {
      "id": "c6fe376d-ac88-42bd-8b57-fac96709bb17",
      "encryptedData": "yjKX6Pz93wGF8qgvKuleYK+AeqIy3CiemI8shZsAy9nPQlfALl0RkgerwVDKI2NRTPsb/3kllb4wJj3oUydj7pQpqh82p5zUKuFKOJWLrG7spDijeFMlR/mI40fbvjB6JShaXSKiwyZtseq1tR/FHSNnbZhRaPg7qF5EwKay+DXHKihKrblvLI8aKe/+fOKN",
      "generation": 1,
      "lastUpdateMicros": 1666692760785557,
      "kind": "shared:restricted-store:storage:restrictedstorestate",
      "selfLink": "https://localhost/mgmt/shared/restricted-store/storage/c6fe376d-ac88-42bd-8b57-fac96709bb17"
    }

4. Make sure the storage is created on the standby device with the same ID as on the active device. The following is an example:

    [root@bigip1ha:Standby:In Sync] config # restcurl shared/restricted-store/storage/
    {
      "items": [
        {
          "id": "c6fe376d-ac88-42bd-8b57-fac96709bb17",
          "encryptedData": "yjKX6Pz93wGF8qgvKuleYK+AeqIy3CiemI8shZsAy9nPQlfALl0RkgerwVDKI2NRTPsb/3kllb4wJj3oUydj7pQpqh82p5zUKuFKOJWLrG7spDijeFMlR/mI40fbvjB6JShaXSKiwyZtseq1tR/FHSNnbZhRaPg7qF5EwKay+DXHKihKrblvLI8aKe/+fOKN",
          "generation": 1,
          "lastUpdateMicros": 1666692760785557,
          "kind": "shared:restricted-store:storage:restrictedstorestate",
          "selfLink": "https://localhost/mgmt/shared/restricted-store/storage/c6fe376d-ac88-42bd-8b57-fac96709bb17"
        }
      ],
      "generation": 5,
      "kind": "shared:restricted-store:storage:restrictedstorecollectionstate",
      "lastUpdateMicros": 1666692760786844,
      "selfLink": "https://localhost/mgmt/shared/restricted-store/storage"
    }

5. Decrypt the restricted properties using the Block-Id and restrictedId. The following is an example:

    [root@bigip1ha:Standby:In Sync] config # restcurl shared/restricted-store/crypto -X POST -d '{"operation": "DECRYPT", "salt": "3100c16e-1c9d-4aff-bdfd-780fbe14dce6", "id": "c6fe376d-ac88-42bd-8b57-fac96709bb17"}'
    {
      "data": {
        "list": [
          {
            "id": "T_1666691134763633",
            "type": "STRING",
            "value": "password"
          },
          {
            "id": "T_1666691134763447",
            "type": "STRING",
            "value": "password"
          }
        ]
      },
      "generation": 0,
      "lastUpdateMicros": 0
    }

6. In the web UI, edit the same template on the standby device and deploy the application. The deployment succeeds and no error is observed.
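Steps 1 to 4 of the workaround can be checked across every restricted-store entry at once. The following is an added example, not F5 code: it compares the saved output of `restcurl shared/restricted-store/storage` from both devices and builds the POST bodies for entries missing on the standby. It assumes the collection on the active device has the same "items" shape shown for the standby; the IDs and data values are constructed.

```python
import json

# Constructed sample data in the shape of the collection responses shown above.
ACTIVE_JSON = """{"items": [
  {"id": "11111111-1111-4111-8111-111111111111", "encryptedData": "CONSTRUCTED-BLOB-A", "generation": 1},
  {"id": "22222222-2222-4222-8222-222222222222", "encryptedData": "CONSTRUCTED-BLOB-B", "generation": 1}
], "kind": "shared:restricted-store:storage:restrictedstorecollectionstate"}"""

STANDBY_JSON = """{"items": [
  {"id": "22222222-2222-4222-8222-222222222222", "encryptedData": "CONSTRUCTED-BLOB-B", "generation": 1}
], "kind": "shared:restricted-store:storage:restrictedstorecollectionstate"}"""


def load_items(raw):
    """Map restricted ID -> encryptedData from a collection response."""
    doc = json.loads(raw)
    if "items" not in doc:
        # A 404 body (kind ":resterrorresponse") is an error, not an empty store.
        raise ValueError("not a collection response: %s" % doc.get("message", raw))
    return {item["id"]: item["encryptedData"] for item in doc["items"]}


def plan_resync(active_raw, standby_raw):
    """Return (missing IDs, IDs whose data differs, POST bodies for the missing IDs)."""
    active = load_items(active_raw)
    standby = load_items(standby_raw)
    missing = sorted(set(active) - set(standby))
    # Reported for manual review only; the workaround covers missing entries.
    differing = sorted(i for i in set(active) & set(standby) if active[i] != standby[i])
    # Step 3 posts only "id" and "encryptedData" taken from the active device.
    bodies = [json.dumps({"id": i, "encryptedData": active[i]}) for i in missing]
    return missing, differing, bodies


if __name__ == "__main__":
    missing, differing, bodies = plan_resync(ACTIVE_JSON, STANDBY_JSON)
    print("missing on standby:", missing)
    print("present but different:", differing)
    for body in bodies:
        # Command form taken from step 3; run it on the standby device.
        print("restcurl shared/restricted-store/storage/ -X POST -d '%s'" % body)
```

An empty "missing" list on a pair running an affected version means no restricted property has been left undecryptable on the standby.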

Fix Information

None

Behavior Change
