Before any BIG-IP® devices on a local network can be members of a Sync-Failover device group to synchronize configuration data or fail over to one another, they must establish a trust relationship known as device trust. Device trust between any two BIG-IP devices on the network is based on mutual authentication through the signing and exchange of x509 certificates.
Devices on a local network that trust one another constitute a trust domain. A trust domain is a collection of BIG-IP devices that trust one another.
The trust domain is represented by a system-generated device group named device_trust_group, which the system uses internally to synchronize trust domain information across all devices. You cannot delete this special device group from the system.
Within a local trust domain, in order to establish device trust, you designate each BIG-IP® device as either a peer authority or a subordinate non-authority.
A certificate signing authority can sign x509 certificates for another BIG-IP device that is in the local trust domain. For each authority device, you specify another device as a peer authority device that can also sign certificates. In a standard redundant system configuration of two BIG-IP devices, both devices are typically certificate signing authority devices.
A peer authority is another device in the local trust domain that can sign certificates if the certificate signing authority is not available. In a standard redundant system configuration of two BIG-IP devices, each device is typically a peer authority for the other.
A subordinate non-authority device is a device for which a certificate signing authority device signs its certificate. A subordinate device cannot sign a certificate for another device. Subordinate devices provide an additional level of security because in the case where the security of an authority device in a trust domain is compromised, the risk of compromise is minimized for any subordinate device. Designating devices as subordinate devices is recommended for device groups with a large number of member devices, where the risk of compromise is high.
The devices in a BIG-IP® device group use x509 certificates for mutual authentication. Each device in a device group has an x509 certificate installed on it that the device uses to authenticate itself to the other devices in the group.
Device identity is a set of information that uniquely identifies that device in the device group, for the purpose of authentication. Device identity consists of the x509 certificate, plus this information:
When a BIG-IP® device joins the local trust domain and establishes a trust relationship with peer devices, the device and its peers exchange their device properties and device connectivity information. This exchange of device properties and IP addresses is known as device discovery.
For example, if a device joins a trust domain that already contains three trust domain members, the device exchanges device properties with the three other domain members. The device then has a total of four sets of device properties defined on it: its own device properties, plus the device properties of each peer. In this exchange, the device also learns the relevant device connectivity information for each of the other devices.
Before you begin this task, verify that:
You perform this task to establish trust among devices on one or more network segments. Devices that trust each other constitute the local trust domain. A device must be a member of the local trust domain prior to joining a device group.
By default, the BIG-IP software includes a local trust domain with one member, which is the local device. You can choose any one of the BIG-IP devices slated for a device group and log into that device to add other devices to the local trust domain. For example, devices Bigip_1, Bigip_2, and Bigip_3 each initially shows only itself as a member of the local trust domain. To configure the local trust domain to include all three devices, you can simply log into device Bigip_1 and add devices Bigip_2 and Bigip_3 to the local trust domain; there is no need to repeat this process on devices Bigip_2 and Bigip_3.
This table lists possible problems that might occur when you are attempting to add a BIG-IP® device to a local trust domain. Each problem shows a recommended action.
|Another device with the same name already exists in the trust domain.||Change the name of the device that you are adding to the trust domain.|
|The version of BIG-IP software on the device does not match the version of the devices in the trust domain.||Make sure that the BIG-IP version on the device you are adding exactly matches the version on the devices in the trust domain, including the hotfix version (if any).|
|The exact time reported on the device you are adding is out of sync with the time on the other devices in the trust domain.||Make sure that you have a Network Time Protocol (NTP) server configured for the device.|
|There is no config sync address configured on the device.||On the device you are adding, configure a config sync IP address. We recommend that you specify the self IP address associated with the device's internal VLAN.|
You can use a Reset Device Trust wizard in the BIG-IP® Configuration utility to manage the certificate authority of a BIG-IP device in a local trust domain. Specifically, you can: