Manual Chapter: Understanding Device Trust

What is device trust?

Before any BIG-IP® devices on a local network can synchronize configuration data or fail over to one another, they must establish a trust relationship known as device trust. Device trust between any two BIG-IP devices on the network is based on mutual authentication through the signing and exchange of x509 certificates.

Devices on a local network that trust one another constitute a trust domain. A trust domain is a collection of BIG-IP devices that trust one another and can therefore synchronize and possibly fail over their BIG-IP configuration data, as well as exchange status and failover messages on a regular basis. A local trust domain is a trust domain that includes the local device, that is, the device you are currently logged in to. You can synchronize a device's configuration data either with all of the devices in the local trust domain or with a subset of devices in the local trust domain.
Note: You can add devices to a local trust domain from a single device on the network. You can also view the identities of all devices in the local trust domain from a single device in the domain. However, to maintain or change the authority of each trust domain member, you must log in locally to each device.

Types of trust authority

Within a local trust domain, in order to establish device trust, you designate each BIG-IP® device as either a certificate signing authority or a subordinate non-authority. For each device, you also specify peer authorities.

Certificate signing authorities

A certificate signing authority can sign x509 certificates for another BIG-IP device that is in the local trust domain. For each authority device, you specify another device as a peer authority device that can also sign certificates. In a standard redundant system configuration of two BIG-IP devices, both devices are typically certificate signing authority devices.
Important: For security reasons, F5 Networks recommends you limit the number of authority devices in a local trust domain to as few as possible.

Subordinate non-authorities

A subordinate non-authority device is a device for which a certificate signing authority device signs its certificate. A subordinate device cannot sign a certificate for another device. Subordinate devices provide an additional level of security because in the case where the security of an authority device in a trust domain is compromised, the risk of compromise is minimized for any subordinate device. Designating devices as subordinate devices is recommended for device groups with a large number of member devices, where the risk of compromise is high.

Peer authorities

A peer authority is another device in the local trust domain that can sign certificates if the certificate signing authority is not available. In a standard redundant system configuration of two BIG-IP devices, each device is typically a peer authority for the other.

Device identity

The devices in a BIG-IP® device group use x509 certificates for mutual authentication. Each device in a device group has an x509 certificate installed on it that the device uses to authenticate itself to the other devices in the group.

Device identity is a set of information that uniquely identifies that device in the device group, for the purpose of authentication. Device identity consists of the x509 certificate, plus this information:

  • Device name
  • Host name
  • Platform serial number
  • Platform MAC address
  • Certificate name
  • Subjects
  • Expiration
  • Certificate serial number
  • Signature status
Tip: From the Device Trust: Identity screen in the BIG-IP Configuration utility, you can view the x509 certificate installed on the local device.
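The identity fields listed above (subject, expiration, certificate serial number, signature status) are all properties of the device's x509 certificate. The following added example, not F5's code, shows how to read them from a PEM-encoded device certificate with openssl, which is what you would do when verifying a remote device's certificate before trusting it; the certificate it inspects is constructed inline as a stand-in, and the file paths are assumptions.

```shell
#!/bin/sh
# Added example (not from the F5 manual): read the Device identity fields
# from a device certificate with openssl. A self-signed certificate is
# constructed here so the script runs offline; it stands in for a device
# certificate exported from a BIG-IP peer (path is an assumption).
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
CERT="$WORK/bigip-device.crt"

# Constructed stand-in: self-signed, CN set to a made-up device host name.
openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
    -subj "/CN=bigip1.example.test" \
    -keyout "$WORK/bigip-device.key" -out "$CERT" >/dev/null 2>&1

# Subject, expiration and serial number, as shown on the Identity screen.
cert_subject() { openssl x509 -in "$1" -noout -subject | sed 's/^subject= *//'; }
cert_expiry()  { openssl x509 -in "$1" -noout -enddate | sed 's/^notAfter=//'; }
cert_serial()  { openssl x509 -in "$1" -noout -serial  | sed 's/^serial=//'; }

# Signature status: if the subject and issuer names hash to the same value,
# the certificate was issued under its own name (self-signed); otherwise a
# separate signing authority issued it. This compares names only; use
# "openssl verify" against the authority's certificate to check the signature.
cert_signature_status() {
    if [ "$(openssl x509 -in "$1" -noout -subject_hash)" = \
         "$(openssl x509 -in "$1" -noout -issuer_hash)" ]; then
        echo self-signed
    else
        echo ca-signed
    fi
}

# Returns 0 when the certificate stays valid for at least $2 more seconds.
cert_valid_for() { openssl x509 -in "$1" -noout -checkend "$2" >/dev/null; }

# SHA-256 fingerprint to compare with the value shown on the remote device.
cert_fingerprint() { openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^.*=//'; }

echo "Subject:          $(cert_subject "$CERT")"
echo "Expiration:       $(cert_expiry "$CERT")"
echo "Serial number:    $(cert_serial "$CERT")"
echo "Signature status: $(cert_signature_status "$CERT")"
echo "Fingerprint:      $(cert_fingerprint "$CERT")"
if cert_valid_for "$CERT" 86400; then
    echo "Validity:         valid for at least one more day"
else
    echo "Validity:         expires within a day or already expired"
fi
```

Run it against a certificate exported from a peer instead of the constructed one, and compare the fingerprint out of band before accepting the device into the trust domain.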

Device discovery in a local trust domain

When a BIG-IP® device joins the local trust domain and establishes a trust relationship with peer devices, the device and its peers exchange their device properties and device connectivity information. This exchange of device properties and IP addresses is known as device discovery.

For example, if a device joins a trust domain that already contains three trust domain members, the device exchanges device properties with the three other domain members. The device then has a total of four sets of device properties defined on it: its own device properties, plus the device properties of each peer. In this exchange, the device also learns the relevant device connectivity information for each of the other devices.

Before you configure device trust

Before you configure device trust, you should consider the following:

  • Only version 11.0 systems can join the local trust domain.
  • You can manage device trust when logged in to a certificate signing authority only. You cannot manage device trust when logged in to a subordinate non-authority device.
  • If you reset trust authority on a certificate signing authority by retaining the authority of the device, you must subsequently recreate the local trust domain and the device group.
  • As a best practice, you should configure the config sync, failover, and mirroring addresses on a device before you add that device to the trust domain.

Adding a device to the local trust domain

Prerequisite: Verify that each BIG-IP® device that is to be part of a local trust domain has a device certificate installed on it.
By default, each BIG-IP® device on the local network is a member of a one-member local trust domain. Use this procedure to log into any BIG-IP device on the network and add one or more devices to the local system's local trust domain. You can add a device as either a peer authority device or a subordinate non-authority device. When you perform this task, the local device (that is, the device you are logged in to) discovers the device that you specify during the process.
Note: Any BIG-IP devices that you intend to put into a device group later must first be members of the same local trust domain.
  1. On the Main tab, click Device Management > Device Trust > Local Domain.
  2. In the Peer Authority Devices area or the Subordinate Non-Authority Devices area of the screen, click Add.
  3. Type an IP address, administrator user name, and administrator password for the remote BIG-IP device. This IP address can be either a management IP address or a self IP address.
  4. Click Next.
  5. Verify that the certificate of the remote device is correct.
  6. Verify that the name of the remote device is correct.
  7. Verify that the management IP address and name of the remote device are correct.
  8. Click Finished.
You can now add the new member of the local trust domain to a device group.

Managing trust authority for a device

You can use a Reset Device Trust wizard in the BIG-IP® Configuration utility to manage the certificate authority of a BIG-IP device in a local trust domain. Specifically, you can:

  • Retain the current authority (for certificate signing authorities only).
  • Regenerate the self-signed certificate for a device.
  • Import a user-defined certificate authority.
Warning: If you reset trust authority on a certificate signing authority by retaining the authority of the device, you must subsequently recreate the local trust domain and the device group. If you reset trust authority on a subordinate non-authority, the BIG-IP system removes the non-authority device from the local trust domain. You can then re-add the device as an authority or non-authority device.
  1. On the Main tab, click Device Management > Device Trust > Local Domain.
  2. In the Trust Information area of the screen, click Reset Device Trust.
  3. Choose a certificate signing authority option. The system asks you to confirm your choice.
  4. Click Finished.