MM_F_147944
Apr 08, 2016
Solved

How to recover Cookie Encryption Passphrase once forgotten

HTTP profile cookie encryption passphrase is forgotten, how to recover? The guy who created this profile is no longer with us and we don't know, and this profile is on a critical application, don't hav...
  • Hannes_Rapp_162
    Apr 08, 2016

    That's not possible, unless there's a secret backdoor in TMOS.

    You can give that guy a call (maybe he remembers?) or use a cracking service provider - they will attempt to retrieve the plain-text format for a fee. Although he's no longer employed with your company, moving on without documenting the general-use passphrases is a lousy move. In some places, this can be considered a criminal offense.

    If you just want to migrate the existing configuration to a new BigIP platform, you can do it while not knowing the passphrase. To do so, you just copy the configuration as-is from the /config/bigip.conf file to your new appliance.

    If you're not looking to migrate configuration, you will probably have to settle for the impact. You can overwrite the existing passphrase with a new one during a low-activity hour, and send a 'sorry for the inconvenience' e-mail where you also instruct your users to close the application, and reconnect from a fresh browser session, should they experience any technical issues. If it's a permanent (or long-term) tracking cookie that's being encrypted, users may also have to manually delete their existing cookies.

    You should also contact F5 support here.
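
To scope the impact before overwriting the passphrase, the following added example (not part of the original thread and not F5 code) lists which HTTP profiles encrypt cookies, which cookie names are affected, and which virtual servers use those profiles. It assumes the usual `bigip.conf` stanza layout; the sample configuration, object names and secret value are constructed placeholders.

```python
import re

# Constructed sample in bigip.conf layout; names and the secret are placeholders.
SAMPLE_CONF = """\
ltm profile http /Common/app_http {
    defaults-from /Common/http
    encrypt-cookie-secret $M$constructed-placeholder
    encrypt-cookies { JSESSIONID APPTRACK }
}
ltm profile http /Common/plain_http {
    defaults-from /Common/http
}
ltm virtual /Common/vs_app {
    profiles {
        /Common/app_http { }
        /Common/tcp { }
    }
}
"""

def top_level_objects(conf):
    """Yield (header, body) per top-level stanza using naive brace counting."""
    depth, header, body = 0, None, []
    for line in conf.splitlines():
        if depth == 0 and line.rstrip().endswith("{"):
            header, body = line.rstrip()[:-1].strip(), []
        elif depth > 0:
            body.append(line)
        depth += line.count("{") - line.count("}")
        if depth == 0 and header is not None:
            yield header, "\n".join(body[:-1])  # drop the closing brace line
            header = None

def rotation_impact(conf):
    """Map each HTTP profile that encrypts cookies to its cookies and virtual servers."""
    profiles, attached = {}, {}
    for header, body in top_level_objects(conf):
        kind, name = header.rsplit(" ", 1)
        if kind == "ltm profile http":
            m = re.search(r"^\s*encrypt-cookies \{([^}]*)\}", body, re.M)
            if m and m.group(1).split():
                profiles[name] = {"cookies": m.group(1).split(), "virtuals": []}
        elif kind == "ltm virtual":
            attached[name] = re.findall(r"^\s+(/\S+) \{", body, re.M)
    for vs, names in attached.items():
        for p in names:
            if p in profiles:  # settings inherited via defaults-from are not resolved
                profiles[p]["virtuals"].append(vs)
    return profiles
```

Run `rotation_impact()` on a copy of the configuration file, not on the appliance, and check child profiles by hand, since inherited settings are not followed.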