SSL and Sharepoint. The saga continues… getting current first.

Today’s Issue:

F5 BIGIP LTM 6400 System upgrade from 9.3.1 to 10.0.1

Where we are:

Per F5, importing password-protected SSL Certificates isn’t supported in Product Version 9.3.1, but is in a more recent upgrade.  The documentation on the upgrade process from 9.3.1 to just about anything is, ever so slightly, difficult to follow.

How We Got Here:

I took the one less traveled by…

It turns out going from 9.3.1 to 10.0.1 equates to a bit more than a bounding leap.  There are significant changes (read: completely different) to the file structure, and the documentation is dicey at best for this major change’s upgrade path.

That said, here’s where we went:

Download the ISO for the new version – 10.0.1 – and save locally.  Don’t make the assumption that I did to expand the ISO and burn to CD.  You actually need the ISO itself uploaded to the device, and by the way, you need to be able to do that from a machine running on the same network as and physically connected to the management port (default is 192.168.1.x) which also cannot be on the same network as the production connections.  This presents some challenges for us once the production upgrade is ready to happen… either carry a laptop in, or build a VM with a dedicated physical NIC that can plug into the device itself (more on that later).

So you upload the ISO to the /shared/images folder (you have to create /images) and run a command whose expected output will be that it’s no longer supported (um… okay), and then run a new version of the command (did the old one actually do something or can we just skip this next time?), and then the big changes begin… pick an install location (no idea how you would find additional locations indicating a choice, but they apparently do exist).  Takes about 10 minutes conservatively.  The next step is where things got hairy for us, making the choice between migrating from partitions to volumes or not.  They make it sound like it’s no big deal, just a formatting change, but in retrospect, nothing’s really there after you switch to volumes.  So if you do, BACK IT ALL UP FIRST, AND  SAVE IT WHERE YOU CAN GET TO IT!

We ran the upgrade, changing over to Volumes, inserting the “--nosaveconfig” switch and everything.  Takes about 20-30 minutes, and reboots twice during this process.  Now, unexpectedly I have an LTM with 10.0.1 on it, but no configuration.  Good thing we tested this on another device first.  Luckily I have a copy of the running UCS that I had uploaded to the test device from the production archive before we went, so I tried dropping this on (totally expecting it not to work), and it didn’t work.

But you said…

Fired off a case to F5 looking for some help.  Either you can’t really upgrade directly (as I suspected), or we did something really wrong (which I feared), and we’d have to start over.  First thing the guy asked me was “did you use the ‘nosaveconfig’ switch?” Well of course I did, the manual told me to on page A-4.  His quizzical response of “it did?” certainly left me feeling a bit unnerved.

After a bit of discussion over the phone, the gist of it is:

  • If you want to upgrade to v10 using the partition format scheme you can also carry forward your configuration automatically… just use: image2disk --instslot=HD<slot_number> <downloaded_filename.iso>
  • If you want to upgrade to v10 using the volumes format you cannot carry your configuration forward automatically, but you can still import the .UCS manually later on… so the manual correctly asks you to run: image2disk --instslot=HD1.2 --nosaveconfig --format=volumes BIGIP-

Next, if you just wanted to correctly import that 9.3.1 .UCS into version 10, all you have to do is change the v10 hostname to be exactly what it was before (case sensitive), then import the UCS again. Now it should say IMPORTING FULL CONFIGURATION and there should be no errors after that.

Turns out that you have several options, none of which appear to be mandatory at this point, but volumes will be the way to go at some point.  If you plan to use the config from your existing UCS, make sure to name the Host exactly the same as before or the config archive won’t work.

So tomorrow’s tests will be:

  1. Change the Host name on the upgraded device to match the old name, and re-apply the UCS from the archive.
  2. Revert the whole thing back to 9.3.1 on Partitions, apply the UCS from the archive to get back to where we were, and validate the whole process again.

Assuming that goes well, next thing to do will be to see if we can now import an SSL Certificate that’s password protected, and then to put the newfangled “templates” to work (closest thing we’re going to get to a wizard, but heck, way better than struggling through the docs).

Following that, schedule some downtime, and off we go!  Also, new tricks & doodads (templates, software management, etc.).

