cm trust-domain
cm trust-domain(1) BIG-IP TMSH Manual cm trust-domain(1)
NAME
trust-domain - Manages a CM trust domain by providing control of object
failover.
MODULE
cm
SYNTAX
Manage the trust-domain component within the cm module using the syntax
shown in the following sections. The trust-domain name 'Root' is
optional beginning with version 13.0.0. The 'create cm trust-domain'
command is not allowed beginning with version 13.0.0.
MODIFY
modify trust-domain [Root]
options:
add-device {
[ ca-device [true | false] | non-ca-device [true | false] ]
device-ip [string]
device-port [port_number]
device-name [string]
username [string]
password [string]
sha1-fingerprint [string]
}
devices delete {
[ device names ]
}
remove-device [string]
deprecated since v13.0.0:
ca-devices [add | delete | modify | replace-all-with] {
[ device_name | ip address ]
}
md5-fingerprint [string]
name [string]
non-ca-devices [add | delete | modify | replace-all-with] {
[ device_name | ip address ]
}
password [string]
serial [string]
sha1-fingerprint [string]
username [string]
DISPLAY
list trust-domain
list trust-domain [ [ [name] | [glob] | [regex] ] ... ]
show running-config trust-domain
show running-config trust-domain [ [ [name] | [glob] | [regex] ] ... ]
options:
all-properties
app-service
ca-cert
ca-cert-bundle
ca-key
ca-devices
non-ca-devices
non-default-properties
one-line
partition
recursive
status
trust-group
DELETE/RESTART
restart trust-domain
delete trust-domain
options:
keep-current-certificate-authority
import-user-defined-cert [string]
import-user-defined-key [string]
DESCRIPTION
You can use the trust-domain component to manage the behavior of
objects during failover.
DELETE/RESTART operations
When applied to a trust-domain, these operations reset the trust and
make this device standalone.
EXAMPLES
Adds a device as a certificate authority:
modify trust-domain add-device { ca-device true device-ip 192.168.1.245
device-name myDevice1 device-port 1234 username admin password admin }
Adds a non-certificate-authority (subordinate) device, verifying its
certificate by SHA-1 fingerprint:
modify trust-domain add-device { ca-device false device-ip 192.168.1.248
device-name myDevice2 username admin password admin sha1-fingerprint
ab7012e8d834e639f497b2b1c9f1e855a4dbe232 }
Removes devices from the trust domain:
modify trust-domain devices delete { myDevice1 myDevice2 }
Resets the trust and makes this device standalone:
restart cm trust-domain
or
delete cm trust-domain
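The sha1-fingerprint option of add-device only helps if the value was obtained out-of-band and checked against the certificate the new device actually presents. The following is an added example, not part of the F5 manual: it computes the SHA-1 fingerprint over a certificate's DER encoding, normalizes colon-separated output to the 40-hex-digit form used in the example above, and builds the add-device command only on a match. The helper names, the sample PEM and the single-token argument check are assumptions of this example.

```python
import base64
import hashlib
import hmac
import re

# Constructed sample: a PEM wrapper around 26 placeholder bytes, not a real certificate.
SAMPLE_PEM = """-----BEGIN CERTIFICATE-----
QUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVo=
-----END CERTIFICATE-----
"""

def pem_to_der(pem: str) -> bytes:
    """Return the DER bytes of the first CERTIFICATE block in a PEM string."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", pem, re.S)
    if not m:
        raise ValueError("no PEM certificate block found")
    return base64.b64decode("".join(m.group(1).split()), validate=True)

def sha1_fingerprint(der: bytes) -> str:
    """SHA-1 over the DER encoding, as 40 lowercase hex digits."""
    return hashlib.sha1(der).hexdigest()

def normalize(fp: str) -> str:
    """Accept 'SHA1 Fingerprint=AB:70:...' or bare hex; return 40 lowercase hex digits."""
    digits = fp.split("=", 1)[-1].replace(":", "").replace(" ", "").lower()
    if not re.fullmatch(r"[0-9a-f]{40}", digits):
        raise ValueError("not a SHA-1 fingerprint")
    return digits

def add_device_command(pem, expected_fp, ip, name, user, password, ca=False):
    """Build the add-device command only if the certificate matches expected_fp."""
    for value in (ip, name, user, password):
        # This example's own restriction: each value must be a single token.
        if not re.fullmatch(r"[^\s{}]+", value):
            raise ValueError("unexpected characters in an argument")
    actual = sha1_fingerprint(pem_to_der(pem))
    if not hmac.compare_digest(actual, normalize(expected_fp)):
        raise ValueError("fingerprint mismatch for %s: certificate has %s" % (name, actual))
    return ("modify trust-domain add-device { "
            f"ca-device {str(ca).lower()} device-ip {ip} device-name {name} "
            f"username {user} password {password} sha1-fingerprint {actual} }}")

if __name__ == "__main__":
    fp = sha1_fingerprint(pem_to_der(SAMPLE_PEM))
    # "<password>" is a placeholder; address and name are those in the page's example.
    print(add_device_command(SAMPLE_PEM, fp, "192.168.1.248", "myDevice2", "admin", "<password>"))
```

In use, the PEM is the certificate retrieved from the device being added, and the expected fingerprint comes from a separate trusted channel such as the device's console.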
EXAMPLES (deprecated since v13.0.0)
Adds a certificate authority:
modify trust-domain Root ca-devices add { 192.168.1.245 } name
myDevice1 username admin password admin
Adds a non-authoritative certificate:
modify trust-domain Root non-ca-devices add { 192.168.1.245 } name
myDevice1 username admin password admin
Removes a device from the trust domain:
modify trust-domain Root ca-devices delete { myDevice1 }
OPTIONS
add-device
Adds a device to the trust domain.
device-ip
Device IP address when adding new device.
device-port
Device port number if other than 443 when adding new device.
This parameter is optional.
device-name
Device name when adding new device.
username
Specifies the user name required to log on to a device when
adding the device to the trust domain.
password
Specifies the password corresponding to the username
required to log on to a device when adding the device to the
trust domain.
sha1-fingerprint
Specifies the SSL certificate (DER format) sha1 fingerprint
when verifying the identity of a new device. This field is
optional.
app-service
Displays the application service to which the object belongs. The
default value is none. Note: If the strict-updates option is
enabled on the Application Service that owns the object, you
cannot modify or delete the object. Only the Application Service
can modify or delete the object.
ca-cert
Displays the certificate authority device trust certificate.
ca-cert-bundle
Displays the bundled certificate authority device trust
certificates used to authenticate incoming connections.
ca-devices
Create and modify operations are deprecated since v13.0.0. List
operation is still supported. Set of certificate authority devices
in the trust domain.
ca-key
Displays the certificate authority device trust key. This key only
displays for certificate authorities.
devices
Removes one or more devices from the trust domain. It takes the
name of the device as the identifier.
glob
Displays the items that match the glob expression. See help glob
for a description of glob expression syntax.
import-user-defined-cert
Specifies the certificate to import and use as the trust domain's
new certificate authority. You must also use the import-user-
defined-key option to specify the corresponding key. This option
cannot be specified alongside keep-current-certificate-authority.
import-user-defined-key
Specifies the key to import and use as the trust domain's new
certificate authority key. You must also use the import-user-
defined-cert option to specify the corresponding certificate. This
option cannot be specified alongside keep-current-certificate-
authority.
keep-current-certificate-authority
By default, resetting trust will generate a new certificate
authority. Adding this option to the delete command will instead
keep the current certificate authority. This option cannot be
specified alongside import-user-defined-cert or import-user-
defined-key.
md5-fingerprint
Deprecated since v13.0.0. Specifies the SSL certificate
fingerprint when verifying the identity of a new device.
name
Deprecated since v13.0.0. Option used to specify the name of a new
device.
non-ca-devices
Create and modify operations are deprecated since v13.0.0. List
operation is still supported. Set of subordinate devices in the
trust domain.
password
Deprecated since v13.0.0. Specifies the password for a new device.
recursive
Displays all objects of the specified type and the folder that
contains the object.
regex
Displays the items that match the regular expression. The regular
expression must be preceded by an at sign (@[regular expression])
to indicate that the identifier is a regular expression. See help
regex for a description of regular expression syntax.
remove-device
Removes a single device from the trust domain. It takes the name
of the device as the identifier.
serial
Deprecated since v13.0.0. Specifies the SSL certificate serial
number when verifying the identity of a new device.
sha1-fingerprint
Deprecated since v13.0.0. Specifies the SSL certificate
fingerprint when verifying the identity of a new device.
signature
Deprecated since v13.0.0. Specifies the SSL certificate signature,
when verifying the identity of a new device.
status
Displays the status of the trust domain.
trust-group
Displays the device group associated with the trust domain.
username
Deprecated since v13.0.0. Specifies the user name required to log
on to a device when adding the device to the trust domain.
SEE ALSO
delete, edit, glob, list, modify, regex, restart, tmsh
COPYRIGHT
No part of this program may be reproduced or transmitted in any form or
by any means, electronic or mechanical, including photocopying,
recording, or information storage and retrieval systems, for any
purpose other than the purchaser's personal use, without the express
written permission of F5 Networks, Inc.
F5 Networks and BIG-IP (c) Copyright 2008-2016. All rights reserved.
BIG-IP 2016-10-11 cm trust-domain(1)