Last Modified: Oct 04, 2024
Affected Product(s):
BIG-IP TMOS
Known Affected Versions:
15.1.2, 15.1.2.1, 15.1.3, 15.1.3.1, 15.1.4, 15.1.4.1, 15.1.5, 15.1.5.1, 15.1.6, 15.1.6.1, 15.1.7, 15.1.8, 15.1.8.1, 15.1.8.2, 15.1.9, 15.1.9.1, 15.1.10, 15.1.10.2, 15.1.10.3, 15.1.10.4, 15.1.10.5, 16.0.0, 16.0.0.1, 16.0.1, 16.0.1.1, 16.0.1.2, 16.1.0, 16.1.1, 16.1.2, 16.1.2.1, 16.1.2.2, 16.1.3, 16.1.3.1, 16.1.3.2, 16.1.3.3, 16.1.3.4, 16.1.3.5, 16.1.4, 16.1.4.1, 16.1.4.2, 16.1.4.3, 16.1.5, 16.1.5.1, 17.0.0, 17.0.0.1, 17.0.0.2, 17.1.0, 17.1.0.1, 17.1.0.2, 17.1.0.3, 17.1.1, 17.1.1.1, 17.1.1.2, 17.1.1.3, 17.1.1.4
Opened: Dec 28, 2021 Severity: 3-Major
The BIG-IP downloads an f5_api_com.crt certificate file when a production BIG-IP license is installed, but a subsequent "load sys config" reverts to the pre-certificate config, and deletes (tidies up) the file.
F5_api_com.crt certificate file is not present on the BIG-IP system.
-- Activate a BIG-IP license in either the GUI or tmsh (this causes the f5 API certificate to be downloaded and installed into the config) -- Run 'tmsh load sys config' -- Observe that the f5_api_com.crt object is no longer present in the BIG-IP config.
- Ensure that "tmsh save sys config" is run after installing a new BIG-IP license. - If the certificate has been removed from the BIG-IP configuration, but is still present in the filesystem, you can import it with the expected name (f5_api_com.crt): "tmsh create sys file ssl-cert f5_api_com.crt source-path file:///config/ssl/ssl.crt/f5_api_com.crt" - If the certificate has been lost, you can re-activate the license, to cause a new API certificate to be pulled down from the F5 license server.
None