Bug ID 1126093: DNSSEC Key creation failure with internal FIPS card.

Last Modified: Dec 07, 2023

Affected Product(s):
BIG-IP TMOS(all modules)

Fixed In:
17.1.1, 16.1.4

Opened: Jul 13, 2022

Severity: 2-Critical

Symptoms

You are unable to create DNSSEC keys that use the internal FIPS HSM. When this issue happens, the following error messages appear in /var/log/gtm:

Jul 20 04:37:47 localhost failed to read password encryption key from the file /shared/fips/nfbe0/pek.key_1, error 40000229
Jul 20 04:37:47 localhost.localdomain err gtmd[28729]: 011a0312:3: Failed to initiate session with FIPS card.
Jul 20 04:37:47 localhost.localdomain err gtmd[28729]: 011a0309:3: Failed to create new DNSSEC Key Generation /Common/abcd:1 due to HSM error.

Impact

DNSSEC deployments with internal FIPS HSMs are impacted.

Conditions

-- Internal FIPS card present.
-- Clean installation from an installation ISO file.
-- DNSSEC key creation using internal FIPS card.

Workaround

Change the /shared/fips directory permissions. For example:

    chmod 700 /shared/fips
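To confirm a system matches this bug before changing anything, the following added example (not F5 code; the function names are hypothetical) counts the three messages quoted under Symptoms and compares the directory mode with the 700 the workaround sets. It assumes GNU grep and stat, and changes permissions only when asked to with --fix.

```shell
#!/bin/bash
# Added example (not F5 code): triage helper for Bug ID 1126093.
# Defaults are the paths named in the bug report; override them to test.
FIPS_DIR="${FIPS_DIR:-/shared/fips}"
GTM_LOG="${GTM_LOG:-/var/log/gtm}"

# Count log lines matching the three messages quoted under Symptoms.
count_symptoms() {
    [ -r "$1" ] || { echo 0; return 0; }
    grep -c -E \
        -e 'failed to read password encryption key from the file' \
        -e '011a0312:3: Failed to initiate session with FIPS card' \
        -e '011a0309:3: Failed to create new DNSSEC Key Generation .* due to HSM error' \
        "$1" || true
}

# Print a directory's permission bits in octal (GNU stat syntax).
dir_mode() { stat -c '%a' "$1"; }

# Succeed only if the directory already has the mode the workaround sets.
mode_is_workaround() { [ "$(dir_mode "$1")" = "700" ]; }

# Report status. Changes permissions only when called with --fix.
# Returns 0 if the mode is (now) 700, 1 if not, 2 if the directory is missing.
triage() {
    t_mode=$(dir_mode "$FIPS_DIR" 2>/dev/null) || return 2
    echo "symptom lines in $GTM_LOG: $(count_symptoms "$GTM_LOG")"
    echo "mode of $FIPS_DIR: $t_mode"
    if mode_is_workaround "$FIPS_DIR"; then
        echo "already 700: workaround is in place"
        return 0
    fi
    if [ "${1:-}" = "--fix" ]; then
        chmod 700 "$FIPS_DIR" || return 1
        echo "applied: chmod 700 $FIPS_DIR"
        return 0
    fi
    echo "not 700: rerun with --fix to apply the workaround"
    return 1
}

# Run only when invoked as: script.sh triage [--fix]
if [ "${1:-}" = "triage" ]; then triage "${2:-}"; fi
```

Run it as root with the argument triage to report only, or triage --fix to apply the workaround.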

Fix Information

None

Behavior Change
