Bug ID 1136081: HSM sync issue in high availability (HA) setups

Last Modified: Mar 30, 2024

Affected Product(s):
BIG-IP LTM(all modules)

Known Affected Versions:
17.0.0.2, 17.0.0.1, 17.0.0, 16.1.3.4, 16.1.3.3, 16.1.3.2, 16.1.3.1, 16.1.3, 16.1.2.2, 16.1.2.1, 16.1.2, 16.1.1, 15.1.8, 15.1.7, 15.1.6.1, 15.1.6, 15.1.5.1, 14.1.5.4, 14.1.5.3, 14.1.5.2, 14.1.5.1, 14.1.5, 14.1.4.6, 13.1.5

Fixed In:
17.1.0

Opened: Aug 12, 2022

Severity: 1-Blocking

Symptoms

FIPS card sync can return an error when syncing the FIPS card in High Availability (HA) setups. HSMs initialized with old software are not compatible with HSMs initialized with a recent software release. If one device in the HA pair is replaced and the new device is initialized with new software, HSM sync can fail in some scenarios.

Impact

The HA pair will not be able to sync the FIPS keys, which can cause traffic impact if the active device goes down.

Conditions

- Replacing a device in an HA pair.

Workaround

The following workaround steps are performed on the target device (the RMAed or new device in the high availability (HA) pair):

1. Downgrade the BIG-IP version to the old release.
2. Execute "tmsh stop sys service all".
3. Execute "fipsutil reset".
4. Execute "fipsutil init".
5. Execute "bigstart restart".
6. Execute the following command to check the FIPS card health:

   tmsh show sys crypt fips key

   The following is an example output:

   -------------------------------------------
   FIPS 140 Hardware Device
   -------------------------------------------
   no private keys found

7. Upgrade the BIG-IP version to the latest release, the one the active device is running.
8. Reboot to the upgraded volume.
9. Execute fipscardsync from the source device.

Fix Information

The solution is available in the n3fipsutil standalone tool on the F5 download site. Path on the F5 download site: Product Family (Group) -- Hardware-Specific Product Line -- FIPS_UTIL; Product Container (Name) -- n3fipsutil_1.6 (version 1.6 or any later version).

The procedure must be executed during a maintenance window only, as it disrupts traffic.

HSM partition configuration backup on the target device (the new RMAed device), after proper initialization:

1. Download the n3fipsutil file from the path above.
2. Stop the services with the command "tmsh stop sys service all".
3. Create an empty directory for the backup.
4. Run the file downloaded at step 1 with the following command:

   ./n3fipsutil -backup <empty directory created at step 3> [-n partition_name] [-host mgmt_ip] -c

   [-n partition_name] is optional and applies only where the system has custom partition names, such as in vCMP cases. [-host mgmt_ip] must be used only in vCMP mode, from the vCMP guest; mgmt_ip is the host management IP address.
   Note: -c must be specified, as this process is only for taking a backup of the configuration.
5. Start the services with the command "tmsh restart sys service all".
6. Copy the whole content of the directory created at step 3 to a remote, secure and reliable location without changing the content of the directory.
7. The backup directory contains the encrypted configuration data of the partition, and also the keys okbk.key and pokbk.key, which are generated during the backup process; this data must be secured using best standard practices.

HSM partition configuration restore on the source device: in an unforeseen event, or when the HSM configuration needs to be restored, run the following commands to restore the HSM configuration.

1. Download the n3fipsutil file from the path above.
2. Copy the backup data saved during backup from the remote location.
3. Stop the services with the command "tmsh stop sys service all".
4. Run the file downloaded at step 1 with the following command:

   ./n3fipsutil -restore <directory copied at step 2> [-n partition_name] [-host mgmt_ip] -c

   [-n partition_name] is optional and applies only where the system has custom partition names, such as in vCMP cases. [-host mgmt_ip] must be used only in vCMP mode, from the vCMP guest; mgmt_ip is the host management IP address.
   Note: -c must be specified, as this process is only for restoring the configuration.
5. Run the command "fipsutil loginreset -r". Skip this step on BIG-IP versions where the fipsutil command does not have the "loginreset" option.
6. Start the services with the command "tmsh restart sys service all".
7. Check all available keys on the source device.
8. Run "fips-card-sync -v -u root <target ip>" from the source device.
9. Once all services have started, perform a force-full-load-sync from the source (active) device to the target (standby) device to load all the keys on the standby. Both devices now have the same configuration, and fipscardsync will work as expected.

Note: This process is only for managing the HSM configuration from the target to the source device in the case of a FIPS card sync issue.
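The backup step above has three conditions that are easy to get wrong by hand: the directory must be empty, -c must always be passed, and the generated okbk.key and pokbk.key must be locked down afterwards. The following POSIX shell wrapper, added here as an example and not part of F5's tool or this bug entry, enforces those conditions; it assumes n3fipsutil is in the current directory on the target BIG-IP, and the function names (backup_dir_is_empty, build_backup_cmd, verify_backup_contents, run_backup) are hypothetical.

```shell
#!/bin/sh
# Wrapper around the n3fipsutil backup step (example code, assumes ./n3fipsutil on the target device).

# Succeeds only if DIR exists and contains nothing (including dotfiles).
backup_dir_is_empty() {
    dir="$1"
    [ -d "$dir" ] || return 1
    [ -z "$(ls -A "$dir")" ]
}

# Build the backup command line. -c is always appended because this process
# only backs up configuration; partition name and host IP are the optional
# vCMP arguments from the procedure above.
build_backup_cmd() {
    dir="$1"; partition="$2"; host="$3"
    cmd="./n3fipsutil -backup $dir"
    [ -n "$partition" ] && cmd="$cmd -n $partition"
    [ -n "$host" ] && cmd="$cmd -host $host"
    printf '%s -c' "$cmd"
}

# After the backup: both key files must exist; restrict them to the owner
# before they are copied off-box.
verify_backup_contents() {
    dir="$1"
    for f in okbk.key pokbk.key; do
        [ -f "$dir/$f" ] || { echo "missing $f in $dir" >&2; return 1; }
        chmod 600 "$dir/$f"
    done
    return 0
}

# Full sequence: preflight, stop services, back up, restart services, post-check.
run_backup() {
    dir="$1"; partition="$2"; host="$3"
    backup_dir_is_empty "$dir" || { echo "backup directory must exist and be empty" >&2; return 1; }
    tmsh stop sys service all
    sh -c "$(build_backup_cmd "$dir" "$partition" "$host")" || return 1
    tmsh restart sys service all
    verify_backup_contents "$dir"
}
```

Copy the directory to the remote location only after verify_backup_contents succeeds, so an incomplete backup is never treated as a usable restore source.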

Behavior Change

Guides & references

K10134038: F5 Bug Tracker Filter Names and Tips