Last Modified: Jul 13, 2024
Affected Product(s):
BIG-IP TMOS
Known Affected Versions:
12.1.0, 12.1.0 HF1, 12.1.0 HF2, 12.1.1, 12.1.1 HF1, 12.1.1 HF2, 12.1.2, 12.1.2 HF1, 12.1.2 HF2, 12.1.3, 12.1.3.1, 12.1.3.2, 12.1.3.3, 12.1.3.4, 12.1.3.5, 12.1.3.6, 12.1.3.7, 12.1.4, 12.1.4.1, 12.1.5, 12.1.5.1, 12.1.5.2, 12.1.5.3, 12.1.6, 13.0.0, 13.0.0 HF1, 13.0.0 HF2, 13.0.0 HF3, 13.0.1, 13.1.1.2, 13.1.1.3, 13.1.1.4, 13.1.1.5, 13.1.3, 13.1.3.1, 13.1.3.2, 13.1.3.3, 13.1.3.4, 13.1.3.5, 13.1.3.6, 13.1.4, 13.1.4.1, 13.1.5, 13.1.5.1, 14.0.0, 14.0.0.1, 14.0.0.2, 14.0.0.3, 14.0.0.4, 14.0.0.5, 14.0.1, 14.0.1.1, 14.1.0, 14.1.0.1, 14.1.0.2, 14.1.0.3, 14.1.0.5, 14.1.0.6, 14.1.2, 14.1.2.1, 14.1.2.2, 14.1.2.3, 14.1.2.4, 15.0.0, 15.0.1, 15.0.1.1, 15.0.1.2, 15.0.1.3, 15.0.1.4
Fixed In:
15.1.0, 14.1.2.5
Opened: Apr 12, 2019 Severity: 3-Major
When a FIPS key is overwritten, the previous key is not removed from the FIPS card. It remains on the card as an abandoned key: the BIG-IP system has no configuration object that refers to it, so it can neither be used nor properly tracked. An abandoned key appears similar to the following:

[root@big8:Active:Standalone] config # tmsh show sys crypto fips
-------------------------------------------
FIPS 140 Hardware Device
-------------------------------------------
=== private keys (1)
ID                               MOD.LEN(bits)
d3d8ecc5a489c64b8dfd731945d59950 2048     <==== properly tracked and configured key in BIG-IP
/Common/fffff.key
e35e900af8b269d2f10b20c47e517fd1 2048     <==== no name, abandoned

The result is orphan keys on the FIPS card: keys that are not present in the BIG-IP configuration as configured keys and therefore cannot be used by the BIG-IP system. They still occupy a key slot on the card.
The issue is seen when all of the following conditions are met:
1. A high availability (HA) setup is formed by multiple BIG-IP systems with FIPS cards.
2. An Administrator of one of the BIG-IP systems deletes its FIPS key and creates another FIPS key using the same name.
3. A high availability (HA) sync occurs from another BIG-IP system (which still has the older configuration) back to the first BIG-IP system, so that the operation overwrites the newly created FIPS key with the old FIPS key.
Manually delete the abandoned key from the FIPS card using the following command:

tmsh delete sys crypto fips key <key-id>

For example, for the abandoned key shown earlier, use the following command:

tmsh delete sys crypto fips key "e35e900af8b269d2f10b20c47e517fd1"
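The following script is an added example for finding abandoned keys, not F5's code and not part of this article. It parses the output of tmsh show sys crypto fips, treats any key ID that is not followed by a /Partition/name.key line as abandoned, and prints the tmsh delete command from the workaround above for each one. The layout assumption (an ID and modulus line, followed by a name line only when BIG-IP tracks the key) is taken from the output shown earlier; the sample output embedded below is constructed to match that layout and is not captured from a device.

```shell
#!/bin/sh
# Added example (not F5 code): list FIPS-card keys that have no BIG-IP
# object name attached and emit the matching tmsh delete commands.
#
# Assumed layout of `tmsh show sys crypto fips` (from the article):
#   <32-hex-char key id> <modulus bits>
#   /Partition/name.key          <- present only when BIG-IP tracks the key
# A key id with no following name line is an abandoned key.

find_abandoned_fips_keys() {
  # Reads the show output on stdin, prints one abandoned key id per line.
  awk '
    # key line: 32-char lowercase hex id followed by a modulus length
    $1 ~ /^[0-9a-f]+$/ && length($1) == 32 && $2 ~ /^[0-9]+$/ {
      if (pending != "") print pending   # previous key never got a name line
      pending = $1
      next
    }
    # name line: BIG-IP has a configured key object for it, so not abandoned
    $1 ~ /^\// { pending = ""; next }
    END { if (pending != "") print pending }
  '
}

abandoned_delete_commands() {
  # Turns abandoned ids into the workaround command; nothing is executed here.
  find_abandoned_fips_keys | while read -r id; do
    printf 'tmsh delete sys crypto fips key "%s"\n' "$id"
  done
}

# Constructed sample mirroring the article's output; the ids are the ones
# quoted in the article, not output from a real device.
SAMPLE_OUTPUT='-------------------------------------------
FIPS 140 Hardware Device
-------------------------------------------
=== private keys (1)
ID                               MOD.LEN(bits)
d3d8ecc5a489c64b8dfd731945d59950 2048
/Common/fffff.key
e35e900af8b269d2f10b20c47e517fd1 2048'

main() {
  # With --live on a BIG-IP, read the real card contents; otherwise use
  # the constructed sample so the script can be tried anywhere.
  if [ "$1" = "--live" ] && command -v tmsh >/dev/null 2>&1; then
    tmsh show sys crypto fips | abandoned_delete_commands
  else
    printf '%s\n' "$SAMPLE_OUTPUT" | abandoned_delete_commands
  fi
}

main "$@"
```

The script only prints the delete commands; review them against tmsh list sys crypto key output on that device before running any of them, since deleting a key that is still referenced would break the SSL profile using it. Each FIPS card holds its own key store, so check every member of the HA pair separately.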
With the fix, the overwritten key is removed from the FIPS card as part of the overwrite, so no abandoned key is left behind.