Bug ID 1000325: UCS load with 'reset-trust' may not work properly if base configuration fails to load

Last Modified: Aug 03, 2021

Affected Product:
BIG-IP Install/Upgrade, LTM(all modules)

Known Affected Versions:
15.1.0, 15.1.0.1, 15.1.0.2, 15.1.0.3, 15.1.0.4, 15.1.0.5, 15.1.1, 15.1.2, 15.1.2.1, 15.1.3, 15.1.3.1, 16.0.0, 16.0.0.1, 16.0.1, 16.0.1.1, 16.0.1.2, 16.1.0

Opened: Mar 08, 2021
Severity: 3-Major

Symptoms

When loading a UCS archive using the 'reset-trust' option, if the system fails to load the base configuration from the UCS archive, the system may fail to regenerate new device trust certificates and keys. This can result in subsequent issues, including configuration load failures after an upgrade, such as:

01070712:3: Values (/Common/dtca.key) specified for trust domain (/Common/Root): foreign key index (key_fk) do not point at an item that exists in the database.
Unexpected Error: Loading configuration process failed.

Impact

-- The system does not regenerate critical device trust keys and certificates.
-- After a subsequent upgrade, the BIG-IP system goes to INOPERATIVE state, and reports this error:

01070712:3: Values (/Common/dtca.key) specified for trust domain (/Common/Root): foreign key index (key_fk) do not point at an item that exists in the database.
Unexpected Error: Loading configuration process failed.

Conditions

-- Loading a UCS file using the 'reset-trust' option.
-- The system fails to load the base configuration (bigip_base.conf) in the UCS archive for any reason.
-- The base configuration is corrected, and subsequently loaded (e.g., with 'tmsh load sys config').

Workaround

Remove trust-domain from the bigip_base.conf file and reload the configuration.
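
The workaround above as an added shell example (not F5's own tooling): it removes the trust-domain stanza from a base configuration file and keeps a backup copy of the original. The stanza layout, the sample configuration, the backup suffix and the function names are assumptions constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example, not F5 code. Assumption: the stanza starts at column 0 with
# "cm trust-domain <name> {" and ends at the matching closing brace.

strip_trust_domain() {
    # Reads a configuration on stdin and prints it without trust-domain stanzas.
    awk '
        !skipping && /^cm trust-domain[ \t]/ { skipping = 1 }
        skipping {
            # Count braces so nested blocks such as ca-devices are dropped too.
            depth += gsub(/[{]/, "{") - gsub(/[}]/, "}")
            if (depth <= 0) { skipping = 0; depth = 0 }
            next
        }
        { print }
    '
}

apply_workaround() {
    # $1: path to the bigip_base.conf to edit. The original is kept next to it
    # with a hypothetical ".pre-trust-strip" suffix so the edit can be reverted.
    conf=$1
    backup="$conf.pre-trust-strip"
    cp -p "$conf" "$backup" || return 1
    # Rewrite in place from the backup so ownership and mode stay unchanged.
    strip_trust_domain < "$backup" > "$conf"
}

sample_base_conf() {
    # Constructed sample, not taken from a real device.
    cat <<'EOF'
cm device /Common/bigip1.example.com {
    hostname bigip1.example.com
}
cm trust-domain /Common/Root {
    ca-cert /Common/dtca.crt
    ca-devices { /Common/bigip1.example.com }
    ca-key /Common/dtca.key
}
sys global-settings {
    hostname bigip1.example.com
}
EOF
}

# Demo on the constructed sample: prints the configuration minus the stanza.
sample_base_conf | strip_trust_domain
```

After apply_workaround has edited the file, reload the configuration (e.g., with 'tmsh load sys config').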

Fix Information

None

Behavior Change