Last Modified: Apr 28, 2025
Affected Product(s):
F5OS Velos
Fixed In:
F5OS-A 1.1.0, F5OS-A 1.0.1
Opened: Feb 05, 2022 Severity: 2-Critical
The system-api-svc-gateway fails to decrypt the unit key, crashes, and is unable to communicate with the tenant.
Communication between the API gateway and the tenant is disrupted. Note: If no key-rotation was ever done, this issue does not occur.
A key migration or rotation is performed in confd: system aaa primary-key
To correct the current unit-key issue, invoke the config command:

    system database reset-to-default proceed yes

To avoid the issue, disable key-rotation. To prevent key rotation, add the line '/tenants/tenant{%x}/config/unit-key' to the file in the confd-key-migration-mgr container:

    /tenants/tenant{%x}/config/unit-key

To do so, ssh as root into the device and do the following:

    # docker exec -it confd-key-migration-mgr bash
    bash-4.2# echo "/tenants/platform-self-signed-cert/self-signed-key" >> /etc/confd-key-migration/appliance-secure-elem-manifest
    bash-4.2# echo "/tenants/tenant{%x}/config/unit-key" >> /etc/confd-key-migration/appliance-secure-elem-manifest
    bash-4.2# exit
    # docker restart confd-key-migration-mgr
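The manifest edit from the workaround, written so that it can be re-run without duplicating entries and so that a manifest lacking a trailing newline does not get the new entry glued onto its last line. This is an added example, not F5's own code: the function names and the --apply switch are hypothetical, while the manifest path and the two entries are the ones given in the workaround. It is meant to be run inside the confd-key-migration-mgr container, followed by the docker restart shown above.

```shell
#!/bin/sh
# Added example (not F5 code): idempotent form of the manifest edit.
# Path and entries come from the workaround; function names are hypothetical.
MANIFEST="${MANIFEST:-/etc/confd-key-migration/appliance-secure-elem-manifest}"

# Append entry $2 to manifest $1 unless an identical line is already there.
ensure_manifest_line() {
    file=$1
    line=$2
    [ -f "$file" ] || { echo "manifest not found: $file" >&2; return 2; }
    # -F: literal match (the entry contains '{', '%', '}'); -x: whole line only
    if grep -qxF -- "$line" "$file"; then
        return 0
    fi
    # If the last byte is not a newline, add one first so the new entry
    # starts on its own line instead of extending the previous entry.
    if [ -s "$file" ] && [ -n "$(tail -c 1 "$file")" ]; then
        printf '\n' >> "$file"
    fi
    printf '%s\n' "$line" >> "$file"
}

# Print how many lines of manifest $1 are exactly entry $2.
count_manifest_line() {
    grep -cxF -- "$2" "$1" || true
}

# Add both entries named in the workaround to manifest $1.
apply_workaround() {
    ensure_manifest_line "$1" "/tenants/platform-self-signed-cert/self-signed-key" &&
    ensure_manifest_line "$1" "/tenants/tenant{%x}/config/unit-key"
}

# Only touch the real manifest when explicitly asked to.
if [ "${1:-}" = "--apply" ]; then
    apply_workaround "$MANIFEST"
fi
```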
The system now adds the line to the manifest file. Because the unit-key does not get re-encrypted with the new key, after upgrading to a software version containing the fix, run the config command: system database reset-to-default proceed yes