Bug ID 1429897: NShield netHSM : Creating new nShield key does not commit this key to an external RFS with nShield 12.60

Last Modified: Jun 25, 2024

Affected Product(s):
BIG-IP LTM (all modules)

Known Affected Versions:
16.1.0, 16.1.1, 16.1.2, 16.1.3, 16.1.4

Opened: Dec 11, 2023

Severity: 3-Major


With nShield software v12.60, when a new nShield key is created on a BIG-IP system that is a client of an external RFS, the new key is not automatically uploaded to the RFS. With nShield software v12.40 this works as expected, and new keys are committed to the RFS without running 'rfs-sync -c'. If a new HSM key is generated with fipskey.nethsm (a wrapper for /opt/nfast/bin/generatekey), the key is committed to the RFS.


Upgrading to higher versions of BIG-IP software will cause issues because those versions use nShield v12.60.


--> Configure BIG-IP with an external HSM. Use nShield software v12.60.x.
--> Create a new netHSM key using TMSH or the WebUI.


Use 'rfs-sync -c' after creating a new key.

Fix Information


Behavior Change
