Last Modified: Jul 24, 2024
Affected Product(s):
BIG-IP LTM
Known Affected Versions:
16.1.0, 16.1.1, 16.1.2, 16.1.2.1, 16.1.2.2, 16.1.3, 16.1.3.1, 16.1.3.2, 16.1.3.3, 16.1.3.4, 16.1.3.5, 16.1.4, 16.1.4.1, 16.1.4.2, 16.1.4.3
Fixed In:
16.1.5
Opened: Dec 11, 2023
Severity: 3-Major
With nShield software v12.60, when a new nShield key is created on a BIG-IP that is a client of an external RFS, the new key is not automatically uploaded to the RFS. With nShield software v12.40 this works and new keys are committed to the RFS without 'rfs-sync -c'. If a new HSM key is generated with fipskey.nethsm (a wrapper for /opt/nfast/bin/generatekey), the key is committed to the RFS.
Upgrading to higher versions of BIG-IP software will cause issues because those versions use nShield v12.60.
--> Configure BIG-IP with an external HSM. Use nShield software v12.60.x.
--> Create a new nethsm key using TMSH or WebUI.
Use 'rfs-sync -c' after creating a new key.
None