Bug ID 1429897: nShield netHSM: Creating new nShield key does not commit this key to an external RFS with nShield 12.60

Last Modified: Jun 25, 2024

Affected Product(s):
BIG-IP LTM (all modules)

Known Affected Versions:
16.1.0, 16.1.1, 16.1.2, 16.1.2.1, 16.1.2.2, 16.1.3, 16.1.3.1, 16.1.3.2, 16.1.3.3, 16.1.3.4, 16.1.3.5, 16.1.4, 16.1.4.1, 16.1.4.2, 16.1.4.3

Opened: Dec 11, 2023

Severity: 3-Major

Symptoms

With nShield software v12.60, when a new nShield key is created on a BIG-IP system that is a client of an external RFS, the new key is not automatically uploaded to the RFS. With nShield software v12.40 this works, and new keys are committed to the RFS without running 'rfs-sync -c'. If a new HSM key is generated with fipskey.nethsm (a wrapper for /opt/nfast/bin/generatekey), the key is committed to the RFS.

Impact

Upgrading to later versions of BIG-IP software will cause issues, because those versions use nShield v12.60.

Conditions

1. Configure BIG-IP with an external HSM. Use nShield software v12.60.x.
2. Create a new nethsm key using TMSH or WebUI.

Workaround

Use 'rfs-sync -c' after creating a new key.

Fix Information

None

Behavior Change
