Bug ID 427077: Regenerate trust domain and related device certs and keys

Last Modified: Nov 22, 2021

Affected Product(s):
BIG-IP LTM(all modules)

Known Affected Versions:
11.1.0, 11.2.1, 11.3.0, 11.4.0, 11.4.1

Fixed In:
11.5.0, 11.4.1 HF9

Opened: Aug 05, 2013

Severity: 1-Blocking

Related Article: K14979

Symptoms

Occasionally, a UCS file might have one of the following conditions:

1. Missing trust certs (dtca.crt, dtca-bundle.crt), trust key (dtca.key), device cert (dtdi.crt) or device key (dtdi.key).
2. Inconsistent configuration of the above file objects. This generally means that the cache-path entries in the configuration for these files in bigip_base.conf do not match what actually exists in the filestore.

These two conditions can occur as a result of several errors: loading from a previously defective UCS, an incomplete load from SCF files, creating a UCS after a configuration change without performing a config save operation, and others.

Impact

When these conditions are met, the UCS fails to load.

Conditions

This occurs when the dtca/dtdi files are missing or contain configuration inconsistencies.

Workaround

You can mitigate the problem by regenerating the trust-related certs and keys while loading an affected UCS. To do so, run the following command: tmsh load sys ucs <UCS File> reset-trust
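The two conditions listed under Symptoms can be checked offline before deciding to load with reset-trust. The following is an added example, not part of the F5 record; it assumes a UCS is a gzipped tar containing config/bigip_base.conf plus the filestore tree, and that each file object in bigip_base.conf carries a "cache-path <absolute path>" line. The sample archives it builds use a constructed filestore layout.

```shell
# Assumptions (not stated in the bug record): a UCS is a gzipped tar whose
# members include config/bigip_base.conf and the filestore tree, and every file
# object in bigip_base.conf carries a "cache-path <absolute path>" line.

# Inspect a UCS archive offline, before loading it: report trust-domain objects
# absent from the archive and cache-path entries that name members the archive
# does not contain. Returns 0 if consistent, 1 if not, 2 if unreadable.
check_ucs_trust() {
    ucs="$1"; rc=0
    listing=$(tar -tzf "$ucs") || return 2
    for f in dtca.crt dtca-bundle.crt dtca.key dtdi.crt dtdi.key; do
        echo "$listing" | grep -qF "$f" || { echo "MISSING object: $f"; rc=1; }
    done
    conf=$(tar -xzOf "$ucs" config/bigip_base.conf 2>/dev/null) \
        || { echo "MISSING member: config/bigip_base.conf"; return 1; }
    # Leading "/" is stripped because tar stores member names relative.
    for p in $(echo "$conf" | awk '$1 == "cache-path" { print $2 }'); do
        echo "$listing" | grep -qxF "${p#/}" \
            || { echo "DANGLING cache-path: $p"; rc=1; }
    done
    return $rc
}

# Build a constructed sample UCS (not a real F5 archive) at $1. $2 = "good":
# filestore matches bigip_base.conf; "bad": dtca.key is absent entirely and
# the dtdi.crt cache-path names a filestore generation that was never saved.
make_sample_ucs() {
    out="$1"; kind="$2"; work=$(mktemp -d)
    fs="config/filestore/files_d/Common_d/trust_d"   # constructed layout
    mkdir -p "$work/$fs"
    for f in dtca.crt dtca-bundle.crt dtca.key dtdi.crt dtdi.key; do
        gen=1
        case "$f" in *.key) objtype=ssl-key ;; *) objtype=ssl-cert ;; esac
        if [ "$kind" = bad ] && [ "$f" = dtca.key ]; then continue; fi
        echo "constructed $f" > "$work/$fs/:Common:${f}_$gen"
        if [ "$kind" = bad ] && [ "$f" = dtdi.crt ]; then gen=2; fi
        printf 'sys file %s %s {\n    cache-path /%s/:Common:%s_%s\n}\n' \
            "$objtype" "$f" "$fs" "$f" "$gen" >> "$work/config/bigip_base.conf"
    done
    (cd "$work" && tar -czf - config) > "$out"
    rm -rf "$work"
}
```

Run check_ucs_trust against a real archive; a non-zero return with MISSING or DANGLING lines is the signature this bug describes, and a clean return means the load failure has some other cause.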

Fix Information

An option has been added to the TMSH config installation command that can be used to reset the keys and certs associated with the trust domain. The option name is 'reset-trust' and it can be specified on the command line when manually loading a UCS file in TMOS. This option mitigates the problem of a UCS file not loading because of missing or incorrectly formed trust certs or device keys. To regenerate the trust-related certs and keys while loading an affected UCS, run the following command: tmsh load sys ucs <UCS File> reset-trust (no trailing punctuation is part of the command). Important: after running this command on a device that is part of a trust domain, the device must rejoin that trust domain.

Behavior Change

An option has been added to the TMSH config installation command that can be used to reset the keys and certs associated with the trust domain. The option name is 'reset-trust' and it can be specified on the command line when manually loading a UCS file in TMOS. This option mitigates the problem of a UCS file not loading because of missing or incorrectly formed trust certs or device keys. To regenerate the trust-related certs and keys while loading an affected UCS, run the following command: tmsh load sys ucs <UCS File> reset-trust (no trailing punctuation is part of the command). Important: after running this command on a device that is part of a trust domain, the device must rejoin that trust domain.

Guides & references

K10134038: F5 Bug Tracker Filter Names and Tips