Bug ID 435555: Cannot load UCS from different BIG-IP system using Secure Vault

Last Modified: Nov 07, 2022

Bug Tracker

Affected Product:  See more info
BIG-IP LTM(all modules)

Known Affected Versions:
11.0.0, 11.1.0, 11.2.0, 11.2.1, 11.3.0, 11.4.0, 11.4.1, 11.5.0, 11.5.1, 11.5.1 HF1, 11.5.1 HF10, 11.5.1 HF11, 11.5.1 HF2, 11.5.1 HF3, 11.5.1 HF4, 11.5.1 HF5, 11.5.1 HF6, 11.5.1 HF7, 11.5.1 HF8, 11.5.1 HF9, 11.5.10, 11.5.2, 11.5.2 HF1, 11.5.3, 11.5.3 HF1, 11.5.3 HF2, 11.5.4, 11.5.4 HF1, 11.5.4 HF2, 11.5.4 HF3, 11.5.4 HF4, 11.5.5, 11.5.6, 11.5.7, 11.5.8, 11.5.9, 11.6.0, 11.6.0 HF1, 11.6.0 HF2, 11.6.0 HF3, 11.6.0 HF4, 11.6.0 HF5, 11.6.0 HF6, 11.6.0 HF7, 11.6.0 HF8, 11.6.1, 11.6.1 HF1, 11.6.1 HF2, 11.6.2, 11.6.2 HF1, 11.6.3, 11.6.3.1, 11.6.3.2, 11.6.3.3, 11.6.3.4, 11.6.4, 11.6.5, 11.6.5.1, 11.6.5.2, 11.6.5.3

Fixed In:
12.0.0

Opened: Oct 28, 2013
Severity: 2-Critical
Related Article:
K15835

Symptoms

If a BIG-IP system uses in Secure Vault to encrypt secure fields, you cannot load that UCS to another BIG-IP system.

Impact

UCS load fails.

Conditions

This occurs when a UCS originates on a BIG-IP system whose secure fields are encrypted using Secure Vault. The reason is that the Master Key to the Secure Vault has been encrypted with the Unit key of the originating BIG-IP system. The Unit key is unique to each system.

Workaround

None

Fix Information

Although in this case, you cannot load a UCS from one device to another without intervention, the admin can now change the master key and then successfully load the configuration onto a different device. 1. Before taking the UCS to a different system, set the master key from a passphrase using the following command: tmsh modify sys crypto master-key prompt-for-password. 2. On the system where the UCS will be restored, load the UCS. (Here, it fails to load due to encrypted attributes which cannot be decrypted.) 3. On the new system with the failed UCS load, set the master key using the previously specified passphrase, by running the command: tmsh modify sys crypto master-key prompt-for-password. 4. Load the configuration with the command: tmsh load sys config. The configuration loads and the encrypted attributes are accessible.

Behavior Change