Last Modified: Apr 28, 2025
Affected Product(s):
BIG-IP LTM
Known Affected Versions:
11.0.0, 11.1.0, 11.2.0, 11.2.1, 11.3.0, 11.4.0, 11.4.1, 11.5.0, 11.5.1, 11.5.1 HF1, 11.5.1 HF2, 11.5.1 HF3, 11.5.1 HF4, 11.5.1 HF5, 11.5.1 HF6, 11.5.1 HF7, 11.5.1 HF8, 11.5.1 HF9, 11.5.1 HF10, 11.5.1 HF11, 11.5.2, 11.5.2 HF1, 11.5.3, 11.5.3 HF1, 11.5.3 HF2, 11.5.4, 11.5.4 HF1, 11.5.4 HF2, 11.5.4 HF3, 11.5.4 HF4, 11.5.5, 11.5.6, 11.5.7, 11.5.8, 11.5.9, 11.5.10, 11.6.0, 11.6.0 HF1, 11.6.0 HF2, 11.6.0 HF3, 11.6.0 HF4, 11.6.0 HF5, 11.6.0 HF6, 11.6.0 HF7, 11.6.0 HF8, 11.6.1, 11.6.1 HF1, 11.6.1 HF2, 11.6.2, 11.6.2 HF1, 11.6.3, 11.6.3.1, 11.6.3.2, 11.6.3.3, 11.6.3.4, 11.6.4, 11.6.5, 11.6.5.1, 11.6.5.2, 11.6.5.3
Fixed In:
12.0.0
Opened: Oct 28, 2013
Severity: 2-Critical
Related Article:
K15835
If a BIG-IP system uses Secure Vault to encrypt secure fields, you cannot load a UCS from that system onto another BIG-IP system.
UCS load fails.
This occurs when a UCS originates on a BIG-IP system whose secure fields are encrypted using Secure Vault. The reason is that the Master Key to the Secure Vault has been encrypted with the Unit key of the originating BIG-IP system. The Unit key is unique to each system.
None
Although in this case you cannot load a UCS from one device to another without intervention, the admin can now change the master key and then successfully load the configuration onto a different device.
1. Before taking the UCS to a different system, set the master key from a passphrase using the following command: tmsh modify sys crypto master-key prompt-for-password.
2. On the system where the UCS will be restored, load the UCS. (Here, it fails to load due to encrypted attributes which cannot be decrypted.)
3. On the new system with the failed UCS load, set the master key using the previously specified passphrase, by running the command: tmsh modify sys crypto master-key prompt-for-password.
4. Load the configuration with the command: tmsh load sys config. The configuration loads and the encrypted attributes are accessible.
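The key relationship behind the failure and the four steps above, as a simplified model. This is an added example, not F5 code: the Device class, the PBKDF2 derivation with a fixed salt, the HMAC-based wrap/unwrap stand-in cipher, and the field name and passphrase are all assumptions chosen so the model runs with the Python standard library only.

```python
import hashlib, hmac, os

def _stream(key, nonce, n):
    blocks = (hmac.new(key, b"enc" + nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range((n + 31) // 32))
    return b"".join(blocks)[:n]

def wrap(key, data):  # toy encrypt-then-MAC stand-in, not F5's actual cipher
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(data, _stream(key, nonce, len(data))))
    return nonce + ct + hmac.new(key, b"mac" + nonce + ct, hashlib.sha256).digest()

def unwrap(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    good = hmac.new(key, b"mac" + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, good):
        raise ValueError("cannot decrypt: wrong key")
    return bytes(a ^ b for a, b in zip(ct, _stream(key, nonce, len(ct))))

class Device:
    def __init__(self):
        self.unit_key = os.urandom(32)    # unique to each system
        self.master_key = os.urandom(32)  # protects the secure fields

    def set_master_key(self, passphrase):
        # Assumption: the same passphrase gives the same master key on any device.
        self.master_key = hashlib.pbkdf2_hmac("sha256", passphrase.encode(), b"constructed-salt", 100_000)

    def save_ucs(self, fields):
        return {"master_key": wrap(self.unit_key, self.master_key),
                "fields": {k: wrap(self.master_key, v) for k, v in fields.items()}}

    def load_ucs(self, ucs):
        try:  # only the originating unit key can unwrap the archived master key
            self.master_key = unwrap(self.unit_key, ucs["master_key"])
        except ValueError:
            pass  # different unit key: fall back to the local master key
        return {k: unwrap(self.master_key, v) for k, v in ucs["fields"].items()}

if __name__ == "__main__":
    a, b = Device(), Device()
    a.set_master_key("constructed passphrase")   # step 1, on the source system
    ucs = a.save_ucs({"bind-pw": b"s3cret"})
    try:
        b.load_ucs(ucs)                          # step 2: fails
    except ValueError as err:
        print("B:", err)
    b.set_master_key("constructed passphrase")   # step 3
    print("B:", b.load_ucs(ucs))                 # step 4: succeeds
```

In the model, step 4 is represented by reading the same archive again once both devices share the passphrase-derived master key.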