Bug ID 462523: BIG-IP software installation (liveinstall) signature validation cannot use ISO files from vCMP hypervisor

Last Modified: Apr 10, 2019

Bug Tracker

Affected Product:  See more info
BIG-IP TMOS(all modules)

Known Affected Versions:
11.5.0, 11.5.1, 11.5.1 HF1, 11.5.1 HF10, 11.5.1 HF11, 11.5.1 HF2, 11.5.1 HF3, 11.5.1 HF4, 11.5.1 HF5, 11.5.1 HF6, 11.5.1 HF7, 11.5.1 HF8, 11.5.1 HF9, 11.5.2, 11.5.2 HF1, 11.5.3, 11.5.3 HF1, 11.5.3 HF2, 11.5.4, 11.5.4 HF1, 11.5.4 HF2, 11.5.4 HF3, 11.5.4 HF4, 11.5.5, 11.5.6, 11.5.7, 11.5.8, 11.5.9, 11.6.0, 11.6.0 HF1, 11.6.0 HF2, 11.6.0 HF3, 11.6.0 HF4, 11.6.0 HF5, 11.6.0 HF6, 11.6.0 HF7, 11.6.0 HF8, 11.6.1, 11.6.1 HF1, 11.6.1 HF2, 11.6.2, 11.6.2 HF1, 11.6.3, 11.6.3.1, 11.6.3.2, 11.6.3.3, 11.6.3.4, 11.6.4, 12.0.0, 12.0.0 HF1, 12.0.0 HF2, 12.0.0 HF3, 12.0.0 HF4, 12.1.0, 12.1.0 HF1, 12.1.0 HF2, 12.1.1, 12.1.1 HF1, 12.1.1 HF2, 12.1.2, 12.1.2 HF1, 12.1.2 HF2, 12.1.3, 12.1.3.1, 12.1.3.2, 12.1.3.3, 12.1.3.4, 12.1.3.5, 12.1.3.6, 12.1.3.7, 12.1.4, 12.1.4.1, 13.0.0, 13.0.0 HF1, 13.0.0 HF2, 13.0.0 HF3, 13.0.1

Opened: May 15, 2014
Severity: 3-Major

Symptoms

When signature verification for BIG-IP ISO images is enabled, a vCMP guest cannot install images stored on the hypervisor (block-device-image or block-device-hotfix), Common Criteria Mode enables this feature by default, but it can also be manually enabled, as described in K15225: Enabling signature verification for BIG-IP ISO image files

Impact

Installation will fail. Running tmsh show sys software will show a status similar to: "failed (Repository must be a file for signature validation ; /tmp/lind_util.<random letters>.)"

Conditions

BIG-IP system has signature validation enabled (the liveinstall.checksig DB key is set to "enable"), and administrator tries to install software from the hypervisor (using block-device-image or block-device-hotfix in tmsh).

Workaround

To work around this issue, you can disable automatic image verification and do image verification manually before installing. Impact of workaround: this will have no impact to the system. To disable automatic image verification, run the following tmsh command: tmsh modify sys db liveinstall.checksig value "disable" To manually verify the image, please see K24341140: Verifying BIG-IP software images using .sig and .pem files, available at https://support.f5.com/csp/article/K24341140

Fix Information

None

Behavior Change