Last Modified: Nov 07, 2022
Affected Product(s):
BIG-IP LTM
Known Affected Versions:
11.0.0, 11.1.0, 11.2.0, 11.2.1, 11.3.0, 11.4.0, 11.4.1, 11.5.0, 11.5.1, 11.5.1 HF1, 11.5.1 HF10, 11.5.1 HF11, 11.5.1 HF2, 11.5.1 HF3, 11.5.1 HF4, 11.5.1 HF5, 11.5.1 HF6, 11.5.1 HF7, 11.5.1 HF8, 11.5.1 HF9, 11.5.10, 11.6.0, 11.6.0 HF1, 11.6.0 HF2, 11.6.0 HF3, 11.6.0 HF4
Fixed In:
12.0.0, 11.6.0 HF5, 11.5.2
Opened: May 21, 2014 Severity: 4-Minor Related Article:
K16722
Symptoms:
FIPS exported keys get created only on the unit on which the FIPS key is created or imported. The FIPS exported key does not get created on the HA peer.
The UCS created on such an HA peer does not contain the FIPS .exp key files, so restoring that UCS does not recover the FIPS keys. If a FIPS unit is returned to F5 Networks for a replacement unit, recovery of the FIPS keys on the new unit is not straightforward, or might not be possible.
Conditions:
HA setup with multiple FIPS devices.
Workaround:
Manually copy the .exp file from the peer, or generate the UCS on the peer and load it manually. From the command line, you can use scp to copy all FIPS exported key files from /config/ssl/ssl.cavfips/ on one HA peer to the other, and vice versa, so that each unit holds the complete set of FIPS exported key files.
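The following shell helpers are an added example for the workaround above; they are not from this article or from F5. They assume a UCS archive is a gzip-compressed tar file, that FIPS exported keys are the .exp files under /config/ssl/ssl.cavfips/, and that the peer accepts scp as root. The peer hostname and key file names are placeholders. The first function reports which .exp files one unit has that the other lacks (compare the local directory with a copied peer listing), the second counts FIPS exported-key entries inside a UCS before you rely on it for recovery, and the third performs the two-way scp copy the article describes.

```shell
#!/bin/sh
# Added example, not F5 code. Assumptions: UCS = tar.gz archive, FIPS
# exported keys live in /config/ssl/ssl.cavfips/*.exp, peer reachable
# by scp as root. Hostnames and file names below are placeholders.

FIPS_EXP_DIR="/config/ssl/ssl.cavfips"

# Print the names of .exp files present in DIR_A but missing from DIR_B,
# one per line. Pass the local directory and a copy of the peer's directory
# (or the reverse) to see which exported keys a unit lacks.
missing_exp_keys() {
  dir_a="$1"; dir_b="$2"
  for f in "$dir_a"/*.exp; do
    [ -e "$f" ] || continue            # glob did not match: no .exp files
    name=$(basename "$f")
    [ -e "$dir_b/$name" ] || printf '%s\n' "$name"
  done
}

# Count FIPS exported-key entries inside a UCS archive. A result of 0
# means restoring this UCS will not bring the FIPS keys back.
ucs_fips_exp_count() {
  tar -tzf "$1" | grep -c 'ssl\.cavfips/.*\.exp$' || true
}

# Two-way copy so both HA peers hold every .exp file (the workaround).
# Not executed by the checks below; run it by hand with the peer's name.
sync_fips_exp_keys() {
  peer="$1"
  scp "$FIPS_EXP_DIR"/*.exp "root@$peer:$FIPS_EXP_DIR/" &&
  scp "root@$peer:$FIPS_EXP_DIR/*.exp" "$FIPS_EXP_DIR/"
}

# Usage (placeholders):
#   missing_exp_keys /config/ssl/ssl.cavfips /tmp/peer_cavfips_copy
#   ucs_fips_exp_count /var/local/ucs/backup.ucs
#   sync_fips_exp_keys peer.example.com
```

After running the copy, `missing_exp_keys` in both directions should print nothing; a UCS taken from either unit should then show a non-zero count from `ucs_fips_exp_count`.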
Fix Information:
FIPS exported keys now get created on the HA peer as well as on the unit on which the FIPS key is created or imported.