Bug ID 463696: FIPS keys might not be recoverable from UCS

Last Modified: Nov 07, 2022

Bug Tracker

Affected Product:
BIG-IP LTM(all modules)

Known Affected Versions:
11.0.0, 11.1.0, 11.2.0, 11.2.1, 11.3.0, 11.4.0, 11.4.1, 11.5.0, 11.5.1, 11.5.1 HF1, 11.5.1 HF10, 11.5.1 HF11, 11.5.1 HF2, 11.5.1 HF3, 11.5.1 HF4, 11.5.1 HF5, 11.5.1 HF6, 11.5.1 HF7, 11.5.1 HF8, 11.5.1 HF9, 11.5.10, 11.6.0, 11.6.0 HF1, 11.6.0 HF2, 11.6.0 HF3, 11.6.0 HF4

Fixed In:
12.0.0, 11.6.0 HF5, 11.5.2

Opened: May 21, 2014
Severity: 4-Minor
Related Article:
K16722

Symptoms

FIPS exported keys get created only on the unit on which the FIPS key is created or imported. This FIPS exported key does not get created on the HA peer.

Impact

The UCS created on such an HA peer does not contain the FIPS .exp key files, so restoring that UCS does not recover the FIPS keys. If a FIPS unit is returned to F5 Networks for a replacement unit, recovering the FIPS keys on the new unit is not straightforward, or might not be possible.

Conditions

HA setup with multiple FIPS devices.

Workaround

Manually copy the .exp file from the peer, or generate the UCS on the peer and load it manually. From the command line, you can use scp to copy all FIPS exported keys in /config/ssl/ssl.cavfips/ from one HA peer to the other, and vice versa, so that each unit has the complete set of FIPS exported key files.
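The following script is an added example of the scp-based workaround above; it is not F5's own code. It compares the listing of /config/ssl/ssl.cavfips/ on this unit with the peer's listing and copies only the .exp files each side lacks, in both directions, so that a UCS taken on either peer afterwards contains every exported key. The directory comes from the page; the FIPS_PEER variable, the function names, ssh/scp access between the peers, and the sample listings are assumptions.

```shell
#!/bin/sh
# Added example (not F5's code): keep the FIPS exported-key (.exp) files in
# sync between two HA peers by comparing directory listings and copying the
# files the other side lacks with scp. KEYDIR is the directory named on the
# page; FIPS_PEER and the function names are assumptions.
KEYDIR="${KEYDIR:-/config/ssl/ssl.cavfips}"

# missing_exp_files SRC_LIST DST_LIST
# Both arguments are newline-separated directory listings. Prints the .exp
# basenames present in SRC_LIST but absent from DST_LIST, one per line.
# Entries that are not .exp files are ignored, since the workaround concerns
# the exported keys only.
missing_exp_files() {
    printf '%s\n' "$1" | grep '\.exp$' | sort -u | while IFS= read -r f; do
        printf '%s\n' "$2" | grep -qxF -- "$f" || printf '%s\n' "$f"
    done
}

# count_missing SRC_LIST DST_LIST: number of .exp files the destination lacks.
count_missing() {
    missing_exp_files "$1" "$2" | awk 'END { print NR }'
}

# push_exp_to_peer PEER: copy every local .exp file the peer does not have.
push_exp_to_peer() {
    local_list=$(ls "$KEYDIR")
    peer_list=$(ssh "$1" "ls '$KEYDIR'")
    missing_exp_files "$local_list" "$peer_list" | while IFS= read -r f; do
        scp "$KEYDIR/$f" "$1:$KEYDIR/$f"
    done
}

# pull_exp_from_peer PEER: the reverse direction ("and vice versa" on the
# page), so each unit ends up holding the full set.
pull_exp_from_peer() {
    local_list=$(ls "$KEYDIR")
    peer_list=$(ssh "$1" "ls '$KEYDIR'")
    missing_exp_files "$peer_list" "$local_list" | while IFS= read -r f; do
        scp "$1:$KEYDIR/$f" "$KEYDIR/$f"
    done
}

# Constructed sample listings for an offline dry run (not real key names).
SAMPLE_LOCAL="$(printf 'app1.exp\napp2.exp\napp1.key\n')"
SAMPLE_PEER="$(printf 'app1.exp\n')"

if [ -n "${FIPS_PEER:-}" ]; then
    # Real run: FIPS_PEER is the HA peer's management address (assumption).
    push_exp_to_peer "$FIPS_PEER"
    pull_exp_from_peer "$FIPS_PEER"
else
    # Dry run on the constructed listings: the peer lacks app2.exp only.
    echo "Peer lacks $(count_missing "$SAMPLE_LOCAL" "$SAMPLE_PEER") file(s):"
    missing_exp_files "$SAMPLE_LOCAL" "$SAMPLE_PEER"
fi
```

Run it with FIPS_PEER set to the peer's address on each unit in turn; without FIPS_PEER it only reports, on the constructed listings, which files would be copied. Comparing listings before copying keeps the operation idempotent, so it can be re-run after every key creation or import until an upgrade to a fixed version.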

Fix Information

FIPS exported keys now get created on the HA peer as well as on the unit on which the FIPS key is created or imported.

Behavior Change