Bug ID 463696: FIPS keys might not be recoverable from UCS

Last Modified: Sep 13, 2023

Affected Product(s):
BIG-IP LTM (all modules)

Known Affected Versions:
11.0.0, 11.6.0 HF1, 11.6.0 HF2, 11.6.0 HF3, 11.6.0 HF4, 11.5.1 HF1, 11.5.1 HF2, 11.5.1 HF3, 11.5.1 HF4, 11.5.1 HF5, 11.5.1 HF6, 11.5.1 HF7, 11.5.1 HF8, 11.5.1 HF9, 11.5.1 HF10, 11.5.1 HF11, 11.5.2 HF1, 11.5.3 HF1, 11.5.3 HF2, 11.5.4 HF1, 11.5.4 HF2, 11.5.4 HF3, 11.5.4 HF4, 11.1.0, 11.2.0, 11.2.1, 11.3.0, 11.4.0, 11.4.1, 11.5.0, 11.5.1, 11.6.0, 11.6.1, 11.6.2, 11.6.3, 11.6.3.1, 11.6.3.2, 11.6.3.3, 11.6.3.4, 11.6.4, 11.6.5, 11.6.5.1, 11.6.5.2, 11.6.5.3, 12.1.0 HF1, 12.1.0 HF2, 12.1.1 HF1, 12.1.1 HF2, 12.1.2 HF1, 12.1.2 HF2

Fixed In:
12.0.0, 11.6.0 HF5, 11.5.2

Opened: May 21, 2014

Severity: 4-Minor

Related Article: K16722

Symptoms

FIPS exported keys get created only on the unit on which the FIPS key is created or imported. This FIPS exported key does not get created on the HA peer.

Impact

The UCS created on such an HA peer does not contain the FIPS .exp key files. Restoring such a UCS does not recover the FIPS keys. If a FIPS unit is returned to F5 Networks for a replacement unit, the recovery of FIPS keys is not straightforward on the new unit, or might not be possible.

Conditions

HA setup with multiple FIPS devices.

Workaround

Manually copy the .exp file from the peer, or generate the UCS on the peer and load it manually. From the command line, you can use scp to copy all FIPS exported keys in /config/ssl/ssl.cavfips/ from one HA peer to the other, and vice versa, so that each unit has all the FIPS exported key files.
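
Before copying, it helps to know which .exp files each unit actually lacks. The script below is an added example, not F5 code: it compares file-name listings of the FIPS export directory from the two units and reports the gaps in each direction. The function names, the listing-file approach and the sample file names are assumptions made for illustration; only the directory path comes from this article.

```shell
#!/bin/sh
# Added example, not F5 code. Reports which FIPS exported key files (.exp)
# each HA unit lacks, by comparing file-name listings only.

# Directory named in the workaround; override FIPS_DIR when testing.
FIPS_DIR="${FIPS_DIR:-/config/ssl/ssl.cavfips}"

# Print the sorted base names of the .exp files in a directory.
exp_names() {
    find "${1:-$FIPS_DIR}" -maxdepth 1 -type f -name '*.exp' 2>/dev/null |
        sed 's|.*/||' | LC_ALL=C sort
}

# $1, $2: listing files written by exp_names on each unit.
# Print the names in $1 that are absent from $2.
missing_from() {
    LC_ALL=C comm -23 "$1" "$2"
}

# Report both directions; succeed only if both units hold the same set.
compare_units() {
    to_peer=$(missing_from "$1" "$2")
    to_local=$(missing_from "$2" "$1")
    if [ -n "$to_peer" ]; then
        printf '%s\n' "$to_peer" | sed 's/^/missing on peer:  /'
    fi
    if [ -n "$to_local" ]; then
        printf '%s\n' "$to_local" | sed 's/^/missing locally: /'
    fi
    [ -z "$to_peer$to_local" ]
}

# Constructed sample data: two directories standing in for the two units.
demo() {
    d=$(mktemp -d)
    mkdir "$d/local" "$d/peer"
    touch "$d/local/site-a.exp" "$d/local/site-b.exp" "$d/peer/site-b.exp"
    exp_names "$d/local" > "$d/local.lst"
    exp_names "$d/peer" > "$d/peer.lst"
    compare_units "$d/local.lst" "$d/peer.lst" || echo "units differ"
    rm -rf "$d"
}

demo
```

On a real pair, run exp_names on each unit and compare the two listings, so that only the reported files need to be copied with scp. Rerunning the comparison afterwards should exit successfully, which confirms that a UCS taken on either unit will include every exported key.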

Fix Information

FIPS exported keys now get created on the HA peer as well as on the unit on which the FIPS key is created or imported.

Behavior Change
