Bug ID 468790: Inconsistent SafeNet key deletion in BIG-IP and Safenet HSM

Last Modified: Oct 07, 2023

Affected Product(s):
BIG-IP LTM(all modules)

Known Affected Versions:
11.5.1 HF1, 11.5.1 HF2, 11.5.1 HF3, 11.5.1 HF4, 11.5.1 HF5, 11.5.1 HF6, 11.5.1 HF7, 11.5.1 HF8, 11.5.1 HF9, 11.5.1 HF10, 11.5.1 HF11, 11.5.2 HF1, 11.5.3 HF1, 11.5.3 HF2, 11.5.4 HF1, 11.5.4 HF2, 11.5.4 HF3, 11.5.4 HF4, 12.1.0 HF1, 12.1.0 HF2, 12.1.1 HF1, 12.1.1 HF2, 12.1.2 HF1, 12.1.2 HF2

Fixed In:
12.1.0, 12.0.0, 11.6.1 HF1

Opened: Jun 24, 2014

Severity: 3-Major

Symptoms

Under some conditions, when deleting a SafeNet key, the key is deleted from HSM but not from the BIG-IP system.

Impact

If this clientSSL profile is currently used by a virtual server, then SSL connection to this virtual server fails since the key is not in HSM.

Conditions

This issue happens when the BIG-IP system satisfies the following conditions: 1. A SafeNet-generated key is in use by a clientSSL profile. 2. Safenet HSM is installed.

Workaround

1. Remove the key/cert from the clientSSL profile, so that they become 'not in use'. 2. Delete the not-in-use key/cert from the BIG-IP system. 2. Configure another key/cert in the clientSSL profile.

Fix Information

In this release, when deleting a SafeNet key, the key is deleted from HSM as well as from the BIG-IP system

Behavior Change

Guides & references

K10134038: F5 Bug Tracker Filter Names and Tips