Bug ID 489750: Deletion of FIPS keys by-handle may delete key in FIPS-card even if key exists in BIG-IP config

Last Modified: Apr 10, 2019

Affected Product:
BIG-IP LTM(all modules)

Known Affected Versions:
11.4.0, 11.4.1, 11.5.0, 11.5.1, 11.5.1 HF1, 11.5.1 HF10, 11.5.1 HF11, 11.5.1 HF2, 11.5.1 HF3, 11.5.1 HF4, 11.5.1 HF5, 11.5.1 HF6, 11.5.1 HF7, 11.5.1 HF8, 11.5.1 HF9, 11.5.2, 11.5.2 HF1, 11.6.0, 11.6.0 HF1, 11.6.0 HF2, 11.6.0 HF3, 11.6.0 HF4

Fixed In:
12.0.0, 11.6.0 HF5, 11.5.3

Opened: Nov 10, 2014
Severity: 3-Major
Related AskF5 Article:
K16696

Symptoms

From 11.4.0 onwards, deleting a FIPS key by handle is expected to throw an error if the BIG-IP config contains a key object for that key. However, if the key name differs from the key's FIPS label, the by-handle deletion removes the key from the FIPS card without checking the BIG-IP config. It does not delete that key from the BIG-IP config.

Impact

FIPS key deletion by handle may not throw the expected error when the FIPS handle corresponds to a key in the BIG-IP config; it deletes the key from the FIPS card without deleting the key object from the BIG-IP config, leaving a config entry that references a key the card no longer holds.

Conditions

Deleting a FIPS key by handle using tmsh when the key name is different from the key's FIPS label.

Workaround

FIPS key deletion by handle should only be used for FIPS key handles that have no corresponding key object in the BIG-IP config. If deletion of the FIPS key was intended and a by-handle deletion has already been performed that did not remove the key from the BIG-IP config, use the following workaround:

1. After executing 'tmsh delete sys crypto fips by-handle <handle-number>', check whether the corresponding key still exists in the BIG-IP config by executing 'tmsh list sys crypto key'.
2. If the key in question was not deleted, execute 'tmsh delete sys crypto key <keyname>'.

Fix Information

The system now correctly handles deleting a FIPS key by handle using tmsh when the key name is different from the key's FIPS label.

Behavior Change