Bug ID 553795: Differing cert/key after successful config-sync

Last Modified: Oct 01, 2018

Bug Tracker

Affected Product:  See more info
BIG-IP TMOS(all modules)

Known Affected Versions:
11.5.1, 11.5.1 HF1, 11.5.1 HF10, 11.5.1 HF11, 11.5.1 HF2, 11.5.1 HF3, 11.5.1 HF4, 11.5.1 HF5, 11.5.1 HF6, 11.5.1 HF7, 11.5.1 HF8, 11.5.1 HF9, 11.5.2, 11.5.2 HF1, 11.5.3, 11.5.3 HF1, 11.5.3 HF2, 11.5.4, 11.5.4 HF1, 11.6.0, 11.6.0 HF1, 11.6.0 HF2, 11.6.0 HF3, 11.6.0 HF4, 11.6.0 HF5, 11.6.0 HF6, 11.6.0 HF7, 11.6.0 HF8, 11.6.1, 12.0.0, 12.0.0 HF1, 12.0.0 HF2, 12.0.0 HF3, 12.0.0 HF4, 12.1.0, 12.1.0 HF1, 12.1.0 HF2, 12.1.1, 12.1.1 HF1, 12.1.1 HF2

Fixed In:
13.0.0, 12.1.2, 11.6.1 HF1, 11.5.4 HF2

Opened: Oct 21, 2015
Severity: 3-Major
Related AskF5 Article:
K60132231

Symptoms

1) If you change a client-ssl profile to a different cert/key, delete the original cert/key, create a new cert/key with the same name as the original one, associate the new cert/key with the original client-ssl profile, then do a config-sync, the peer system(s)' FIPS chip retains a copy of the original key. 2) If you change a client-ssl profile to a different cert/key, then create a new cert/key with a different name from the original one, associate the new cert/key with the original client-ssl profile, then do a config-sync, the config-sync operation may fail and the peer's client-ssl profile will still use the original cert/key instead of the new one.

Impact

1) An abandoned FIPS key is left behind. 2) The systems may be out-of-sync, and one system's client-ssl profile uses one cert/key pair, while the other systems' same client-ssl profile uses a different cert/key pair.

Conditions

1) High Availability failover systems with FIPS configured with Manual Sync. 2) High Availability failover systems without FIPS configured with Manual Sync.

Workaround

1) For the first scenario, you can use either of the following workarounds: -- Run an extra config-sync before the second change of the client-ssl profile. -- Delete the FIPS key by-handle on the peer systems. 2) For the second scenario, you can use the following workaround: -- Perform another config-sync operation in the GUI with the 'Overwrite Configuration' checkbox checked. Note: If you also deleted your original cert/key pair, perform the following procedure: 1. Go onto the peer systems. 2. Manually delete those cert/key files that were copied during the first config-sync operation. 3. Look for the corresponding cert/key files in these two directories: /config/filestore/files_d/Common_d/certificate_d: /config/filestore/files_d/Common_d/certificate_key_d: 4. Delete the cert/key files in those directories.

Fix Information

Systems now have the same cert/key after successful config-sync of High Availability configurations.

Behavior Change