Bug ID 553795: Differing cert/key after successful config-sync

Last Modified: Oct 16, 2023

Affected Product(s):
BIG-IP TMOS(all modules)

Known Affected Versions:
11.5.1 HF1, 11.5.1 HF2, 11.5.1 HF3, 11.5.1 HF4, 11.5.1 HF5, 11.5.1 HF6, 11.5.1 HF7, 11.5.1 HF8, 11.5.1 HF9, 11.5.1 HF10, 11.5.1 HF11, 11.5.2 HF1, 11.5.3 HF1, 11.5.3 HF2, 11.5.4 HF1, 11.6.0, 11.6.1, 11.6.2, 11.6.3, 11.6.3.1, 11.6.3.2, 11.6.3.3, 11.6.3.4, 11.6.4, 11.6.5, 11.6.5.1, 11.6.5.2, 11.6.5.3, 12.0.0, 12.0.0 HF1, 12.1.0 HF1, 12.0.0 HF2, 12.1.0 HF2, 12.0.0 HF3, 12.0.0 HF4, 12.1.1 HF1, 12.1.1 HF2, 12.1.2 HF1, 12.1.2 HF2, 12.1.0, 12.1.1

Fixed In:
13.0.0, 12.1.2, 11.6.1 HF1, 11.5.4 HF2

Opened: Oct 21, 2015

Severity: 3-Major

Related Article: K60132231

Symptoms

1) If you change a client-ssl profile to a different cert/key, delete the original cert/key, create a new cert/key with the same name as the original, associate the new cert/key with the original client-ssl profile, and then run a config-sync, the FIPS chip on the peer system(s) retains a copy of the original key.

2) If you change a client-ssl profile to a different cert/key, create a new cert/key with a different name from the original, associate the new cert/key with the original client-ssl profile, and then run a config-sync, the config-sync operation may fail, and the peer's client-ssl profile continues to use the original cert/key instead of the new one.

Impact

1) An abandoned key is left behind on the FIPS hardware.

2) The systems may be out of sync: one system's client-ssl profile uses one cert/key pair, while the same client-ssl profile on the other systems uses a different cert/key pair.

Conditions

1) High Availability failover systems with FIPS, configured for manual sync.

2) High Availability failover systems without FIPS, configured for manual sync.

Workaround

1) For the first scenario, use either of the following workarounds:
-- Run an extra config-sync before the second change to the client-ssl profile.
-- Delete the FIPS key by handle on the peer systems.

2) For the second scenario, use the following workaround:
-- Perform another config-sync operation in the GUI with the 'Overwrite Configuration' checkbox checked.

Note: If you also deleted your original cert/key pair, perform the following procedure:
1. Log on to the peer systems.
2. Locate the cert/key files that were copied during the first config-sync operation in these two directories:
/config/filestore/files_d/Common_d/certificate_d
/config/filestore/files_d/Common_d/certificate_key_d
3. Delete those cert/key files from both directories.
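After applying either workaround for the second scenario, the check a practitioner wants is proof that the peer's filestore actually holds the same cert/key content as the local system, since the profile name alone is identical on both sides. The script below is an added example, not code from the bug page or from F5; it compares two filestore directories by content hash. It assumes (this is not stated on the page) that filestore entries are named ":<partition>:<object>_<id>_<rev>" with a per-device numeric suffix, so objects are matched on the name with that suffix stripped, that there is one revision per object in each directory, and that the peer's directory has already been copied locally with scp or rsync. It does not cover the abandoned FIPS key from the first scenario, which lives in the HSM rather than in the filestore.

```shell
#!/bin/sh
# Added example, not taken from the F5 bug page or from F5 software.
# Compares two BIG-IP filestore directories (local vs. a copy of the peer's)
# by file content, so cert/key drift of the kind described in this bug can be
# detected after a config-sync.
#
# Assumptions made here, not stated on the page:
#   - filestore entries are named ":<partition>:<object>_<id>_<rev>"
#     (for example ":Common:app.crt_40369_1"); the numeric suffix is
#     per-device, so objects are matched on the name with that suffix removed,
#     and each directory holds one revision per object.
#   - the peer's directory has already been copied locally (scp/rsync); the
#     functions below only compare two local directory trees.

# SHA-256 of one file; falls back to shasum on systems without sha256sum.
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Print "<object-name> <sha256>" for every file in a filestore directory,
# sorted by object name, with the per-device "_<id>_<rev>" suffix removed.
filestore_manifest() {
    dir=$1
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        name=$(basename "$f" | sed 's/_[0-9][0-9]*_[0-9][0-9]*$//')
        printf '%s %s\n' "$name" "$(hash_file "$f")"
    done | sort
}

# Compare the local filestore directory ($1) with the peer's copy ($2).
# Prints one line per discrepancy ("local-only", "peer-only" or
# "content-differs", followed by the object name) and returns 1 if there is
# any; returns 0 with no output when both sides match.
compare_filestore() {
    local_manifest=$(mktemp) || return 2
    peer_manifest=$(mktemp) || return 2
    filestore_manifest "$1" > "$local_manifest"
    filestore_manifest "$2" > "$peer_manifest"
    # Join on object name, keeping unmatched lines from either side; a
    # missing hash is rendered as MISSING so awk can classify the case.
    diffs=$(join -a 1 -a 2 -e MISSING -o 0,1.2,2.2 \
                "$local_manifest" "$peer_manifest" |
            awk '$2 != $3 {
                     if ($3 == "MISSING")      kind = "local-only"
                     else if ($2 == "MISSING") kind = "peer-only"
                     else                      kind = "content-differs"
                     print kind, $1
                 }')
    rm -f "$local_manifest" "$peer_manifest"
    if [ -n "$diffs" ]; then
        printf '%s\n' "$diffs"
        return 1
    fi
    return 0
}

# Usage on a BIG-IP after copying the peer's directory to /tmp/peer:
#   compare_filestore /config/filestore/files_d/Common_d/certificate_key_d \
#                     /tmp/peer/certificate_key_d
# Run it once per directory (certificate_d and certificate_key_d); a
# "content-differs" line for the key used by the client-ssl profile is
# exactly the out-of-sync state this bug leaves behind.
```

Matching on content rather than on filename matters here: the same object carries different "_<id>_<rev>" suffixes on each device, so a plain directory diff reports every file as different and hides the one key that really changed.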

Fix Information

Systems now have the same cert/key after successful config-sync of High Availability configurations.

Behavior Change

Guides & references

K10134038: F5 Bug Tracker Filter Names and Tips