Symptoms

When you install Thales on the BIG-IP, by default both slot protection and module protection are enabled for the customer to use. Some costumers use both, some use only one. When a customer has both enabled but is only choosing to use module, the customer still needs to input OCS passphrase even if they use module protected key. As a result of this issue, you may encounter one or more of the following symptoms: Client SSL connections are failing. In the /var/log/ltm file, you may observe log messages similar to the following example: crit tmm1[6789]: 01260010:2: FIPS acceleration device failure: cannot locate key The BIG-IP system is unable to connect to the remote Thales HSM. In the /shared/nfast/log/hardserver.log file, you may observe log messages similar to the following example: nFast server: Remote server error: Operating system call failed: connect to `INET/192.168.10.100/9004', Connection timed out

Impact

Both the Token (OCS) and Module keys must be entered when prompted for Thales HSM slot password. If the Token (OCS) password is not entered, the BIG-IP systems will fail to connect to the Thales HSM, and client SSL connections will fail.

Conditions

This issue occurs when all of the following conditions are met: The BIG-IP system is configured to use a Thales HSM to protect Secure Sockets Layer (SSL) keys. Both the Module and Token (OCS) key protection methods are configured. Only the Module key protection method is currently enabled.

Workaround

User inputs OCS passphrase (which may be configured at a different application) on the BIG-IP.

Fix Information

Thales HSM no longer requires both the Token (OCS) and Module keys must be entered when prompted for Thales HSM slot password, when only Module key protection is enabled.

Guides & references

K10134038: F5 Bug Tracker Filter Names and Tips