Bug ID 558072: User still has to input OCS passphrase when only module keys are used

Last Modified: Mar 17, 2021

Bug Tracker

Affected Product:  See more info
BIG-IP LTM(all modules)

Known Affected Versions:
11.5.0, 11.5.1, 11.5.1 HF1, 11.5.1 HF10, 11.5.1 HF11, 11.5.1 HF2, 11.5.1 HF3, 11.5.1 HF4, 11.5.1 HF5, 11.5.1 HF6, 11.5.1 HF7, 11.5.1 HF8, 11.5.1 HF9, 11.5.10, 11.5.2, 11.5.2 HF1, 11.5.3, 11.5.3 HF1, 11.5.3 HF2, 11.5.4, 11.5.4 HF1, 11.5.4 HF2, 11.5.4 HF3, 11.5.4 HF4, 11.5.5, 11.5.6, 11.5.7, 11.5.8, 11.5.9, 11.6.0, 11.6.0 HF1, 11.6.0 HF2, 11.6.0 HF3, 11.6.0 HF4, 11.6.0 HF5, 11.6.0 HF6, 11.6.0 HF7, 11.6.0 HF8, 11.6.1, 11.6.1 HF1, 11.6.1 HF2, 11.6.2, 11.6.2 HF1, 11.6.3, 11.6.3.1, 11.6.3.2, 11.6.3.3, 11.6.3.4, 11.6.4, 11.6.5, 11.6.5.1, 11.6.5.2, 11.6.5.3, 12.0.0, 12.0.0 HF1, 12.0.0 HF2, 12.0.0 HF3, 12.0.0 HF4

Fixed In:
12.1.0

Opened: Nov 13, 2015
Severity: 3-Major
Related AskF5 Article:
K21145434

Symptoms

When you install Thales on the BIG-IP, by default both slot protection and module protection are enabled for the customer to use. Some costumers use both, some use only one. When a customer has both enabled but is only choosing to use module, the customer still needs to input OCS passphrase even if they use module protected key. As a result of this issue, you may encounter one or more of the following symptoms: Client SSL connections are failing. In the /var/log/ltm file, you may observe log messages similar to the following example: crit tmm1[6789]: 01260010:2: FIPS acceleration device failure: cannot locate key The BIG-IP system is unable to connect to the remote Thales HSM. In the /shared/nfast/log/hardserver.log file, you may observe log messages similar to the following example: nFast server: Remote server error: Operating system call failed: connect to `INET/192.168.10.100/9004', Connection timed out

Impact

Both the Token (OCS) and Module keys must be entered when prompted for Thales HSM slot password. If the Token (OCS) password is not entered, the BIG-IP systems will fail to connect to the Thales HSM, and client SSL connections will fail.

Conditions

This issue occurs when all of the following conditions are met: The BIG-IP system is configured to use a Thales HSM to protect Secure Sockets Layer (SSL) keys. Both the Module and Token (OCS) key protection methods are configured. Only the Module key protection method is currently enabled.

Workaround

User inputs OCS passphrase (which may be configured at a different application) on the BIG-IP.

Fix Information

Thales HSM no longer requires both the Token (OCS) and Module keys must be entered when prompted for Thales HSM slot password, when only Module key protection is enabled.

Behavior Change