Last Modified: Mar 17, 2021
See more info
Known Affected Versions:
11.5.0, 11.5.1, 11.5.1 HF1, 11.5.1 HF10, 11.5.1 HF11, 11.5.1 HF2, 11.5.1 HF3, 11.5.1 HF4, 11.5.1 HF5, 11.5.1 HF6, 11.5.1 HF7, 11.5.1 HF8, 11.5.1 HF9, 11.5.10, 11.5.2, 11.5.2 HF1, 11.5.3, 11.5.3 HF1, 11.5.3 HF2, 11.5.4, 11.5.4 HF1, 11.5.4 HF2, 11.5.4 HF3, 11.5.4 HF4, 11.5.5, 11.5.6, 11.5.7, 11.5.8, 11.5.9, 11.6.0, 11.6.0 HF1, 11.6.0 HF2, 11.6.0 HF3, 11.6.0 HF4, 11.6.0 HF5, 11.6.0 HF6, 11.6.0 HF7, 11.6.0 HF8, 11.6.1, 11.6.1 HF1, 11.6.1 HF2, 11.6.2, 11.6.2 HF1, 11.6.3, 188.8.131.52, 184.108.40.206, 220.127.116.11, 18.104.22.168, 11.6.4, 11.6.5, 22.214.171.124, 126.96.36.199, 188.8.131.52, 12.0.0, 12.0.0 HF1, 12.0.0 HF2, 12.0.0 HF3, 12.0.0 HF4
Opened: Nov 13, 2015
Related AskF5 Article: K21145434
When you install Thales on the BIG-IP, by default both slot protection and module protection are enabled for the customer to use. Some costumers use both, some use only one. When a customer has both enabled but is only choosing to use module, the customer still needs to input OCS passphrase even if they use module protected key. As a result of this issue, you may encounter one or more of the following symptoms: Client SSL connections are failing. In the /var/log/ltm file, you may observe log messages similar to the following example: crit tmm1: 01260010:2: FIPS acceleration device failure: cannot locate key The BIG-IP system is unable to connect to the remote Thales HSM. In the /shared/nfast/log/hardserver.log file, you may observe log messages similar to the following example: nFast server: Remote server error: Operating system call failed: connect to `INET/192.168.10.100/9004', Connection timed out
Both the Token (OCS) and Module keys must be entered when prompted for Thales HSM slot password. If the Token (OCS) password is not entered, the BIG-IP systems will fail to connect to the Thales HSM, and client SSL connections will fail.
This issue occurs when all of the following conditions are met: The BIG-IP system is configured to use a Thales HSM to protect Secure Sockets Layer (SSL) keys. Both the Module and Token (OCS) key protection methods are configured. Only the Module key protection method is currently enabled.
User inputs OCS passphrase (which may be configured at a different application) on the BIG-IP.
Thales HSM no longer requires both the Token (OCS) and Module keys must be entered when prompted for Thales HSM slot password, when only Module key protection is enabled.