Bug ID 584661: Last good master key

Last Modified: Sep 13, 2023

Affected Product(s):
BIG-IP TMOS (all modules)

Known Affected Versions:
11.6.1, 11.6.2, 11.6.3, 11.6.3.1, 11.6.3.2, 11.6.3.3, 11.6.3.4, 11.6.4, 11.6.5, 11.6.5.1, 11.6.5.2, 11.6.5.3, 12.0.0, 12.0.0 HF1, 12.1.0 HF1, 12.0.0 HF2, 12.1.0 HF2, 12.0.0 HF3, 12.0.0 HF4, 12.1.1 HF1, 12.1.1 HF2, 12.1.2 HF1, 12.1.2 HF2, 12.1.0

Fixed In:
12.1.1

Opened: Mar 31, 2016

Severity: 3-Major

Symptoms

When applying a UCS file to a platform different from the one the UCS was taken on (for example, after an RMA), you get a master key decrypt error because the master key is different.

Impact

UCS load fails when extracting a UCS that came from another system.

Conditions

This can occur either when applying a UCS file to an identical platform you received as an RMA exchange, or while performing the platform-migrate command.

Workaround

None

Fix Information

Secure Vault now stores the last good master key. This allows you to set the master key password to match that of the device you are importing from, and then load the UCS from that system. If master key decryption fails, the system loads the master key that was in effect before the UCS load was initiated. If that master key matches the master key from the system where the UCS was taken, the encrypted attributes in the UCS can be loaded into the configuration.

Behavior Change

Guides & references

K10134038: F5 Bug Tracker Filter Names and Tips