Bug ID 599191: One of the config-sync scenarios causes old FIPS keys to be left in the FIPS card

Last Modified: Oct 01, 2018

Bug Tracker

Affected Product:
BIG-IP TMOS (all modules)

Known Affected Versions:
11.5.1, 11.5.1 HF1, 11.5.1 HF10, 11.5.1 HF11, 11.5.1 HF2, 11.5.1 HF3, 11.5.1 HF4, 11.5.1 HF5, 11.5.1 HF6, 11.5.1 HF7, 11.5.1 HF8, 11.5.1 HF9, 11.5.2, 11.5.2 HF1, 11.5.3, 11.5.3 HF1, 11.5.3 HF2, 11.5.4, 11.5.4 HF1, 11.5.4 HF2, 12.0.0, 12.0.0 HF1, 12.0.0 HF2, 12.0.0 HF3, 12.0.0 HF4, 12.1.0, 12.1.0 HF1, 12.1.0 HF2, 12.1.1, 12.1.1 HF1, 12.1.1 HF2, 12.1.2

Fixed In:
12.1.2 HF1, 11.5.4 HF3

Opened: Jun 14, 2016
Severity: 4-Minor

Symptoms

When running the tmsh show sys crypto fips command, you notice stale keys that you have previously deleted are left behind on the FIPS card.

Impact

A stale key is left on the FIPS card. There is no impact to functionality.

Conditions

This occurs when you have BIG-IPs with FIPS HSMs, configured in manual sync mode, under the following set of actions:
- Create a key-cert pair
- Associate the new key-cert pair with a clientssl profile
- Config sync to the peers
- Associate the clientssl profile with the default key and cert
- Delete the key and cert
- Manual sync

Workaround

Check the handles/key-ids of the keys present in the configuration using tmsh, and compare them against the keys reported by the FIPS card. Then remove each key that is no longer in use with the command tmsh delete sys crypto key <keyname>.
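The workaround above is a reconciliation: compare what the FIPS card reports against what the configuration still references, and delete only the leftovers. The script below is an added example, not part of this bug entry or of F5's tooling. It assumes the `security-type fips` attribute in `tmsh list sys crypto key` output, and it assumes a constructed one-key-per-line "<handle> <label>" layout for the card listing, since the real `tmsh show sys crypto fips` layout is not reproduced on this page. It produces the delete commands for review rather than running anything.

```python
import re

# Constructed sample of `tmsh list sys crypto key` output. The block layout
# and the `security-type` attribute are assumed, not copied from the bug page.
CONFIGURED_KEYS = """\
sys crypto key default.key {
    key-size 2048
    key-type rsa-private
    security-type normal
}
sys crypto key fips-current.key {
    key-size 2048
    key-type rsa-private
    security-type fips
}
"""

# Constructed sample of the key list reported by the FIPS card. This assumes
# one line per key as "<handle> <label>"; the real `tmsh show sys crypto fips`
# layout differs and would need its own parser.
FIPS_CARD_KEYS = """\
1001 fips-current.key
1002 fips-old.key
"""


def parse_configured_keys(text):
    """Return {key_name: security_type} from tmsh list-style output.

    Keys without an explicit security-type are treated as 'normal'.
    """
    result = {}
    for m in re.finditer(r"sys crypto key (\S+) \{(.*?)\n\}", text, re.S):
        name, body = m.group(1), m.group(2)
        sec = re.search(r"security-type (\S+)", body)
        result[name] = sec.group(1) if sec else "normal"
    return result


def parse_fips_card_keys(text):
    """Return {label: handle} from the constructed card listing."""
    keys = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 2:
            handle, label = parts[0], parts[1]
            keys[label] = handle
    return keys


def find_stale_keys(card_text, config_text):
    """Labels present on the card with no matching FIPS key in the config.

    A key that exists in the configuration but is not security-type fips is
    also reported, because the card should not be holding it either.
    """
    configured = parse_configured_keys(config_text)
    card = parse_fips_card_keys(card_text)
    return sorted(label for label in card if configured.get(label) != "fips")


def cleanup_commands(stale):
    """Build the tmsh delete commands from the bug's workaround, for review."""
    return [f"tmsh delete sys crypto key {name}" for name in stale]


if __name__ == "__main__":
    stale = find_stale_keys(FIPS_CARD_KEYS, CONFIGURED_KEYS)
    for cmd in cleanup_commands(stale):
        print(cmd)
```

On a real system, replace the two constructed strings with the captured output of the respective tmsh commands and confirm each reported key is not referenced by any clientssl profile before issuing the delete.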

Fix Information

None

Behavior Change