Bug ID 619873: Secure Vault: Key cleanup for 5000-, 7000-series, and i-Series platforms

Last Modified: Dec 15, 2020

Affected Product:
BIG-IP Install/Upgrade(all modules)

Known Affected Versions:
12.1.0, 12.1.0 HF1, 12.1.0 HF2, 12.1.1, 12.1.1 HF1, 12.1.1 HF2, 12.1.2, 12.1.2 HF1, 12.1.2 HF2, 12.1.3, 12.1.3.1, 12.1.3.2, 12.1.3.3, 12.1.3.4, 12.1.3.5, 12.1.3.6, 12.1.3.7, 12.1.4, 12.1.4.1, 12.1.5, 12.1.5.1, 13.0.0, 13.0.0 HF1, 13.0.0 HF2, 13.0.0 HF3, 13.0.1

Fixed In:
13.1.0, 12.1.5.2

Opened: Sep 30, 2016
Severity: 3-Major

Symptoms

An outdated and unused unit key is left on some devices after an upgrade from an older version.
-- This occurs with 5000- and 7000-series platforms after upgrade from an older version to v13.0.0.
-- This occurs with iSeries platforms after upgrade from an older version to v12.1.4.1 or a later v12.1.x software version.

Impact

1) Unit key on disk is preferred over unit key in hardware.
2a) Potential config load failures when installing v13.0.0 hotfixes on 5000- and 7000-series devices.
2b) Potential config load failures when installing v12.1.x point releases or hotfixes on iSeries devices.

Conditions

One of the following sets of conditions:
-- Running on 5000- and 7000-series platforms.
-- Upgrading from a version earlier than v13.0.0 to v13.0.0.
-- Installing v13.0.0 hotfixes.

Or:
-- Running on iSeries platforms.
-- Upgrading from v12.1.4 or earlier to 12.1.4.1 or a later 12.1.x version.
-- Installing v12.1.x point releases or engineering hotfixes.

Workaround

NOTES:
-- Impacts 5000- and 7000-series platforms on v13.0.x.
-- Impacts iSeries platforms on v12.1.4.1 or a later v12.1.x software version.

On or before upgrade to v13.0.0 or its associated hotfixes, perform the following procedure:
1) Set master key to a known value: modify sys crypto master-key prompt-for-password
2) Save config: tmsh save sys config
3) Remove the old unit key: rm /config/bigip/kstore/.unitkey
4) Load config: tmsh load sys config
5) Save config: tmsh save sys config

Fix Information

Unit key is no longer left on platforms after upgrade from an older version.

Behavior Change