Bug ID 619873: Secure Vault: Key cleanup for 5000-, 7000-series, and i-Series platforms

Last Modified: Sep 13, 2023

Affected Product(s):
BIG-IP Install/Upgrade(all modules)

Known Affected Versions:
12.1.4.1, 12.1.5, 12.1.5.1, 13.0.0, 13.0.0 HF1, 13.0.0 HF2, 13.0.0 HF3, 13.0.1

Fixed In:
13.1.0, 12.1.5.2

Opened: Sep 30, 2016

Severity: 3-Major

Symptoms

Outdated and unused unit key is left on some devices after an upgrade from an older version.
- This occurs with 5000- and 7000-series platforms after upgrade from an older version to v13.0.0.
- This occurs with iSeries platforms after upgrade from an older version to v12.1.4.1 or a later v12.1.x software version.

Impact

1) Unit key on disk is preferred over unit key in hardware.
2a) Potential config load failures when installing v13.0.0 hotfixes on 5000- and 7000-series devices.
2b) Potential config load failures when installing v12.1.x point releases or hotfixes on iSeries devices.

Conditions

One of the following sets of conditions:
-- Running on 5000- and 7000-series platforms.
-- Upgrading from a version earlier than v13.0.0 to v13.0.0.
-- Installing v13.0.0 hotfixes.

Or:
-- Running on iSeries platforms.
-- Upgrading from v12.1.4 or earlier, to 12.1.4.1 or a later 12.1.x version.
-- Installing v12.1.x point releases or engineering hotfixes.

Workaround

NOTES:
-- Impacts 5000- and 7000-series platforms on v13.0.x.
-- Impacts iSeries platforms on v12.1.4.1 or a later v12.1.x software version.

On or before upgrade to v13.0.0 or its associated hotfixes, perform the following procedure:
1) Set master key to a known value: modify sys crypto master-key prompt-for-password
2) Save config: tmsh save sys config
3) Remove the old unit key: rm /config/bigip/kstore/.unitkey
4) Load config: tmsh load sys config
5) Save config: tmsh save sys config
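
A pre-check for the workaround above, added here as an example (not F5 code): it reports whether a platform and version pair falls under the NOTES and whether the on-disk unit key is present. The function names and the platform labels 5000, 7000 and iseries are assumptions of this example; the upper version bounds are taken from the Fixed In field, and the operator supplies platform and version by hand.

```shell
# Added example: scope and presence check before running the workaround.
# Nothing is auto-detected; the operator passes platform family and version.

# ver_ge A B: succeeds when dotted version A >= B, compared field by field.
ver_ge() {
    vg_a=$1; vg_b=$2
    while [ -n "$vg_a" ] || [ -n "$vg_b" ]; do
        vg_x=${vg_a%%.*}; vg_y=${vg_b%%.*}
        [ "${vg_x:-0}" -gt "${vg_y:-0}" ] && return 0
        [ "${vg_x:-0}" -lt "${vg_y:-0}" ] && return 1
        case $vg_a in *.*) vg_a=${vg_a#*.} ;; *) vg_a= ;; esac
        case $vg_b in *.*) vg_b=${vg_b#*.} ;; *) vg_b= ;; esac
    done
    return 0
}

# version_in_scope FAMILY VERSION
# FAMILY is 5000, 7000 or iseries (labels assumed for this example).
version_in_scope() {
    case $1 in
        5000|7000)
            # NOTES: v13.0.x; upper bound from "Fixed In: 13.1.0".
            ver_ge "$2" 13.0.0 && ! ver_ge "$2" 13.1.0 ;;
        iseries)
            # NOTES: v12.1.4.1 or later v12.1.x; upper bound from
            # "Fixed In: 12.1.5.2".
            ver_ge "$2" 12.1.4.1 && ! ver_ge "$2" 12.1.5.2 ;;
        *)
            return 1 ;;
    esac
}

# stale_unitkey_check FAMILY VERSION [KSTORE_DIR]
# Returns 0 only when the version is in scope AND the on-disk key exists.
# KSTORE_DIR defaults to the directory named in step 3 of the workaround.
stale_unitkey_check() {
    su_dir=${3:-/config/bigip/kstore}
    if ! version_in_scope "$1" "$2"; then
        echo "not in scope: $1 on $2"
        return 1
    fi
    if [ -e "$su_dir/.unitkey" ]; then
        echo "on-disk unit key present: $su_dir/.unitkey"
        return 0
    fi
    echo "in scope, but no on-disk unit key in $su_dir"
    return 1
}
```

Run it as, for instance, stale_unitkey_check iseries 12.1.5; a zero exit status means the on-disk key from step 3 exists on a version the NOTES cover.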

Fix Information

Unit key is no longer left on platforms after upgrade from an older version.

Behavior Change

Guides & references

K10134038: F5 Bug Tracker Filter Names and Tips