Bug ID 619873: Secure Vault: Key cleanup for 5000- and 7000-series platforms

Last Modified: Apr 10, 2019

Affected Product:
BIG-IP Install/Upgrade(all modules)

Known Affected Versions:
13.0.0, 13.0.0 HF1, 13.0.0 HF2, 13.0.0 HF3, 13.0.1

Fixed In:
13.1.0

Opened: Sep 30, 2016
Severity: 3-Major

Symptoms

Outdated and unused unit key is left on 5000- and 7000-series platforms after upgrade from an older version to v13.0.0.

Impact

1) Unit key on disk is preferred over unit key in hardware.
2) Potential config load failures when upgrading from pre-v13.0.0 to v13.0.0, or installing v13.0.0 hotfixes on these devices.

Conditions

-- Running on 5000- and 7000-series platforms.
-- Upgrading from a version earlier than v13.0.0 to v13.0.0.
-- Installing v13.0.0 hotfixes.

Workaround

NOTE: Impacts only 5000- and 7000-series platforms.

On or before upgrade to v13.0.0 or its associated hotfixes, perform the following procedure:

1) Set master key to a known value: modify sys crypto master-key prompt-for-password
2) Save config: tmsh save sys config
3) Remove the old unit key: rm /config/bigip/kstore/.unitkey
4) Load config: tmsh load sys config
5) Save config: tmsh save sys config

Fix Information

Unit key is no longer left on 5000- and 7000-series platforms after upgrade from an older version.

Behavior Change