Bug ID 632001: For Thales net-HSMs, fipskey.nethsm now defaults to module protected keys

Last Modified: Sep 13, 2023

Affected Product(s):
BIG-IP TMOS(all modules)

Known Affected Versions:
12.1.1, 12.1.2

Fixed In:
13.0.0, 12.1.3

Opened: Dec 06, 2016

Severity: 3-Major

Symptoms

fipskey.nethsm uses a Thales utility to actually generate/export keys. This utility looks at files in .../kmdata/local to determine what type of protection to use. If there are any softcard or OCS files, then the key will be token protected. If there aren't any files then the key will be module protected. This can be a problem for BIG-IP since that entire folder is synced down to it, so OCS or softcard files unrelated to the BIG-IP operation will change fipskey.nethsm's behavior.

Impact

Key protection type changes based on the presence of softcard or OCS files in .../kmdata/local.

Conditions

Use fipskey.nethsm to generate/export a nethsm-protected key while there are OCS or softcard files in the BIG-IP system's .../kmdata/localfolder.

Workaround

Explicitly use the -c or --protect option to define the protection type when generating/exporting keys.

Fix Information

fipskey.nethsm will now default to making a module-protected key regardless of the presence of OCS or softcard files in .../kmdata/local. Scripts that export or generate token or softcard protected keys will now need to explicitly set the protection type via the -c or the --protect option in all situations.

Behavior Change

Guides & references

K10134038: F5 Bug Tracker Filter Names and Tips