Symptoms

The REST call to install a key from a local file fails when the user is external (e.g., LDAP), even when its role is Administrator.

Impact

Key install operation fails.

Conditions

This issue occurs when all of the following conditions are met: -- The BIG-IP system is configured to allow access to external LDAP users. -- The external LDAP user is assigned an Administrator role. -- The external LDAP user uses the tm/sys/crypto/key iControl REST command to import a key from a local file. For example, you use the tm/sys/crypto/key iControl REST command with external LDAP user f5user that is assigned with the Administrator role, as follows: restcurl -u f5user:f5user -X POST https://localhost/tm/sys/crypto/key -d '{"command":"install","name":"/Common/my-key.key","from-local-file":"/var/config/rest/downloads/my_key.key"}'

Workaround

To work around this issue, you can use the sys/file/ssl-key iControl REST command to import a key file instead. To do so, perform the following procedure: Impact of workaround: Performing the following procedure should not have a negative impact on your system. Log in to the command line on the system from which you want to import the key file. Note: The system must be able to support the command line version of the curl command. Import the key file using the following command syntax: curl -k -u <username:password> -H "Content-Type: application/json" -X POST https://<BIG-IP device>/tm/sys/file/ssl-key/ -d '{"name":"<key file name>","source-path":"<full path to key file>"}' For example: curl -k -u f5user:f5user -H "Content-Type: application/json" -X POST https://localhost/tm/sys/file/ssl-key/ -d '{"name":"f5user1.key","source-path":"file:///shared/my_key.key"}' Note: Ensure that the key file name includes the file suffix, as the tm/sys/file/ssl-key iControl REST command does not automatically append .key in the key name.

Fix Information

None

Guides & references

K10134038: F5 Bug Tracker Filter Names and Tips