Bug ID 633172: External LDAP user with Administrator role may fail to import key file when using iControl REST crypto command

Last Modified: Dec 20, 2018

Bug Tracker

Affected Product:  See more info
BIG-IP TMOS(all modules)

Known Affected Versions:
12.1.0, 12.1.0 HF1, 12.1.0 HF2, 12.1.1, 12.1.1 HF1, 12.1.1 HF2, 12.1.2, 12.1.2 HF1, 12.1.2 HF2, 12.1.3, 12.1.3.1, 12.1.3.2, 12.1.3.3, 12.1.3.4, 12.1.3.5, 12.1.3.6, 12.1.3.7, 12.1.4

Opened: Dec 12, 2016
Severity: 3-Major
Related AskF5 Article:
K12473201

Symptoms

The REST call to install a key from a local file fails when the user is external (e.g., LDAP), even when its role is Administrator.

Impact

Key install operation fails.

Conditions

This issue occurs when all of the following conditions are met: -- The BIG-IP system is configured to allow access to external LDAP users. -- The external LDAP user is assigned an Administrator role. -- The external LDAP user uses the tm/sys/crypto/key iControl REST command to import a key from a local file. For example, you use the tm/sys/crypto/key iControl REST command with external LDAP user f5user that is assigned with the Administrator role, as follows: restcurl -u f5user:f5user -X POST https://localhost/tm/sys/crypto/key -d '{"command":"install","name":"/Common/my-key.key","from-local-file":"/var/config/rest/downloads/my_key.key"}'

Workaround

To work around this issue, you can use the sys/file/ssl-key iControl REST command to import a key file instead. To do so, perform the following procedure: Impact of workaround: Performing the following procedure should not have a negative impact on your system. Log in to the command line on the system from which you want to import the key file. Note: The system must be able to support the command line version of the curl command. Import the key file using the following command syntax: curl -k -u <username:password> -H "Content-Type: application/json" -X POST https://<BIG-IP device>/tm/sys/file/ssl-key/ -d '{"name":"<key file name>","source-path":"<full path to key file>"}' For example: curl -k -u f5user:f5user -H "Content-Type: application/json" -X POST https://localhost/tm/sys/file/ssl-key/ -d '{"name":"f5user1.key","source-path":"file:///shared/my_key.key"}' Note: Ensure that the key file name includes the file suffix, as the tm/sys/file/ssl-key iControl REST command does not automatically append .key in the key name.

Fix Information

None

Behavior Change