Bug ID 639619: UCS may fail to load due to Master key decryption failure on EEPROM-less systems

Last Modified: Jul 13, 2024

Affected Product(s):
BIG-IP All, Install/Upgrade(all modules)

Known Affected Versions:
11.6.3, 11.6.3.1, 11.6.3.2, 11.6.3.3, 11.6.3.4, 12.0.0, 12.0.0 HF1, 12.0.0 HF2, 12.0.0 HF3, 12.0.0 HF4, 12.1.0, 12.1.0 HF1, 12.1.0 HF2, 12.1.1, 12.1.1 HF1, 12.1.1 HF2, 12.1.2, 12.1.2 HF1, 12.1.2 HF2, 12.1.3, 12.1.3.1, 12.1.3.2, 12.1.3.3, 12.1.3.4, 12.1.3.5, 12.1.3.6, 12.1.3.7, 12.1.4, 13.0.0, 13.0.0 HF1, 13.0.0 HF2, 13.0.0 HF3, 13.0.1, 13.1.0, 13.1.0.1, 13.1.0.2, 13.1.0.3, 13.1.0.4, 13.1.0.5, 13.1.0.6, 13.1.0.7, 13.1.0.8, 13.1.1, 13.1.1.2, 13.1.1.3, 14.0.0, 14.0.0.1, 14.0.0.2, 14.0.0.3, 14.0.0.4, 14.0.0.5, 14.0.1, 14.1.0, 14.1.0.1

Fixed In:
15.0.0, 14.1.0.2, 14.0.1.1, 13.1.1.4, 12.1.4.1, 11.6.4

Opened: Jan 16, 2017

Severity: 3-Major

Symptoms

The following error: 'Symmetric Unit Key decrypt failure - decrypt failure' is logged to /var/log/ltm when attempting to load a UCS. Configuration fails then to load due to a secure attribute decryption failure.

Impact

The configuration fails to load.

Conditions

1. UCS contains secure attributes. 2. UCS contains a '/config/bigip/kstore/.unitkey' file. 3. The current '/config/bigip/kstore/.unitkey' file does not match the '.unitkey' file within UCS. 4. System does not utilize an EEPROM for storing its unitkey. (For more information, see K73034260: Overview of the BIG-IP system Secure Vault feature :: https://support.f5.com/csp/article/K73034260.)

Workaround

Perform the following procedure: 1. Stop the system: # bigstart stop 2. Replace the '/config/bigip/kstore/.unitkey' file with the '.unitkey' file from the UCS 3. Replace the '/config/bigip/kstore/master' file with the 'master' file from the UCS 4. Remove the mcp db to forcibly reload the keys: # rm -f /var/db/mcpd.bin # rm -f /var/db/mcpd.info 5. Restart the system and reload the configuration: # bigstart start # tmsh load sys config or # reboot

Fix Information

The system now always reload the .unitkey from storage when loading other keys, so the UCS loads as expected.

Behavior Change

Guides & references

K10134038: F5 Bug Tracker Filter Names and Tips