Bug ID 643404: 'tmsh system software status' does not display properly in a specific cc-mode situation

Last Modified: Nov 07, 2022

Bug Tracker

Affected Product:  See more info
BIG-IP Install/Upgrade(all modules)

Known Affected Versions:
12.1.0, 12.1.0 HF1, 12.1.0 HF2, 12.1.1, 12.1.1 HF1, 12.1.1 HF2, 12.1.2, 13.0.0

Fixed In:
13.1.0, 13.0.0 HF1, 12.1.2 HF1

Opened: Feb 06, 2017
Severity: 4-Minor
Related Article:
K30014507

Symptoms

If software image verification is enabled, the system must first verify a software archive with a cryptographic signature file before using it. If that file is not available, the software change will (intentionally) not proceed. It is also intended that 'tmsh system software status' will explain the condition. But instead, it shows 'failed (reason unknown)'.

Impact

It is difficult to ascertain why the software change cannot be made.

Conditions

Trying to initiate a software change, but there is no signature file available that corresponds to the selected software archive if any of the following is also true: -- The system is in Common Criteria mode (db var Security.CommonCriteria). -- The system is in FIPS compliance mode (db var security.fips140.compliance). -- Signature checking is manually enabled (db var LiveInstall.CheckSig).

Workaround

The installation logs a more detailed explanation for the failure. In the case of Common Criteria mode, it is essential to have the signature file in the same images directory as the .iso image you intend to install. To do so, copy the .sig file from the F5 Downloads site to the image location, and try the installation again.

Fix Information

The 'tmsh show system software status' now displays the relevant issue, for example: failed (No signature verification possible for image /shared/images/BIG-IP-12.1.2.0.0.249.iso). Although you must still download the .sig file from F5 Downloads, it's clear what the failure is and what to do next.

Behavior Change