Bug ID 662639: Policy Sync fails when policy object include FIPS key

Last Modified: May 14, 2019

Bug Tracker

Affected Product:  See more info
BIG-IP APM(all modules)

Known Affected Versions:
12.1.0, 12.1.0 HF1, 12.1.0 HF2, 12.1.1, 12.1.1 HF1, 12.1.1 HF2, 12.1.2, 12.1.2 HF1, 12.1.2 HF2, 13.0.0, 13.0.0 HF1, 13.0.0 HF2, 13.0.0 HF3, 13.0.1

Fixed In:
13.1.0, 12.1.3

Opened: May 02, 2017
Severity: 3-Major

Symptoms

Policy sync failed with a vague error: err mcpd[5597]: 01071600:3: APM PSync: Atom attribute (fips_exported_key) data type (blob) in class (certificate_key_file_object) object name (/Common/fips1.key) blob value is not empty - no handler for blob Object dump: **certificate_key_file_object:/Common/fips1.key ...

Impact

Feature failure for specific configurations.

Conditions

-- Sync-only device group configuration. -- FIPS cards in use. -- On one device: + Create FIPS key and certificate: 1. Go to System::Certificate Management::Traffic Certificate Management::SSL Certificate List::Create. 2. For 'Security Type' field of 'Key Properties' section, select 'FIPS'. + Create a rewrite profile: 1. Go to Access Policy :: Portal Access :: Rewrite :: Create New Profile. 2. Under 'JavaPatcher Settings' select 'Signer' and 'Signer Key' to the one created above (e.g., 'fips1.crt' and 'fips1.key', respectively). + Create an access profile. + Create a virtual server and attach the access profile and rewrite profile to it. (Note: You must also include other dependent settings, such as a connectivity profile.) 3. Start a policy sync from the device.

Workaround

None.

Fix Information

Now APM policy sync succeeds even when policy includes FIPS key.

Behavior Change