Bug ID 677485: Discovery of DSC clustered BIG-IP systems fails due to secure value decryption error

Last Modified: Nov 07, 2022

Bug Tracker

Affected Product:  See more info
BIG-IP BIG-IQ(all modules)

Known Affected Versions:
12.0.0, 12.0.0 HF1, 12.0.0 HF2, 12.0.0 HF3, 12.0.0 HF4, 12.1.0, 12.1.0 HF1, 12.1.0 HF2, 12.1.1, 12.1.1 HF1, 12.1.1 HF2, 12.1.2, 12.1.2 HF1, 12.1.2 HF2, 12.1.3, 12.1.3.1, 12.1.3.2, 12.1.3.3, 12.1.3.4, 12.1.3.5, 12.1.3.6, 12.1.3.7, 12.1.4, 12.1.4.1, 12.1.5, 12.1.5.1, 12.1.5.2, 12.1.5.3, 12.1.6, 13.0.0, 13.0.0 HF1, 13.0.0 HF2, 13.0.0 HF3, 13.0.1, 13.1.0, 13.1.0.1, 13.1.0.2, 13.1.0.3, 13.1.0.4, 13.1.0.5, 13.1.0.6, 13.1.0.7, 13.1.0.8, 13.1.1

Fixed In:
14.0.0, 13.1.1.2

Opened: Aug 08, 2017
Severity: 3-Major

Symptoms

After initially configuring a DSC cluster, iControl-REST on BIG-IP systems might fail to decrypt the secure values due to a stale BIG-IP master key in its cache, and returns the secure values encrypted by the BIG-IP master key. BIG-IQ is unable to decrypt these secure values and fails to discover the BIG-IP system.

Impact

Discovery fails due to secure value decryption error.

Conditions

-- DSC cluster. -- iControl REST. -- BIG-IP system with stale BIG-IP master key in its cache. -- BIG-IQ attempts to decrypt the secure values.

Workaround

Restart iControl-REST server on the BIG-IP system. On BIG-IP v12.0.0 and later: -- In TMSH, run the following command: restart sys service restjavad -- On the console, run the following command: bigstart restart restjavad On BIG-IP v11.x.x: -- In TMSH, run the following command: restart sys service icrd -- On the console, run the following command: bigstart restart icrd

Fix Information

The system now enforces obtaining the BIG-IP master key if the first decryption fails to proceed properly.

Behavior Change