Bug ID 689351: Unclear fipskey event

Last Modified: Apr 10, 2019

Affected Product:
BIG-IP LTM (all modules)

Known Affected Versions:
11.5.1, 11.5.1 HF1, 11.5.1 HF10, 11.5.1 HF11, 11.5.1 HF2, 11.5.1 HF3, 11.5.1 HF4, 11.5.1 HF5, 11.5.1 HF6, 11.5.1 HF7, 11.5.1 HF8, 11.5.1 HF9, 11.5.2, 11.5.2 HF1, 11.5.3, 11.5.3 HF1, 11.5.3 HF2, 11.5.4, 11.5.4 HF1, 11.5.4 HF2, 11.5.4 HF3, 11.5.4 HF4, 11.5.5, 11.5.6, 11.5.7, 11.5.8, 11.5.9, 11.6.0, 11.6.0 HF1, 11.6.0 HF2, 11.6.0 HF3, 11.6.0 HF4, 11.6.0 HF5, 11.6.0 HF6, 11.6.0 HF7, 11.6.0 HF8, 11.6.1, 11.6.1 HF1, 11.6.1 HF2, 11.6.2, 11.6.2 HF1, 11.6.3, 11.6.3.1, 11.6.3.2, 11.6.3.3, 11.6.3.4, 11.6.4

Opened: Oct 18, 2017
Severity: 4-Minor

Symptoms

The "fipskey" utility generates erroneous dlopen errors in /var/log/daemon.log when trying to open pkcs11_nethsm.so.

Impact

Erroneous error messages.

Conditions

Reproduced randomly by running "fipskey export 1 /var/tmp/otters" (even on a VE). Regardless of the error on the command line, it logs the above in /var/log/daemon.log. It may occur due to a FIPS appliance (built-in FIPS card), and various system utilities (e.g. mcpd) invoke "fipskey" directly. (MCPD invokes fipskey to regenerate DNSSEC-related FIPS keys.) Those operations succeed, but they leave erroneous error messages in the log file while the FIPS library is starting up and looking for a viable/functional FIPS shared library. (It keeps looking for a viable library even after logging a dlopen() error return value.)
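
An added illustration of the library search described above (not F5's code and not a fix for this bug): it contrasts logging every failed dlopen() attempt at error severity with holding failures back until no candidate loads. The name libfips_builtin.so, the fake_loader stand-in and the fips_probe logger are assumptions made for the example.

```python
import ctypes
import logging

log = logging.getLogger("fips_probe")
CANDIDATES = ["pkcs11_nethsm.so", "libfips_builtin.so"]  # second name is hypothetical

def load_noisy(candidates, loader=ctypes.CDLL):
    # Pattern matching the symptom: each failure is an error, yet the search goes on.
    for name in candidates:
        try:
            return loader(name)  # ctypes.CDLL calls dlopen() on Linux
        except OSError as exc:
            log.error("dlopen(%s) failed: %s", name, exc)
    return None

def load_quiet(candidates, loader=ctypes.CDLL):
    # Same search; failures reach error severity only when nothing loads at all.
    failures = []
    for name in candidates:
        try:
            lib = loader(name)
        except OSError as exc:
            failures.append((name, exc))
            continue
        for failed, exc in failures:
            log.debug("skipped %s: %s", failed, exc)
        return lib
    for failed, exc in failures:
        log.error("dlopen(%s) failed: %s", failed, exc)
    return None

def fake_loader(name):
    # Constructed stand-in for dlopen(): only the hypothetical built-in library loads.
    if name != "libfips_builtin.so":
        raise OSError(f"{name}: cannot open shared object file")
    return name

def error_count(load, candidates=CANDIDATES, loader=fake_loader):
    # Run one pattern and count the ERROR records it emitted.
    seen = []
    handler = logging.Handler()
    handler.emit = lambda record: seen.append(record.levelno)
    log.addHandler(handler)
    load(candidates, loader)
    log.removeHandler(handler)
    return seen.count(logging.ERROR)

if __name__ == "__main__":
    print("noisy:", error_count(load_noisy), "quiet:", error_count(load_quiet))
```

With the constructed loader, the first pattern records one error for an operation that succeeds, while the second records none unless every candidate fails.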

Workaround

N/A

Fix Information

None

Behavior Change