Bug ID 695873: Entry for ssl key removed from tmsh causes tmsh load config to fail

Last Modified: Jul 12, 2023

Affected Product(s):
BIG-IP TMOS (all modules)

Known Affected Versions:
13.0.0, 13.0.0 HF1, 13.0.0 HF2, 13.0.0 HF3, 13.0.1, 13.1.0, 13.1.0.1, 13.1.0.2, 13.1.0.3, 13.1.0.4, 13.1.0.5, 13.1.0.6, 13.1.0.7, 13.1.0.8, 13.1.1, 13.1.1.2, 13.1.1.3, 13.1.1.4, 13.1.1.5, 13.1.3, 13.1.3.1, 13.1.3.2, 13.1.3.3, 13.1.3.4, 13.1.3.5, 13.1.3.6, 13.1.4, 13.1.4.1, 13.1.5, 13.1.5.1

Fixed In:
14.0.0

Opened: Nov 22, 2017

Severity: 3-Major

Symptoms

As part of phonehome, the licensing process uses an encrypted key, which keeps its passphrase securely in tmsh.

Impact

The bigip.conf will not load until the key and certificate entries are edited out. Also, phonehome will not work, since there is no passphrase for the encrypted key.

Conditions

If the tmsh entry is deleted, the key can no longer be used. Issuing a new registration key then fails to create a new key, and the bigip.conf no longer loads.

Workaround

Edit out the section for f5_api_com.key in /config/bigip.conf and run tmsh load sys config. Then remove the key: rm -f /config/ssl/ssl.key/f5_api_com.key and reinstall the license registration key.
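The first workaround step, as an added example (not F5 code): a shell filter that prints a config with the brace-delimited stanza naming f5_api_com.key removed, so the edit can be made on a copy and diffed before it replaces /config/bigip.conf. The stanza layout, the sample config and the names strip_stanza and sample_conf are assumptions constructed for illustration.

```shell
# Added example. Assumes tmsh-style stanzas: "header {" ... "}" with balanced braces.

# strip_stanza NAME [FILE]: print FILE (or stdin) without any top-level
# stanza whose header line contains NAME. The input is never modified.
strip_stanza() {
    awk -v name="$1" '
        function braces(s,   o, c, t) {      # net brace depth change on one line
            t = s; o = gsub(/[{]/, "", t)
            t = s; c = gsub(/[}]/, "", t)
            return o - c
        }
        # A matching header is only recognised outside every other stanza.
        depth == 0 && index($0, name) && /[{]/ { skip = 1 }
        { depth += braces($0) }
        # Drop lines until the stanza that started the skip is closed again.
        skip { if (depth == 0) skip = 0; next }
        { print }
    ' "${2:--}"
}

# Constructed sample input, not taken from a real device.
sample_conf() {
    cat <<'EOF'
ltm virtual /Common/vs_demo {
    destination /Common/192.0.2.10:443
    profiles {
        /Common/tcp { }
    }
}
sys file ssl-cert /Common/default.crt {
    source-path file:///config/ssl/ssl.crt/default.crt
}
sys file ssl-key /Common/f5_api_com.key {
    passphrase CONSTRUCTED-PLACEHOLDER
    source-path file:///config/ssl/ssl.key/f5_api_com.key
}
sys file ssl-key /Common/default.key {
    source-path file:///config/ssl/ssl.key/default.key
}
EOF
}

# Demo on the constructed sample; on a device the input would be a copy of
# /config/bigip.conf and the output a candidate file to diff before use.
sample_conf | strip_stanza f5_api_com.key
```

The filter only produces the edited text; loading the config, removing the key file and reinstalling the license registration key remain the manual steps given in the workaround.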

Fix Information

The fix tests whether tmsh has a reference to f5_api_com.key and deletes the actual key during the license process, which then generates a new key and passphrase, thus updating tmsh.

Behavior Change
