Bug ID 712534: DNSSEC keys are not generated when configured to use an external FIPS device

Last Modified: Jul 03, 2019

Affected Product:
BIG-IP DNS (all modules)

Known Affected Versions:
14.1.0, 14.1.0.1, 14.1.0.2, 14.1.0.3, 14.1.0.4, 14.1.0.5, 14.1.0.6, 15.0.0

Opened: Mar 28, 2018
Severity: 2-Critical

Symptoms

DNSSEC keys that use an external FIPS device are not generated, and an SELinux denial is reported in /var/log/auditd/audit.log. The logged permission denial should indicate that a process running under the 'mcpd_t' SELinux context was denied the 'execmem' permission.
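To check a device for the symptom described above, the following added example (not F5's code) scans audit records for denied AVC entries where the source context type is 'mcpd_t' and the requested permission includes 'execmem'. The sample lines are constructed in the standard Linux audit AVC format; their pids, comm values, timestamps and serial numbers are assumptions.

```python
import re

# Constructed sample lines in the standard Linux audit AVC format. The pids,
# comm values, timestamps and serial numbers are made up for illustration.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1522238400.101:812): avc:  denied  { execmem } for  pid=5121 comm="mcpd" scontext=system_u:system_r:mcpd_t:s0 tcontext=system_u:system_r:mcpd_t:s0 tclass=process
type=AVC msg=audit(1522238401.200:813): avc:  denied  { read } for  pid=6000 comm="httpd" name="x" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file
type=SYSCALL msg=audit(1522238400.101:812): arch=c000003e syscall=9 success=no exit=-13 comm="mcpd"
type=AVC msg=audit(1522238600.000:950): avc:  denied  { execmem execstack } for  pid=5121 comm="mcpd" scontext=system_u:system_r:mcpd_t:s0 tcontext=system_u:system_r:mcpd_t:s0 tclass=process
"""

AVC_RE = re.compile(
    r"^type=AVC msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\): "
    r"avc:\s+(?P<result>denied|granted)\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)$"
)
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Parse one AVC record into a dict, or return None for other record types."""
    m = AVC_RE.match(line.strip())
    if m is None:
        return None
    rec = {key: value.strip('"') for key, value in FIELD_RE.findall(m.group("rest"))}
    rec["result"] = m.group("result")
    rec["perms"] = set(m.group("perms").split())
    rec["serial"] = int(m.group("serial"))
    return rec


def selinux_type(context):
    """Return the type field of a user:role:type:level SELinux context."""
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 else ""


def find_execmem_denials(lines, domain="mcpd_t", perm="execmem"):
    """Return denied AVC records where a process in `domain` requested `perm`."""
    hits = []
    for line in lines:
        rec = parse_avc(line)
        if rec is None or rec["result"] != "denied":
            continue
        if perm in rec["perms"] and selinux_type(rec.get("scontext", "")) == domain:
            hits.append(rec)
    return hits


if __name__ == "__main__":
    for hit in find_execmem_denials(SAMPLE_AUDIT_LOG.splitlines()):
        print(hit["serial"], hit["comm"], sorted(hit["perms"]), hit["scontext"])
```

On a device, pass the lines read from /var/log/auditd/audit.log instead of the sample string.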

Impact

DNSSEC keys will not be generated when configured to use the external FIPS device.

Conditions

-- A device is configured with one or more DNSSEC keys that are configured to be generated by an external FIPS device (indicated by the 'use-fips' option being set to 'external').
-- An unpatched version of the Thales client software is in use on the device.

Workaround

Update the version of the Thales client software that is in use on the device.

Fix Information

None

Behavior Change