Bug ID 713793: Loading sys config using merge does not work for client SSL profiles with passphrase-protected key

Last Modified: Jul 13, 2024

Affected Product(s):
BIG-IP TMOS(all modules)

Known Affected Versions:
12.1.2, 12.1.2 HF1, 12.1.2 HF2, 12.1.3, 12.1.3.1, 12.1.3.2, 12.1.3.3, 12.1.3.4, 12.1.3.5, 12.1.3.6, 12.1.3.7, 12.1.4, 12.1.4.1, 12.1.5, 12.1.5.1, 12.1.5.2, 12.1.5.3, 12.1.6, 13.0.0, 13.0.0 HF1, 13.0.0 HF2, 13.0.0 HF3, 13.0.1, 13.1.0, 13.1.0.1, 13.1.0.2, 13.1.0.3, 13.1.0.4, 13.1.0.5, 13.1.0.6, 13.1.0.7, 13.1.0.8, 13.1.1, 13.1.1.2, 13.1.1.3, 13.1.1.4, 13.1.1.5, 13.1.3, 13.1.3.1, 13.1.3.2, 13.1.3.3, 13.1.3.4, 13.1.3.5, 13.1.3.6, 13.1.4, 13.1.4.1, 13.1.5, 13.1.5.1, 14.0.0, 14.0.0.1, 14.0.0.2, 14.0.0.3, 14.0.0.4, 14.0.0.5, 14.0.1, 14.0.1.1

Opened: Apr 05, 2018

Severity: 3-Major

Symptoms

The BIG-IP system posts an error similar to the following when merging the configuration of a client SSL profile:

    010717e7:3: Client SSL profile (/Common/test): cert-key-chain and profile cert, key or chain options cannot be specified together.

Impact

Unable to merge configuration.

Conditions

This occurs when the SSL key of the client SSL profile is passphrase-protected.

Workaround

To work around this issue, remove the cert/key/chain/passphrase outside of the cert-key-chain block before issuing the following command: load sys config from-terminal merge.

In particular, use the following text as the configuration:

    root@(big4)(cfg-sync Standalone)(Active)(/Common)(tmos)# load sys config from-terminal merge
    Enter configuration. Press CTRL-D to submit or CTRL-C to cancel.
    ltm profile client-ssl test {
        app-service none
        cert-key-chain {
            test12345 {
                cert test12345
                key test12345
                passphrase $M$SIwDQYJKoZIhvcNAQEBBQABOC==
            }
        }
        inherit-certkeychain false
    }

In this example, this is the text to replace:

    root@(big4)(cfg-sync Standalone)(Active)(/Common)(tmos)# load sys config from-terminal merge
    Enter configuration. Press CTRL-D to submit or CTRL-C to cancel.
    ltm profile client-ssl test {
        app-service none
        cert test12345
        cert-key-chain {
            test12345 {
                cert test12345
                key test12345
                passphrase $M$EAAaOBsTCBrjAzBggrBgEFBQc==
            }
        }
        chain none
        inherit-certkeychain false
        key test12345
        passphrase $M$S/4S5uRf8leryRGv5MX9DAAvK==
    }
    Loading configuration...
    010717e7:3: Client SSL profile (/Common/test): cert-key-chain and profile cert, key or chain options cannot be specified together.
    Unexpected Error: Loading configuration process failed.
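The workaround above can be applied mechanically when many profiles need editing. The following is an added example, not F5 code: a filter that removes profile-level cert, key, chain and passphrase lines from client-ssl stanzas that also carry a cert-key-chain block, and leaves every other stanza untouched. The function names, the one-statement-per-line layout and the sample passphrase values are assumptions.

```python
import re

# Assumption: one statement per line; blocks open with a trailing "{" and close with a lone "}".
PROFILE_RE = re.compile(r"^\s*ltm\s+profile\s+client-ssl\s+\S+\s*\{\s*$")
PROFILE_LEVEL = {"cert", "key", "chain", "passphrase"}

# Drop depth-1 cert options only when the profile also has a cert-key-chain block.
def _filter(stanza):
    has_ckc = any(d == 1 and l.split()[:1] == ["cert-key-chain"] for l, d in stanza)
    return [l for l, d in stanza
            if not (has_ckc and d == 1 and l.split()[:1] and l.split()[0] in PROFILE_LEVEL)]

def strip_profile_level_cert_options(config):
    out, stanza, depth = [], None, 0
    for line in config.splitlines():
        if stanza is None:
            if PROFILE_RE.match(line):
                stanza, depth = [(line, 0)], 1
            else:
                out.append(line)  # outside a client-ssl profile: pass through
            continue
        stanza.append((line, depth))  # record the depth this line sits at
        text = line.strip()
        depth += text.endswith("{") - (text == "}")  # +1 on open, -1 on close
        if depth == 0:  # profile closed: filter and emit it
            out.extend(_filter(stanza))
            stanza = None
    if stanza is not None:
        raise ValueError("unterminated client-ssl profile stanza")
    return "\n".join(out) + "\n"

# Constructed sample modelled on the failing input; passphrase values are placeholders.
SAMPLE = """\
ltm profile client-ssl test {
    app-service none
    cert test12345
    cert-key-chain {
        test12345 {
            cert test12345
            key test12345
            passphrase $M$constructedInner==
        }
    }
    chain none
    inherit-certkeychain false
    key test12345
    passphrase $M$constructedOuter==
}
"""
```

Review the filtered text before pasting it into load sys config from-terminal merge; profiles without a cert-key-chain block pass through unchanged so their only certificate reference is not lost.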

Fix Information

None

Behavior Change
