Bug ID 718277: Deployed guests inoperative after host and guest master-key reset without rebooting host after host master-key is reset.

Last Modified: Nov 07, 2022

Bug Tracker

Affected Product:  See more info
BIG-IP vCMP(all modules)

Known Affected Versions:
11.5.1, 11.5.1 HF1, 11.5.1 HF10, 11.5.1 HF11, 11.5.1 HF2, 11.5.1 HF3, 11.5.1 HF4, 11.5.1 HF5, 11.5.1 HF6, 11.5.1 HF7, 11.5.1 HF8, 11.5.1 HF9, 11.5.10, 11.5.2, 11.5.2 HF1, 11.5.3, 11.5.3 HF1, 11.5.3 HF2, 11.5.4, 11.5.4 HF1, 11.5.4 HF2, 11.5.4 HF3, 11.5.4 HF4, 11.5.5, 11.5.6, 11.5.7, 11.5.8, 11.5.9

Opened: May 03, 2018
Severity: 3-Major

Symptoms

vCMP guests (ALL Guests) fail to load after reboot of hypervisor when the host master-key is changed and then the guests' master-keys are changed before first rebooting the hypervisor.

Impact

Deployed guests cannot decrypt their configurations and so are inoperative.

Conditions

-- Issue the following command on vCMP Host hypervisor system: $ tmsh modify sys crypto master-key prompt-for-password -- Issue the following command on guests deployed on this hypervisor, before rebooting the hypervisor: $ tmsh modify sys crypto master-key prompt-for-password

Workaround

In order to change the host master-key without causing service interruption to deployed vCMP guests (except for the necessary reboot): 1. On the host and with guests deployed, issue the following command: $ tmsh modify /sys crypto master-key prompt-for-password 2. After this interactive command completes, again on the host issue the following command: $ tmsh save sys config && tmsh reboot 3. Wait for the host and guests to come back up, then issue the following command on each guest: $ tmsh modify /sys crypto master-key prompt-for-password

Fix Information

None

Behavior Change