Bug ID 795285: Key creation on non-existing NetHSM partition stays in create-fail loop for CloudHSM

Last Modified: Jan 20, 2023

Affected Product:
BIG-IP MA-VE(all modules)

Known Affected Versions:
14.1.0, 14.1.0.1, 14.1.0.2, 14.1.0.3, 14.1.0.5, 14.1.0.6, 14.1.2, 14.1.2.1, 14.1.2.2, 14.1.2.3, 14.1.2.4, 14.1.2.5, 14.1.2.6, 14.1.2.7, 14.1.2.8, 14.1.3, 14.1.3.1, 14.1.4, 14.1.4.1, 14.1.4.2, 14.1.4.3, 14.1.4.4, 14.1.4.5, 14.1.4.6, 14.1.5, 14.1.5.1, 14.1.5.2, 14.1.5.3

Opened: Jun 18, 2019
Severity: 3-Major

Symptoms

Using CloudHSM in AWS (BIG-IP Virtual Edition (VE)), the ltm log contains the following messages (where 'testpartition' is the name of your partition):
-- err pkcs11d[9859]: 01680040:3: netHSM: Failed to find partition with label 'testpartition' on the netHSM.
-- err pkcs11d[9859]: 01680048:3: C_CloseSession: pkcs11_rv=0x000000b3, CKR_SESSION_HANDLE_INVALID .
-- err pkcs11d[9859]: 01680040:3: netHSM: Failed to find partition with label 'testpartition' on the netHSM.
-- err pkcs11d[9859]: 01680048:3: C_CloseSession: pkcs11_rv=0x000000b3, CKR_SESSION_HANDLE_INVALID .
-- err pkcs11d[9859]: 01680040:3: netHSM: Failed to find partition with label 'testpartition' on the netHSM.
-- err pkcs11d[9859]: 01680040:3: netHSM: Failed to find partition with label 'testpartition' on the netHSM.
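
A log check for the symptom above, as an added example that is not F5 code: it counts repeats of the two pkcs11d messages quoted in this record and reports any partition label whose lookup failure keeps recurring under the same pkcs11d process. The function name, the threshold of 3, and the timestamp/host prefix on the sample lines are assumptions.

```python
import re
from collections import Counter

# Patterns follow the message text quoted in this record; any syslog prefix
# (timestamp, host) in front of "err pkcs11d[...]" is ignored.
PARTITION_MISS = re.compile(
    r"pkcs11d\[(?P<pid>\d+)\]: 01680040:3: netHSM: Failed to find partition "
    r"with label '(?P<label>[^']*)' on the netHSM"
)
SESSION_INVALID = re.compile(
    r"pkcs11d\[(?P<pid>\d+)\]: 01680048:3: C_CloseSession: .*CKR_SESSION_HANDLE_INVALID"
)

def find_create_fail_loops(lines, threshold=3):
    """Map (pid, label) -> counts for every pkcs11d process/label pair whose
    partition-lookup failure repeats at least `threshold` times (assumed cutoff)."""
    misses, invalid = Counter(), Counter()
    for line in lines:
        m = PARTITION_MISS.search(line)
        if m:
            misses[(m["pid"], m["label"])] += 1
            continue
        m = SESSION_INVALID.search(line)
        if m:
            invalid[m["pid"]] += 1
    return {
        key: {"misses": n, "invalid_sessions": invalid[key[0]]}
        for key, n in misses.items()
        if n >= threshold
    }

# Constructed sample: message bodies copied from the record, prefix invented.
MISS = "Jan 01 00:00:0{} bigip1 err pkcs11d[9859]: 01680040:3: netHSM: Failed to find partition with label '{}' on the netHSM."
CLOSE = "Jan 01 00:00:0{} bigip1 err pkcs11d[9859]: 01680048:3: C_CloseSession: pkcs11_rv=0x000000b3, CKR_SESSION_HANDLE_INVALID ."
SAMPLE = [
    MISS.format(1, "testpartition"),
    CLOSE.format(1),
    MISS.format(2, "testpartition"),
    CLOSE.format(2),
    MISS.format(3, "testpartition"),
    MISS.format(4, "testpartition"),
    MISS.format(5, "otherpartition"),  # single miss: below threshold, not a loop
    "Jan 01 00:00:06 bigip1 notice mcpd[4000]: constructed unrelated line",
]

if __name__ == "__main__":
    for (pid, label), counts in find_create_fail_loops(SAMPLE).items():
        print(f"pkcs11d[{pid}] looping on partition '{label}': {counts}")
```

A hit means restarting pkcs11d or the cloudhsm.client service will not clear the condition, per the workaround in this record.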

Impact

pkcs11d tries to create the key and fails nonstop.

Conditions

-- Use CloudHSM in AWS.
-- Create a key on a nonexistent NetHSM partition.

Workaround

To recover, you must reboot VE. Note: Restarting pkcs11d or the cloudhsm.client service does not resolve the issue.

Fix Information

None

Behavior Change