Bug ID 834573: Use netHSM and FIPS full-box license together

Last Modified: Mar 01, 2024

Affected Product(s):
BIG-IP LTM(all modules)

Opened: Oct 04, 2019

Severity: 3-Major

Symptoms

Installation of safenet client 6.2.2 triggers FIPS140-2 integrity failure which causes device to fail to boot

Impact

After applying the FIPS full-box license and the system is required to reboot, the system will halt.

Conditions

When Safenet client 6.x is installed and FIPS full-box license is also applied.

Workaround

1) Make a copy of your nethsm-safenet-install.sh cp /usr/bin/nethsm-safenet-install.sh /shared/ 2) open /shared/nethsm-safenet-install.sh, search for this code block. make the code change following "--->" below elif [ $software_version -eq 620 ] || [ $software_version -eq 622 ] ||\ [ $software_version -eq 710 ] ; then # Input appropriate answers for the 6.2 software install. #output=`echo -e "y\n1\nn\n1\n2\n3\ni" | sh $install_file` ---> comment out this line output=`echo -e "y\n1\nn\n2\n3\ni" | sh $install_file` ---> add this line result=$? 3) Use your edited /shared/nethsm-safenet-install.sh to install safenet to your box ***--- Result ---*** ======================================================= ....L.... /usr/lib/libCryptoki2_64.so --> /shared/safenet/lunasa/lib/libCryptoki2_64.so 1 critical file(s) modified ======================================================= Integrity Check Result: [ FAIL ] Contact F5 Networks Technical Support. 4) Copy the library file that is needed and configuration to safe location cp /usr/safenet/lunaclient/lib/libCryptoki2_64.so /shared/tmp/ cp /etc/Chrystoki.conf /shared/tmp/ 5) Uninstall the libcryptoki rpm rpm -e --nodeps libcryptoki 6) Copy the two files back to the correct locations cp /shared/tmp/libCryptoki2_64.so /usr/safenet/lunaclient/lib/libCryptoki2_64.so cp /shared/tmp/Chrystoki.conf /etc/Chrystoki.conf 7) Re-recreate all the needed links mount -o remount,rw /usr/ ln -sf /shared/safenet/lunasa/lib/libCryptoki*.so /usr/lib/ ln -sf //usr/safenet/lunaclient/lib/libCryptoki2_64.so /usr/lib/libCryptoki_64.so.2 ln -sf //usr/safenet/lunaclient/lib/libCryptoki2_64.so /usr/lib/libCryptoki_64.so.6.2.2 mount -o remount,ro /usr/ 8) Restart everything and run sys-eicheck.py bigstart restart pkcs11d /usr/libexec/sys-eicheck.py ***--- Result ---*** BIG-IP Integrity Check Report - Non-critical file modifications do not result in failure. - Critical file modifications result in failure. Unrecognized format of the line: Unsatisfied dependencies for htl_client-6.2.2-4.x86_64: Unrecognized format of the line: libcryptoki is needed by (installed) htl_client-6.2.2-4.x86_64 Unrecognized format of the line: Unsatisfied dependencies for safenet-softtoken_client-6.2.2-4.x86_64: Unrecognized format of the line: libcryptoki is needed by (installed) safenet-softtoken_client-6.2.2-4.x86_64 Unrecognized format of the line: Unsatisfied dependencies for vtl-6.2.2-4.x86_64: Unrecognized format of the line: libcryptoki is needed by (installed) vtl-6.2.2-4.x86_64 ... 20 non-critical files(s) modified ======================================================= 0 critical file(s) missing ======================================================= 0 critical file(s) modified ======================================================= Integrity Test Result: [ PASS ]

Fix Information

None

Behavior Change

Guides & references

K10134038: F5 Bug Tracker Filter Names and Tips