Bug ID 842137: Keys cannot be created on module protected partitions when strict FIPS mode is set

Last Modified: Apr 26, 2024

Affected Product(s):
BIG-IP LTM(all modules)

Known Affected Versions:
14.0.0,,,,,, 14.0.1,, 14.1.0,,,,,, 14.1.2,,,,,,,,, 14.1.3,, 14.1.4,,,,,,, 14.1.5,,,,,, 15.0.0, 15.0.1,,,,, 15.1.0,,,,,, 15.1.1, 15.1.2,, 15.1.3,, 15.1.4,, 15.1.5,, 15.1.6,, 15.1.7, 15.1.8,,, 15.1.9,, 15.1.10,,,, 16.0.0,, 16.0.1,,, 16.1.0, 16.1.1, 16.1.2,,, 16.1.3,,,,,, 16.1.4,,,, 17.0.0,,, 17.1.0,,,, 17.1.1,,,

Opened: Oct 22, 2019

Severity: 3-Major


When the Hardware Security Module (HSM) FIPS mode is set to FIPS 140-2 Level 3 protection, new keys cannot be created in the module's protected partition. Note: Although FIPS grade Internal HSM (PCI card) is validated by the Marvell company at FIPS 140-2 Level 3, the BIG-IP system is not 140-2 Level 3 validated.


New Keys cannot be create.


-- FIPS 140-2 Level 3 protection is configured on a NetHSM partition. -- You attempt to create a FIPS key using that partition.


Follow these steps to generate a new NetHSM key called 'workaround' and install it into the BIG-IP config: 1. Generate the key: [root@bigip1::Active:Standalone] config # fipskey.nethsm --genkey -o workaround -c module WARNING: fipskey.nethsm will soon be deprecated for use with Thales. Please switch to using tmsh commands instead. tmsh commands... Generate Key: tmsh create sys crypto key <key_name> security-type nethsm [gen-certificate|gen-csr] ... For an exhaustive list of options, please consult F5's tmsh documentation. Generate CSR for existing key: tmsh create sys crypto csr <csr_name> key <key name> ... For an exhaustive list of options, please consult F5's tmsh documentation. Generate Self-Signed Certificate for existing key: tmsh create sys crypto cert <cert_name> key <key name> ... For an exhaustive list of options, please consult F5's tmsh documentation. Delete Key: tmsh delete sys crypto key <keyname> str[cd /shared/tmp && /opt/nfast/bin/generatekey -b pkcs11 certreq=yes selfcert=yes protect=module size=2048 embedsavefile="workaround" plainname="workaround" digest=sha256] key generation parameters: operation Operation to perform generate application Application pkcs11 protect Protected by module verify Verify security of key yes type Key type RSA size Key size 2048 pubexp Public exponent for RSA key (hex) embedsavefile Filename to write key to workaround plainname Key name workaround x509country Country code x509province State or province x509locality City or locality x509org Organisation x509orgunit Organisation unit x509dnscommon Domain name x509email Email address nvram Blob in NVRAM (needs ACS) no digest Digest to sign cert req with sha256 Key successfully generated. Path to key: /opt/nfast/kmdata/local/key_pkcs11_ua882aa9fadee7e440772cb6686358f4b283922622 Starting synchronisation, task ID 5de83486.6e9e32d7f367eaf4 Directory listing failed: No such file or directory 2. Confirm the presence of the key with the label 'workaround': [root@bigip1::Active:Standalone] config # nfkminfo -l Keys with module protection: key_pkcs11_ua882aa9fadee7e440772cb6686358f4b283922622 `workaround' Keys protected by cardsets: ... 3. Install the key: [root@bigip1::Active:Standalone] config # tmsh install sys crypto key workaround from-nethsm 4. Install the public certificate: [root@bigip1::Active:Standalone] config # tmsh install sys crypto cert workaround from-local-file /config/ssl/ssl.crt/workaround

Fix Information


Behavior Change

Guides & references

K10134038: F5 Bug Tracker Filter Names and Tips