Bug ID 953845: After re-initializing the onboard FIPS HSM, BIG-IP may lose access after second MCPD restart

Last Modified: May 29, 2024

Affected Product(s):
BIG-IP All(all modules)

Known Affected Versions:
16.0.1, 16.0.0.1, 16.0.0, 15.1.2.1, 15.1.2, 15.1.1

Fixed In:
16.1.0, 16.0.1.1, 15.1.3, 14.1.4, 13.1.4, 12.1.6

Opened: Oct 09, 2020

Severity: 3-Major

Symptoms

When re-initializing an onboard HSM on particular platforms, BIG-IP may disconnect from the HSM after a second restart of the MCPD daemon. This can occur when using administrative commands such as: -- tmsh run util fips-util init -- fipsutil init -- tmsh run util fips-util loginreset -r -- fipsutil loginreset -r

Impact

BIG-IP is unable to communicate with the onboard HSM.

Conditions

-- Using the following platforms: + i5820-DF / i7820-DF + 5250v-F / 7200v-F + 10200v-F + 10350v-F + vCMP guest on i5820-DF / i7820-DF + vCMP guest on 10350v-F

Workaround

The last step in using "fipsutil init" is to restart all system services ("tmsh restart sys service all") or reboot. Immediately before doing this: -- open /config/bigip.conf in a text editor (e.g. vim or nano) -- locate and delete the configuration "sys fipsuser f5cu" stanza, e.g.: sys fipsuser f5cu { password $M$Et$b3R0ZXJzCg== }

Fix Information

Fixed an issue with re-initializing the onboard FIPS HSM.

Behavior Change

Guides & references

K10134038: F5 Bug Tracker Filter Names and Tips