After upgrade from 10.4.x to 11.4.X FIPS keys not loading
After upgrade from 10.4.x to 11.4.X FIPS keys not loading. Below is the error I get:
/usr/libexec/bigpipe daol
Reading configuration from /config/bigpipe/low_profile_base.conf.
Reading configuration from /config/bigpipe/config_base.conf.
Reading configuration from /config/bigpipe/bigip_sys.conf.
Reading configuration from /config/bigpipe/bigip_base.conf.
Reading configuration from /config/bigpipe/base_monitors.conf.
Reading configuration from /config/bigpipe/profile_base.conf.
Reading configuration from /config/bigpipe/daemon.conf.
Reading configuration from /config/bigpipe/bigip.conf.
Reading configuration from /config/bigpipe/bigip_local.conf.
Loading the configuration ...
BIGpipe unknown operation error:
01070712:3: validate_file_contents:(/Common/keyname.key) : unable to import key (/Common/keyname.key) in FIPS card - sys/validation/FileObject.cpp, line 4999
9 Replies
- nitass
Employee
Is there any error when running fips-util -v labelcheck?
root@(B6900-R69-S7)(cfg-sync Standalone)(Active)(/Common)(tmos) run util fips-util -v labelcheck
root@(B6900-R69-S7)(cfg-sync Standalone)(Active)(/Common)(tmos)
- Anesh
Cirrostratus
Sorry, the box is currently off network and I have no access to it. Can you tell me what the above command checks, and if I do get an error by running the above command, what should be the expected action I should take?
- nitass
Employee
Can you tell me what the above command checks, and if I do get an error by running the above command, what should be the expected action I should take?
If FIPS is initialized and the security domain is configured, the command will return nothing. I do not have a list of errors but hope it would give more of a clue.
- Anesh
Cirrostratus
Thanks for your reply.
I came across this solution https://support.f5.com/kb/en-us/solutions/public/15000/500/sol15577.html and I think it would apply to this scenario since I see the SSL key names are greater than 32 characters. But I don't understand the workaround mentioned.
Do I have to re-initialize FIPS and then rename the keys to less than 32 characters and convert the keys to FIPS again?
- nitass
Employee
Do I have to re-initialize FIPS and then rename the keys to less than 32 characters and convert the keys to FIPS again?
I understand only installing the exp key (tmsh install sys crypto key), because FIPS should be initialized already.
- Anesh
Cirrostratus
I ran the command run util fips-util -v labelcheck but it gives me no error.
- Anesh
Cirrostratus
Nov 23 02:43:19 notice mcpd[14531]: 01071038:5: Unit key hash from key header:
Nov 23 02:43:20 notice mcpd[14531]: 01071038:5: Unit key hash computed from read key:
Nov 23 02:43:20 notice mcpd[14531]: 01071038:5: Unit key read from the hardware.
Nov 23 02:43:31 err mcpd[14531]: 010713e4:3: FIPS subsystem reported error while attempting file object operation: FipsMgr::get_handle_from_modulus error unable to obtain handle. Modulus(modulus values...), FIPS:APPLICATION ERROR.
Nov 23 02:43:31 err mcpd[14531]: 010713e4:3: FIPS subsystem reported error while attempting file object operation: import_key_file: failed to open key file /config/ssl/ssl.cavfips/:Common:.exp.
Nov 23 02:43:31 err mcpd[14531]: 010713e4:3: FIPS subsystem reported error while attempting file object operation: delete_duplicate_labels: couldn't find key label for handle (259), (null).
Nov 23 02:43:31 err mcpd[14531]: 010713e4:3: FIPS subsystem reported error while attempting file object operation: FipsMgr::get_handle_from_modulus error unable to obtain handle. Modulus(modules values..), FIPS:APPLICATION ERROR.
Nov 23 02:43:31 err mcpd[14531]: 01070712:3: Caught configuration exception (0), validate_file_contents:(/Common/.key) : unable to import key (/Common/.key) in FIPS card - sys/validation/FileObject.cpp, line 4999.
- nitass
Employee
Nov 23 02:43:31 err mcpd[14531]: 010713e4:3: FIPS subsystem reported error while attempting file object operation: import_key_file: failed to open key file /config/ssl/ssl.cavfips/:Common:.exp.
Does the exp file exist?
- Anesh
Cirrostratus
By removing stale key (not associated with any profile), the configuration was able to load.
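Added example, not part of the thread and not F5 tooling: a shell triage over mcpd log lines like those posted above. It covers the two checks raised in the replies: whether each `.exp` file named in an `import_key_file` error exists on disk, and whether a rejected key name is longer than 32 characters. The sample log and its key names are constructed, and measuring the length over the object's base name as it appears in the log is an assumption.

```shell
#!/bin/sh
# Added example, not F5 tooling. SAMPLE_LOG is constructed in the shape of the
# mcpd lines quoted in the thread; both key names in it are made up.
SAMPLE_LOG='Nov 23 02:43:31 err mcpd[14531]: 010713e4:3: FIPS subsystem reported error while attempting file object operation: FipsMgr::get_handle_from_modulus error unable to obtain handle.
Nov 23 02:43:31 err mcpd[14531]: 010713e4:3: FIPS subsystem reported error while attempting file object operation: import_key_file: failed to open key file /config/ssl/ssl.cavfips/:Common:example-application-wildcard-2013.exp.
Nov 23 02:43:31 err mcpd[14531]: 01070712:3: Caught configuration exception (0), validate_file_contents:(/Common/example-application-wildcard-2013.key) : unable to import key (/Common/example-application-wildcard-2013.key) in FIPS card - sys/validation/FileObject.cpp, line 4999.
Nov 23 02:44:02 err mcpd[14531]: 010713e4:3: FIPS subsystem reported error while attempting file object operation: import_key_file: failed to open key file /config/ssl/ssl.cavfips/:Common:short.exp.
Nov 23 02:44:02 err mcpd[14531]: 01070712:3: Caught configuration exception (0), validate_file_contents:(/Common/short.key) : unable to import key (/Common/short.key) in FIPS card - sys/validation/FileObject.cpp, line 4999.'

# Paths that import_key_file could not open, one per line, de-duplicated.
failed_exp_files() {
    sed -n 's/.*010713e4:3: .*import_key_file: failed to open key file \(.*\.exp\)\.*$/\1/p' | sort -u
}

# Key objects rejected by validate_file_contents, one per line, de-duplicated.
failed_key_objects() {
    sed -n 's/.*01070712:3: .*unable to import key (\([^)]*\)) in FIPS card.*/\1/p' | sort -u
}

# Reads mcpd log text on stdin; $1 is the name-length limit (default 32).
# Prints tab-separated records:
#   exp <present|missing> <path>
#   key <length> <over-limit|within-limit> <object>
triage_fips_log() {
    tf_limit="${1:-32}"
    tf_log="$(cat)"
    printf '%s\n' "$tf_log" | failed_exp_files | while IFS= read -r tf_path; do
        if [ -e "$tf_path" ]; then tf_state=present; else tf_state=missing; fi
        printf 'exp\t%s\t%s\n' "$tf_state" "$tf_path"
    done
    printf '%s\n' "$tf_log" | failed_key_objects | while IFS= read -r tf_obj; do
        tf_base="${tf_obj##*/}"    # drop the partition prefix, e.g. /Common/
        if [ "${#tf_base}" -gt "$tf_limit" ]; then
            tf_flag=over-limit
        else
            tf_flag=within-limit
        fi
        printf 'key\t%s\t%s\t%s\n' "${#tf_base}" "$tf_flag" "$tf_obj"
    done
}

# Stand-alone run over the constructed sample.
printf '%s\n' "$SAMPLE_LOG" | triage_fips_log 32
```

To check a real unit, pipe the log that holds the mcpd messages into `triage_fips_log` in place of the sample.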