For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

methenyr_60478's avatar
methenyr_60478
Icon for Nimbostratus rankNimbostratus
Oct 25, 2010

Licensing Wizard Error - FIPS

I am in the process of activating a license on our SCOM server, when I get to the screen to enter the License text from the F5 licensing site and select Next to move forward I get a popup error that s...
management
microsoft
scom
Julian_Balog_34's avatar
Julian_Balog_34
Historic F5 Account
Oct 26, 2010
The problem appears to be with the way the cryptographic services are set up on in your environment. And the issue could be local to the SCOM server or could be controlled by a domain wide security policy. The error that you get is basically stating that the encryption algorithm attempted on the client side for communicating with the F5 Licensing Server is not standards based (Federal Information Processing Standards / FIPS compliant).

 

 

The F5 Management Pack Licensing Wizard (which is the client in the licensing scenario), attempts to create an MD5 hash of a local dossier file, created during the licensing/setup process, which is then sent out to the F5 Licensing Server for storing it with the license key. When the MD5 hash is being attempted by the Licensing Wizard, you get the FIPS compliance error, reported by the underlying .NET Framework libraries (on your local system). This problem occurs because the MD5 algorithm is not FIPS compliant.

 

 

We can try to troubleshoot this over a remote session (using GoToMeeting), or if you provide us more information about the error and your system settings, we can try to pinpoint the possible cause and suggest a fix / workaround. Most probably the workaround would be to to DISABLE (temporarily) the FIPS compliant encryption algorithm requirement on your system.

 

 

Please check / provide the following information (you can send this information directly to to managementpack(at)f5(dot)com:

 

 

- send us the setup.log file, in the %Program Files%\F5 Networks\Management Pack\log folder.

 

- run the SystemInformation.ps1 diagnostic script and send us the output (see this article: http://devcentral.f5.com/wiki/default.aspx/MgmtPack/GeneralTroubleshooting.html)

 

- check the following registry keys (if present and their values):

 

 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy\Enabled (DWORD value): what is the value?

 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\fipsalgorithmpolicy (DWORD value): what is the value?

 

 

(You should have either one or the other of these keys (depending on the Windows Server OS version).

 

 

- check the if the FIPS compliance policy in your local security policy: gpedit > Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options > System Cryptography: Use FIPS compliant algorithms for encryption, hashing and signing.

 

 

My personal suggestion would be to disable (temproarily the FIPS compliance policy, while you attempt to license the F5 product.

 

 

Let me know your thoughts.

 

Julian