For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

methenyr_60478's avatar
methenyr_60478
Icon for Nimbostratus rankNimbostratus
Oct 25, 2010

Licensing Wizard Error - FIPS

I am in the process of activating a license on our SCOM server, when I get to the screen to enter the License text from the F5 licensing site and select Next to move forward I get a popup error that s...
management
microsoft
scom
Julian_Balog_34's avatar
Julian_Balog_34
Historic F5 Account
Oct 26, 2010
I agree, the FIPS compliance check should stay OFF even after the licensing wizard is done, because with every start / restart of the F5 Monitoring Service, there is a license validity check performed by the F5 Monitoring Service, which uses the same security API calls (into MD5CryptoServiceProvider) that are causing the failure.

 

 

I haven’t thought about this in the first instance, when I was suggesting the temporary solution. I’m sorry.

 

 

So, if disabling FIPS in not an option for you, we need to find another way to get around this problem. Our possibilities are vey limited, as the F5 Licensing Server accepts only MD5 hashes for the license dossier files. And the MD5 encryption algorithm is not FIPS compliant.

 

 

The F5 Licensing Server accepts only MD5 hashes for dossier files. Such a license dossier file is crafted on your system, through calls into the .NET Framework, by calling into the local MD5CryptoServiceProvider supplier of encrypted hashes. When your local security policy detects this call, it will deny access to the hashing request.

 

 

Everything’s happening locally on your system, while the error occurs.

 

 

The workaround if any, would be to make your system less demanding on allowing security hashes to be created through the MD5 cryptographic provider. Which again, would be the least resistant way of solving this issue, opposed to re-designing the F5 Licensing Server to accept FIPS-compliant hashes, which I agree should be eventually addressed. Currently the F5 Licensing Server handles licensing requests across the entire F5 product line, not only the F5 Management Pack, and I’m sure this is a known issue (or limitation) of the service, and if needed could be escalated to a different group.

 

 

Coming back to our problem, I’ll try to find a less intrusive workaround compared to disabling FIPS. Hopefully one that would be supported by Microsoft and would be in harmony with your options. I’ll work on this and will keep you updated.

 

 

And thanks for your patience. I’ve been through similar frustrations and pains you’re having. I’ll do my best to unblock you.

 

 

julian