Info:
Venafi Trust Protection Platform utilizes the F5 iControl APIs when provisioning. This topic provides additional information about iControl API compatibility and related background information.
More Info:
The following table shows the versions of iControl that have known compatibility issues caused by specific F5 bugs:
| iControl Version | Trust Protection Platform Error | Related F5 Error | Additional Notes |
| --- | --- | --- | --- |
| 10.2.0 through 10.2.4-HF3 | Trust Protection Platform does not support SSL Profile Type for F5 version 10.2. If you need to configure F5 server profiles, upgrade F5 to version 10.2.4 or later. | F5 Bug 386512: iControl incorrectly handles SSL certificate and key when working with server SSL profiles. | This has been fixed in 10.2.4-HF4. For affected versions, the driver uses an older method that exploits an API limit to replace certificate files. New name generation is not supported; therefore, overwrite must be used. SSL Server Profiles are not supported in these versions. |
| 11.0.0 through 11.2.0 | N/A | F5 Bug 364825: SSL private keys that are stored in the FIPS module are not synchronized during ConfigSync operations. https://support.f5.com/kb/en-us/solutions/public/13000/900/sol13929.html | This has been fixed in 11.2.1. |
| 11.5.4 HF2 | Error - 0107149e:3: Virtual server virtual_server_name has more than one clientssl/serverssl profile with same server name. | F5 Bug 614675: iControl SOAP API call "LocalLB::ProfileClientSSL::create_v2" creates invalid profile | No GA hotfix as of November 2016. To work around this issue, create SSL profiles manually and then use Trust Protection Platform only to update the certificate, key, and chain of existing SSL profiles. |
| 11.5.4 HF2 and 12.0.0 through 12.1.1 HF2 | Install Private Key (private_key_name) failed with error: Exception caught in Management::urn:iControl:Management/KeyCertificate::key_import_from_pem() 01020066:3: The requested Certificate Key File (private_key_file_name) already exists in partition partition_name. | F5 Bug 614865: The BIG-IP system may ignore iControl calls to overwrite an existing key or certificate https://support.f5.com/kb/en-us/solutions/public/k/70/sol70340015.html | No GA hotfix as of November 2016. This issue causes minimal impact on Trust Protection Platform 16.4 because the need to use the "overwrite" functionality has been minimized by comparing certificates when a name collision occurs. https://support.f5.com/kb/en-us/products/big-ip_ltm/releasenotes/related/relnote-supplement-hotfix-bigip-12-1-0.html#A614865-1 |
| 12.0.0 through 12.0.0-HF2 | F5 Onboard Discovery out of memory error: "Exception caught in Management::urn:iControl:Management/KeyCertificate::certificate_export_to_pem()" | F5 Bug 564427: iControl SOAP: memory leak in Management::KeyCertificate::get_certificate_list_v2 https://support.f5.com/kb/en-us/solutions/public/k/84/sol84349750.html | This has been fixed beginning with 12.0.0-HF3. https://support.f5.com/kb/en-us/solutions/public/k/84/sol84349750.html |
| 12.0.0 | Install Certificate Chain (ca_bundle_name) failed with error: Unknown error 16908390 | F5 Bug 563760-1: iControl call certificate_add_pem_to_bundle fails with the message that the certificate file already exists in the partition | This has been fixed beginning with 12.1.0. https://support.f5.com/kb/en-us/products/big-ip_ltm/releasenotes/related/relnote-supplement-hotfix-bigip-12-0-0.html#A563760-1 |
Trust Protection Platform cannot detect the FIPS synchronization issue with versions 11.0.1 through 11.2.0. After provisioning, everything appears to have been installed and synchronized correctly. However, an SSL session on the F5 node that should have received the synchronized key will fail, because the private key was not actually installed or updated there. This issue is outside the control of Trust Protection Platform, and it does not occur in iControl versions 11.2.1 or higher.
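The notes for F5 Bug 614865 say that overwrite calls are minimized by comparing certificates when a name collision occurs. The following is an added example of that kind of comparison, not Venafi's driver code: `plan_install`, `overwrite_took_effect`, the `existing` inventory dictionary and the sample PEM blocks are all hypothetical, and the sample payloads are constructed bytes rather than real certificates.

```python
import base64
import hashlib
import ssl


def cert_fingerprint(pem: str) -> str:
    """SHA-256 of the DER bytes, so PEM line wrapping and whitespace are ignored."""
    der = ssl.PEM_cert_to_DER_cert(pem.strip())
    return hashlib.sha256(der).hexdigest()


def plan_install(name: str, new_pem: str, existing: dict) -> str:
    """Decide what to do with `new_pem` given the objects already on the device.

    `existing` maps object name -> PEM currently stored (hypothetical inventory).
    """
    current = existing.get(name)
    if current is None:
        return "create"      # no name collision
    if cert_fingerprint(current) == cert_fingerprint(new_pem):
        return "skip"        # same certificate: no overwrite call needed
    return "overwrite"       # different certificate under the same name


def overwrite_took_effect(new_pem: str, exported_pem: str) -> bool:
    """Added check (assumption: the object can be re-exported after the call):
    confirm the device now holds the certificate that was sent."""
    return cert_fingerprint(new_pem) == cert_fingerprint(exported_pem)


def make_pem(der: bytes, width: int) -> str:
    """Wrap bytes as a PEM certificate block with the given line width."""
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + width] for i in range(0, len(b64), width)]
    return ("-----BEGIN CERTIFICATE-----\n" + "\n".join(lines)
            + "\n-----END CERTIFICATE-----\n")


# Constructed sample data: placeholder bytes, not real X.509 certificates.
SAMPLE_A = b"constructed-sample-cert-A" * 4
SAMPLE_B = b"constructed-sample-cert-B" * 4
PEM_A_WRAP64 = make_pem(SAMPLE_A, 64)   # same bytes, 64-column wrapping
PEM_A_WRAP76 = make_pem(SAMPLE_A, 76)   # same bytes, 76-column wrapping
PEM_B = make_pem(SAMPLE_B, 64)          # different bytes

if __name__ == "__main__":
    on_device = {"web": PEM_A_WRAP64}
    for label, pem in (("re-wrapped A", PEM_A_WRAP76), ("B", PEM_B)):
        print(label, "->", plan_install("web", pem, on_device))
```

Comparing DER fingerprints rather than PEM text means a re-exported certificate with different line wrapping is still recognized as the same object, so only a genuinely different certificate under the same name leads to an overwrite call.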