You can use the Thales nShield Connect to store and manage token-, module-, and softcard-protected keys.
For additional information about using Thales nShield Connect, refer to the Thales website: https://www.thales-esecurity.com/products-and-services/products-and-services/hardware-security-modules/general-purpose-hsms/nshield-connect
There are three types of key protection available for use with the BIG-IP® system and Thales nShield Connect: token (OCS), module, and softcard.
All options are equally secure, and the main difference is the authorization requirement. As a general rule, if you have no particular security or regulatory requirement, you can default to softcard protection. Thales prefers the use of physical tokens for authorization. In the case of Operator Cards, Thales recommends making a 1/N card set, where N is greater than the total number of nShield Connects. For more information about card sets, refer to the Thales user guides.
The implementation process involves configuring a key protection type, creating and loading a token-, module-, or softcard-protected key and certificate, and then creating a client SSL profile that uses the key and certificate.
On the BIG-IP® system, you can choose among the Thales-supported types of key protection: module, softcard, and OCS. By default, the installation script sets up the appliance to create and use module-protected keys. F5 recommends that you keep only one set of cardset files (cards* or softcard*) in the $NFAST_KMDATA/local directory.
In this release, only one type of key protection (PKCS#11 slot) can be configured for active use. You need to configure the key protection type for a slot by enabling the type you want, and disabling the others.
module: The module-protected key option is enabled by default. To enable this protection type, no further action is required; you can proceed to the next section.
Note: The softcard passphrase used in the ppmk command must match the passphrase used when setting up the Thales nShield Connect client on the BIG-IP system (the password given in the command tmsh create/modify sys crypto fips external-hsm password <password>).
Note: If the OCS is configured with a passphrase on the Thales HSM, you must enter it when prompted for the Thales HSM slot password, even if you only want to use module keys.
fipskey.nethsm --genkey -o <output_file> -c token
fipskey.nethsm --genkey -o <output_file> -c module
fipskey.nethsm --genkey -o <output_file> -c softcard
This example loads the external HSM key named my_key.key from a local key file stored in the /config/ssl/ssl.key/ directory:
install sys crypto key my_key.key from-local-file /config/ssl/ssl.key/my_key.key
The Thales client software maps the local key to the appropriate protected key.
This example loads the certificate named my_key.crt from a local certificate file stored in the /config/ssl/ssl.crt/ directory:
install sys crypto cert my_key.crt from-local-file /config/ssl/ssl.crt/my_key.crt
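As an added example (not F5 or Thales code), the following POSIX shell helpers tie the steps above together: a pre-flight check that only one kind of cardset file (cards* or softcard*) is present in $NFAST_KMDATA/local, a builder for the fipskey.nethsm command for the chosen protection type, and a function that installs the key and certificate and binds them to a client SSL profile. It assumes fipskey.nethsm and tmsh are on PATH on the BIG-IP system, that $NFAST_KMDATA defaults to /opt/nfast/kmdata when unset, and that the client SSL profile is created with the tmsh form `create ltm profile client-ssl NAME cert CERT key KEY` (an assumption, not stated on this page).

```shell
#!/bin/sh
# Added example: pre-flight and provisioning helpers for nShield-protected keys on BIG-IP.
# Not F5 or Thales code; fipskey.nethsm and tmsh are assumed to be on PATH.

# Count files in a kmdata "local" directory that begin with PREFIX ("cards" or "softcard").
count_cardsets() {
    dir=$1; prefix=$2
    n=0
    for f in "$dir"/"$prefix"*; do
        [ -e "$f" ] && n=$((n + 1))
    done
    echo "$n"
}

# Return 0 when at most one kind of cardset file is present (none at all is fine for
# module protection); return 1 when OCS and softcard files coexist, which F5 advises against.
check_kmdata_local() {
    dir=${1:-${NFAST_KMDATA:-/opt/nfast/kmdata}/local}   # default path is an assumption
    ocs=$(count_cardsets "$dir" cards)
    sc=$(count_cardsets "$dir" softcard)
    if [ "$ocs" -gt 0 ] && [ "$sc" -gt 0 ]; then
        echo "warning: both OCS (cards*: $ocs) and softcard (softcard*: $sc) files in $dir" >&2
        return 1
    fi
    return 0
}

# Print the fipskey.nethsm command for one of the three protection types from the page;
# return 1 for anything else so a typo cannot silently produce the wrong key type.
genkey_command() {
    out=$1; kind=$2
    case "$kind" in
        token|module|softcard) echo "fipskey.nethsm --genkey -o $out -c $kind" ;;
        *) echo "unknown protection type: $kind" >&2; return 1 ;;
    esac
}

# Install the key and certificate from the standard local directories (tmsh commands as on the
# page) and create a client SSL profile that uses them (assumed tmsh syntax).
provision_profile() {
    name=$1; key=$2; cert=$3
    tmsh install sys crypto key "$key" from-local-file "/config/ssl/ssl.key/$key" &&
    tmsh install sys crypto cert "$cert" from-local-file "/config/ssl/ssl.crt/$cert" &&
    tmsh create ltm profile client-ssl "$name" cert "$cert" key "$key"
}
```

Run check_kmdata_local before generating a key; a non-zero status means the local kmdata directory holds both OCS and softcard files and should be cleaned up first.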