The Thales nShield Connect is an external HSM that is available for use with BIG-IP® systems. Because it is network-based, you can use the Thales nShield Connect solution with all BIG-IP platforms, including VIPRION® Series chassis and BIG-IP Virtual Edition (VE).
The Thales nShield Connect architecture includes a component called the Remote File System (RFS) that stores and manages the encrypted key files. The RFS can be installed on the BIG-IP system or on another server on your network.
The BIG-IP system is a client of the RFS, and all BIG-IP systems that are enrolled with the RFS can access the encrypted keys from this central location.
Only RSA-based cipher suites use the network HSM.
After you install the Thales nShield Connect client on the BIG-IP system, the keys stored in the Thales HSM and the corresponding certificates are available for use with Access Policy Manager® and Application Security Manager™.
For additional information about using Thales nShield Connect, refer to the Thales website (https://www.thales-esecurity.com).
Before you can use Thales nShield Connect with the BIG-IP® system, you must make sure that these requirements are in place:
Additionally, before you begin the installation process, make sure that you can locate these items on the installation DVD that ships with the Thales hardware unit:
The implementation process involves preparation of the Thales nShield Connect device.
Before you can set up the Thales nShield Connect components on a BIG-IP® system, you must obtain the Thales 64-bit Linux ISO CD and copy files from the CD to specific locations on the BIG-IP system using secure copy (SCP). F5 Networks has tested these integration steps with Thales Security World Software for Linux 64-bit. For questions about Thales components, consult your Thales representative.
| File to copy from the CD | Location to place file on BIG-IP |
|---|---|
nethsm-thales-rfs-install.sh --hsm_ip_addr=192.168.13.59 --rfs_interface=eth0
The RFS interface option is the interface the BIG-IP uses to connect to the HSM.
To use the Thales nShield Connect device with the BIG-IP system, you must first set up the Thales client on the BIG-IP system. For the enrollment to work properly, the IP address of the BIG-IP system must be registered as a client of the networked HSM. On a VIPRION® system that connects over the admin interfaces, the IP address of each blade and the chassis IP address must all be added as clients. You set up the client IP address using the front panel of the nShield Connect device, or by pushing the client configuration. For details about how to add, edit, and view clients, refer to the Thales documentation.
If you are setting up the Thales client on a VIPRION® system, you run the configuration script only on the primary blade, and then the system propagates the configuration to the additional active blades.
nethsm-thales-install.sh --hsm_ip_addr=<nShield_Connect_device_IP_address> --rfs_ip_addr=<remote_RFS_server_IP_address> --rfs_username=<remote_RFS_server_username_for_SSH_login>
The following example sets up the client where the Thales nShield Connect device has an IP address of 192.168.13.59, the remote RFS has an IP address of 192.168.13.58, the user name for an SSH login to the RFS is root, and the Thales client interface is the management interface:
nethsm-thales-install.sh --hsm_ip_addr=192.168.13.59 --rfs_ip_addr=192.168.12.58 --rfs_username=root
nethsm-thales-install.sh --hsm_ip_addr=<nShield_Connect_device_IP_address> --rfs_interface=<local_RFS_server_interface>
The following example sets up the client where the Thales nShield Connect device has an IP address of 22.214.171.124 and the RFS is installed on the BIG-IP system using the eth0 interface:
nethsm-thales-install.sh --hsm_ip_addr=126.96.36.199 --rfs_interface=eth0
Alternatively, an RFS installed on the BIG-IP system can use a TMM interface (that is, a VLAN) instead of a management interface:
nethsm-thales-install.sh --hsm_ip_addr=10.20.20.1 --rfs_interface=<VLAN_name>
chmod 755 -R /opt/nfast/bin
chown -R nfast:nfast /opt/nfast/kmdata/
chmod 700 -R /opt/nfast/kmdata/tmp/nfpriv_root
chown -R root:root /opt/nfast/kmdata/tmp/nfpriv_root
Server:
 serial number CB9E-745E-F901 A1D0-2DBE-AD98 5286-D07F-7601
 mode operational
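The two steps above (the permission fix on /opt/nfast and the enquiry output check) are the usual post-install sanity checks. The following script is an added example written for this page, not part of the F5 or Thales installers: it verifies that the key-material directories still carry the modes the install step sets, and it parses enquiry output to confirm the server reports mode operational before the HSM is put into service. The NFAST_ROOT variable, the function names, and the sample enquiry text (constructed to match the layout shown above, with a placeholder module serial) are this example's own; the serial number is the one shown on this page.

```shell
#!/bin/sh
# Post-install sanity check for a Thales nShield Connect client on BIG-IP.
# Example code added to this page (not F5 or Thales code). It assumes the
# directory layout from the chmod/chown step above and the layout of the
# `enquiry` output shown above. NFAST_ROOT and the function names are
# this example's own choices.

NFAST_ROOT="${NFAST_ROOT:-/opt/nfast}"

# Return 0 when every entry under bin is mode 755 and every entry under
# kmdata/tmp/nfpriv_root is mode 700, i.e. the modes set in the install
# step. Each mismatch is printed so the operator can see what to fix.
check_nfast_modes() {
    root="${1:-$NFAST_ROOT}"
    rc=0
    for spec in "bin:755" "kmdata/tmp/nfpriv_root:700"; do
        path="$root/${spec%%:*}"
        want="${spec##*:}"
        if [ ! -d "$path" ]; then
            echo "missing: $path"
            rc=1
            continue
        fi
        # -perm with an exact mode lists entries whose bits differ from it
        bad=$(find "$path" ! -perm "$want" -print)
        if [ -n "$bad" ]; then
            echo "entries under $path not mode $want:"
            echo "$bad"
            rc=1
        fi
    done
    return $rc
}

# Read enquiry output on stdin. Only the Server: section is examined; the
# function prints the server serial number and returns 0 when the mode
# field is "operational", otherwise it reports the mode and returns 1.
enquiry_is_operational() {
    awk '
        /^Server:/ { in_server = 1; next }
        /^Module/  { in_server = 0 }
        in_server && /serial number/ {
            sub(/.*serial number[ \t]*/, ""); serial = $0
        }
        in_server && /^[ \t]*mode[ \t]/ { mode = $2 }
        END {
            if (mode == "operational") { print serial; exit 0 }
            print "HSM server mode: " (mode == "" ? "unknown" : mode) > "/dev/stderr"
            exit 1
        }'
}

# Constructed sample of enquiry output, shaped like the excerpt above.
# The module serial is a placeholder, not a real value.
sample_enquiry() {
    cat <<'EOF'
Server:
 enquiry reply flags  none
 serial number        CB9E-745E-F901 A1D0-2DBE-AD98 5286-D07F-7601
 mode                 operational
Module #1:
 serial number        MODULE-SERIAL-PLACEHOLDER
 mode                 operational
EOF
}

# Run both checks against the live system. `enquiry` is the Thales
# utility installed under /opt/nfast/bin by the client package.
main() {
    check_nfast_modes "$NFAST_ROOT" || return 1
    serial=$("$NFAST_ROOT/bin/enquiry" | enquiry_is_operational) || return 1
    echo "HSM server $serial is operational; file modes OK"
}

# Only run main when invoked directly as nfast_check.sh, so the functions
# can also be sourced and used individually.
case "${0##*/}" in
    nfast_check.sh) main ;;
esac
```

Save the block as nfast_check.sh and run it as root on the BIG-IP after the install script and the chmod/chown step; a non-zero exit means either a directory under /opt/nfast has drifted from the expected mode or the HSM server is not reporting mode operational. Because `find ! -perm` checks exact modes, a single world-readable file left under nfpriv_root is enough to fail the check, which is the behaviour you want for a directory that holds private key material.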