This table describes configuration options for FIPS system recovery.
| Option | Description |
|---|---|
| Configure a device group | Configure the BIG-IP® devices in a device group with the FIPS HSMs synchronized. In the event of a system failure, the standby unit becomes active and handles incoming traffic. Contact F5® to arrange a Return Material Authorization (RMA) for the failed BIG-IP device, and then follow the steps for implementing a replacement unit to recover the failed BIG-IP device. |
| Configure an additional unit for recovery | Fully configure a third unit, add it to the security domain, and synchronize the configurations. Remove the unit from the network and store it in a secure location. If the BIG-IP® system in production is damaged or destroyed, you can use the backup unit to reconstitute the security domain. |
| Save the keys on a disk | Generate the private keys outside of the FIPS HSM. Copy the non-FIPS protected keys to a secure external location as a backup. Then convert the non-FIPS keys into FIPS keys on the BIG-IP system. The keys on the BIG-IP system are now protected by the FIPS HSM. If there is a catastrophic system failure, use the non-FIPS protected backup keys to repopulate the FIPS HSM. This method for backup is not FIPS-compliant. |