Manual Chapter: About FIPS hardware-based HSMs

The BIG-IP 6900, 8900, 10000, 11000, and 11050 platforms are available with a FIPS-certified hardware security module (HSM) as a factory-installed option.

The internal HSM and the BIG-IP key management software provide FIPS 140 level 2 support. This level of support provides security benefits, such as:

  • Private keys are stored in the internal HSM where they are protected from physical and software attacks.
  • Private keys can never be extracted in plain text format.
Important: Because of hardware differences, it is not possible to synchronize security domains between the newer platforms (10000/11000/11050 platforms) and older platforms (6900/8900 platforms).

About setting up the BIG-IP systems

You can configure a device group using two platforms with a FIPS card installed in each unit. When setting up a FIPS solution on a device group, you install the two systems and connect to a serial console.

After you have set up the systems, you can create the FIPS security domain by initializing the HSM and creating a security officer (SO) password.

Initializing the HSM in the 6900/8900 platforms

You must initialize the hardware security module (HSM) installed in each unit (internal HSM) before you can use it. When you are creating a device group using more than one FIPS platform, you initialize the HSM on one unit, and then initialize the HSM on a peer unit using the same security domain name that you used on the first unit.
Note: You can initialize the HSM and create the security domain before you license the system and create a traffic management configuration.
  1. Log on to the command line of the system using the root account.
  2. Open the Traffic Management Shell (tmsh).
    tmsh
  3. View information about the HSM.
    run util fips-util info
    A summary similar to this example displays:
    Label: F5FIPS
    HSM Serial Number: 8100298
    Hardware ID: 0x0
    Firmware Version: 4.7.1
    Total FLASH: 14286412
    Free FLASH: 14286412
    Total SRAM: 16984956
    Free SRAM: 16981884
  4. Initialize the HSM and set a security officer (SO) password.
    run util fips-util -f init
    Important: Running the fipsutil init command deletes all keys in the FIPS HSM and makes any previously exported keys unusable.
    Note: F5 recommends that you choose a strong value for the SO password.
    The initialization process begins. When prompted, type an SO password.
    NFB Initialization Process
    WARNING - all private keys in NFB will be erased after SO password is entered!
    Any configuration objects dependent on FIPS keys will cause the configuration fail to load.
    Passwords must be at least 7 characters in length.
    Enter no password if you instead wish to cancel.
    New SO Password:
    Re-enter new SO Password:
  5. When this message displays, type a security domain name.
    Initializing NFB...
    The security domain name must be the same on all FIPS machines.
    Please enter your security domain name:
    Keep the security domain name and password in a secure location. You need the domain name and password when you initialize the HSM on the peer unit. This information is also required when replacing a unit (for RMA or other reasons).
    Important: The domain name cannot be extracted or displayed by the software or hardware after you set it.
    When the initialization process completes successfully, this message displays:
    The FIPS device has been initialized.
  6. Enable the HSM device by either rebooting the unit or restarting all services.
    restart sys service all
    Note: Restarting services disrupts load-balanced traffic and might terminate remote login sessions to the system.
After you complete the initialization process on the first unit, you can initialize the peer system and add it to the security domain of the first unit.

Initializing the HSM in the 10000/11000/11050 platforms

You must initialize the hardware security module (HSM) installed in each unit (internal HSM) before you can use it. When you are creating a device group using more than one FIPS platform, you initialize the HSM on one unit, and then initialize the HSM on a peer unit using the same security domain name that you used on the first unit.
Note: You can initialize the HSM and create the security domain before you license the system and create a traffic management configuration.
  1. Log on to the command line of the system using the root account.
  2. Open the Traffic Management Shell (tmsh).
    tmsh
  3. View information about the HSM.
    run util fips-util info
    A summary similar to the following displays:
    Label: f5site09
    Model: NITROX XL CN16XX-NFBE
    Serial Number: k8vjumsaportsaks
    FIPS state: 2
    MaxSessionCount: 10240
    SessionCount: 1
    MaxPinLen: 14
    MinPinLen: 7
    TotalPublicMemory: 467348
    FreePublicMemory: 62876
    TotalUserKeys: 3996
    AvailableUserKeys: 3996
    Loging failures:
      user: 0
      officer: 0
    HW version: 2.0
    Firmware version: CN16XX-NFBE-FW-1.2-101022
  4. Initialize the HSM and set a security officer (SO) password.
    run util fips-util -f init
    Note: The initialization process takes a few minutes to complete.
    The initialization process begins. When prompted, type an SO password.
    WARNING: This erases all keys from the FIPS 140 device.
    Any configuration objects dependent on FIPS keys will cause the configuration fail to load.
    ==================== WARNING ================================
    The FIPS device will be reset to factory default state.
    All keys and user identities currently stored in the device will be erased.
    Any configuration objects dependent on FIPS keys will cause the configuration fail to load.
    Press <ENTER> to continue or Ctrl-C to cancel
    Resetting the device ...
    The FIPS device is now in factory default state.
    Enter new Security Officer password (min. 7, max. 14 characters):
    Re-enter Security Officer password:
  5. When the following message displays, type a security domain name.
    NOTE: security domain label must be identical on peer FIPS devices in order to be able to synchronize with them.
    Enter security domain label (max. 50 chars, default: F5FIPS):
    Keep the security domain name and password in a secure location. You need the domain name and password when you initialize the internal HSM on the peer unit. This information is also required when replacing a unit (for RMA or other reasons).
    Important: The domain name cannot be extracted or displayed by the software or hardware after you set it.
    Initializing new security domain (f5site09)...
    Creating crypto user and crypto officer identities
    Waiting for the device to re-initialize ...
    Creating key encryption key (KEK)
    The FIPS device has been initialized.
  6. Enable the HSM device using one of the following options:
    • Reboot the unit.
    • Restart all services:
      restart sys service all
      Note: Restarting services disrupts load-balanced traffic and might terminate remote login sessions to the system.
After you complete the initialization process on the first unit, you can initialize the peer system and add it to the security domain of the first unit. Optionally, you can use the same SO password that you used on the first unit.

Synchronizing the HSMs

Before you can synchronize the FIPS hardware security modules (HSMs), you must ensure that the target HSM:

  • Is already initialized
  • Has an identical security domain label
  • Does not contain existing keys

The target device must also be reachable using SSH from the source device.

Synchronizing the HSMs enables you to copy keys from one HSM to another. This is also required to synchronize BIG-IP configuration in a device group.
Note: You only need to perform the synchronization process during the initial configuration of a pair of devices. After the two devices are in sync, they remain in sync.
  1. Log on to the command line of the system using the root account.
  2. Open the Traffic Management Shell (tmsh).
    tmsh
  3. Synchronize the master symmetric key that is used to encrypt and decrypt keys as they are imported into or exported from the HSM, where <hostname> is the address or hostname of the synchronization target.
    run util fips-card-sync <hostname>
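The three preconditions listed above (initialized, identical security domain label, no existing keys) plus the hardware-generation restriction from the start of this chapter can be checked from the run util fips-util info summaries before touching fips-card-sync. The following Python is an added example, not part of the F5 documentation or of the BIG-IP software. It parses both summary formats shown in this chapter into a dictionary and reports anything that would block a sync. The one-field-per-line layout of the sample text, reading FIPS state: 2 as "initialized", comparing TotalUserKeys with AvailableUserKeys to detect existing keys, and using the presence of a Model field to distinguish the 10000/11000/11050 summary from the 6900/8900 one are assumptions made for this example.

```python
import re
from typing import Dict, List

# Sample summaries constructed from the two examples in this chapter.
# The real command prints one field per line; that layout is assumed here.
OLD_PLATFORM_INFO = """\
Label: F5FIPS
HSM Serial Number: 8100298
Hardware ID: 0x0
Firmware Version: 4.7.1
Total FLASH: 14286412
Free FLASH: 14286412
Total SRAM: 16984956
Free SRAM: 16981884
"""

NEW_PLATFORM_INFO = """\
Label: f5site09
Model: NITROX XL CN16XX-NFBE
Serial Number: k8vjumsaportsaks
FIPS state: 2
MaxSessionCount: 10240
SessionCount: 1
MaxPinLen: 14
MinPinLen: 7
TotalPublicMemory: 467348
FreePublicMemory: 62876
TotalUserKeys: 3996
AvailableUserKeys: 3996
Loging failures:
  user: 0
  officer: 0
HW version: 2.0
Firmware version: CN16XX-NFBE-FW-1.2-101022
"""

FIELD_RE = re.compile(r"^\s*([^:]+?)\s*:\s*(.*?)\s*$")


def parse_fips_info(text: str) -> Dict[str, str]:
    """Turn 'Key: value' lines into a dict keyed by lower-cased field name.

    The nested 'Loging failures:' block is flattened: 'user' and 'officer'
    become top-level keys, which is enough for the checks below.
    """
    fields: Dict[str, str] = {}
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if m:
            fields[m.group(1).lower()] = m.group(2)
    return fields


def sync_readiness(source: Dict[str, str], target: Dict[str, str]) -> List[str]:
    """Return the problems that would block 'run util fips-card-sync' from
    source to target; an empty list means the target looks ready."""
    problems: List[str] = []

    # The Label field is the security domain label (the chapter shows the
    # domain name being echoed back as 'Label'); it must match on both units.
    if source.get("label") != target.get("label"):
        problems.append(
            f"security domain label differs: {source.get('label')!r} "
            f"vs {target.get('label')!r}"
        )

    # Older and newer hardware generations cannot share a security domain.
    # Assumption: only the newer summary carries a 'Model' field.
    if ("model" in source) != ("model" in target):
        problems.append("source and target are different platform generations")

    # Assumption: on the newer platforms 'FIPS state: 2' means initialized.
    if "fips state" in target and target["fips state"] != "2":
        problems.append(f"target is not initialized (FIPS state {target['fips state']})")

    # The target must not already hold keys: every user key slot must be free.
    total, avail = target.get("totaluserkeys"), target.get("availableuserkeys")
    if total is not None and avail is not None and total != avail:
        problems.append(f"target already holds {int(total) - int(avail)} key(s)")

    # Failed SO or user logins on the target deserve a look before a sync.
    for who in ("user", "officer"):
        if target.get(who, "0") != "0":
            problems.append(f"target reports {target[who]} failed {who} login(s)")

    return problems


if __name__ == "__main__":
    src = parse_fips_info(NEW_PLATFORM_INFO)
    for name, tgt_text in (("peer", NEW_PLATFORM_INFO), ("old-gen", OLD_PLATFORM_INFO)):
        issues = sync_readiness(src, parse_fips_info(tgt_text))
        print(name, "ready" if not issues else "; ".join(issues))
```

Run the summaries captured from both units through parse_fips_info and call sync_readiness(source, target); only an empty result means the target satisfies the preconditions in this section.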

About managing FIPS keys using the Configuration utility

You can use the Configuration utility to create FIPS (internal HSM) keys, import existing keys into the system, and convert existing keys to FIPS keys.

Creating FIPS keys using the Configuration utility

You can use the Configuration utility to create FIPS keys.
  1. On the Main tab, click System > File Management > SSL Certificate List. This displays the list of certificates installed on the system.
  2. Click Create. The New SSL Certificate screen opens.
  3. In the Name field, type a unique name for the certificate.
  4. From the Issuer list, specify the type of certificate that you want to use.
    • To request a certificate from a CA, select Certificate Authority.
    • For a self-signed certificate, select Self.
  5. Configure the Common Name setting and any other settings as needed.
  6. In the Key Properties area, select a key size from the Size list.
  7. From the Security Type list, select FIPS.
  8. Click Finished.

Importing keys using the Configuration utility

You can use the Configuration utility to import existing keys into the system.
  1. On the Main tab, click System > File Management > SSL Certificate List. This displays the list of certificates installed on the system.
  2. Click Import.
  3. From the Import Type list, select Key.
  4. For the Key Name setting, click Create New.
  5. In the Key Name field, type a name for the key.
  6. From the Key Source setting, click either Upload File or Paste Text.
    • If you click Upload File, type a file name or click Browse and select a file.
    • If you click Paste Text, copy the text from another source and paste the text into the Key Source screen.
  7. Click Import.
After you import the key, you can convert it to a FIPS key.

Converting a key to FIPS using the Configuration utility

You can use the Configuration utility to convert an existing key to a FIPS key.
  1. On the Main tab, click System > File Management > SSL Certificate List. This displays the list of certificates installed on the system.
  2. Click a certificate name. This displays the properties of that certificate.
  3. On the menu bar, click Key. This displays the type and size of the key associated with the certificate.
  4. Click Convert to FIPS to convert the key to a FIPS key. The key is converted and appears in the list as a FIPS key. After the key is converted, this process cannot be reversed.

About managing FIPS keys using tmsh

You can use the Traffic Management Shell (tmsh) to create FIPS (internal HSM) keys, import existing keys into the BIG-IP system, and convert existing keys to FIPS keys.

Creating FIPS keys using tmsh

You can use the Traffic Management Shell (tmsh) to create FIPS keys.
  1. Log on to the command line of the system using the root account.
  2. Open the Traffic Management Shell (tmsh).
    tmsh
  3. Create a basic key.
    create sys crypto key <key_object_name> security-type fips
    For information about additional options for this command, view the sys crypto key man page:
    help sys crypto key
    Note: The key creation process takes a few minutes to complete. If you are using a 4096 bit key, F5 recommends that you create the key externally and then import it.

Importing FIPS keys using tmsh

You can use the Traffic Management Shell (tmsh) to import existing keys into the system.
  1. Log on to the command line of the system using the root account.
  2. Open the Traffic Management Shell (tmsh).
    tmsh
  3. Import a key.
    install sys crypto key <key_object_name> from-local-file <path_to_key_file> security-type fips
    This example imports an internal HSM key named mykey from a local key file stored in the /shared/tmp directory:
    install sys crypto key mykey from-local-file /shared/tmp/mykey.pem security-type fips

Converting a key to FIPS using tmsh

You can use the Traffic Management Shell (tmsh) to convert a key to a FIPS key.
  1. Log on to the command line of the system using the root account.
  2. Open the Traffic Management Shell (tmsh).
    tmsh
  3. Convert an existing key to FIPS.
    install sys crypto key <key_object_name> security-type fips

FIPS system recovery options

Option: Configure a device group
Description: Maintain a device group so that in the event of a failure, the standby unit becomes active and handles the incoming traffic. After you configure failover properly, you need to synchronize FIPS HSM and key information for the security domain every time you synchronize the configuration of the device group.

Option: Configure an additional unit for recovery
Description: Fully configure a third unit, add it to the security domain, and synchronize the configurations. Remove the unit from the network and store it in a secure location. If the BIG-IP system in production is damaged or destroyed, you can use the backup unit to reconstitute the security domain.

Option: Save the keys on a disk
Description: Copy and save the keys to a disk. Generate the keys in software, copy the keys to a disk, and then store the disk in a secure location. If there is a catastrophic system failure, import the keys into the internal HSM and use these backup keys to create the security domain.
CAUTION:
This method for backup is not FIPS-compliant.

Recovering HSM information after a system failure

Before you recover hardware security module (HSM) information, ensure that the BIG-IP software is configured and then install your saved UCS file on the new replacement system. For information about backup and recovery of a BIG-IP system UCS file, see http://support.f5.com.
If one unit of a device group fails, the failover unit becomes active and maintains the HSM information. After you replace the failed unit in a device group, you need to restore the HSM information on the replacement unit.
  1. Connect the currently active unit to the replacement unit.
  2. On the replacement unit, initialize the FIPS card.
    fipsutil -f init
    CAUTION:
    Be sure to run this command sequence on the replacement unit. If you run it on the currently active unit, you will overwrite your existing FIPS unit and lose all of your keys.
    Note: Be sure that you use the same security domain that you specified when you initially set up the currently active unit.
  3. On the currently active unit, copy information from the currently active unit to the replacement unit.
    fipscardsync peer
    CAUTION:
    Be sure to run this command sequence from the currently active unit. If you run this command from the replacement unit, you will lose the original FIPS information.
  4. On the currently active unit, copy the full configuration to the replacement system using either the Configuration utility or tmsh.
    Important: Synchronizing the configuration also synchronizes the keys stored in the HSM.
The replacement system is now ready to function as the failover unit in a device group.

Other FIPS platform management tmsh commands

This table lists other tmsh commands that you can use to manage your FIPS platform.

Command: show sys crypto fips
Description: Lists keys in the FIPS card.

Command: list sys crypto key
Description: Lists keys in the BIG-IP configuration.

Command: delete sys crypto key <key_object_name>
Description: Deletes a key from the BIG-IP configuration and the FIPS card.

Command: delete sys crypto fips by-handle <key_handle>
Description: Deletes a key from the FIPS card only. Key handles are obtained using the show sys crypto fips command sequence.
CAUTION:
Use this command sequence only in the rare circumstance when you need to delete keys that no longer have configuration objects from the card (for example, keys that do not show up when you run the list sys crypto key command sequence).
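The caution above describes the one situation where deleting by handle is appropriate: a key that exists in the card but has no configuration object. The following Python is an added example, not part of the F5 documentation or of the BIG-IP software, that reconciles the two listings before anyone types a delete command. It reports card keys with no configuration object (candidates for delete sys crypto fips by-handle) and, in the other direction, FIPS keys in the configuration with no card key, which is the condition the initialization warnings say will stop the configuration from loading. The line layouts of the two sample listings are constructed for this example and do not reproduce the real show sys crypto fips or list sys crypto key output; it is also assumed that a key's label in the card equals its configuration object name.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample listings. CARD_LISTING stands in for the keys in the
# FIPS card (show sys crypto fips); CONFIG_LISTING stands in for the keys
# in the BIG-IP configuration (list sys crypto key). Layouts are assumed.
CARD_LISTING = """\
handle 1  label default.key
handle 2  label www_example.key
handle 3  label retired_test.key
"""

CONFIG_LISTING = """\
sys crypto key default.key {
    security-type fips
}
sys crypto key www_example.key {
    security-type fips
}
sys crypto key never_synced.key {
    security-type fips
}
sys crypto key software.key {
}
"""

CARD_RE = re.compile(r"^\s*handle\s+(\S+)\s+label\s+(\S+)\s*$")
CONFIG_RE = re.compile(r"^sys crypto key (\S+) \{$")


def parse_card(text: str) -> Dict[str, str]:
    """Map each key handle in the card listing to its label."""
    handles: Dict[str, str] = {}
    for line in text.splitlines():
        m = CARD_RE.match(line)
        if m:
            handles[m.group(1)] = m.group(2)
    return handles


def parse_config(text: str) -> Dict[str, bool]:
    """Map each configured key name to True when it is a FIPS key.

    A key object without a 'security-type fips' line is treated as a
    software key and is not expected to be present in the card.
    """
    keys: Dict[str, bool] = {}
    current = None
    for line in text.splitlines():
        m = CONFIG_RE.match(line)
        if m:
            current = m.group(1)
            keys[current] = False
        elif current is not None and line.strip() == "security-type fips":
            keys[current] = True
    return keys


def reconcile(card: Dict[str, str], config: Dict[str, bool]) -> Tuple[Dict[str, str], List[str]]:
    """Return (orphans, missing).

    orphans: card handle -> label for keys with no configuration object.
    missing: FIPS keys in the configuration that are absent from the card.
    """
    orphans = {h: label for h, label in card.items() if label not in config}
    in_card = set(card.values())
    missing = [name for name, is_fips in config.items() if is_fips and name not in in_card]
    return orphans, missing


def cleanup_commands(orphans: Dict[str, str]) -> List[str]:
    """Build the by-handle delete commands for review; nothing is executed."""
    return [f"delete sys crypto fips by-handle {h}" for h in sorted(orphans)]


if __name__ == "__main__":
    orphans, missing = reconcile(parse_card(CARD_LISTING), parse_config(CONFIG_LISTING))
    for cmd in cleanup_commands(orphans):
        print("candidate:", cmd, "#", orphans[cmd.rsplit(" ", 1)[1]])
    for name in missing:
        print("FIPS key configured but not in card:", name)
```

Treat the printed commands as a review list: confirm each orphan label against the card listing on the active unit before running any of them, and resolve every "configured but not in card" entry by synchronizing the HSMs rather than by deleting anything.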