Manual Chapter: About external HSMs and LTM

Thales nShield Connect is an external HSM that is available for use with BIG-IP systems. Because it is network-based, rather than hardware-based, you can use the Thales nShield Connect solution with all BIG-IP platforms, including VIPRION Series chassis. You can also use the Thales nShield Connect solution with BIG-IP Virtual Edition (VE).

The Thales nShield Connect architecture includes a component called the Remote File System (RFS) that stores and manages the encrypted key files. The RFS can be installed on the BIG-IP system or on another server on your network.

The BIG-IP system is a client of the RFS, and all BIG-IP systems that are enrolled with the RFS can access the encrypted keys from this central location. The RFS helps automate the key distribution process, but it is not required that you use RFS with this solution.

For additional information about using Thales nShield Connect, see the Thales Customer Support Portal (https://support.thales-esecurity.com/).

Important: If you are installing Thales nShield Connect on a BIG-IP system that will be licensed for Appliance mode, you must install the Thales nShield Connect software prior to licensing the BIG-IP system for Appliance mode.

Prerequisites for implementing BIG-IP and Thales nShield Connect

Before you can use Thales nShield Connect with the BIG-IP system, you must ensure that:

  • The Thales nShield Connect device is installed on your network.
  • The RFS is installed on your network, or you plan to install and set up the RFS on the BIG-IP system.
  • The Thales nShield Connect device, the RFS, and the BIG-IP system can initiate connections with each other through port 9004.
  • You have created the Thales Security World (security architecture).
  • The BIG-IP system is licensed for external interface and network HSM.
  • The BIG-IP system has FIPS 140-2 or FIPS 140-3 compliant ciphers, depending upon your security needs. For information about FIPS compliant ciphers, see Annex A: Approved Security Functions for FIPS PUB 140-2 (http://csrc.nist.gov/publications/fips/fips140-2/fips1402annexa.pdf) and SOL8802 for a complete list of supported ciphers on http://support.f5.com.
  • The BIG-IP system does not contain a FIPS Cavium card.
    Important: You cannot run the BIG-IP system with both internal and external HSMs at the same time.

Additionally, before you begin the installation process, ensure that you have access to:

  • The Thales Security World Software for Linux 64bit (Release 11.40 or higher)
  • The nShield_Connect_User_Guide.pdf

Installing Thales nShield Connect components on the BIG-IP system

Before you can set up the Thales nShield Connect components on a BIG-IP system, you must obtain the Thales 64 bit Linux ISO CD and copy files from the CD to specific locations on the BIG-IP system using secure copy (SCP).

You need to install files from the Thales 64 bit Linux ISO CD to the BIG-IP system.
  1. Log on to the command line of the system using the root account.
  2. Create a directory under /shared named thales_install/amd64/nfast:

    mkdir -p /shared/thales_install/amd64/nfast

  3. Copy files from the CD and place them in the specified directories (create the ctls, hwcrhk, hwsp, and pkcs11 subdirectories under /shared/thales_install/amd64/nfast first if they do not exist):

    File to copy from the CD                      Location to place file on BIG-IP
    /linux/libc6_3/amd64/nfast/ctls/agg.tar       /shared/thales_install/amd64/nfast/ctls/agg.tar
    /linux/libc6_3/amd64/nfast/hwcrhk/user.tar    /shared/thales_install/amd64/nfast/hwcrhk/user.tar
    /linux/libc6_3/amd64/nfast/hwsp/agg.tar       /shared/thales_install/amd64/nfast/hwsp/agg.tar
    /linux/libc6_3/amd64/nfast/pkcs11/user.tar    /shared/thales_install/amd64/nfast/pkcs11/user.tar
If you are not using an RFS installed on another server in your network, you must set up the RFS on the BIG-IP system. Additionally, you must set up the Thales client on the BIG-IP system.

Setting up the RFS on the BIG-IP system

Before you set up the RFS on the BIG-IP system, ensure that the Thales nShield Connect device is installed on your network and the Thales Security World is set up. Ensure that the RFS is installed on the BIG-IP system as well.
Important: Setting up the RFS on the BIG-IP system is optional. If the RFS is running on another server on your network, do not perform this task.
You can run the Thales Remote File System (RFS) on the BIG-IP system. To set up the RFS, you must run a script on the BIG-IP system.
Note: You only need one RFS on your network to store all HSM keys. All Thales nShield Connect clients use the same RFS to access the HSM keys.
  1. Log on to the command line of the system using the root account.
  2. Set up the RFS:

    nethsm-thales-rfs-install.sh --hsm_ip_addr=<Thales_nShield_Connect_device_IP_address> --rfs_interface=<local_interface_name>

    This example sets up the RFS to run on the BIG-IP system when the Thales nShield Connect device has an IP address of 192.27.13.59:

    nethsm-thales-rfs-install.sh --hsm_ip_addr=192.27.13.59 --rfs_interface=eth0

    Additional Option    Description
    -h                   Displays help
    -v                   Prints verbose output about operations
    --verbose=<level>    Indicates the message verbosity level (the default value is zero, and all levels greater than zero indicate verbose output)
After you set up the RFS on the BIG-IP system, you must set up the Thales nShield Connect client on each BIG-IP system that you want to use with the Thales nShield Connect device.

Setting up the Thales nShield Connect client on the BIG-IP system

Before you set up the Thales client, ensure that the Thales nShield Connect client is installed on the BIG-IP system and that the Security World has been set up. Additionally, ensure that the RFS is installed and set up on either a remote server or on the BIG-IP system on your network.
Note: If the Thales nShield Connect client was installed on a BIG-IP system before the RFS was installed on the network, then you must reinstall the client on the BIG-IP system.
Important: If there is a firewall between the BIG-IP system and the RFS, validate that both systems can initiate a connection through port 9004.
Before you can use the Thales nShield Connect device with the BIG-IP system, you must set up the Thales client on the BIG-IP system.
  1. Log on to the command line of the system using the root account.
  2. Set up the Thales nShield Connect client, using one of these options:
    • Set up the client when the RFS is remote:

      nethsm-thales-install.sh --hsm_ip_addr=<nShield_Connect_device_IP_address> --rfs_ip_addr=<remote_RFS_IP_address> --rfs_username=<remote_RFS_server_username_for_SSH_login> --interface=<Interface_name_of_Thales_client_on_BIG-IP>

      This example sets up the client where the Thales nShield Connect device has an IP address of 192.27.13.59, the remote RFS has an IP address of 192.27.13.58, the user name for an SSH login to the RFS is root, and the Thales client interface is the default of eth0:

      nethsm-thales-install.sh --hsm_ip_addr=192.27.13.59 --rfs_ip_addr=192.27.12.58 --rfs_username=root --interface=eth0

    • Set up the client when the RFS is set up on the BIG-IP system:

      nethsm-thales-install.sh --hsm_ip_addr=<nShield_Connect_device_IP_address> --rfs_interface=<local_RFS_server_interface>

      This example sets up the client where the Thales nShield Connect device has an IP address of 172.27.13.59 and the RFS is installed on the BIG-IP system using the eth0 interface:

      nethsm-thales-install.sh --hsm_ip_addr=172.27.13.59 --rfs_interface=eth0

Generating a key/certificate using Thales nShield Connect

Before you generate a key/certificate, ensure that the Thales nShield Connect client is running on the BIG-IP LTM system.
You can use the fipskey.nethsm utility to generate private keys and self-signed certificates on the BIG-IP system.
  1. Set the external HSM to Thales nShield Connect:

    fipskey.nethsm --hsm=Thales

  2. Generate a key:

    fipskey.nethsm --genkey -o <output_file>

    This example generates three files, /config/ssl/ssl.key/www.siterequest.com.key, /config/ssl/ssl.csr/www.siterequest.com.csr, and /config/ssl/ssl.crt/www.siterequest.com.crt:

    fipskey.nethsm --genkey -o www.siterequest.com

    Additional Option           Description
    -o                          Name applied to .key, .csr, and .crt output files
                                Important: This parameter is required.
    -c <token/module/softcard>  Type of protection
    -e <hex>                    Public exponent to use when generating RSA keys only.
                                Tip: Do not provide a value for this option unless advised to do so by F5 Technical Support.
    -g sha1                     Digest used to sign the key and certificate
    -k <name>                   Key name
    -m <yes/no>                 Store key in non-volatile RAM
    -n <integer>                Slot to read cards from
    -r <yes/no>                 Key recovery available
    -s <integer>                Size of key/certificate pair in bits
    -t RSA                      Key type
    -v <yes/no>                 Verification available
    -C                          Country identifier
    -D                          Domain name
    -E                          Email address to contact about the key
    -L                          Locality identifier
    -O                          Organization identifier
    -P                          Province identifier
    -U                          Organization unit identifier

    The key is saved in /config/ssl/ssl.key/<output_file>.key. The certificate request is saved in /config/ssl/ssl.csr/<output_file>.csr. The self-signed certificate is saved in /config/ssl/ssl.crt/<output_file>.crt.
After you generate a key and certificates, you need to import them into the BIG-IP configuration using tmsh.

About key protection

There are three types of key protection available for use with the BIG-IP system and Thales nShield Connect:

  • Module-protected keys are directly protected by the external HSM through the security world and can be used at any time without further authorization.
  • Softcard-protected keys are protected by a softcard and can be used by only an operator who possesses the assigned passphrases.
  • Token-protected keys are protected by a cardset and can be used by only an operator who possesses the Operator Card Set (OCS) token and any assigned passphrases.

Importing external HSM keys using tmsh

You can use the Traffic Management Shell (tmsh) to import existing external HSM keys into the system.
  1. Log on to the command line of the system using the root account.
  2. Open the Traffic Management Shell (tmsh):

    tmsh

  3. Import a key, using these parameters:

    install sys crypto key <key_object_name> from-local-file <keyname>

    This example imports an external HSM key named www.siterequest.com.key from a local key file stored in the /config/ssl/ssl.key/ directory:

    install sys crypto key www.siterequest.com.key from-local-file /config/ssl/ssl.key/www.siterequest.com.key

Importing existing SSL keys into Thales nShield device for use by the BIG-IP system

You import existing SSL keys when you have pre-existing keys you want the BIG-IP system to use. You need to perform these steps for each key you want to import into the Thales system.
  1. Log in to the command-line interface of the system using an account with administrator privileges.
  2. Copy the certificate(s) and key(s) you want to import onto the BIG-IP system and place them in the /var/tmp directory, for example:

    /var/tmp/user.key
    /var/tmp/user.crt

  3. Ensure adequate permissions are set so that other users on the system cannot view the copied .key files:

    chmod 600 /var/tmp/user.key

  4. Import the key into the Thales nShield Connect external HSM using the generatekey utility:

    /opt/nfast/bin/generatekey --import pkcs11 certreq=yes

    The system interactively prompts you for information.
  5. When prompted to enter the name of the PEM file that contains the RSA key, enter the full path to the key copied to the BIG-IP system (pemreadfile). For example, /var/tmp/user.key.
  6. When prompted to enter the file name where the key will be written, enter the full path to the pseudo key (embedsavefile). This is the pseudo key required by the BIG-IP system. For example, /var/tmp/imported_user.key.
  7. When prompted to enter the key name, type a name for the key (plainname). This is the name with which the key is associated in the nShield RFS. No path is required, because plainname is not written to a file on disk. For example, userkey. When the key import is complete, the generatekey utility generates two files:
    • imported_user.key
    • imported_user_req
  8. Modify the ownership and permissions of the key you created. After a successful import, take note of the path to the key in order to modify its ownership:

    chown nfast:nfast /opt/nfast/kmdata/local/key_pkcs11_uced028e5251b7b6891e7e59dec5428d871f92241b-c70e6451e8d793ca80a497267ccb9bc73bd55edb
    chmod 755 /opt/nfast/kmdata/local/key_pkcs11_uced028e5251b7b6891e7e59dec5428d871f92241b-c70e6451e8d793ca80a497267ccb9bc73bd55edb

    Important: If this step is omitted, you might see permission errors when running rfs-sync.
  9. Sync the nShield generated pseudo-key (embedsavefile) to the RFS:

    [root@LBHAS64:Active:Standalone] tmp # rfs-sync --update
    [root@LBHAS64:Active:Standalone] tmp # rfs-sync --commit

    If the BIG-IP system on which this procedure is performed is also the RFS, the rfs-sync commands above report 0 committed. This is expected behavior, because the imported keys are automatically stored in the RFS directory.
  10. Import the pseudo key and SSL certificate using tmsh, for use by a BIG-IP client SSL profile, using this syntax:

    tmsh install sys crypto key [name] from-local-file [/path/to/pseudo_key.key]
    tmsh install sys crypto cert [name] from-local-file [/path/to/real_certificate.crt]

    For example:

    tmsh install sys crypto key import.key from-local-file /var/tmp/imported_user.key
    tmsh install sys crypto cert import.crt from-local-file /var/tmp/user.crt

  11. Save the configuration:

    tmsh save sys config

    If you need to import more SSL certificates and keys, repeat all preceding steps for each certificate and key pair.
  12. Create an SSL profile that references the above key and certificate.
  13. Create a virtual server that uses the above SSL profile (or assign the profile to an existing virtual server).
  14. Verify that the virtual server passes traffic correctly.
  15. You can safely remove the certificates and keys from the /var/tmp directory used in this procedure, because they are no longer required by the BIG-IP system.
    Note: Once the pseudo key has been installed with tmsh, the copy in /var/tmp is no longer used.
    Note: Unless the SSL key file is deleted in a secure manner, it might be possible for someone to recover the file from the disk. Consider using the shred utility (type man shred at the command line for details) to delete any key files copied to the BIG-IP system once they have been successfully imported into the Thales nShield device.
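As an added example (not F5 or Thales tooling), the following script collects steps 3, 8, 9, 10, 11 and 15 of this procedure into reusable shell functions. The wrapper import_key_pair is hypothetical and assumes that generatekey accepts pemreadfile, embedsavefile and plainname as name=value arguments in the same way certreq=yes is passed above; the KMDATA override exists only so the helpers can be exercised on a scratch directory.

```shell
#!/bin/sh
# Added example, not F5 or Thales tooling. Wraps the manual import steps for one
# SSL key pair. KMDATA defaults to the nShield key store named in the procedure;
# the override exists only so the helpers can be exercised on a scratch tree.
set -eu

KMDATA="${KMDATA:-/opt/nfast/kmdata/local}"

# Step 3: stage the PEM key so that other local users cannot read it.
stage_key() {
    src="$1"; dst="$2"
    install -m 600 "$src" "$dst"   # copy and set mode 600 in one operation
    stat -c '%a' "$dst"            # prints the resulting mode, i.e. 600
}

# Step 8: generatekey names the new key file after a hash, so pick the most
# recently modified key_pkcs11_* entry instead of hard-coding the path.
newest_pkcs11_key() {
    ls -1t "$KMDATA"/key_pkcs11_* 2>/dev/null | head -n 1 || true
}

fix_key_perms() {
    keyfile="${1:-}"
    [ -n "$keyfile" ] && [ -f "$keyfile" ] || { echo "no key_pkcs11_* file found" >&2; return 1; }
    chown nfast:nfast "$keyfile" 2>/dev/null || true   # needs root; skipped on a scratch tree
    chmod 755 "$keyfile"
    stat -c '%a' "$keyfile"        # prints 755
}

# Step 15: remove the plaintext PEM copy, overwriting it first where shred exists.
secure_remove() {
    f="$1"
    if command -v shred >/dev/null 2>&1; then shred -u "$f"; else rm -f "$f"; fi
    [ ! -e "$f" ]
}

# Steps 2 to 11 for one key pair. Assumption: generatekey takes pemreadfile,
# embedsavefile and plainname as name=value arguments, like certreq=yes above.
# Usage (as root): import_key_pair userkey /path/to/user.key /path/to/user.crt
import_key_pair() {
    name="$1"; key="$2"; crt="$3"
    stage_key "$key" "/var/tmp/$name.key" >/dev/null
    cp "$crt" "/var/tmp/$name.crt"
    /opt/nfast/bin/generatekey --import pkcs11 certreq=yes \
        pemreadfile="/var/tmp/$name.key" \
        embedsavefile="/var/tmp/imported_$name.key" plainname="$name"
    fix_key_perms "$(newest_pkcs11_key)" >/dev/null
    rfs-sync --update && rfs-sync --commit     # reports 0 committed when the RFS is local
    tmsh install sys crypto key "$name.key" from-local-file "/var/tmp/imported_$name.key"
    tmsh install sys crypto cert "$name.crt" from-local-file "/var/tmp/$name.crt"
    tmsh save sys config
    secure_remove "/var/tmp/$name.key"         # only the pseudo key is needed from here on
}
```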

Importing certificates using tmsh

You can use the Traffic Management Shell (tmsh) to import existing certificates into the system.
  1. Log on to the command line of the system using the root account.
  2. Open the Traffic Management Shell (tmsh):

    tmsh

  3. Import a certificate:

    install sys crypto cert <cert_object_name> from-local-file <path_to_cert_file>

    For example:

    install sys crypto cert www.siterequest.com.crt from-local-file /config/ssl/ssl.crt/www.siterequest.com.cert

Creating a backup of the Thales RFS

Before you back up the RFS, ensure that the Thales nShield Connect Remote File System (RFS) server is installed on your network.
Back up the /shared/nfast/kmdata/local/ directory of the RFS to recover the RFS state, if needed. The RFS contains all of the Thales nShield Connect keys.
  1. If the RFS is not installed on the BIG-IP system, rename the /shared/nfast directory to /shared/nfast.org. This directory can be used to recover old data, if necessary.
  2. Follow the Thales best practices for backing up the RFS server.

Creating a client SSL profile to use an external HSM key and certificate

After you have installed the external HSM key and certificate to the BIG-IP system, you can use the key and certificate as part of a client SSL profile.
  1. On the Main tab, click Local Traffic > Profiles > SSL > Client. The Client screen opens.
  2. Click Create. The New Client SSL Profile screen opens.
  3. In the Name field, type a name for the profile.
  4. Select clientssl in the Parent Profile list.
  5. From the Configuration list, select Advanced. This selection makes it possible for you to modify additional default settings.
  6. Select the Custom check box for Configuration. The settings in the Configuration area become available for configuring.
  7. From the Certificate list, select the certificate that you imported.
  8. From the Key list, select the key that you imported.
  9. Click Finished.

About using external HSMs with VIPRION systems

There are some important considerations when configuring the Thales nShield Connect client software on a VIPRION system:

  • The Thales software and configuration files do not sync between blades. You will need to install and configure the client software on each blade installed in the chassis.
  • You will need to add the cluster management IP address and the cluster member IP address for each blade installed in the chassis to the Thales nShield Connect device for remote connectivity between the VIPRION system and the Thales device.