Manual Chapter: About external HSMs and DNSSEC

Thales nShield Connect is an external HSM that is available for use with BIG-IP systems. Because it is a network-attached device rather than a card installed inside the BIG-IP hardware, you can use the Thales nShield Connect solution with all BIG-IP platforms, including VIPRION Series chassis, and with BIG-IP Virtual Edition (VE).

The Thales nShield Connect architecture includes a component called the Remote File System (RFS) that stores and manages the encrypted key files. The RFS can be installed on the BIG-IP system or on another server on your network.

The BIG-IP system is a client of the RFS, and all BIG-IP systems that are enrolled with the RFS can access the encrypted keys from this central location. The RFS helps automate the key distribution process, but using the RFS is not required for this solution.

When the BIG-IP system is a BIG-IP Global Traffic Manager (GTM), you can also use the Thales nShield Connect to store and manage DNSSEC keys.

For additional information about using Thales nShield Connect, see the Thales Customer Support Portal (https://support.thales-esecurity.com/).

Important: If you are installing Thales nShield Connect on a BIG-IP system that will be licensed for Appliance mode, you must install the Thales nShield Connect software prior to licensing the BIG-IP system for Appliance mode.

Prerequisites for implementing BIG-IP and Thales nShield Connect

Before you can use Thales nShield Connect with the BIG-IP system, you must ensure that:

  • The Thales nShield Connect device is installed on your network.
  • The RFS is installed on your network, or you plan to install and set up the RFS on the BIG-IP system.
  • The Thales nShield Connect device, the RFS, and the BIG-IP system can initiate connections with each other through port 9004.
  • You have created the Thales Security World (security architecture).
  • The BIG-IP system is licensed for external interface and network HSM.
  • The BIG-IP system has FIPS 140-2 or FIPS 140-3 compliant ciphers, depending upon your security needs. For information about FIPS compliant ciphers, see Annex A: Approved Security Functions for FIPS PUB 140-2 (http://csrc.nist.gov/publications/fips/fips140-2/fips1402annexa.pdf) and SOL8802 for a complete list of supported ciphers on http://support.f5.com.
  • The BIG-IP system does not contain a FIPS Cavium card.
    Important: You cannot run the BIG-IP system with both internal and external HSMs at the same time.

Additionally, before you begin the installation process, ensure that you have access to:

  • The Thales Security World Software for Linux 64bit (Release 11.40 or higher)
  • The nShield_Connect_User_Guide.pdf

Installing Thales nShield Connect components on the BIG-IP system

Before you can set up the Thales nShield Connect components on a BIG-IP system, you must obtain the Thales 64 bit Linux ISO CD and copy files from the CD to specific locations on the BIG-IP system using secure copy (SCP).

You need to install files from the Thales 64 bit Linux ISO CD to the BIG-IP system.
  1. Log on to the command line of the system using the root account.
  2. Create a directory under /shared named thales_install/amd64/nfast (the -p option also creates the intermediate directories):
       mkdir -p /shared/thales_install/amd64/nfast
  3. Copy files from the CD and place them in the specified directories (create the ctls, hwcrhk, hwsp, and pkcs11 subdirectories under /shared/thales_install/amd64/nfast first):
       File to copy from the CD                        Location to place file on BIG-IP
       /linux/libc6_3/amd64/nfast/ctls/agg.tar         /shared/thales_install/amd64/nfast/ctls/agg.tar
       /linux/libc6_3/amd64/nfast/hwcrhk/user.tar      /shared/thales_install/amd64/nfast/hwcrhk/user.tar
       /linux/libc6_3/amd64/nfast/hwsp/agg.tar         /shared/thales_install/amd64/nfast/hwsp/agg.tar
       /linux/libc6_3/amd64/nfast/pkcs11/user.tar      /shared/thales_install/amd64/nfast/pkcs11/user.tar
If you are not using an RFS installed on another server in your network, you must set up the RFS on the BIG-IP system. Additionally, you must set up the Thales client on the BIG-IP system.
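The copy step above is easy to get half right (a missing subdirectory, one archive forgotten). The following script is an added example, not F5's or Thales's own tooling: it maps each CD path to its BIG-IP destination, refuses to copy anything unless all four archives are present on the mounted ISO, stages them into the exact /shared/thales_install tree, and then ships that tree with scp. The ISO mount point, staging directory and BIG-IP address in the usage comment are assumed values.

```shell
#!/bin/sh
# Added example (not F5's or Thales's script): stage the four Thales installer
# archives from the mounted 64-bit Linux ISO into the layout the BIG-IP expects
# under /shared/thales_install, then copy them with scp as root.

ISO_PREFIX="/linux/libc6_3/amd64/nfast"
BIGIP_PREFIX="/shared/thales_install/amd64/nfast"

# The four archives listed in the manual, relative to the nfast directory.
THALES_FILES="ctls/agg.tar hwcrhk/user.tar hwsp/agg.tar pkcs11/user.tar"

# Map a CD path to its BIG-IP destination path (pure string rewrite).
thales_dest_path() {
    case "$1" in
        "$ISO_PREFIX"/*) printf '%s\n' "$BIGIP_PREFIX${1#"$ISO_PREFIX"}" ;;
        *) printf 'unexpected path: %s\n' "$1" >&2; return 1 ;;
    esac
}

# Verify every archive exists on the mounted ISO before copying anything, so a
# partial copy never leaves the BIG-IP half-staged. Returns 1 on any miss.
thales_check_iso() {
    iso_mount="$1"; missing=0
    for f in $THALES_FILES; do
        [ -f "$iso_mount$ISO_PREFIX/$f" ] || { echo "missing: $ISO_PREFIX/$f" >&2; missing=1; }
    done
    return $missing
}

# Stage the archives into a local tree ($stage_root mirrors "/" on the BIG-IP).
# This is the dry-run half; thales_push_bigip ships the whole tree afterwards.
thales_stage_local() {
    iso_mount="$1"; stage_root="$2"
    thales_check_iso "$iso_mount" || return 1
    for f in $THALES_FILES; do
        src="$iso_mount$ISO_PREFIX/$f"
        dst="$stage_root$(thales_dest_path "$ISO_PREFIX/$f")"
        mkdir -p "$(dirname "$dst")"
        cp "$src" "$dst"
    done
}

# Copy the staged tree to the BIG-IP over SCP as root (step 3 of the manual).
thales_push_bigip() {
    stage_root="$1"; bigip_host="$2"
    scp -r "$stage_root/shared/thales_install" "root@$bigip_host:/shared/"
}

# Usage (assumed paths and address):
#   thales_stage_local /mnt/thales_iso /tmp/stage && thales_push_bigip /tmp/stage 10.0.0.5
```

Staging locally first means the scp runs once, recursively, and the resulting tree on the BIG-IP matches the table in step 3 exactly, including the subdirectories that the single mkdir in step 2 does not create.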

Setting up the RFS on the BIG-IP system

Before you set up the RFS on the BIG-IP system, ensure that the Thales nShield Connect device is installed on your network and the Thales Security World is set up. Ensure that the RFS is installed on the BIG-IP system as well.
Important: Setting up the RFS on the BIG-IP system is optional. If the RFS is running on another server on your network, do not perform this task.
You can run the Thales Remote File System (RFS) on the BIG-IP system. To set up the RFS, you must run a script on the BIG-IP system.
Note: You only need one RFS on your network to store all HSM keys. All Thales nShield Connect clients use the same RFS to access the HSM keys.
  1. Log on to the command line of the system using the root account.
  2. Set up the RFS:
       nethsm-thales-rfs-install.sh --hsm_ip_addr=<Thales_nShield_Connect_device_IP_address> --rfs_interface=<local_interface_name>
     This example sets up the RFS to run on the BIG-IP system when the Thales nShield Connect device has an IP address of 192.27.13.59:
       nethsm-thales-rfs-install.sh --hsm_ip_addr=192.27.13.59 --rfs_interface=eth0
     Additional Option     Description
     -h                    Displays help
     -v                    Prints verbose output about operations
     --verbose=<level>     Indicates message verbosity level (the default value is zero, and all levels greater than zero indicate verbose output)
After you set up the RFS on the BIG-IP system, you must set up the Thales nShield Connect client on each BIG-IP system that you want to use with the Thales nShield Connect device.

Setting up the Thales nShield Connect client on the BIG-IP system

Before you set up the Thales client, ensure that the Thales nShield Connect client is installed on the BIG-IP system and that the Security World has been set up. Additionally, ensure that the RFS is installed and set up on either a remote server or on the BIG-IP system on your network.
Note: If the Thales nShield Connect client was installed on a BIG-IP system before the RFS was installed on the network, then you must reinstall the client on the BIG-IP system.
Important: If there is a firewall between the BIG-IP system and the RFS, validate that both systems can initiate a connection through port 9004.
Before you can use the Thales nShield Connect device with the BIG-IP system, you must set up the Thales client on the BIG-IP system.
  1. Log on to the command line of the system using the root account.
  2. Set up the Thales nShield Connect client, using one of these options:
     • Set up the client when the RFS is remote:
         nethsm-thales-install.sh --hsm_ip_addr=<nShield_Connect_device_IP_address> --rfs_ip_addr=<remote_RFS_IP_address> --rfs_username=<remote_RFS_server_username_for_SSH_login> --interface=<Interface_name_of_Thales_client_on_BIG-IP>
       This example sets up the client where the Thales nShield Connect device has an IP address of 192.27.13.59, the remote RFS has an IP address of 192.27.13.58, the user name for an SSH login to the RFS is root, and the Thales client interface is the default of eth0:
         nethsm-thales-install.sh --hsm_ip_addr=192.27.13.59 --rfs_ip_addr=192.27.12.58 --rfs_username=root --interface=eth0
     • Set up the client when the RFS is set up on the BIG-IP system:
         nethsm-thales-install.sh --hsm_ip_addr=<nShield_Connect_device_IP_address> --rfs_interface=<local_RFS_server_interface>
       This example sets up the client where the Thales nShield Connect device has an IP address of 172.27.13.59 and the RFS is installed on the BIG-IP system using the eth0 interface:
         nethsm-thales-install.sh --hsm_ip_addr=172.27.13.59 --rfs_interface=eth0

Generating a key using Thales nShield Connect for use in creating manually-managed DNSSEC keys

Before you generate the key, ensure that the Thales nShield Connect client is running on all BIG-IP GTM devices in the configuration synchronization group.
Use the fipskey.nethsm utility to generate keys to be used to create manually-managed DNSSEC private keys.
Tip: For instructions about creating automatically-managed DNSSEC private keys, see Configuring DNSSEC with an external HSM in BIG-IP DNS Services: Implementations at http://support.f5.com.
  1. Set the external HSM to Thales nShield Connect:
       fipskey.nethsm --hsm=Thales
  2. Generate a key:
       fipskey.nethsm --genkey -o <output_file>
     This example generates three files: /config/ssl/ssl.key/www.siterequest.com.key, /config/ssl/ssl.csr/www.siterequest.com.csr, and /config/ssl/ssl.crt/www.siterequest.com.crt:
       fipskey.nethsm --genkey -o www.siterequest.com
     Additional Option              Description
     -o                             Name applied to .key, .csr, and .crt output files
                                    Important: This parameter is required.
     -c <token/module/softcard>     Type of protection
     -e <hex>                       Public exponent to use when generating RSA keys only
                                    Tip: Do not provide a value for this option unless advised to do so by F5 Technical Support.
     -g sha1                        Digest used to sign key and certificate
     -k <name>                      Key name
     -m <yes/no>                    Store key in non-volatile RAM
     -n <integer>                   Slot to read cards from
     -r <yes/no>                    Key recovery available
     -s <integer>                   Size of key/certificate pair in bits
     -t RSA                         Key type
     -v <yes/no>                    Verification available
     -C                             Country identifier
     -D                             Domain name
     -E                             Email address to contact about key
     -L                             Locality identifier
     -O                             Organization identifier
     -P                             Province identifier
     -U                             Organization unit identifier
     The key is saved in /config/ssl/ssl.key/<output_file>.key. The certificate request is saved in /config/ssl/ssl.csr/<output_file>.csr. The self-signed certificate is saved in /config/ssl/ssl.crt/<output_file>.crt.
After you generate a key and certificates, you need to import them into the BIG-IP configuration using tmsh.

About key protection

There are three types of key protection available for use with the BIG-IP system and Thales nShield Connect:

  • Module-protected keys are directly protected by the external HSM through the security world and can be used at any time without further authorization.
  • Softcard-protected keys are protected by a softcard and can be used by only an operator who possesses the assigned passphrases.
  • Token-protected keys are protected by a cardset and can be used by only an operator who possesses the Operator Card Set (OCS) token and any assigned passphrases.

Importing external HSM keys using tmsh

You can use the Traffic Management Shell (tmsh) to import existing external HSM keys into the system.
  1. Log on to the command line of the system using the root account.
  2. Open the Traffic Management Shell (tmsh):
       tmsh
  3. Import a key, using these parameters:
       install sys crypto key <key_object_name> from-local-file <keyname>
     This example imports an external HSM key named www.siterequest.com.key from a local key file stored in the /config/ssl/ssl.key/ directory:
       install sys crypto key www.siterequest.com.key from-local-file /config/ssl/ssl.key/www.siterequest.com.key

Importing certificates using tmsh

You can use the Traffic Management Shell (tmsh) to import existing certificates into the system.
  1. Log on to the command line of the system using the root account.
  2. Open the Traffic Management Shell (tmsh):
       tmsh
  3. Import a certificate, using these parameters:
       install sys crypto cert <cert_object_name> from-local-file <path_to_cert_file>
     This example imports the self-signed certificate that fipskey.nethsm wrote to the /config/ssl/ssl.crt/ directory:
       install sys crypto cert www.siterequest.com.crt from-local-file /config/ssl/ssl.crt/www.siterequest.com.crt
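The key generation and the two tmsh imports above are one workflow, and the failure mode worth guarding against is importing a key or certificate object when fipskey.nethsm did not actually produce all three files. The script below is an added example, not F5's own tooling: it runs the steps in order, checks that the .key, .csr and .crt files exist and are non-empty before any import, and names the tmsh objects as the manual does. It invokes tmsh with the command as arguments instead of entering the shell interactively, which is equivalent on a BIG-IP. SSL_ROOT and DRY_RUN are assumed knobs so the checks can be exercised outside a BIG-IP.

```shell
#!/bin/sh
# Added example, not F5's own script: generate a Thales-backed key with
# fipskey.nethsm, verify its three output files, then import key and
# certificate with tmsh. SSL_ROOT and DRY_RUN are assumed overrides.

SSL_ROOT="${SSL_ROOT:-/config/ssl}"
DRY_RUN="${DRY_RUN:-0}"

# Run a command, or only print it when DRY_RUN=1.
run() {
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Paths fipskey.nethsm produces for output name $1 (layout from the manual).
key_path()  { printf '%s/ssl.key/%s.key\n' "$SSL_ROOT" "$1"; }
csr_path()  { printf '%s/ssl.csr/%s.csr\n' "$SSL_ROOT" "$1"; }
cert_path() { printf '%s/ssl.crt/%s.crt\n' "$SSL_ROOT" "$1"; }

# Return 0 only when all three generated files are present and non-empty.
check_outputs() {
    for p in "$(key_path "$1")" "$(csr_path "$1")" "$(cert_path "$1")"; do
        [ -s "$p" ] || { echo "missing or empty: $p" >&2; return 1; }
    done
}

# Step sequence: select the HSM, generate, verify, then import key and cert.
# Object names mirror the manual (www.siterequest.com.key / .crt).
generate_and_import() {
    name="$1"
    run fipskey.nethsm --hsm=Thales
    run fipskey.nethsm --genkey -o "$name"
    [ "$DRY_RUN" = 1 ] || check_outputs "$name" || return 1
    run tmsh install sys crypto key "$name.key" from-local-file "$(key_path "$name")"
    run tmsh install sys crypto cert "$name.crt" from-local-file "$(cert_path "$name")"
}

# Usage on a BIG-IP GTM (as root):  generate_and_import www.siterequest.com
# Preview the exact commands first:  DRY_RUN=1 generate_and_import www.siterequest.com
```

Because the private key never leaves the HSM, the .key file that check_outputs looks for is a reference to the HSM-held key rather than raw key material; the check is there so that a failed or interrupted generation does not produce a dangling sys crypto key object in the BIG-IP configuration.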

Creating a backup of the Thales RFS

Before you back up the RFS, ensure that the Thales nShield Connect Remote File System (RFS) server is installed on your network.
Back up the /shared/nfast/kmdata/local/ directory of the RFS to recover the RFS state, if needed. The RFS contains all of the Thales nShield Connect keys.
  1. If the RFS is not installed on the BIG-IP system, rename the /shared/nfast directory to /shared/nfast.org. This directory can be used to recover old data, if necessary.
  2. Follow the Thales best practices for backing up the RFS server.
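A backup of the RFS key store is only useful if it can be verified before it is needed. The script below is an added example, not a Thales or F5 procedure: it snapshots /shared/nfast/kmdata/local into a timestamped tar archive, records a SHA-256 digest beside it, and refuses to restore from an archive whose digest or contents no longer check out. The archive contains the Security World key blobs, which are encrypted under the Security World, but it still belongs on access-controlled storage. The RFS_KMDATA default and the sha256sum/shasum fallback are assumptions about the host.

```shell
#!/bin/sh
# Added example, not Thales's or F5's own procedure: snapshot the RFS key store
# into a tar archive with a SHA-256 sidecar, and verify it before any restore.

RFS_KMDATA="${RFS_KMDATA:-/shared/nfast/kmdata/local}"   # assumed default

# Hex SHA-256 of a file; sha256sum on Linux, shasum as a fallback.
sha256_file() {
    if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1" | cut -d' ' -f1
    else shasum -a 256 "$1" | cut -d' ' -f1; fi
}

# rfs_backup <dest_dir> [src_dir]: writes <dest_dir>/rfs-kmdata-<UTC stamp>.tar.gz
# plus a .sha256 sidecar, and prints the archive path on stdout.
rfs_backup() {
    dest="$1"; src="${2:-$RFS_KMDATA}"
    [ -d "$src" ] || { echo "no key store at $src" >&2; return 1; }
    mkdir -p "$dest"
    archive="$dest/rfs-kmdata-$(date -u +%Y%m%dT%H%M%SZ).tar.gz"
    # -C so the archive holds relative paths and can be unpacked anywhere.
    tar -czf "$archive" -C "$src" . || return 1
    sha256_file "$archive" > "$archive.sha256"
    printf '%s\n' "$archive"
}

# rfs_verify <archive>: recompute the digest against the sidecar and confirm
# the archive lists cleanly; returns 1 on any mismatch or read error.
rfs_verify() {
    archive="$1"
    [ -f "$archive" ] && [ -f "$archive.sha256" ] || { echo "archive or digest missing" >&2; return 1; }
    [ "$(sha256_file "$archive")" = "$(cat "$archive.sha256")" ] || { echo "digest mismatch for $archive" >&2; return 1; }
    tar -tzf "$archive" >/dev/null 2>&1 || { echo "archive unreadable" >&2; return 1; }
}

# rfs_restore_to <archive> <dir>: unpack a verified archive into a scratch
# directory for inspection (the manual keeps the old tree as /shared/nfast.org
# before anything is replaced), never straight over the live key store.
rfs_restore_to() {
    rfs_verify "$1" || return 1
    mkdir -p "$2" && tar -xzf "$1" -C "$2"
}

# Usage (as root on the RFS host):  rfs_backup /var/backups/rfs
#                                   rfs_verify /var/backups/rfs/rfs-kmdata-<stamp>.tar.gz
```

The digest sidecar is an integrity check, not authentication: it detects a truncated or corrupted copy, but someone who can alter the archive can regenerate the sidecar. Keep the sidecar, or a signed copy of it, somewhere the backup medium itself cannot reach if that distinction matters in your environment.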

Creating a DNSSEC key using an imported external HSM key and certificate

Before you create a DNSSEC key using an imported key and certificate, ensure that you have generated a key and certificate using Thales nShield Connect, and that you have imported the key and certificate.
You can create manually-managed DNSSEC zone-signing and key-signing keys for use with an external HSM. For more information, see Configuring DNSSEC with an external HSM in BIG-IP DNS Services: Implementations at http://support.f5.com.

About using external HSMs with VIPRION systems

There are some important considerations when configuring the Thales nShield Connect client software on a VIPRION system:

  • The Thales software and configuration files do not sync between blades. You need to install and configure the client software on each blade installed in the chassis.
  • You need to add the cluster management IP address and the cluster member IP address of each blade installed in the chassis to the Thales nShield Connect device, so that the VIPRION system and the Thales device can connect to each other remotely.