Thales nShield Connect is an external HSM that is available for use with BIG-IP systems. Because it is network-attached rather than an internal hardware card, you can use the Thales nShield Connect solution with all BIG-IP platforms, including VIPRION Series chassis. You can also use the Thales nShield Connect solution with BIG-IP Virtual Edition (VE).
The Thales nShield Connect architecture includes a component called the Remote File System (RFS) that stores and manages the encrypted key files. The RFS can be installed on the BIG-IP system or on another server on your network.
The BIG-IP system is a client of the RFS, and all BIG-IP systems that are enrolled with the RFS can access the encrypted keys from this central location. The RFS helps automate the key distribution process, but using the RFS is not required for this solution.
When the BIG-IP system is a BIG-IP Global Traffic Manager (GTM), you can also use the Thales nShield Connect to store and manage DNSSEC keys.
For additional information about using Thales nShield Connect, see the Thales Customer Support Portal (https://support.thales-esecurity.com/).
Before you can use Thales nShield Connect with the BIG-IP system, you must ensure that:
Additionally, before you begin the installation process, ensure that you have access to:
Before you can set up the Thales nShield Connect components on a BIG-IP system, you must obtain the Thales 64-bit Linux ISO CD and copy files from the CD to specific locations on the BIG-IP system using secure copy (SCP).
| File to copy from the CD | Location to place file on BIG-IP |
|---|---|

| Option | Description |
|---|---|
| `-v` | Prints verbose output about operations |
| `--verbose=<level>` | Sets the message verbosity level. The default value is zero; all levels greater than zero produce verbose output. |
This example sets up the client where the Thales nShield Connect device has an IP address of 184.108.40.206, the remote RFS has an IP address of 220.127.116.11, the user name for an SSH login to the RFS is root, and the Thales client interface is the default of eth0:
nethsm-thales-install.sh --hsm_ip_addr=18.104.22.168 --rfs_ip_addr=22.214.171.124 --rfs_username=root --interface=eth0
This example sets up the client where the Thales nShield Connect device has an IP address of 172.27.13.59 and the RFS is installed on the BIG-IP system using the eth0 interface:
nethsm-thales-install.sh --hsm_ip_addr=172.27.13.59 --rfs_interface=eth0
fipskey.nethsm --genkey -o www.siterequest.com
| Option | Description |
|---|---|
| `-o` | Name applied to the .key, .csr, and .crt output files. Important: This parameter is required. |
| `-c <token/module/softcard>` | Type of protection |
| `-e <hex>` | Public exponent to use when generating RSA keys only. Tip: Do not provide a value for this option unless advised to do so by F5 Technical Support. |
| `-g sha1` | Digest used to sign the key and certificate |
| `-k <name>` | Key name |
| `-m <yes/no>` | Store the key in non-volatile RAM |
| `-n <integer>` | Slot to read cards from |
| `-r <yes/no>` | Key recovery available |
| `-s <integer>` | Size of the key/certificate pair in bits |
| `-t RSA` | Key type |
| `-v <yes/no>` | Verification available |
| `-E` | Email address to contact about the key |
| `-U` | Organization unit identifier |
There are three types of key protection available for use with the BIG-IP system and Thales nShield Connect:
There are some important considerations when configuring the Thales nShield Connect client software on a VIPRION system: