Applies To:

Show Versions Show Versions

Supplemental Document: Configuring and Maintaining a FIPS Security Domain

Original Publication Date: 12/06/2007
Updated Date: 02/26/2014

- Understanding the BIG-IP FIPS implementation
- Installing the BIG-IP systems and connecting a serial console
- Creating the FIPS security domain
     - Initializing the first unit in a redundant system
     - Initializing the peer system
- Running the Configuration utility
- Run the fipscardsync utility to synchronize the FIPS HSMs
- Generating and managing FIPS keys
- Planning for system recovery
- Recovering FIPS information after a system failure

- Understanding the BIG-IP FIPS implementation
- Installing the BIG-IP systems and connecting a serial console
- Creating the FIPS security domain
    - Initializing the first unit in a redundant system
    - Initializing the peer system
- Running the Configuration utility
- Running the fipscardsync utility
- Generating and managing FIPS keys
- Planning for system recovery
- Contacting F5 Networks

Understanding the BIG-IP FIPS implementation

The BIG-IP includes the option to install a FIPS hardware security module (HSM). With this release, the HSM and the BIG-IP key management software provide FIPS-140 level 2 support. This level of support provides the following security benefits.

  • Keys are stored in the HSM where they are protected from physical and software attacks.
  • Keys can never be extracted in plain text format.

This document describes how to configure a redundant system from the factory with one FIPS HSM installed in each unit. To implement a FIPS solution in a BIG-IP redundant system, you must perform the following tasks. Some of these tasks are described in other documents. The sections in this document with tasks described in other documents contain links or pointers to the related documentation.

  • Install the BIG-IP systems and connect a serial console.
  • Create the FIPS security domain from the console.
  • Run the Configuration utility.
  • Run the fipscardsync utility to synchronize the FIPS HSMs from the console.
  • Create a traffic management configuration and synchronize the configurations (configsync).
[ Top ]

Installing the BIG-IP systems and connecting a serial console

The tasks required to install the systems and connect a serial console are described in detail in two guides.

  • For details about installing the hardware, see the Platform Guide: 1500, 3400, and 6400, Chapter 2, Installing the IP Application Switch Platform.
  • For information on connecting a serial console, see Installation, Licensing, and Upgrades for BIG-IP Systems, Chapter 2, Installing a Management Workstation.

After the systems are set up, and you have configured a console, you can create the FIPS security domain.

[ Top ]

Creating the FIPS security domain

The first step to creating a FIPS security domain is to initialize the FIPS HSM and create a security officer (SO) password. The SO password is required to re-initialize the HSM. If you are configuring a redundant system, you need to initialize the security domain on one unit, and then initialize the card on the peer unit using the same security domain name you used on the first unit.

To create a FIPS security domain, you must perform the following tasks

  • Initialize the first unit in the redundant system.
  • Initialize the peer system.

NOTE:  You can initialize the FIPS HSM and create the security domain before you license the system and create a traffic management configuration.

Initializing the first unit in a redundant system

To initialize the first unit in a redundant system and create a security domain you must use the fipsutil utility. To initialize the HSM and create an SO password, type the following command:

fipsutil -f init

After the utility starts, you are prompted to create a security officer password, and then confirm the password. After you create a password and confirm it, you are prompted for the security domain name. Remember the security domain name you use. You need the domain name when you initialize the HSM on the peer unit. The domain name cannot be returned by the software or hardware once you use it.

After you complete the initialization process on the first unit, you can initialize the peer system.

Initializing the peer system

To initialize the peer unit in the redundant system and add it to the security domain of the first unit, you must use the fipsutil utility. Type the following command:

fipsutil -f init

After the utility starts, you are prompted to create a security officer (SO) password. You can use the SO password you created on the first unit; however, you are not required to use it.

When you are prompted for the security domain name, you must type the security domain name you created on the first unit.

After you initialize the HSMs in both units, you can log into each unit and run the Configuration utility.

[ Top ]

Running the Configuration utility

After you complete the initialization of the HSMs and create a security domain on the redundant system, you can run the Configuration utility.

The Configuration utility provides the ability to license the system, configure the management interface, configure failover, and create a base network configuration. After you configure failover properly, and after you have run the fipscardsync utility, every time you synchronize the configuration of the redundant system, you are synchronizing card and key information for the security domain.

For details about running the Configuration utility and creating a base network configuration, see the BIG-IP Quick Start Instructions. These instructions are included in the BIG-IP Resource Kit shipped with each unit. You can also access these instructions at http://tech.f5.com.

[ Top ]

Run the fipscardsync utility to synchronize the FIPS HSMs

After you set up the system with the Configuration utility, you can synchronize the FIPS HSMs with the fipscardsync utility. Synchronizing the HSMs provides the ability to exchange keys. To run the fipscardsync utility, type the following command at the console.

fipscardsync peer

After you synchronize the HSMs, you can create a traffic management configuration.

[ Top ]

Generating and managing FIPS keys

The web-based Configuration utility provides a key management interface. You can use the Configuration utility to create FIPS keys, convert existing keys to FIPS keys, and import existing keys into the system.

NOTE:  Once a key is converted to FIPS, the process cannot be reversed.

To create FIPS keys using the Configuration utility

  1. On the Main tab, expand Local Traffic.
  2. Click SSL Certificates.
    This opens the SSL Certificates screen and lists all certificates installed on the LTM system.
  3. On the upper-right portion of the screen, click Create.
  4. In the Name box, type a unique name for the certificate.
  5. For the Issuer setting, select Self for a self-signed certificate. Select Certificate Authority to request a certificate from a CA.
  6. Configure the Common Name setting, and any other settings you want.
  7. In the Key Properties section, select the security type FIPS, and a key size.
  8. Click Finished.

To convert existing keys using the Configuration utility

  1. On the Main tab, expand Local Traffic.
  2. Click SSL Certificates.
    This opens the SSL Certificates screen and lists all certificates installed on the LTM system.
  3. Click a certificate name.
    This displays the properties of that certificate.
  4. If you want to see information about the key that is associated with that certificate, click Key on the menu bar.
    This displays the type and size of the key.
  5. To convert the key to a FIPS key, click the Convert to FIPS button.
    The key is converted. Once the key is converted, this process cannot be reversed.

To import existing keys using the Configuration utility

  1. On the Main tab, expand Local Traffic.
  2. Click SSL Certificates.
    This displays the list of existing certificates.
  3. In the upper right corner of the screen, click Import.
  4. Select the type of import Key.
  5. Select the import method (File or Text).
  6. In the Certificate box, type the name of the key.
    You can click the Browse button and browse for the key and select it.
  7. Click Import.
    After you import the key, you can convert it to FIPS using the procedure To convert existing keys using the Configuration utility.
[ Top ]

Planning for system recovery

There are several steps you can take to plan for a system recovery. You can maintain a redundant system. In the event of a failure, the standby unit becomes active and handles incoming traffic. Another option is to configure a third unit with the same configuration and storing it in a safe place. A last option, that is not FIPS approved, is to copy the keys to a disk and put the disk in a safe place. Each of these options is described in this section.

Configuring a redundant system
The first step is to maintain a redundant system. In the event of a failure, the standby unit becomes active and handles the incoming traffic. Creating a redundant system configuration is one of the steps described in this document as part of the initial configuration. After you configure failover properly, every time you synchronize the configuration of the redundant system you are synchronizing card and key information for the security domain.

Configuring an additional unit for recovery
For additional system backup, you can take a third unit, fully configure it, add it to the security domain, and synchronize the configurations. Remove the unit from the network and store it in a safe location. If the BIG-IP system in production is damaged or destroyed, you can take the backup unit from storage and reconstitute the security domain.

Saving keys on a disk
Another possible method for preserving the keys is not FIPS-approved. With this option, you generate your keys in software. Copy the keys to a disk and put the disk in a secure place. Then you can import the keys into the FIPS HSM. If there is a catastrophic system failure, you can use these backup keys to create the security domain. This is not a FIPS compliant method for backup.

[ Top ]

Recovering FIPS information after a system failure

If one unit of a redundant system fails, the failover unit becomes active and maintains FIPS information. However, after you replace the failed unit in a redundant system, you need to restore FIPS information on the replacement unit.

To copy FIPS information from the currently active original system to a new replacement system

  1. Ensure that current BIG-IP software is configured and install your saved UCS on the new replacement system.
    See tech.f5.com for information on backup and recovery of a BIG-IP UCS file.
  2. Connect the currently active unit to new replacement unit.
  3. On the new replacement unit, run the command fipsutil -f init. Ensure that you use the exact same security domain that you specified when you initially set up the currently active unit.
  4. On the currently active unit, run the fipscardsync peer command.
    This copies the information in the FIPS module from the currently active unit to the new replacement unit.

    Important: Ensure that you run the fipscardsync peer command from the currently active unit. If you run the fipscardsync peer command from the new replacement unit, you will lose the original FIPS information.

  5. On the currently active unit, run configsync to copy the full configuration to the replacement system.
    The new replacement system is now ready to function as the failover device in a redundant pair configuration.
[ Top ]

Was this resource helpful in solving your issue?




NOTE: Please do not provide personal information.



Incorrect answer. Please try again: Please enter the words to the right: Please enter the numbers you hear:

Additional Comments (optional)