The BIG-IP 6900, 8900, 10000, 11000, and 11050 platforms are available with a FIPS-certified hardware security module (HSM) as a factory-installed option.
The internal HSM and the BIG-IP key management software provide FIPS 140 level 2 support. This level of support provides security benefits, such as:
You can configure a device group using two platforms with a FIPS card installed in each unit. When setting up a FIPS solution on a device group, you install the two systems and connect to a serial console.
After you have set up the systems, you can create the FIPS security domain by initializing the HSM and creating a security officer (SO) password.
Before you can synchronize the FIPS hardware security modules (HSMs), you must ensure that the target HSM:
The target device must also be reachable using SSH from the source device.
You can use the Configuration utility to create FIPS (internal HSM) keys, import existing keys into the system, and convert existing keys to FIPS keys.
You can use the Traffic Management Shell (tmsh) to create FIPS (internal HSM) keys, import existing keys into the BIG-IP system, and convert existing keys to FIPS keys.
| Backup method | Description |
|---|---|
| Configure a device group | Maintain a device group so that in the event of a failure, the standby unit becomes active and handles the incoming traffic. After you configure failover properly, you need to synchronize FIPS HSM and key information for the security domain every time you synchronize the configuration of the device group. |
| Configure an additional unit for recovery | Fully configure a third unit, add it to the security domain, and synchronize the configurations. Remove the unit from the network and store it in a secure location. If the BIG-IP system in production is damaged or destroyed, you can use the backup unit to reconstitute the security domain. |
| Save the keys on a disk | Copy and save the keys to a disk. Generate the keys in software, copy the keys to a disk, and then store the disk in a secure location. If there is a catastrophic system failure, import the keys into the internal HSM and use these backup keys to create the security domain. Note: This method for backup is not FIPS-compliant. |
This table lists other tmsh commands that you can use to manage your FIPS platform.
| Command | Description |
|---|---|
| show sys crypto fips | Lists keys in the FIPS card. |
| list sys crypto key | Lists keys in the BIG-IP configuration. |
| delete sys crypto key <key_object_name> | Deletes a key from the BIG-IP configuration and the FIPS card. |
| delete sys crypto fips by-handle <key_handle> | Deletes a key from the FIPS card only. Key handles are obtained using the show sys crypto fips command sequence. Use this command sequence only in the rare circumstance when you need to delete keys that no longer have configuration objects from the card (for example, keys that do not show up when you run the list sys crypto key command sequence). |
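Before deleting anything by handle, it helps to list exactly which card keys have no matching configuration object. The script below is an added example, not F5 code: it compares saved output of the two listing commands, and the column layout of that output (a handle/label table for the card, "sys crypto key <name>" stanzas for the configuration) is an assumption illustrated with constructed sample data.

```shell
#!/bin/sh
# Added example: report FIPS card key handles that have no BIG-IP
# configuration object, the case in which the page says
# "delete sys crypto fips by-handle" is appropriate.
# Both listings below are CONSTRUCTED stand-ins; the real layout printed
# by tmsh may differ, so adjust the awk field positions to match it.

# Stand-in for saved "tmsh show sys crypto fips" output (handle, label).
FIPS_LISTING='Handle  Label
------  -------------------
1       default.key
2       www.example.com.key
3       old-app.key'

# Stand-in for saved "tmsh list sys crypto key" output (only names matter).
CONFIG_LISTING='sys crypto key default.key {
    key-size 2048
}
sys crypto key www.example.com.key {
    key-size 2048
}'

# Print "<handle> <label>" for each card key whose label is absent from
# the configuration listing. Arguments: card listing, config listing.
orphaned_fips_handles() {
    fips="$1"; config="$2"
    # Key object names from the configuration, one per line.
    names=$(printf '%s\n' "$config" \
        | awk '$1=="sys" && $2=="crypto" && $3=="key" {print $4}')
    # Skip the two header lines of the card listing, then keep rows whose
    # numeric handle carries a label that is not a known config key.
    printf '%s\n' "$fips" | awk -v names="$names" '
        BEGIN { n = split(names, arr, "\n"); for (i = 1; i <= n; i++) known[arr[i]] = 1 }
        NR > 2 && $1 ~ /^[0-9]+$/ && !($2 in known) { print $1, $2 }'
}

orphaned_fips_handles "$FIPS_LISTING" "$CONFIG_LISTING"
```

On a real system, save the two listings with `tmsh show sys crypto fips` and `tmsh list sys crypto key` and pass their contents to the function; review the reported handles by hand before issuing any delete.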