Manual Chapter: Recovery Options

Applies To:


BIG-IP AAM

  • 13.0.1, 13.0.0

BIG-IP APM

  • 13.0.1, 13.0.0

BIG-IP LTM

  • 13.0.1, 13.0.0

BIG-IP AFM

  • 13.0.1, 13.0.0

BIG-IP DNS

  • 13.0.1, 13.0.0

BIG-IP ASM

  • 13.0.1, 13.0.0

FIPS system recovery options

This table describes configuration options for FIPS system recovery.

Option: Configure a device group
Description: Configure the F5® devices in a device group with the FIPS HSMs synchronized. In the event of a system failure, the standby unit becomes active and handles incoming traffic. Contact F5 to arrange a Return Material Authorization (RMA) for the failed F5 device, and then follow the steps for implementing a replacement unit to recover the failed device.

Option: Configure an additional unit for recovery
Description: Fully configure a third unit, add it to the security domain, and synchronize the configurations. Remove the unit from the network and store it in a secure location. If the F5 system in production is damaged or destroyed, you can use the backup unit to reconstitute the security domain.

Option: Save the keys on a disk
Description: Generate the private keys outside of the FIPS HSM. Copy the non-FIPS protected keys to a secure external location as a backup. Then convert the non-FIPS keys into FIPS keys on the F5 system. The keys on the F5 system are now protected by the FIPS HSM. If there is a catastrophic system failure, use the non-FIPS protected backup keys to repopulate the FIPS HSM.
CAUTION:
This method for backup is not FIPS-compliant.

Implementing a replacement unit in a device group after a system failure

Before you recover hardware security module (HSM) information, ensure that the F5® software is configured and then install your saved UCS file on the new replacement system. For information about backup and recovery of a BIG-IP® system UCS file, see BIG-IP® System: Essentials.
If one unit of a device group fails, the failover unit becomes active and maintains the HSM information. After you replace the failed unit in a device group, you need to restore the HSM information on the replacement unit.
  1. Connect the currently active unit to the replacement unit.
  2. On the replacement unit, initialize the FIPS card. For information about performing this initialization, see the appropriate HSM initialization procedure for your platform.
    CAUTION:
    Be sure to run this FIPS card initialization command sequence on the replacement unit. If you run it on the currently active unit, you will lose all of your existing keys.
    Note: Be sure to use the same security domain that you specified when you initially set up the currently active unit.
  3. On the currently active unit, copy information from the currently active unit to the replacement unit.
    fipscardsync peer
    CAUTION:
    Be sure to run this fipscardsync command from the currently active unit. If you run this command from the replacement unit, you will lose your original FIPS information.
  4. On the currently active unit, synchronize the full software configuration to the replacement unit using tmsh.
    tmsh run cm config-sync to-group /Common/<devicegroupname>
    Important: Synchronizing the software configuration using this command sequence also synchronizes the keys stored in the HSM.
The replacement unit is now ready to function as the failover unit in a device group.

Implementing a replacement standalone device after a system failure

You must have a backup of your non-FIPS protected keys before you can restore the hardware security module (HSM) information on a standalone replacement device.
After you replace a failed standalone unit, you need to restore the HSM information on the replacement unit.
  1. Copy the full software configuration to the replacement unit using tmsh.
    tmsh load sys ucs <ucsfilename>
    Important: Synchronizing the configuration does not synchronize the keys stored in the HSM.
  2. On the replacement unit, initialize the FIPS card. For information about performing this initialization, see the appropriate HSM initialization procedure for your platform.
  3. Log in to the command line of the system using an account with root access.
  4. Open the Traffic Management Shell (tmsh).
    tmsh
  5. Convert an existing key to FIPS.
    install sys crypto key <key_object_name> from-local-file <key_file_path> security-type fips
    This example converts an SSL private key named mykey from a local key file stored in the /shared/tmp directory:
    install sys crypto key mykey from-local-file /shared/tmp/mykey.key security-type fips
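A batch form of step 5 for a replacement standalone unit, written as an added example for this page and not as a script from the manual: it walks a directory of backed-up non-FIPS keys and issues the install sys crypto key ... security-type fips command once per key, refusing any key name tmsh would not accept as written. It assumes the backups are named <name>.key in a single directory and that TMSH can be overridden (for example TMSH=echo) to preview the commands; both are assumptions of this example.

```shell
#!/bin/sh
# Restores backed-up non-FIPS private keys into the FIPS HSM of a replacement
# standalone BIG-IP by issuing, once per key, the tmsh command from step 5.
# Assumptions (not from the manual): backups are stored as <name>.key in one
# directory, and TMSH may be overridden (TMSH=echo) to preview the commands.

# Derive the key object name from a backup path: /shared/tmp/mykey.key -> mykey
key_name_from_file() {
    base=$(basename "$1")
    echo "${base%.key}"
}

# Accept only names that need no quoting in tmsh: letters, digits, '.', '_', '-'.
valid_key_name() {
    case "$1" in
        '' | *[!A-Za-z0-9._-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Convert every <name>.key in a directory. Stops at the first bad file so a
# malformed backup cannot leave the HSM silently half-populated; prints the
# number of keys converted on success.
restore_keys() {
    dir=$1
    tmsh_cmd=${TMSH:-tmsh}
    count=0
    for f in "$dir"/*.key; do
        [ -e "$f" ] || { echo "no .key files found in $dir" >&2; return 1; }
        name=$(key_name_from_file "$f")
        valid_key_name "$name" || { echo "invalid key name: $name" >&2; return 1; }
        "$tmsh_cmd" install sys crypto key "$name" \
            from-local-file "$f" security-type fips || return 1
        count=$((count + 1))
    done
    echo "$count"
}

# Usage on the replacement unit, after the UCS load and FIPS card initialization:
#   restore_keys /shared/tmp/keybackup
```

Run it with TMSH=echo first to confirm the generated commands match the key names you expect before touching the HSM.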