Original Publication Date: 12/06/2007
Updated Date: 02/26/2014
- Understanding the BIG-IP FIPS implementation
- Installing the BIG-IP systems and connecting a serial console
- Creating the FIPS security domain
- Initializing the first unit in a redundant system
- Initializing the peer system
- Running the Configuration utility
- Running the fipscardsync utility
- Generating and managing FIPS keys
- Planning for system recovery
- Contacting F5 Networks
The BIG-IP includes the option to install a FIPS hardware security module (HSM). With this release, the HSM and the BIG-IP key management software provide FIPS 140 Level 2 support. This level of support provides the following security benefits.
This document describes how to configure a redundant system from the factory with one FIPS HSM installed in each unit. To implement a FIPS solution in a BIG-IP redundant system, you must perform the following tasks. Some of these tasks are described in other documents. The sections in this document with tasks described in other documents contain links or pointers to the related documentation.
The tasks required to install the systems and connect a serial console are described in detail in two guides.
After the systems are set up, and you have configured a console, you can create the FIPS security domain.
The first step to creating a FIPS security domain is to initialize the FIPS HSM and create a security officer (SO) password. The SO password is required to re-initialize the HSM. If you are configuring a redundant system, you need to initialize the security domain on one unit, and then initialize the card on the peer unit using the same security domain name you used on the first unit.
To create a FIPS security domain, you must perform the following tasks.
NOTE: You can initialize the FIPS HSM and create the security domain before you license the system and create a traffic management configuration.
To initialize the first unit in a redundant system and create a security domain you must use the fipsutil utility. To initialize the HSM and create an SO password, type the following command:
fipsutil -f init
After the utility starts, you are prompted to create a security officer password, and then to confirm it. After you confirm the password, you are prompted for the security domain name. Record the security domain name you use. You need the domain name when you initialize the HSM on the peer unit, and neither the software nor the HSM can display it again after you set it.
After you complete the initialization process on the first unit, you can initialize the peer system.
To initialize the peer unit in the redundant system and add it to the security domain of the first unit, you must use the fipsutil utility. Type the following command:
fipsutil -f init
After the utility starts, you are prompted to create a security officer (SO) password. You can use the SO password you created on the first unit, but you are not required to; the SO password is local to each HSM.
When you are prompted for the security domain name, you must type the security domain name you created on the first unit. The domain name, not the SO password, is what joins the peer HSM to the existing security domain.
After you initialize the HSMs in both units, you can log into each unit and run the Configuration utility.
After you complete the initialization of the HSMs and create a security domain on the redundant system, you can run the Configuration utility.
The Configuration utility provides the ability to license the system, configure the management interface, configure failover, and create a base network configuration. After you configure failover properly, and after you have run the fipscardsync utility, every time you synchronize the configuration of the redundant system, you are synchronizing card and key information for the security domain.
For details about running the Configuration utility and creating a base network configuration, see the BIG-IP Quick Start Instructions. These instructions are included in the BIG-IP Resource Kit shipped with each unit. You can also access these instructions at http://tech.f5.com.
After you set up the system with the Configuration utility, you can synchronize the FIPS HSMs with the fipscardsync utility. Synchronizing the HSMs allows the two units to exchange keys within the security domain. To run the fipscardsync utility, type the following command at the console.
After you synchronize the HSMs, you can create a traffic management configuration.
The web-based Configuration utility provides a key management interface. You can use the Configuration utility to create FIPS keys, convert existing keys to FIPS keys, and import existing keys into the system.
NOTE: Once a key is converted to FIPS, the process cannot be reversed.
There are several steps you can take to plan for a system recovery. You can maintain a redundant system; in the event of a failure, the standby unit becomes active and handles incoming traffic. Another option is to configure a third unit with the same configuration and store it in a safe place. A last option, which is not FIPS-approved, is to copy the keys to a disk and put the disk in a safe place. Each of these options is described in this section.
Configuring a redundant system
The first step is to maintain a redundant system. In the event of a failure, the standby unit becomes active and handles the incoming traffic. Creating a redundant system configuration is one of the steps described in this document as part of the initial configuration. After you configure failover properly, every time you synchronize the configuration of the redundant system you are synchronizing card and key information for the security domain.
Configuring an additional unit for recovery
For additional system backup, you can take a third unit, fully configure it, add it to the security domain, and synchronize the configurations. Remove the unit from the network and store it in a safe location. If the BIG-IP system in production is damaged or destroyed, you can take the backup unit from storage and reconstitute the security domain.
Saving keys on a disk
Another possible method for preserving the keys is not FIPS-approved. With this option, you generate your keys in software, copy them to a disk, and store the disk in a secure place, then import the keys into the FIPS HSM. If there is a catastrophic system failure, you re-create the security domain on the replacement hardware and import the backup keys again. Because the private keys exist outside the HSM, this is not a FIPS-compliant method for backup.
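If you do choose the software-key backup described above, the keys should never sit on the disk in plaintext. The following shell script is an added example, not F5 code and not part of this document's procedure: it uses openssl(1) to generate the key in software, writes an AES-256 encrypted PKCS#8 copy for the removable disk together with a SHA-256 digest, and on restore checks the digest, decrypts the copy and confirms that the recovered key matches the original. It also shows the failure mode the digest exists for: a backup file that was altered but still decrypts. openssl(1) is assumed to be on the path; the file names and the passphrase are placeholders for this example. Importing the restored key into the HSM is still done through the Configuration utility and is not shown.

```shell
#!/bin/sh
# Added example (not F5 code): software key generation plus an encrypted,
# integrity-checked offline backup for the non-FIPS-approved "keys on a disk"
# recovery option. Assumes openssl(1); paths and passphrase are placeholders.

# Generate the server key in software (2048-bit RSA). The key is created
# outside the HSM, which is exactly why this path is not FIPS-approved.
generate_key() {
    openssl genrsa -out "$1" 2048 2>/dev/null && chmod 600 "$1"
}

# Write an encrypted PKCS#8 copy for the removable disk, plus a SHA-256
# digest so that tampering or bit rot is noticed before the key is used.
backup_key() {
    key="$1"; backup="$2"; pass="$3"
    openssl pkcs8 -topk8 -in "$key" -out "$backup" -v2 aes-256-cbc \
        -passout "pass:$pass" || return 1
    chmod 600 "$backup"
    openssl dgst -sha256 "$backup" | awk '{print $NF}' > "$backup.sha256"
}

# Restore: refuse the file if the digest differs, otherwise decrypt it.
restore_key() {
    backup="$1"; pass="$2"; out="$3"
    recorded=$(cat "$backup.sha256")
    actual=$(openssl dgst -sha256 "$backup" | awk '{print $NF}')
    [ "$recorded" = "$actual" ] || return 1
    openssl pkcs8 -in "$backup" -out "$out" -passin "pass:$pass" && chmod 600 "$out"
}

# Fingerprint of the public half; equal fingerprints mean the same key pair.
key_fingerprint() {
    openssl rsa -in "$1" -pubout 2>/dev/null | openssl dgst -sha256 | awk '{print $NF}'
}

# Round trip: generate, back up, restore, compare. Prints "match" on success.
demo() {
    dir=$(mktemp -d)
    pass='correct horse battery staple'   # constructed passphrase for this example
    if ! generate_key "$dir/server.key" ||
       ! backup_key "$dir/server.key" "$dir/server.key.p8" "$pass" ||
       ! restore_key "$dir/server.key.p8" "$pass" "$dir/restored.key"; then
        rm -rf "$dir"; echo error; return 1
    fi
    if [ "$(key_fingerprint "$dir/server.key")" = "$(key_fingerprint "$dir/restored.key")" ]; then
        result=match
    else
        result=mismatch
    fi
    rm -rf "$dir"
    echo "$result"
}

# Failure mode: data appended after the PEM footer is ignored by openssl, so
# the file would still decrypt; only the recorded digest reveals the change.
detect_tamper() {
    dir=$(mktemp -d)
    pass='correct horse battery staple'
    if ! generate_key "$dir/server.key" ||
       ! backup_key "$dir/server.key" "$dir/server.key.p8" "$pass"; then
        rm -rf "$dir"; echo error; return 1
    fi
    printf 'tampered\n' >> "$dir/server.key.p8"
    if restore_key "$dir/server.key.p8" "$pass" "$dir/restored.key"; then
        result=missed
    else
        result=detected
    fi
    rm -rf "$dir"
    echo "$result"
}
```

Keep the passphrase and the disk in separate locations; a disk that carries both is equivalent to a plaintext key. The digest file can travel with the disk, but a copy kept with the configuration records lets you detect a substituted disk as well as a corrupted one.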
If one unit of a redundant system fails, the failover unit becomes active and maintains FIPS information. However, after you replace the failed unit in a redundant system, you need to restore FIPS information on the replacement unit.
Important: Ensure that you run the fipscardsync peer command from the currently active unit. If you run the fipscardsync peer command from the new replacement unit, you will lose the original FIPS information.