BIG-IP Platform: FIPS Administration

solidsenior (Servers)

9 Dec 2013 (3 years and 10 months ago)

859 views

BIG-IP® Platform: FIPS Administration
Version 11.3
Table of Contents
Legal Notices
Chapter 1: BIG-IP Platform FIPS 140 Options
Chapter 2: About Internal HSMs
    About setting up the BIG-IP systems
    Initializing the internal HSM on the 6900/8900 platforms
    Initializing the internal HSM on the 10000/11000/11050 platforms
    Synchronizing internal HSMs
    About managing internal HSM (FIPS) keys using the Configuration utility
        Creating internal HSM (FIPS) keys using the Configuration utility
        Importing keys using the Configuration utility
        Converting a key to FIPS using the Configuration utility
    About managing internal HSM (FIPS) keys using tmsh
        Creating internal HSM (FIPS) keys using tmsh
        Importing internal HSM (FIPS) keys using tmsh
        Converting a key to internal HSM (FIPS) using tmsh
    FIPS system recovery options
        Recovering internal HSM information after a system failure
    Other FIPS platform management tmsh commands
Chapter 3: About external HSMs and LTM
    Prerequisites for implementing BIG-IP and Thales nShield Connect
    Installing Thales nShield Connect components on the BIG-IP system
    Configuring the BIG-IP connection to Thales nShield Connect
    Generating a key and certificates using Thales generatekey utility
    Importing external HSM keys using tmsh
    Importing certificates using tmsh
    Creating a backup of the Thales RFS
    Troubleshooting Thales nShield Connect with the BIG-IP system
    About using external HSMs with VIPRION systems
Legal Notices
Publication Date
This document was published on July 2, 2013.
Publication Number
MAN-0401-01
Copyright
Copyright © 2013, F5 Networks, Inc. All rights reserved.
F5 Networks, Inc. (F5) believes the information it furnishes to be accurate and reliable. However, F5 assumes no responsibility for the use of this information, nor any infringement of patents or other rights of third parties which may result from its use. No license is granted by implication or otherwise under any patent, copyright, or other intellectual property right of F5 except as specifically described by applicable user licenses. F5 reserves the right to change specifications at any time without notice.
Trademarks
AAM, Access Policy Manager, Advanced Client Authentication, Advanced Firewall Manager, Advanced Routing, AFM, Alive With F5, APM, Application Acceleration Manager, Application Security Manager, ARX, AskF5, ASM, BIG-IP, BIG-IQ, Cloud Extender, CloudFucious, Cloud Manager, Clustered Multiprocessing, CMP, COHESION, Data Manager, DevCentral, DevCentral [DESIGN], DNS Express, DSC, DSI, Edge Client, Edge Gateway, Edge Portal, ELEVATE, EM, Enterprise Manager, ENGAGE, F5, F5 [DESIGN], F5 Certified [DESIGN], F5 Networks, Fast Application Proxy, Fast Cache, FirePass, Global Traffic Manager, GTM, GUARDIAN, iApps, IBR, Intelligent Browser Referencing, Intelligent Compression, IPv6 Gateway, iControl, iHealth, iQuery, iRules, iRules OnDemand, iSession, L7 Rate Shaping, LC, Link Controller, Local Traffic Manager, LTM, LineRate, LineRate Systems [DESIGN], LROS, Message Security Manager, MSM, OneConnect, Packet Velocity, PEM, Policy Enforcement Manager, Protocol Security Manager, PSM, Real Traffic Policy Builder, ScaleN, Signalling Delivery Controller, SDC, SSL Acceleration, StrongBox, SuperVIP, SYN Check, TCP Express, TDR, TMOS, Traffic Management Operating System, Traffix Systems, Traffix Systems (DESIGN), Transparent Data Reduction, UNITY, VAULT, VIPRION, vCMP, VE F5 [DESIGN], Virtual Clustered Multiprocessing, WA, WAN Optimization Manager, WebAccelerator, WOM, and ZoneRunner, are trademarks or service marks of F5 Networks, Inc., in the U.S. and other countries, and may not be used without F5's express written consent.
All other product and company names herein may be trademarks of their respective owners.
Export Regulation Notice
This product may include cryptographic software. Under the Export Administration Act, the United States government may consider it a criminal offense to export this product from the United States.
RF Interference Warning
This is a Class A product. In a domestic environment this product may cause radio interference, in which case the user may be required to take adequate measures.
FCC Compliance
This equipment has been tested and found to comply with the limits for a Class A digital device pursuant to Part 15 of FCC rules. These limits are designed to provide reasonable protection against harmful interference when the equipment is operated in a commercial environment. This unit generates, uses, and can radiate radio frequency energy and, if not installed and used in accordance with the instruction manual, may cause harmful interference to radio communications. Operation of this equipment in a residential area is likely to cause harmful interference, in which case the user, at his own expense, will be required to take whatever measures may be required to correct the interference.
Any modifications to this device, unless expressly approved by the manufacturer, can void the user's authority to operate this equipment under part 15 of the FCC rules.
Canadian Regulatory Compliance
This Class A digital apparatus complies with Canadian ICES-003.
Standards Compliance
This product conforms to the IEC, European Union, ANSI/UL and Canadian CSA standards applicable to Information Technology products at the time of manufacture.
VCCI Class A Compliance
This is a Class A product. In a domestic environment, this product may cause radio interference, in which case the user may be required to take corrective actions. VCCI-A
Chapter 1
BIG-IP Platform FIPS 140 Options
You can implement a BIG-IP® FIPS-compliant key storage solution using either:
• A BIG-IP platform containing a factory-installed, FIPS-certified hardware security module (HSM), also referred to as an internal HSM
• An external HSM
Chapter 2
About Internal HSMs
The BIG-IP® 6900, 8900, 10000, 11000, and 11050 platforms are available with a FIPS-certified hardware security module (HSM) as a factory-installed option.
The internal HSM and the BIG-IP key management software provide FIPS 140 level 2 support. This level of support provides security benefits, such as:
• Private keys are stored in the internal HSM where they are protected from physical and software attacks.
• Private keys can never be extracted in plain text format.
Important: Because of hardware differences, it is not possible to synchronize security domains between the newer platforms (10000/11000/11050 platforms) and older platforms (6900/8900 platforms).
In this chapter:
• About setting up the BIG-IP systems
• Initializing the internal HSM on the 6900/8900 platforms
• Initializing the internal HSM on the 10000/11000/11050 platforms
• Synchronizing internal HSMs
• About managing internal HSM (FIPS) keys using the Configuration utility
• About managing internal HSM (FIPS) keys using tmsh
• FIPS system recovery options
• Other FIPS platform management tmsh commands
About setting up the BIG-IP systems
You can configure a device group using two platforms with a FIPS card installed in each unit. When setting up a FIPS solution on a device group, you install the two systems and connect to a serial console.
After you have set up the systems, you can create the FIPS security domain by initializing the internal HSM and creating a security officer (SO) password.
Initializing the internal HSM on the 6900/8900 platforms
You must initialize the FIPS hardware security module (HSM) installed in each unit (internal HSM) before you can use it. When you are creating a device group using more than one FIPS platform, you initialize the FIPS card on one unit, and then initialize the HSM on a peer unit using the same security domain name that you used on the first unit.
Note: You can initialize the HSM and create the security domain before you license the system and create a traffic management configuration.
1. Log on to the command line of the BIG-IP® system using the root account.
2. Open the Traffic Management Shell (tmsh).
tmsh
3. View information about the FIPS card.
run util fips-util info
A summary similar to this example displays:
Label: F5FIPS
HSM Serial Number: 8100298
Hardware ID: 0x0
Firmware Version: 4.7.1
Total FLASH: 14286412
Free FLASH: 14286412
Total SRAM: 16984956
Free SRAM: 16981884
4. Initialize the HSM and set a security officer (SO) password.
run util fips-util -f init
Important: Running the fipsutil init command deletes all keys in the FIPS HSM and makes any previously exported keys unusable.
Note: F5® recommends that you choose a strong value for the SO password.
The initialization process begins. When prompted, type an SO password.
NFB Initialization Process
WARNING - all private keys in NFB will be erased after SO password is entered!
Any configuration objects dependent on FIPS keys will cause the configuration
fail to load.
Passwords must be at least 7 characters in length.
Enter no password if you instead wish to cancel.
New SO Password:
Re-enter new SO Password:
5. When this message displays, type a security domain name.
Initializing NFB...
The security domain name must be the same on all FIPS machines.
Please enter your security domain name:
Keep the security domain name and password in a secure location. You need the domain name and password when you initialize the HSM on the peer unit. This information is also required when replacing a unit (for RMA or other reasons).
Important: The domain name cannot be extracted or displayed by the software or hardware after you set it.
When the initialization process completes successfully, this message displays: The FIPS device has been initialized.
6. Enable the HSM device by either rebooting the unit or restarting all services.
restart sys service all
Note: Restarting services disrupts load-balanced traffic and might terminate remote login sessions to the system.
After you complete the initialization process on the first unit, you can initialize the peer system and add it to the security domain of the first unit.
Initializing the internal HSM on the 10000/11000/11050 platforms
You must initialize the FIPS hardware security module (HSM) installed in each unit (internal HSM) before you can use it. When you are creating a device group using more than one FIPS platform, you initialize the FIPS card on one unit, and then initialize the HSM on a peer unit using the same security domain name that you used on the first unit.
Note: You can initialize the HSM and create the security domain before you license the system and create a traffic management configuration.
1. Log on to the command line of the BIG-IP® system using the root account.
2. Open the Traffic Management Shell (tmsh).
tmsh
3. View information about the FIPS card.
run util fips-util info
A summary similar to the following displays:
Label: f5site09
Model: NITROX XL CN16XX-NFBE
Serial Number: k8vjumsaportsaks
FIPS state: 2
MaxSessionCount: 10240
SessionCount: 1
MaxPinLen: 14
MinPinLen: 7
TotalPublicMemory: 467348
FreePublicMemory: 62876
TotalUserKeys: 3996
AvailableUserKeys: 3996
Loging failures:
  user: 0
  officer: 0
HW version: 2.0
Firmware version: CN16XX-NFBE-FW-1.2-101022
4. Initialize the HSM and set a security officer (SO) password.
run util fips-util -f init
Note: The initialization process takes a few minutes to complete.
The initialization process begins. When prompted, type an SO password.
WARNING: This erases all keys from the FIPS 140 device.
Any configuration objects dependent on FIPS keys will cause
the configuration fail to load.
==================== WARNING ================================
The FIPS device will be reset to factory default state.
All keys and user identities currently stored in the device
will be erased.
Any configuration objects dependent on FIPS keys will cause
the configuration fail to load.
Press <ENTER> to continue or Ctrl-C to cancel
Resetting the device...
The FIPS device is now in factory default state.
Enter new Security Officer password (min. 7, max. 14 characters):
Re-enter Security Officer password:
5. When the following message displays, type a security domain name.
NOTE: security domain label must be identical on peer
FIPS devices in order to be able to synchronize with them.
Enter security domain label (max. 50 chars, default: F5FIPS):
Keep the security domain name and password in a secure location. You need the domain name and password when you initialize the internal HSM on the peer unit. This information is also required when replacing a unit (for RMA or other reasons).
Important: The domain name cannot be extracted or displayed by the software or hardware after you set it.
Initializing new security domain (f5site09)...
Creating crypto user and crypto officer identities
Waiting for the device to re-initialize...
Creating key encryption key (KEK)
The FIPS device has been initialized.
6. Enable the HSM device using one of the following options:
• Reboot the unit.
• Restart all services: restart sys service all.
Note: Restarting services disrupts load-balanced traffic and might terminate remote login sessions to the system.
After you complete the initialization process on the first unit, you can initialize the peer system and add it to the security domain of the first unit. Optionally, you can use the same SO password that you used on the first unit.
Synchronizing internal HSMs
Before you can synchronize internal HSMs, you must ensure that the target HSM:
• Is already initialized.
• Has an identical security domain label.
• Does not contain existing keys.
The target device must also be reachable using SSH from the source device.
Synchronizing the internal HSM (FIPS) cards enables you to copy keys from one card to another. This is also required to synchronize BIG-IP® configuration in a device group.
Note: You only need to perform the synchronization process during the initial configuration of a pair of devices. After the two devices are in sync, they remain in sync.
1. Log on to the command line of the BIG-IP® system using the root account.
2. Open the Traffic Management Shell (tmsh).
tmsh
3. Synchronize the Master Symmetric key used to encrypt/decrypt keys when they are imported/exported into the HSM, where <hostname> is the address or hostname of the synchronization target.
run util fips-card-sync <hostname>
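The prerequisites listed above (same security domain label, no keys on the target) can be checked before fips-card-sync copies anything. The following script is an added example and is not part of the F5 manual. It assumes that the output of run util fips-util info has been captured from each unit into a text file (the capture step is not shown), and it assumes that a card whose AvailableUserKeys equals its TotalUserKeys holds no keys. The sample dumps are constructed after the manual's example output; SSH reachability is not checked.

```shell
#!/bin/sh
# Added example; not part of the F5 manual. Pre-flight check for
# "run util fips-card-sync": compares "fips-util info" dumps captured from the
# source and target units and reports whether the target looks like a valid
# sync target. Capturing the dumps (for example with
# "tmsh run util fips-util info > /shared/tmp/target.info") is assumed.

# Print the value of a "Field:value" line from a fips-util info dump, with
# leading blanks trimmed. Usage: info_field <dump file> <field name>
info_field() {
    awk -v key="$2" -F: '$1 == key { sub(/^[ \t]+/, "", $2); print $2; exit }' "$1"
}

# Return 0 when the target may be synchronized from the source, 1 otherwise
# (reasons are printed). Assumption: AvailableUserKeys == TotalUserKeys means
# the card holds no keys.
check_sync_prereqs() {
    src=$1; tgt=$2; ok=0
    src_label=$(info_field "$src" Label)
    tgt_label=$(info_field "$tgt" Label)
    if [ -z "$tgt_label" ]; then
        echo "target: no Label found; the HSM does not look initialized"; ok=1
    elif [ "$src_label" != "$tgt_label" ]; then
        echo "target: security domain label '$tgt_label' differs from source '$src_label'"; ok=1
    fi
    total=$(info_field "$tgt" TotalUserKeys)
    avail=$(info_field "$tgt" AvailableUserKeys)
    if [ -n "$total" ] && [ "$total" != "$avail" ]; then
        echo "target: card already holds $((total - avail)) key(s); it must be empty before sync"; ok=1
    fi
    [ "$ok" -eq 0 ] && echo "ok: target may be synchronized from source"
    return "$ok"
}

# Write a constructed fips-util info dump modelled on the manual's sample.
# Usage: make_sample_info <file> <label> <TotalUserKeys> <AvailableUserKeys>
make_sample_info() {
    cat > "$1" <<EOF
Label: $2
Model: NITROX XL CN16XX-NFBE
FIPS state: 2
TotalUserKeys: $3
AvailableUserKeys: $4
EOF
}

# Stand-alone run on constructed data: source has six keys, target is empty.
tmpdir=$(mktemp -d)
make_sample_info "$tmpdir/source.info" f5site09 3996 3990
make_sample_info "$tmpdir/target.info" f5site09 3996 3996
check_sync_prereqs "$tmpdir/source.info" "$tmpdir/target.info"
rm -rf "$tmpdir"
```

Run the check from the source unit before step 3; a non-zero exit means one of the listed prerequisites is not met and fips-card-sync should not be run yet.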
About managing internal HSM (FIPS) keys using the Configuration utility
You can use the Configuration utility to create internal HSM (FIPS) keys, import existing keys into the system, and convert existing keys to internal HSM (FIPS) keys.
Creating internal HSM (FIPS) keys using the Configuration utility
You can use the Configuration utility to create internal HSM (FIPS) keys.
1. On the Main tab, click System > File Management > SSL Certificate List.
This displays the list of certificates installed on the system.
2. Click Create.
The New SSL Certificate screen opens.
3. In the Name field, type a unique name for the certificate.
4. From the Issuer list, specify the type of certificate that you want to use.
• To request a certificate from a CA, select Certificate Authority.
• For a self-signed certificate, select Self.
5. Configure the Common Name setting and any other settings as needed.
6. In the Key Properties area, select a key size from the Size list.
7. From the Security Type list, select FIPS.
8. Click Finished.
Importing keys using the Configuration utility
You can use the Configuration utility to import existing keys into the system.
1. On the Main tab, click System > File Management > SSL Certificate List.
This displays the list of certificates installed on the system.
2. Click Import.
3. From the Import Type list, select Key.
4. For the Key Name setting, click Create New.
5. In the Key Name field, type a name for the key.
6. From the Key Source setting, click either Upload File or Paste Text.
• If you click Upload File, type a file name or click Browse and select a file.
• If you click Paste Text, copy the text from another source and paste the text into the Key Source screen.
7. Click Import.
After you import the key, you can convert it to a FIPS key.
Converting a key to FIPS using the Configuration utility
You can use the Configuration utility to convert an existing key to a FIPS key.
1. On the Main tab, click System > File Management > SSL Certificate List.
This displays the list of certificates installed on the system.
2. Click a certificate name.
This displays the properties of that certificate.
3. On the menu bar, click Key.
This displays the type and size of the key associated with the certificate.
4. Click Convert to FIPS to convert the key to a FIPS key.
The key is converted and appears in the list as a FIPS key. After the key is converted, this process cannot be reversed.
About managing internal HSM (FIPS) keys using tmsh
You can use the Traffic Management Shell (tmsh) to create internal HSM (FIPS) keys, import keys into the BIG-IP® system, and convert keys to internal HSM (FIPS) keys.
Creating internal HSM (FIPS) keys using tmsh
You can use the Traffic Management Shell (tmsh) to create FIPS keys.
1. Log on to the command line of the BIG-IP® system using the root account.
2. Open the Traffic Management Shell (tmsh).
tmsh
3. Create a basic key.
create sys crypto key <key_object_name> security-type fips
For information about additional options for this command, view the sys crypto key man page:
help sys crypto key
Note: The key creation process takes a few minutes to complete. If you are using a 4096 bit key, F5® recommends that you create the key externally and then import it.
Importing internal HSM (FIPS) keys using tmsh
You can use the Traffic Management Shell (tmsh) to import existing keys into the system.
1. Log on to the command line of the BIG-IP® system using the root account.
2. Open the Traffic Management Shell (tmsh).
tmsh
3. Import a key.
install sys crypto key <key_object_name> from-local-file <path_to_key_file> security-type fips
This example imports an internal HSM key named mykey from a local key file stored in the /shared/tmp directory:
install sys crypto key mykey from-local-file /shared/tmp/mykey.pem security-type fips
Converting a key to internal HSM (FIPS) using tmsh
You can use the Traffic Management Shell (tmsh) to convert a key to a FIPS key.
1. Log on to the command line of the BIG-IP® system using the root account.
2. Open the Traffic Management Shell (tmsh).
tmsh
3. Convert an existing key to FIPS.
install sys crypto key <key_object_name> security-type fips
FIPS system recovery options
Option: Configure a device group
Description: Maintain a device group so that in the event of a failure, the standby unit becomes active and handles the incoming traffic. After you configure failover properly, you need to synchronize FIPS card and key information for the security domain every time you synchronize the configuration of the device group.
Option: Configure an additional unit for recovery
Description: Fully configure a third unit, add it to the security domain, and synchronize the configurations. Remove the unit from the network and store it in a secure location. If the BIG-IP® system in production is damaged or destroyed, you can use the backup unit to reconstitute the security domain.
Option: Save the keys on a disk
Description: Copy and save the keys to a disk. Generate the keys in software, copy the keys to a disk, and then store the disk in a secure location. If there is a catastrophic system failure, import the keys into the internal HSM and use these backup keys to create the security domain.
Caution: This method for backup is not FIPS-compliant.
Recovering internal HSM information after a system failure
Before you recover internal HSM information, ensure that the BIG-IP® software is configured and then install your saved UCS file on the new replacement system. For information about backup and recovery of a BIG-IP system UCS file, see http://support.f5.com.
If one unit of a device group fails, the failover unit becomes active and maintains the internal HSM information. After you replace the failed unit in a device group, you need to restore the internal HSM information on the replacement unit.
1. Connect the currently active unit to the replacement unit.
2. On the replacement unit, initialize the FIPS card.
fipsutil -f init
Caution: Be sure to run this command sequence on the replacement unit. If you run it on the currently active unit, you will overwrite your existing FIPS unit and lose all of your keys.
Note: Be sure that you use the same security domain that you specified when you initially set up the currently active unit.
3. On the currently active unit, copy information from the currently active unit to the replacement unit.
fipscardsync peer
Caution: Be sure to run this command sequence from the currently active unit. If you run this command from the replacement unit, you will lose the original FIPS information.
4. On the currently active unit, copy the full configuration to the replacement system using either the Configuration utility or tmsh.
Important: Synchronizing the configuration does not synchronize the keys stored in the HSM.
The replacement system is now ready to function as the failover unit in a device group.
Other FIPS platform management tmsh commands
This table lists other tmsh commands that you can use to manage your FIPS platform.
Command: show sys crypto fips
Description: Lists keys in the FIPS card.
Command: list sys crypto key
Description: Lists keys in the BIG-IP® configuration.
Command: delete sys crypto key <key_object_name>
Description: Deletes a key from the BIG-IP configuration and the FIPS card.
Command: delete sys crypto fips by-handle <key_handle>
Description: Deletes a key from the FIPS card only. Key handles are obtained using the show sys crypto fips command sequence.
Caution: Use this command sequence only in the rare circumstance when you need to delete keys that no longer have configuration objects from the card (for example, keys that do not show up when you run the list sys crypto key command sequence).
Chapter 3
About external HSMs and LTM
Thales nShield Connect is an external HSM that is available for use with BIG-IP® systems. Because it is an external HSM (rather than an internal HSM), you can use the Thales nShield Connect solution with all BIG-IP platforms, including the VIPRION® Series chassis. You can also use the Thales nShield Connect solution with BIG-IP Virtual Edition (VE).
The Thales nShield Connect architecture includes a component called the Remote File System (RFS) that stores and manages the encrypted key files. The BIG-IP system is a client of the RFS, and all BIG-IP systems that are enrolled with the RFS can access the encrypted keys from this central location.
For additional information about using Thales nShield Connect, see the Thales Customer Support Portal (https://support.thales-esecurity.com/).
Important: If you are installing Thales nShield Connect on a BIG-IP system that will be licensed for Appliance mode, you must install the Thales nShield Connect software prior to licensing the BIG-IP system for Appliance mode.
In this chapter:
• Prerequisites for implementing BIG-IP and Thales nShield Connect
• Installing Thales nShield Connect components on the BIG-IP system
• Configuring the BIG-IP connection to Thales nShield Connect
• Generating a key and certificates using Thales generatekey utility
• Importing external HSM keys using tmsh
• Importing certificates using tmsh
• Creating a backup of the Thales RFS
• Troubleshooting Thales nShield Connect with the BIG-IP system
• About using external HSMs with VIPRION systems
Prerequisites for implementing BIG-IP and Thales nShield Connect
Before you can use Thales® nShield Connect with the BIG-IP® system, you must ensure that:
• The Thales nShield Connect device is installed in your network.
• The RFS is installed on a server in your network.
• The Thales nShield Connect device, the RFS, and the BIG-IP system can initiate connections with each other through port 9004.
• You have created the Thales Security World (security architecture).
• You have created an Operator Card Set (OCS) to protect the BIG-IP SSL certificate keys.
Important: The BIG-IP system requires that all keys are protected by an Operator Card Set (OCS). However, the BIG-IP system does not support a passphrase-protected OCS.
• The BIG-IP system has FIPS 140-2 or FIPS 140-3 compliant ciphers, depending upon your security needs. For information about FIPS compliant ciphers, see Annex A: Approved Security Functions for FIPS PUB 140-2 (http://csrc.nist.gov/publications/fips/fips140-2/fips1402annexa.pdf) and SOL8802 for a complete list of supported ciphers on http://support.f5.com.
• The BIG-IP system does not contain a FIPS Cavium card.
Important: You cannot run the BIG-IP system with both internal and external HSMs at the same time.
Additionally, before you begin the installation process, ensure that you have access to:
• The Thales Security World Software for Linux 64bit (Release 11.40 or higher)
• The nShield_Connect_User_Guide.pdf
Installing Thales nShield Connect components on the BIG-IP system
Before you can install the Thales® nShield Connect components on a BIG-IP® system, you must obtain these files from the Thales 64-bit Linux ISO CD and copy them using secure copy (SCP) to the BIG-IP system, as shown in the table:
Thales CD file: /linux/libc6_3/amd64/nfast/ctls/agg.tar
BIG-IP system destination: /shared/thales_install/amd64/nfast/ctls/agg.tar
Thales CD file: /linux/libc6_3/amd64/nfast/hwcrhk/user.tar
BIG-IP system destination: /shared/thales_install/amd64/nfast/hwcrhk/user.tar
Thales CD file: /linux/libc6_3/amd64/nfast/hwsp/agg.tar
BIG-IP system destination: /shared/thales_install/amd64/nfast/hwsp/agg.tar
Thales CD file: /linux/libc6_3/amd64/nfast/pkcs11/user.tar
BIG-IP system destination: /shared/thales_install/amd64/nfast/pkcs11/user.tar
You need to install the Thales nShield Connect components on each BIG-IP system that will be used with Thales nShield Connect.
1. Log on to the command line of the BIG-IP® system using the root account.
2. Create a directory named nfast under /shared.
mkdir /shared/nfast
3. Link the /opt/nfast directory to the /shared/nfast directory.
ln -s /shared/nfast /opt/nfast
4. Extract the hardware support agg.tar file.
tar -C / -xvf /shared/thales_install/amd64/nfast/hwsp/agg.tar
5. Extract the control tools agg.tar file.
tar -C / -xvf /shared/thales_install/amd64/nfast/ctls/agg.tar
6. Extract the hardware cryptography user.tar file.
tar -C / -xvf /shared/thales_install/amd64/nfast/hwcrhk/user.tar
7. Extract the PKCS11 user.tar file.
tar -C / -xvf /shared/thales_install/amd64/nfast/pkcs11/user.tar
8. Create a file in /opt/nfast/cknfastrc.
echo "CKNFAST_LOADSHARING=1" > /opt/nfast/cknfastrc
echo "CKNFAST_NO_ACCELERATOR_SLOTS=1" >> /opt/nfast/cknfastrc
echo "CKNFAST_ASSUME_SINGLE_PROCESS=0" >> /opt/nfast/cknfastrc
echo "CKNFAST_DEBUG=6" >> /opt/nfast/cknfastrc
echo "CKNFAST_DEBUGFILE=/var/log/pkcs11d.debug" >> /opt/nfast/cknfastrc
9. Run the installation.
echo 1 | /opt/nfast/sbin/install
When the installation completes successfully, this message displays: ---- Installation complete ---
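Steps 4 through 7 extract the four archives directly into the root filesystem, so it is worth confirming that all four were copied and are readable by tar before the first extraction. The following script is an added example and not part of the F5 manual or the Thales toolkit: it checks the staged archives from the table above and then writes the cknfastrc settings of step 8 in one idempotent step. The staging directory and the cknfastrc path are parameters; the stand-alone run at the bottom uses a scratch directory and constructed archives rather than /shared/thales_install.

```shell
#!/bin/sh
# Added example; not part of the F5 manual. Pre-install check for the Thales
# nShield Connect component installation: verifies the staged archives before
# "tar -C / -xvf" is run, and writes the cknfastrc settings from step 8.

# Archive paths relative to the staging directory, in the order the manual
# extracts them (steps 4 to 7).
THALES_ARCHIVES="amd64/nfast/hwsp/agg.tar amd64/nfast/ctls/agg.tar amd64/nfast/hwcrhk/user.tar amd64/nfast/pkcs11/user.tar"

# Return 0 if every archive exists under the staging directory and "tar -tf"
# can list it; otherwise print what is wrong and return 1.
# Usage: check_thales_staging <staging dir>   (on a BIG-IP: /shared/thales_install)
check_thales_staging() {
    stage=$1; rc=0
    for rel in $THALES_ARCHIVES; do
        f="$stage/$rel"
        if [ ! -f "$f" ]; then
            echo "missing: $f"; rc=1
        elif ! tar -tf "$f" >/dev/null 2>&1; then
            echo "not a readable tar archive: $f"; rc=1
        fi
    done
    return $rc
}

# Write the five cknfastrc settings from step 8 to the given path, replacing
# any earlier copy so re-running the install does not append duplicates.
# Usage: write_cknfastrc <path>   (on a BIG-IP: /opt/nfast/cknfastrc)
write_cknfastrc() {
    cat > "$1" <<'EOF'
CKNFAST_LOADSHARING=1
CKNFAST_NO_ACCELERATOR_SLOTS=1
CKNFAST_ASSUME_SINGLE_PROCESS=0
CKNFAST_DEBUG=6
CKNFAST_DEBUGFILE=/var/log/pkcs11d.debug
EOF
}

# Return 0 if the cknfastrc file sets a variable to exactly the expected value.
# Usage: cknfastrc_has <path> <variable> <value>
cknfastrc_has() {
    grep -qxF "$2=$3" "$1"
}

# Stand-alone run against a constructed staging directory: each archive is a
# small tar of a dummy payload, standing in for the files copied from the CD.
tmpdir=$(mktemp -d)
mkdir -p "$tmpdir/payload"; echo "constructed payload" > "$tmpdir/payload/readme"
for rel in $THALES_ARCHIVES; do
    mkdir -p "$tmpdir/stage/$(dirname "$rel")"
    tar -cf "$tmpdir/stage/$rel" -C "$tmpdir" payload
done
check_thales_staging "$tmpdir/stage" && echo "all four archives staged and readable"
write_cknfastrc "$tmpdir/cknfastrc"
cknfastrc_has "$tmpdir/cknfastrc" CKNFAST_LOADSHARING 1 && echo "cknfastrc written"
rm -rf "$tmpdir"
```

On a BIG-IP system, run check_thales_staging /shared/thales_install after the SCP copy and only proceed to step 4 when it exits 0.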
Configuring the BIG-IP connection to Thales nShield Connect
Before you begin configuration,ensure that you have:
• Created the Thales Security World (security architecture).
• Created an Operator Card Set (OCS) to protect the BIG-IP SSL certificate keys.
• Added the IP address of the BIG-IP
®
systemto the Thales nShield Connect device using the front-panel
LCD.
• Run the following command sequence on the RFS to add the BIG-IP systemas a client of the RFS
/opt/nfast/bin/rfs-setup --force -g --write-noauth <BIG-IP IP address>
Before you can use Thales
®
nShield

Connect with the BIG-IP system,you need to configure the BIG-IP
system's connection to the Thales nShield Connect device and the Remote File System(RFS).
1.Log on to the command line of the BIG-IP
®
systemusing the root account.
2.To modify the PATH,type this command:
export PATH=$PATH:/opt/nfast/bin
3.Enroll the BIG-IP systemwith the Thales netHSM.
nethsmenroll --force <Thales_nShield_Connect_ip_address> $(anonkneti
<Thales_nShield_Connect_ip_address>)
Note:The anonkneti command returns two values:the Electronic Serial Number (ESN) of the netHSM
and the 40-character hash for the module's key (also called the key hash).
21
BIG-IP
®
Platform: FIPS Administration
4.Set up the connection to the RFS.
a) rfs-sync --no-authenticate --setup <rfs_ip_address>
b) rfs-sync --update
Note:Before you run the commands to set up the connection to the RFS,ensure that the RFS server is
network-accessible to the BIG-IP system.
5.Modify the file permissions.
a) chmod 755 -R/opt/nfast/bin
b) chown -R nfast:nfast/opt/nfast/kmdata/
c) chmod 700 -R/opt/nfast/kmdata/tmp/nfpriv_root
d) chown -R root:root/opt/nfast/kmdata/tmp/nfpriv_root
Important:Any time you run nethsmenroll or rfs-sync,you must reset the file permissions.
6.Set the Security Enhanced Linux (SELinux) policy.
a) chcon -t f5config_t/shared/nfast/cknfastrc
b) chcon -R -t f5config_t/opt/nfast/kmdata/local
c) chcon -R -t lib_t/shared/nfast/toolkits/pkcs11
7.Verify the configuration using the enquiry utility.
enquiry
When the BIG-IP system's connection to the Thales nShield Connect RFS is configured properly,a
message displays the value of the mode parameter as operational and the value of the connection
status parameter as OK,as shown in this example:
mode operational
connection status OK
connection info
esn = 4ECE-3073-AC6B;
addr = INET/172.31.10.243/9004;
ku hash = fedafb9bfb596be388d9f7b86a4ef2932135f29f,
mech = Any;time-limit = 24h;
data-limit = 8MB
Tip:If the enquiry command returns a failure,ensure that the IP address of the RFS has been added
to Thales nShield Connect using the LCD on the front of the device.Additionally,ensure that the
connection between Thales nShield Connect and the BIG-IP system is functioning.
8.Validate the connection between the BIG-IP systemand the Thales nShield Connect device.
ckinfo
A successful result includes the PKCS#11 library,slot,and token information.
9.
Validate the connection between the BIG-IP systemand the external HSM.
nfkminfo
A successful result includes a World section that contains a state of Initialized and Usable and
a Module section that contains a state of operator.
10.Enable pkcs11d.
tmsh modify sys service pkcs11d add
11.Restart pkcs11d.
22
About external HSMs and LTM
tmsh restart sys service pkcs11d
pkcs11d starts. If pkcs11d continually restarts, ensure that these files exist in the
/opt/nfast/kmdata/local directory for each nShield Connect client:
• module_*
• world
• card_*
• cards_*
12. Restart the tmm instance.
tmsh restart sys service tmm
Note: Restarting tmm interrupts all traffic that the BIG-IP system is processing, so perform this step
during a maintenance window.
If there is a firewall between the BIG-IP system and the RFS server, verify that the systems can initiate
connections through port 9004.
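The reset-and-verify sequence in steps 5 through 11, as an added shell script that is not part of the F5 manual or the Thales toolkit. It wraps the permission and SELinux commands in one function so they can be rerun after every nethsmenroll or rfs-sync, parses enquiry output for the two lines step 7 says to look for, and checks that the Security World files pkcs11d needs are present. The sample enquiry text is constructed from the excerpt above; the root-prefix parameter, the NFAST_APPLY switch and the function names are this example's own.

```shell
#!/bin/sh
# Added example: post-enrollment reset and verification for the nShield client on a BIG-IP.
# Not part of the F5 manual or the nShield toolkit. Re-run after every nethsmenroll / rfs-sync.

# Steps 5 and 6 of the procedure above, applied under an optional root prefix ($1).
# Leave the prefix empty on the BIG-IP itself; point it at a scratch tree to rehearse.
reset_nfast_perms() {
  root=${1:-}
  chmod -R 755 "$root/opt/nfast/bin"
  chown -R nfast:nfast "$root/opt/nfast/kmdata/"
  chmod -R 700 "$root/opt/nfast/kmdata/tmp/nfpriv_root"
  chown -R root:root "$root/opt/nfast/kmdata/tmp/nfpriv_root"
  chcon -t f5config_t "$root/shared/nfast/cknfastrc"
  chcon -R -t f5config_t "$root/opt/nfast/kmdata/local"
  chcon -R -t lib_t "$root/shared/nfast/toolkits/pkcs11"
}

# Step 7: read `enquiry` output on stdin and succeed only when the module reports
# mode "operational" AND the hardserver reports connection status "OK".
enquiry_ok() {
  out=$(cat)
  printf '%s\n' "$out" | grep -Eq '^[[:space:]]*mode[[:space:]]+operational([[:space:]]|$)' &&
    printf '%s\n' "$out" | grep -Eq '^[[:space:]]*connection status[[:space:]]+OK([[:space:]]|$)'
}

# Step 11 troubleshooting: pkcs11d restarts in a loop when any of these Security World
# files is missing from the kmdata/local directory given as $1.
kmdata_complete() {
  dir=$1
  [ -f "$dir/world" ] || { echo "missing: $dir/world" >&2; return 1; }
  for prefix in module_ card_ cards_; do
    set -- "$dir"/"$prefix"*
    [ -e "$1" ] || { echo "missing: $dir/$prefix*" >&2; return 1; }
  done
}

# Constructed sample of the enquiry excerpt quoted above (values are the manual's illustration).
SAMPLE_ENQUIRY='mode               operational
connection status  OK
connection info    esn = 4ECE-3073-AC6B; addr = INET/172.31.10.243/9004;
                   ku hash = fedafb9bfb596be388d9f7b86a4ef2932135f29f, mech = Any;
                   time-limit = 24h; data-limit = 8MB'

# Only touches the real filesystem and the real hardserver when NFAST_APPLY=1 is set;
# otherwise it just exercises the parser against the constructed sample.
main() {
  if [ "${NFAST_APPLY:-0}" = 1 ]; then
    reset_nfast_perms ""
    enquiry | enquiry_ok || { echo "enquiry: HSM not operational / not connected" >&2; exit 1; }
    kmdata_complete /opt/nfast/kmdata/local || exit 1
    echo "nShield client looks healthy; restart pkcs11d and tmm next"
  else
    printf '%s\n' "$SAMPLE_ENQUIRY" | enquiry_ok && echo "sample enquiry output: OK"
  fi
}
main
```

Run it as root on the BIG-IP with NFAST_APPLY=1 after each enrollment or RFS sync; without that variable it only checks the embedded sample, which makes it safe to keep in a test harness.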
Generating a key and certificates using the Thales generatekey utility
You can use the Thales® generatekey utility to generate private keys, self-signed certificates, and certificate
signing requests on a BIG-IP® system. You can also use the generatekey utility to import a software-based
key to the BIG-IP system.
Note: The generatekey utility defaults to a 30-day certificate and key file. There is no way to change
this value.
1. Log on to the command line of the BIG-IP system using the root account.
2. Update the local key database.
rfs-sync --update
A message displays indicating how many key files were updated on the system.
3. Change to the /shared/tmp directory.
cd /shared/tmp
4. Use the generatekey utility to do one of the following:
a) Generate a self-signed certificate and a certificate signing request (CSR), by using these parameters:
generatekey pkcs11 certreq=yes selfcert=yes embedsavefile=<keyname> \
  plainname=<keyname> recovery=yes protect=token nvram=no pubexp= type=RSA \
  size=2048 digest=sha1 x509country=<country> x509province=<state or province> \
  x509locality=<city> x509org=<organization> x509orgunit=<department> \
  x509dnscommon=<fully qualified domain name> x509email=
For example, to generate a PKCS#11 RSA key named mykey, a self-signed certificate named
mykey_selfcert, and a CSR named mykey_req, with additional parameters as shown, type:
generatekey pkcs11 certreq=yes selfcert=yes embedsavefile=mykey \
  plainname=mykey recovery=yes protect=token nvram=no pubexp= type=RSA \
  size=2048 digest=sha1 x509country=US x509province=WA x509locality=Seattle \
  x509org=F5 x509orgunit=PD x509dnscommon=www.myorg.com x509email=
b) Import an RSA private key that is not password-protected, by using these parameters:
generatekey --import pkcs11 certreq=yes embedsavefile=<keyname> \
  plainname=<keyname> recovery=yes protect=token nvram=no type=RSA \
  pemreadfile=<RSA_private_key_file_path>
This example imports an RSA private key named mykey with a CSR named mykey_req, from a
file named /shared/tmp/myprivatekey, with additional parameters as shown:
generatekey --import pkcs11 certreq=yes embedsavefile=mykey plainname=mykey recovery=yes \
  protect=token nvram=no type=RSA pemreadfile=/shared/tmp/myprivatekey
After the import completes, delete the plaintext key file from /shared/tmp. An imported key has
existed outside the HSM, so it does not carry the same assurance as a key generated inside the HSM.
You can use the options shown in this table with the generatekey utility. Each entry lists the option,
its description, the recommended value, and whether the option is required.

pkcs11
    Type of application of the key. Recommended value: pkcs11. Required: Yes.
certreq
    Generates a certificate signing request (CSR) for a third-party CA to sign.
    Recommended value: Yes. Required: Yes.
selfcert
    Generates a self-signed certificate. Recommended value: Yes. Required: Yes.
embedsavefile
    Indicates the file and path where the BIG-IP system saves the key and certificate you are
    generating. Recommended value: <keyname>. Required: Yes.
plainname
    Identifies the key to the domain on the RFS server. Recommended value: <keyname>. Required: Yes.
    Note: To determine the plainname of a key, run nfkminfo -l on the BIG-IP system. The system
    returns the names of the keys, as shown in this example:
    Keys protected by cardsets:
    key_pkcs11_ucc6abd4ecd9c508fefb1cf2ad596a50129d9188c1-07116673c2c129c3a937c0d6a2c682936017a65e 'www.siterequest.com'
recovery
    Specifies whether key recovery is available. Recommended value: Yes (default value). Required: No.
protect
    Method used to authorize key usage. Recommended value: token (default value). Required: No.
    Important: The BIG-IP system requires that all keys are protected by an Operator Card Set (OCS),
    which is a token.
nvram
    Specifies whether to store the key in the HSM's NVRAM. The Thales device has 32 KB of NVRAM
    available to store data; however, F5 Networks recommends that you do not store keys there,
    because this ties the key to a specific HSM. Recommended value: No (default value). Required: No.
pubexp
    RSA public exponent. F5 Networks recommends that you leave this parameter empty.
    Recommended value: empty. Required: No.
type
    Key type. Recommended value: RSA (default value). Required: No.
digest
    Digest used to sign self-signed certificates and CSRs. Recommended value: sha1 (default value).
    Required: No.
size
    Key size in bits. The default value is 1024. Recommended value: 2048. Required: No.
x509country
    Country location data. Recommended value: <country>. Required: No; the F5 Networks best practice
    is to include all geolocation data.
x509province
    State/Province location data. Recommended value: <state/province>. Required: No; the F5 Networks
    best practice is to include all geolocation data.
x509locality
    City location data. Recommended value: <city>. Required: No; the F5 Networks best practice is to
    include all geolocation data.
x509org
    Organization data. Recommended value: <organization>. Required: No; the F5 Networks best practice
    is to include all geolocation data.
x509orgunit
    Organizational unit data. Recommended value: <organization_unit>. Required: No; the F5 Networks
    best practice is to include all geolocation data.
x509dnscommon
    Common name of the domain for which you are generating a certificate. Recommended value:
    <domain_name>. Required: No; the F5 Networks best practice is to include all geolocation data.
x509email
    Leave this parameter empty, per current Internet task force recommendation; older email systems
    cannot handle a value other than empty. Recommended value: leave blank. Required: Yes.
5. Restart pkcs11d.
tmsh restart sys service pkcs11d
pkcs11d starts. If pkcs11d continually restarts, ensure that these files exist in the
/opt/nfast/kmdata/local directory for each nShield Connect client:
• module_*
• world
• card_*
• cards_*
6. Restart the tmm instance.
tmsh restart sys service tmm
7. Commit the new keys to the Thales Remote File System (RFS).
rfs-sync --commit
Important: All files in the /opt/nfast/kmdata/local directory will be committed to the RFS.
8. If you want to use a third-party signed certificate, send the <keyname>_req file, which is a product of
using the generatekey utility, to the CA to request a signed certificate.
After you generate keys and certificates, you need to import them into the BIG-IP configuration using tmsh.
Importing external HSM keys using tmsh
You can use the Traffic Management Shell (tmsh) to import existing keys into the system.
1. Log on to the command line of the BIG-IP® system using the root account.
2. Open the Traffic Management Shell (tmsh).
tmsh
3. Import a key, by using these parameters:
install sys crypto key <key_object_name> from-local-file /shared/tmp/<key_object_name>
This example imports a key named mykey, from a key file named mykey in the /shared/tmp/ directory:
install sys crypto key mykey from-local-file /shared/tmp/mykey
Importing certificates using tmsh
If you are importing a third-party signed certificate, ensure that you have obtained the certificate from the
CA (<keyname>.crt) and copied it into the /shared/tmp/ directory; otherwise, ensure that you have
generated a self-signed certificate using the Thales® generatekey utility.
You can use the Traffic Management Shell (tmsh) to import existing certificates into the system.
1. Log on to the command line of the BIG-IP® system using the root account.
2. Open the Traffic Management Shell (tmsh).
tmsh
3. Import a self-signed certificate, by using these parameters.
install sys crypto cert <keyname>.crt from-local-file /shared/tmp/<keyname>_selfcert
For example, to import a self-signed certificate created for a key named mykey, type:
install sys crypto cert mykey.crt from-local-file /shared/tmp/mykey_selfcert
4. Import a third-party certificate, by using these parameters.
install sys crypto cert <keyname>.crt from-local-file /shared/tmp/<keyname>.crt
For example, to import a third-party signed certificate for a key named mykey, type:
install sys crypto cert mykey.crt from-local-file /shared/tmp/mykey.crt
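The generatekey procedure above and the two tmsh import sections that follow it, as an added shell wrapper (example code, not the F5 manual's or the Thales toolkit's). It composes the step 4a generatekey invocation, refuses the 1024-bit size that generatekey uses when size= is omitted, restarts pkcs11d and tmm, commits to the RFS, and then runs the tmsh install commands for the key and for either the self-signed or the CA-signed certificate. DRY_RUN=1 prints each command instead of executing it so the sequence can be checked off-box; that variable, the function names and the input validation are this example's own. The digest defaults to sha256 rather than the sha1 in the manual's example, because SHA-1 certificate signatures are no longer accepted by public CAs or browsers; generatekey's support for digest=sha256 is assumed here, so confirm it against your Security World software version.

```shell
#!/bin/sh
# Added example: wrapper for the generatekey + tmsh import procedure on a BIG-IP.
# Not part of the F5 manual or the nShield toolkit. DRY_RUN=1 prints commands instead of running them.
set -eu

run() {
  if [ -n "${DRY_RUN:-}" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Refuse key sizes below 2048 bits (generatekey silently defaults to 1024 when size= is omitted).
check_key_size() {
  case "$1" in ''|*[!0-9]*) return 1 ;; esac
  [ "$1" -ge 2048 ]
}

# Steps 2 through 7 of the procedure. Positional args: keyname country state city org ou cn
# Optional env: KEY_SIZE (default 2048), DIGEST (default sha256; assumed supported by generatekey).
hsm_generate() {
  keyname=$1; country=$2; state=$3; city=$4; org=$5; ou=$6; cn=$7
  size=${KEY_SIZE:-2048}; digest=${DIGEST:-sha256}
  check_key_size "$size" || { echo "refusing key size $size (< 2048 bits)" >&2; return 1; }
  # The key name becomes file names under /shared/tmp and a tmsh object name: keep it plain.
  case "$keyname" in ''|*[!A-Za-z0-9._-]*) echo "bad key name: $keyname" >&2; return 1 ;; esac
  run rfs-sync --update
  run cd /shared/tmp
  run generatekey pkcs11 certreq=yes selfcert=yes "embedsavefile=$keyname" \
      "plainname=$keyname" recovery=yes protect=token nvram=no pubexp= type=RSA \
      "size=$size" "digest=$digest" "x509country=$country" "x509province=$state" \
      "x509locality=$city" "x509org=$org" "x509orgunit=$ou" "x509dnscommon=$cn" x509email=
  run tmsh restart sys service pkcs11d
  run tmsh restart sys service tmm
  run rfs-sync --commit
}

# The two tmsh import sections. $2 is "self" (use <keyname>_selfcert) or "ca"
# (use the CA-signed <keyname>.crt, which must already be in /shared/tmp).
bigip_import() {
  keyname=$1; certsrc=${2:-self}
  run tmsh install sys crypto key "$keyname" from-local-file "/shared/tmp/$keyname"
  case "$certsrc" in
    self) run tmsh install sys crypto cert "$keyname.crt" from-local-file "/shared/tmp/${keyname}_selfcert" ;;
    ca)
      [ -n "${DRY_RUN:-}" ] || [ -f "/shared/tmp/$keyname.crt" ] ||
        { echo "copy the CA-signed certificate to /shared/tmp/$keyname.crt first" >&2; return 1; }
      run tmsh install sys crypto cert "$keyname.crt" from-local-file "/shared/tmp/$keyname.crt" ;;
    *) echo "certificate source must be self or ca" >&2; return 1 ;;
  esac
}

# Rehearsal with the manual's sample values; the real run is the same calls without DRY_RUN.
if [ -n "${DRY_RUN:-}" ]; then
  hsm_generate mykey US WA Seattle F5 PD www.myorg.com
  bigip_import mykey self
fi
```

On the BIG-IP, source the file and call hsm_generate and then bigip_import with the Operator Card Set inserted; run bigip_import with "ca" only after the CSR (<keyname>_req) has come back signed and the certificate is in /shared/tmp.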
Creating a backup of the Thales RFS
Before you back up the RFS, ensure that the Thales® nShield™ Connect Remote File System (RFS) server
is installed on your network.
You can back up the /shared/nfast/kmdata/local/ and /shared/nfast/kmdata/hsm-* directories
of the RFS to recover the RFS state, if needed. The RFS contains all of the Thales nShield Connect keys.
Treat the backup as sensitive: together with the Administrator and Operator card sets, the Security World
files it contains are sufficient to reconstruct the Security World and its keys.
1. Copy the /shared/nfast directory to /shared/nfast.org.
This directory can be used to recover old data, if necessary.
2. Follow the Thales best practices for backing up the RFS server.
Troubleshooting Thales nShield Connect with the BIG-IP system
If the BIG-IP® system and the Thales nShield™ Connect device are not communicating, configure the self
IP address of the BIG-IP system to allow port 9004.
1. On the Main tab, click Network > Self IPs.
The Self IPs screen opens.
2. In the Name column, click the self IP address that you want to modify.
The properties of the self IP address display.
3. From the Port Lockdown list, select 9004.
4. Click Update.
About using external HSMs with VIPRION systems
There are some important considerations when configuring the Thales® nShield™ Connect software on a
VIPRION® system:
• The Thales software and configuration files do not sync between blades. You need to install and configure
the client software on each blade installed in the chassis.
• You need to add the cluster management IP address and the cluster member IP address for each blade
installed in the chassis to the Thales nShield Connect device for remote connectivity between the
VIPRION system and the Thales device.