Hardware HSM Setup and Administration (2024)

Setup of embedded FIPS platforms in a device group

You can configure a device group using two platforms from the same series with a FIPS hardware security module (HSM) installed in each unit. When setting up an embedded FIPS solution on a device group, you install the two systems and can connect to a serial console to remotely manage the systems. In the event that network access is impaired or not yet configured, the serial console might be the only way to access your system.

After you have set up and configured the systems, you can create the FIPS security domain by initializing the HSM and creating a security officer (SO) password. You must configure the same security domain name on all HSMs in the group.

Embedded HSM initialization and synchronization overview

After you have set up and configured your BIG-IP systems, you create a FIPS security domain by initializing the embedded HSM and then synchronizing all applicable HSMs.

Initialize the HSM in 5000/7000/10200 platforms

You must initialize the hardware security module (HSM) installed in each unit before you can use it. When you are creating a device group using more than one FIPS platform, you initialize the HSM on one unit, and then initialize the HSM on a peer unit using the same security domain label that you used on the first unit.

You can initialize the HSM and create the security domain before you license the system and create a traffic management configuration.

  1. Log in to the command line of the system using an account with root access.

  2. Open the TMOS Shell (tmsh).

    tmsh

  3. Initialize the HSM and set a security officer (SO) password.

    run util fips-util -f init

    Running this command deletes all keys in the HSM and makes any previously exported keys unusable.

    The initialization process takes a few minutes to complete.

    The initialization process begins. When prompted, type an SO password.

    F5 recommends that you choose a strong value for the SO password. You cannot use the keyword default as the SO password.

    WARNING: This erases all keys from the FIPS 140 device.
    Any configuration objects dependent on FIPS keys will cause
    the configuration fail to load.
    ==================== WARNING ================================
    The FIPS device will be reset to factory default state.
    All keys and user identities currently stored in the device
    will be erased.
    Any configuration objects dependent on FIPS keys will cause
    the configuration fail to load.
    Press <ENTER> to continue or Ctrl-C to cancel
    Resetting the device ...
    The FIPS device is now in factory default state.
    Enter new Security Officer password (min. 7, max. 14 characters):
    Re-enter Security Officer password:

  4. When this message displays, type a security domain label.

    NOTE: security domain label must be identical on peer FIPS devices in order to be able to synchronize with them.
    Enter security domain label (max. 50 chars, default: F5FIPS):

    Be sure to keep the security domain label and password in a secure location. You need the domain label and password when you initialize the HSM on a peer unit. You can use the same password or choose a new one. This information is also required when replacing a unit (for RMA or other reasons). Since keys are synchronized from the working unit to a new unit, the domain label and password are required.

    Initializing new security domain (F5FIPS)...
    Creating crypto user and crypto officer identities
    Waiting for the device to re-initialize ...
    Creating key encryption key (KEK)
    The FIPS device has been initialized.

  5. Enable the HSM device using one of these options:

    • Reboot the unit.

    • Restart all services:

      restart sys service all

      Restarting services disrupts load-balanced traffic and might terminate remote login sessions to the system.

After you complete the initialization process on the first unit, you can initialize a peer system and add it to the security domain of the first unit. You must use the same SO password that you used on the first unit.

Initialize the HSM in 10350v-F platforms

You must initialize the hardware security module (HSM) installed in each unit before you can use it. When you are creating a device group using more than one FIPS platform, you initialize the HSM on one unit, and then initialize the HSM on a peer unit using the same security domain label that you used on the first unit. You can choose to use a different password on the peer unit.

You can initialize the HSM and create the security domain before you license the system and create a traffic management configuration.

  1. Log in to the command line of the system using an account with root access.

  2. Open the TMOS Shell (tmsh).

    tmsh

  3. Initialize the HSM and set a security officer (SO) password.

    run util fips-util init

    Running this command deletes all keys in the HSM and makes any previously exported keys unusable.

    The initialization process takes a few minutes to complete.

    The initialization process begins. When prompted, type an SO password. You cannot use the keyword default as the SO password.

    F5 recommends that you choose a strong value for the SO password.

    If this text displays in the message below, you need to first delete all keys from the device before running the command:

    There are keys stored in the FIPS device
    Delete all keys from the device before re-initializing it

    You can use the -f option to force initialization, which deletes all user-generated keys (util fips-util -f init).

    WARNING: This erases all keys from the FIPS 140 device.
    Any configuration objects dependent on FIPS keys will cause
    the configuration fail to load.
    ==================== WARNING ================================
    The FIPS device will be reset to factory default state.
    All keys and user identities currently stored in the device
    will be erased.
    Any configuration objects dependent on FIPS keys will cause
    the configuration fail to load.
    Press <ENTER> to continue or Ctrl-C to cancel
    Resetting the device ...
    The FIPS device is now in factory default state.
    Enter new Security Officer password (min. 7, max. 14 characters):
    Re-enter Security Officer password:

  4. When this message displays, type a security domain label.

    NOTE: security domain label must be identical on peer FIPS devices in order to be able to synchronize with them.
    Enter security domain label (max. 50 chars, default: F5FIPS):

    Be sure to keep the security domain label and password in a secure location. You need the domain label and password when you initialize the HSM on a peer unit. You can use the same password or choose a new one. This information is also required when replacing a unit (for RMA or other reasons). Since keys are synchronized from the working unit to a new unit, the domain label and password are required.

    Initializing new security domain (F5FIPS)...
    Creating crypto user and crypto officer identities
    Waiting for the device to re-initialize ...
    Creating key encryption key (KEK)
    The FIPS device has been initialized.

  5. Enable the HSM device using one of these options:

    • Reboot the unit.

    • Restart all services:

      restart sys service all

      Restarting services disrupts load-balanced traffic and might terminate remote login sessions to the system.

After you complete the initialization process on the first unit, you can initialize a peer system and add it to the security domain of the first unit. You can choose to use the same SO password that you used on the first unit.

Initialize the HSM in i5000F (i5820-DF)/i7000F (i7820-DF)/i15000-DF (i15820-DF) platforms

You must initialize the hardware security module (HSM) installed in each unit before you can use it. When you are creating a device group using more than one FIPS platform, you initialize the HSM on one unit, and then initialize the HSM on a peer unit using the same security domain label that you used on the first unit. You can choose to use a different password on the peer unit.

You can initialize the HSM and create the security domain before you license the system and create a traffic management configuration.

  1. Log in to the command line of the system using an account with root access.

  2. Open the TMOS Shell (tmsh).

    tmsh

  3. Initialize the HSM and set a security officer (SO) password.

    run util fips-util init

    Running this command deletes all keys in the HSM and makes any previously exported keys unusable.

    The initialization process takes a few minutes to complete.

    The initialization process begins. When prompted, type an SO password. You cannot use the keyword default as the SO password.

    F5 recommends that you choose a strong value for the SO password.

    If this text displays in the message below, you need to first delete all keys from the device before running the command:

    There are keys stored in the FIPS device
    Delete all keys from the device before re-initializing it

    You can use the -f option to force initialization, which deletes all user-generated keys (util fips-util -f init).

    WARNING: This erases all keys from the FIPS 140 device.
    Any configuration objects dependent on FIPS keys will cause
    the configuration fail to load.
    ==================== WARNING ================================
    The FIPS device will be reset to factory default state.
    All keys and user identities currently stored in the device
    will be erased.
    Any configuration objects dependent on FIPS keys will cause
    the configuration fail to load.
    Press <ENTER> to continue or Ctrl-C to cancel
    Resetting the device ...
    The FIPS device is now in factory default state.
    Enter new Security Officer password (min. 7, max. 14 characters):
    Re-enter Security Officer password:

  4. When this message displays, type a security domain label.

    NOTE: security domain label must be identical on peer FIPS devices in order to be able to synchronize with them.
    Enter security domain label (max. 50 chars, default: F5FIPS):

    Be sure to keep the security domain label and password in a secure location. You need the domain label and password when you initialize the HSM on a peer unit. You can use the same password or choose a new one. This information is also required when replacing a unit (for RMA or other reasons). Since keys are synchronized from the working unit to a new unit, the domain label and password are required.

    Initializing new security domain (F5FIPS)...
    Creating crypto user and crypto officer identities
    Waiting for the device to re-initialize ...
    Creating key encryption key (KEK)
    The FIPS device has been initialized.

  5. Enable the HSM device using one of these options:

    • Reboot the unit.

    • Restart all services:

      restart sys service all

      Restarting services disrupts load-balanced traffic and might terminate remote login sessions to the system.

After you complete the initialization process on the first unit, you can initialize a peer system and add it to the security domain of the first unit. You can choose to use the same SO password that you used on the first unit.

View HSM information using tmsh

You can use the Traffic Management Shell (tmsh) to view information about the hardware security module (HSM). If you have a 10350v-FIPS platform provisioned for Virtual Clustered Multiprocessing (vCMP), you can also view information about any FIPS partitions on the HSM.

  1. Log in to the command line of the system using an account with root access.

  2. Open the TMOS Shell (tmsh).

    tmsh

  3. View information about the HSM.

    run util fips-util info

    Depending on the HSM installed in your system, a summary similar to this example (from a 10350 platform) displays.

    Label: F5FIPS
    Model: NITROX-III CNN35XX-NFBE
    Serial Number: 3.0G1501-ICM000059
    FIPS state: 2
    MaxSessionCount: 2048
    SessionCount: 13
    MaxPinLen: 14
    MinPinLen: 7
    TotalPublicMemory: 557540
    FreePublicMemory: 234552
    TotalUserKeys: 10075
    AvailableUserKeys: 10075
    Logging failures:
        user: 0
        officer: 0
    Temperature: 72 C
    HW version: 0.0
    Firmware version: CNN35XX-NFBE-FW-1.0-27

  4. View information about FIPS partitions on the HSM.

    run util fips-util ptninfo

Before you synchronize the HSMs

Before you can synchronize the FIPS hardware security modules (HSMs), you must ensure that the target HSM:

  • Is already initialized

  • Has an identical security domain name

  • Does not contain existing keys

  • Is the same hardware model

  • Contains the same firmware version

Before you run the fips-card-sync command, ensure that you have this information:

  • The SO password for the source F5 device

  • The SO password for the target F5 device

  • The root password for the target F5 device

The target device must also be reachable using SSH from thesource device.
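The prerequisites above can be checked from the summary that run util fips-util info prints on each unit (shown in the previous section). The following Python is an added example and not F5 code: it parses two captured summaries and reports which of the prerequisites the summary can show are not met (identical security domain label, hardware model and firmware version, and no existing keys on the target). Both summaries are constructed for the example, modelled on the page's sample output; the target serial number and the older firmware string are made up. Treating AvailableUserKeys equal to TotalUserKeys as "no existing keys" is an assumption, and whether the target is initialized is not derived from these fields.

```python
"""Check two units' `tmsh run util fips-util info` summaries against the
fips-card-sync prerequisites (same security domain label, same hardware
model, same firmware version, no existing keys on the target).

Added example, not F5 code. The summaries below are constructed samples
modelled on the page's output; the target serial number and the older
firmware string are made up for the example.
"""

from typing import Dict, List

SOURCE_INFO = """\
Label: F5FIPS
Model: NITROX-III CNN35XX-NFBE
Serial Number: 3.0G1501-ICM000059
FIPS state: 2
TotalUserKeys: 10075
AvailableUserKeys: 10070
Logging failures:
    user: 0
    officer: 0
Temperature: 72 C
HW version: 0.0
Firmware version: CNN35XX-NFBE-FW-1.0-27
"""

# Constructed: same domain and model, but older firmware and two keys still stored.
TARGET_INFO_STALE = """\
Label: F5FIPS
Model: NITROX-III CNN35XX-NFBE
Serial Number: CONSTRUCTED-TARGET-SERIAL
FIPS state: 2
TotalUserKeys: 10075
AvailableUserKeys: 10073
Firmware version: CNN35XX-NFBE-FW-1.0-26
"""

# Constructed: a target that meets every prerequisite the summary can show.
TARGET_INFO_READY = """\
Label: F5FIPS
Model: NITROX-III CNN35XX-NFBE
Serial Number: CONSTRUCTED-TARGET-SERIAL
FIPS state: 2
TotalUserKeys: 10075
AvailableUserKeys: 10075
Firmware version: CNN35XX-NFBE-FW-1.0-27
"""


def parse_fips_info(text: str) -> Dict[str, str]:
    """Turn the 'Field: value' lines of the summary into a dict.
    Indented sub-fields (user/officer under 'Logging failures') are kept
    under their own names; lines without a colon are ignored."""
    info: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if ":" not in line:
            continue
        key, _, value = line.partition(":")
        info[key.strip()] = value.strip()
    return info


def sync_prerequisite_problems(source: Dict[str, str], target: Dict[str, str]) -> List[str]:
    """Return the prerequisites that are NOT met; an empty list means the
    summaries show no reason not to run fips-card-sync."""
    problems: List[str] = []
    for field, description in (
        ("Label", "security domain label"),
        ("Model", "hardware model"),
        ("Firmware version", "firmware version"),
    ):
        if source.get(field) != target.get(field):
            problems.append(
                f"{description} differs: source={source.get(field)!r}, target={target.get(field)!r}"
            )
    # Assumption: a target with no user keys reports AvailableUserKeys == TotalUserKeys.
    total = int(target.get("TotalUserKeys", "0"))
    available = int(target.get("AvailableUserKeys", "0"))
    if available != total:
        problems.append(f"target already holds {total - available} key(s); delete them before syncing")
    return problems


if __name__ == "__main__":
    source = parse_fips_info(SOURCE_INFO)
    for name, text in (("stale", TARGET_INFO_STALE), ("ready", TARGET_INFO_READY)):
        issues = sync_prerequisite_problems(source, parse_fips_info(text))
        print(f"{name}: {'OK' if not issues else '; '.join(issues)}")
```

Run against real captures, the stale target would be reported twice (firmware mismatch, two keys still stored) and the ready target not at all; the check is deliberately conservative and only reports what the summary makes visible, so the SSH reachability and the passwords listed above still have to be confirmed by hand.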

Synchronize the HSMs using tmsh

Be sure that you meet all prerequisites before synchronizing the hardware security modules (HSMs) in your devices.

Synchronizing the HSMs enables you to copy keys from one HSM to another. This is also required to synchronize the software configuration in a device group.

You only need to perform the synchronization process during the initial configuration of a pair of devices. After the two devices are in sync, they remain in sync.

  1. Log on to the command line of the source F5 device using an account with root access.

  2. Open the TMOS Shell (tmsh).

    tmsh

  3. Synchronize the masking key from the HSM on the source F5 device to the HSM on the target F5 device, where <hostname> is the IP address or hostname of the target F5 device.

    run util fips-card-sync <hostname>

    Be sure to run this command on a device that contains a valid masking key. Otherwise, you might invalidate all keys loaded in the HSM.

    A masking key is shared between the HSMs on each F5 device. This shared masking key is used to encrypt the SSL private keys when the keys leave the cryptographic boundary of the HSM.

    1. When prompted, type the security officer (SO) password for the local device.

    2. When prompted, type the SO password for the remote device or press Enter if the password is the same as for the local device.

      A message similar to this example displays:

      Connecting to 192.0.2.255 as user root ...

    3. When prompted, type the root password.

      When the synchronization operation completes, a message similar to this example displays:

      FIPS devices have been synchronized.

  4. Synchronize the software configuration in the device group.

    You must run fips-card-sync before running config-sync. Otherwise, the FIPS keys will not load on the remote device.

    run cm config-sync [to-group | from-group] <device-group-name>

FIPS multi-tenancy for vCMP guests overview

The BIG-IP 10350v-FIPS platform model contains a FIPS-validated hardware security module (HSM) that supports Single Root I/O Virtualization (SR-IOV) mode on Virtual Clustered Multiprocessing (vCMP)-enabled systems.

Benefit

The benefit of SR-IOV mode is that for a BIG-IP system on a 10350v-FIPS platform provisioned for Virtual Clustered Multiprocessing (vCMP), you can create a virtual HSM (known as a FIPS partition) for each guest on the system. A FIPS partition is a portion of cores and private key slots on the HSM that a host administrator can dedicate to a guest for cryptographic functions.

This illustration shows a BIG-IP system where three guests each have their own FIPS partition for FIPS hardware-based processing.


About core allocation

You can create up to 32 FIPS partitions on the HSM, with some number of cores allocated to each partition. The number of cores you allocate to a FIPS partition depends on the processing needs of the guest you assign the partition to. The only limit is that the combined number of cores for all partitions cannot exceed 63, the total number of cores that the HSM supports.

To determine how you want to deploy FIPS partitioning for your vCMP guests, you should:

  • Identify the guests that need dedicated cores.

  • Decide how many cores and private key slots you want to allocate to each guest's partition.

For example, to decide how many cores to dedicate to each guest, suppose guests A and B have equal core requirements, but guest C has twice the needs of both A and B. In this case, you could allocate 12 cores each to A and B, and 24 cores to C. This would mean a total core allocation of 48 HSM cores, leaving 15 cores unallocated and available for future guest needs.

About FIPS private keys

Once you have assigned a FIPS partition to a guest, the guest administrator can log in to the guest to create, convert, or import FIPS private SSL keys, which are stored on the HSM. The FIPS partition assigned to the guest dictates the amount of storage available for FIPS keys on the HSM for the guest.

Host administration tasks

Before vCMP guest administrators can create and manage FIPS keys in their own secure partitions on the FIPS hardware security module (HSM), a host administrator must initialize the FIPS HSM, resize the default partition to free up cores for other FIPS partitions, and create those other partitions on the HSM. As host administrator, you'll create one unique partition for each guest.

Prerequisite tasks for managing FIPS partitions

Before you set up FIPS partitions for your Virtual Clustered Multiprocessing (vCMP) guests, confirm that the vCMP host prerequisites have been met on each device that hosts vCMP guests in your high availability configuration. Confirm all prerequisites by logging in to the BIG-IP system using the management IP address of the vCMP host.

Your BIG-IP user account must have a role of Administrator assigned to it.

Prerequisites, the verification tool for each, and the verification instructions:

  • Prerequisite: The BIG-IP system is provisioned for Virtual Clustered Multiprocessing (vCMP).
    Verification tool: BIG-IP Configuration utility.
    Verification instructions: On the Main tab, click System > Resource Provisioning. In the Module column, locate Virtual CMP (vCMP) and then view the Provisioning column.

  • Prerequisite: You have created vCMP guests on the system.
    Verification tool: BIG-IP Configuration utility.
    Verification instructions: On the Main tab, click vCMP > Guest List. View the list of vCMP guests.

  • Prerequisite: You have permission to use the TMSH (TMOS Shell) command-line interface.
    Verification tool: BIG-IP Configuration utility.
    Verification instructions: On the Main tab, click System > Users. Then click your account name and view the Terminal Access list. This setting must be set to either tmsh or Advanced shell.

  • Prerequisite: The license type is 10350v-FIPS.
    Verification tool: An SSH application such as PuTTY.
    Verification instructions: At the tmsh prompt, type show sys hardware and under Platform, look for a Name property of 10350F.

  • Prerequisite: The hardware security module (HSM) is initialized and the security label matches the label on all other devices hosting BIG-IP device group members (that is, vCMP guests).
    Verification tool: An SSH application such as PuTTY.
    Verification instructions: At the tmsh prompt, type fips-util -v info.

  • Prerequisite: The HSMs on the appliances hosting the vCMP guests in the BIG-IP device group are synchronized.
    Verification tool: An SSH application such as PuTTY.
    Verification instructions: At the tmsh prompt, type run util fips-card-sync <hostname>.

  • Prerequisite: You know the Security Officer password for managing the FIPS HSM.
    Verification tool: Not applicable.
    Verification instructions: If you do not know the Security Officer password, see your security administrator.

  • Prerequisite: The BIG-IP configurations on all members of the BIG-IP device group (that is, vCMP guests) are synchronized.
    Verification tool: BIG-IP Configuration utility.
    Verification instructions: On the Main tab, click Device Management > Overview. Then verify that all device group members have a status of In Sync.

For more information, see BIG-IP Device Service Clustering: Administration at the F5 support site, support.f5.com.

Resize of FIPS partitions

After all vCMP guests are deployed with FIPS partitions assigned to them, you might decide later that you need to increase or decrease the number of cores for a specific guest.

When you resize a guest's partition, you use the TMSH (TMOS Shell) command-line interface, and it's helpful to understand the output that TMSH displays during the resizing process. For example, suppose you initially resized PARTITION_1 and created three other partitions, with these core allocations:

  • PARTITION_1: 32 cores

  • PARTITION_2: 8 cores

  • PARTITION_3: 10 cores

  • PARTITION_4: 4 cores

This shows that we have a total of 54 of the 63 cores on the HSM allocated, leaving 9 cores still unallocated.

Now suppose you decide to adjust the number of cores allocated to PARTITION_2, from 8 cores to 6. In this case, you'll need to use the fips-util ptnresize command within tmsh. For example, if you type:

tmsh /util fips-util ptnresize

The system prompts you for a password and the relevant partition name and displays other fields showing their currently configured values:

Enter Security Officer password: SO-password
Enter partition name: PARTITION_2
Enter max keys (1-82160, current 5000): 4000
Enter max accel devs (0 to 25, current 8):

In the Enter max accel devs field, the system shows that there are 0 to 25 cores available to PARTITION_2 for resizing, with 8 cores currently allocated. The system calculates this 0 to 25 value using this formula:

(Total cores on the HSM - The sum of cores for the three other partitions) + (cores currently assigned to PARTITION_2)

which translates to:

63 - (32 + 10 + 4) + 8 = 25

Notice that the displayed number of maximum cores available to PARTITION_2 (25) includes the current allocation of 8 cores.

For Enter max accel devs, once you specify a new value of 6, the number of unallocated cores on the HSM increases from 9 to 11.

Enable vCMP after a BIG-IP software upgrade

If your BIG-IP system was provisioned for vCMP prior to upgrading to this BIG-IP version, you must enable a BigDB variable, kernel.iommu.

Be sure to do this before you manage the hardware security module (HSM) to create FIPS partitions for vCMP guests.

  1. Log in to the command line of the system using an account with root access.

  2. Open the TMOS Shell (tmsh).

    tmsh

  3. Enable the kernel.iommu DB variable.

    modify /sys db kernel.iommu value enable

  4. Save your BIG-IP configuration.

    save /sys config

  5. Reboot the system.

    sys reboot

Resize the default FIPS partition

Whenever you initialize the FIPS hardware security module (HSM) on a vCMP host, the process creates a FIPS partition named PARTITION_1 that you can assign to one of your vCMP guests. By default, PARTITION_1 contains all available FIPS cores on the HSM (63).

To free up cores for other guests, you'll need to reduce the number of cores assigned to PARTITION_1. You can then allocate those freed-up cores to other FIPS partitions that you create.

  1. Log in to the command line of the system using an account with root access.

  2. Open the TMOS Shell (tmsh).

    tmsh

  3. Resize the default partition.

    fips-util ptnresize

  4. Enter the Security Officer password.

  5. At the Partition name prompt, enter the name of the default partition, PARTITION_1.

  6. At the Enter max keys prompt, re-type or change the current value for the maximum number of SSL keys allocated to the default partition.

  7. At the Enter max accel devs prompt, reduce the current value of 63.

    The specified value represents the number of cores currently allocated to PARTITION_1.

    For example, if you intend to create three guests, and you know that for two of those guests, you'll want to create PARTITION_2 and PARTITION_3 and allocate 20 and 10 cores respectively, change the value for PARTITION_1 from 63 to 33.

    Changing this value frees up the number of cores that you'll need for the other partitions.

  8. Press Enter.

  9. Save your BIG-IP configuration.

    save /sys config

After you complete this task, the HSM has available cores for you to allocate to other FIPS partitions that you create.

Create FIPS partitions on the HSM

You can create a virtual hardware security module (HSM) for each vCMP guest on the system that processes FIPS-related traffic. After creating FIPS partitions on the HSM, you can provide each guest with its own dedicated FIPS hardware resource to use for cryptographic functions.

You only need to create a FIPS partition for a guest when the guest is processing FIPS-related traffic.

  1. Open the TMOS Shell (tmsh).

    tmsh

  2. Create a FIPS partition.

    fips-util ptncreate

    If you receive an error message about acceleration, you'll need to resize the default FIPS partition before creating FIPS partitions.

    The system then prompts you for the Security Officer password.

  3. Type the Security Officer password.

  4. At the Enter partition name prompt, assign a name to the partition, such as PARTITION_2.

    Do not assign the name PARTITION_1. This is the name of the default FIPS partition.

  5. At the Max key count prompt, type the maximum number of private SSL keys that a guest administrator will be able to store in the guest's partition.

  6. At the Max accel devs prompt, type a value for the number of FIPS hardware cores that you want to allocate to the partition.

  7. Press Enter.

  8. Save your BIG-IP configuration.

    save /sys config

  9. Repeat for each additional partition that you want to create.

After you complete this task, the HSM has a unique FIPS partition for each guest that you want to assign FIPS hardware SSL resources to. You can then provide a guest with its own dedicated FIPS hardware SSL resource by assigning the FIPS partition to the guest.

Disable a vCMP guest

Before performing this task, confirm that you are logged in to the BIG-IP Configuration utility as a vCMP host administrator.

Before you assign a FIPS partition to a guest, you must set the guest to the Configured state.

This task is based on the assumption that the guest you want to disable is currently in a Deployed or Provisioned state.

  1. On the Main tab, click vCMP > Guest List.

    This displays a list of guests on the system.

  2. In the Name column, find the name of the guest you want to assign a FIPS partition to, and in the left-most column, select the check box.

  3. Click Disable.

    The guest state changes to Configured.

  4. Repeat this task for each guest to which you plan on assigning a FIPS partition.

After performing this task, the guest can no longer process traffic, and you can now modify the guest to assign a FIPS partition.

Assign a FIPS partition to a vCMP guest

Before performing this task, confirm that you are logged in to the BIG-IP Configuration utility as a vCMP host administrator.

For BIG-IP systems containing a FIPS hardware security module (HSM) on which you have created FIPS partitions, you can assign a separate FIPS partition to each vCMP guest on the system. This provides each guest with its own virtual FIPS HSM to use for cryptographic functions when processing FIPS-related traffic.

It's worth noting that in addition to using FIPS partitions for FIPS-related traffic, you can configure the SSL Mode setting for non-FIPS related traffic. This controls the non-FIPS hardware SSL resources on the system.

  1. On the Main tab, click vCMP > Guest List.

    This displays a list of guests on the system.

  2. In the Name column, click the name of the guest that you want to modify.

    This displays the configured properties of the guest.

  3. From the FIPS Partition list, select a FIPS partition name.

  4. From the Requested State list, select Deployed.

  5. Click Update.

    This action causes the guest to restart.

  6. Repeat this task for each guest to which you want to assign a FIPS partition.

After you complete this task, each vCMP guest that you modified has a virtual FIPS HSM assigned to it to use for cryptographic functions.

Display the list of FIPS partitions on the HSM

When the FIPS hardware security module (HSM) in your BIG-IP® system contains FIPS partitions for multi-tenancy, you can display a list of the partitions at any time.

  1. Open the TMOS Shell (tmsh).

    tmsh

  2. View a list of partitions.

    fips-util ptninfo

  3. Type the Security Officer password.

    The system displays a list of existing FIPS partitions on the HSM.

Deleting FIPS partitions on the HSM

When the FIPS hardware security module (HSM) in your BIG-IP system contains FIPS partitions for multi-tenancy, you can delete one or more of those partitions from the HSM if for some reason you no longer need them.

  1. Open the TMOS Shell (tmsh).

    tmsh

  2. Delete a partition.

    fips-util ptndelete

    The system prompts you for the Security Officer password.

  3. Type the Security Officer password.

  4. At the Enter partition name prompt, type the name of the partition you want to delete.

  5. Press Enter.

  6. Save your BIG-IP configuration.

    save /sys config

Guest administration tasks

When a vCMP guest has a FIPS partition assigned to it, the guest administrator can store private SSL keys on the FIPS hardware security module (HSM). Specifically, a guest administrator can use the BIG-IP Configuration utility to:

  • Create and store FIPS keys in the HSM.

  • Import non-FIPS keys (.exp files) or FIPS keys to the HSM. Importing FIPS keys requires the BIG-IP system to use the same masking key that was previously used to export the FIPS keys.

  • Convert non-FIPS keys to FIPS keys, which are then stored in the HSM.

For information about managing your FIPS keys, see the Key Management section of this guide.

Before you log in to a vCMP guest and manage private SSL keys, confirm that you have met these prerequisites:

  • You have a user role that allows you to log in to the system as a vCMP guest administrator.

  • You have permission to use the tmsh CLI.

  • You have permission to manage private SSL keys.

For more information, see the BIG-IP Digital Certificates: Administration guide at support.f5.com.

Key management on embedded FIPS systems

You can use one of two tools to manage keys on your embedded FIPS system: the BIG-IP Configuration utility or the F5 TMOS Shell (tmsh).

FIPS key management using the BIG-IP Configuration utility

You can use the BIG-IP Configuration utility to create FIPS keys, import existing FIPS keys into a hardware security module (HSM), and convert existing keys into FIPS keys.

Existing FIPS keys (.exp files) can only be imported into an HSM that possesses the same masking key used when the FIPS keys were exported. The masking key is used to encrypt SSL private keys as they are exported from an HSM. Therefore, only the same masking key can be used to decrypt the SSL private keys as they are imported into the HSM.

Import of FIPS keys is supported if the F5 system uses the same masking key that was used to export the FIPS keys.

Request a FIPS-type CA-signed certificate

You can use the Configuration utility to create a request for a certificate with FIPS type security from a certificate authority.

  1. On the Main tab, click System > Certificate Management > Traffic Certificate Management > SSL Certificate List.

    This displays the list of certificates installed on the system.

  2. Click Create.

    The New SSL Certificate screen opens.

  3. In the Name field, type a unique name for the certificate.

  4. From the Issuer list, specify the type of certificate that you want to use.

    • To request a certificate from a CA, select Certificate Authority.

    • For a self-signed certificate, select Self.

  5. Configure the Common Name setting and any other settings as needed.

  6. From the Security Type list, select FIPS.

  7. From the

    Key Type

    list,select

    RSA

    ,

    DSA

    , or

    ECDSA

    .

  8. If you selected

    ECDSA

    , then fromthe

    Curve

    list, select an elliptic curve.

    The elliptic curve secp521r1is not supported on the F5 10350v-FIPS hardware platform.

  9. Click

    Finished

    .

Import keys using the BIG-IP Configuration utility

You can use the BIG-IP Configuration utility to import existing keys into the system.

  1. On the Main tab, click System > Certificate Management > Traffic Certificate Management > SSL Certificate List.

    This displays the list of certificates installed on the system.

  2. Click Import.

  3. From the Import Type list, select Key.

  4. For the Key Name setting, click Create New.

  5. In the Key Name field, type a name for the key.

  6. From the Key Source setting, click either Upload File or Paste Text.

    • If you click Upload File, type a file name or click Browse and select a file.

    • If you click Paste Text, copy the text from another source and paste the text into the Key Source screen.

  7. Click Import.

After you import the key, you can convert it to a FIPS key.

Convert a key to FIPS using the BIG-IP Configuration utility

You can use the BIG-IP Configuration utility to convert an existing key to a FIPS key.

  1. On the Main tab, click System > Certificate Management > Traffic Certificate Management > SSL Certificate List.

    This displays the list of certificates installed on the system.

  2. Click a certificate name.

    This displays the properties of that certificate.

  3. On the menu bar, click Key.

    This displays the type and size of the key associated with the certificate.

  4. Click Convert to FIPS to convert the key to a FIPS key.

    The key is converted and appears in the list as a FIPS key. After the key is converted, this process cannot be reversed.

FIPS key management using tmsh

You can use the TMOS Shell (tmsh) to create FIPS keys, import existing keys into an F5 system, and convert existing keys to FIPS keys.

Create FIPS keys using tmsh

You can use the TMOS Shell (tmsh) to create FIPS keys.

  1. Log in to the command line of the system using an account with root access.

  2. Open the TMOS Shell (tmsh).

    tmsh

  3. Create a basic key.

    create sys crypto key <key-object-name> security-type fips

    For information about additional options for this command, view the sys crypto key man page:

    help sys crypto key

    The key creation process takes a few minutes to complete.

  4. View information about the generated key.

    list sys crypto key <key-object-name>

Import FIPS keys using tmsh

You can use the TMOS Shell (tmsh) to import existing keys into the system.

  1. Log in to the command line of the system using an account with root access.

  2. Open the TMOS Shell (tmsh).

    tmsh

  3. Import a key.

    install sys crypto key <key-object-name> from-local-file <path-to-key_file> security-type fips

    This example imports a FIPS key named mykey from a local key file stored in the /shared/tmp directory:

    install sys crypto key mykey from-local-file /shared/tmp/mykey.exp security-type fips

Convert a key to FIPS using tmsh

You can use the TMOS Shell (tmsh) to convert a key to a FIPS key.

  1. Log in to the command line of the system using an account with root access.

  2. Open the TMOS Shell (tmsh).

    tmsh

  3. Convert an existing key to FIPS.

    install sys crypto key <key-object-name> from-local-file <key-file-path> security-type fips

List FIPS keys in the HSM using tmsh

You can use the TMOS Shell (tmsh) to list the FIPS keys in the hardware security module (HSM).

  1. Log in to the command line of the system using an account with root access.

  2. Open the TMOS Shell (tmsh).

    tmsh

  3. List the keys in the HSM.

    tmsh show sys crypto fips key

    A summary similar to this example displays:

    -------------------------------------------
    FIPS 140 Hardware Device
    -------------------------------------------
    === private keys (2)
    ID                               MOD.LEN(bits)
    dd83774207ea554ba1192439de75e1c1 2048 /Common/testkey1.key
    d750c989e6afeb5ac8ca8aec2b93461b 1024 /Common/testkey2.key

List FIPS keys in the F5 software configuration using tmsh

You can use the TMOS Shell (tmsh) to list the FIPS keys in the F5 software configuration.

  1. Log in to the command line of the system using an account with root access.

  2. Open the TMOS Shell (tmsh).

    tmsh

  3. List the keys in the F5 software configuration.

    tmsh list sys crypto key

    A summary similar to this example displays:

    sys crypto key default.key {
        key-size 1024
        key-type rsa-private
        security-type normal
    }
    sys crypto key testkey2.key {
        key-id d750c989e6afeb5ac8ca8aec2b93461b
        key-size 1024
        key-type rsa-private
        security-type fips
    }
    sys crypto key testkey1.key {
        key-id dd83774207ea554ba1192439de75e1c1
        key-size 2048
        key-type rsa-private
        security-type fips
    }
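The two listings above (HSM contents from tmsh show sys crypto fips key, and key objects from tmsh list sys crypto key) describe the same keys from two sides, and after a key import, a conversion, or a replacement-unit rebuild a practitioner wants to confirm that they still agree. The following script is an added example, not part of the F5 documentation or F5's own tooling: it parses both listings, matches them on the 32-character key ID, and reports key IDs that exist in only one place. The listing texts embedded here are constructed samples in the shape of the page's output; on a real unit you would pass the live command output instead. The "drifted" variants are also constructed, to show the failure case.

```shell
#!/bin/sh
# Added example (not F5 code): reconcile the FIPS HSM key inventory with the
# BIG-IP software configuration. Inputs are constructed samples shaped like
# "tmsh show sys crypto fips key" and "tmsh list sys crypto key" output.

HSM_OUTPUT='-------------------------------------------
FIPS 140 Hardware Device
-------------------------------------------
=== private keys (2)
ID                               MOD.LEN(bits)
dd83774207ea554ba1192439de75e1c1 2048 /Common/testkey1.key
d750c989e6afeb5ac8ca8aec2b93461b 1024 /Common/testkey2.key'

CONFIG_OUTPUT='sys crypto key default.key {
    key-size 1024
    key-type rsa-private
    security-type normal
}
sys crypto key testkey2.key {
    key-id d750c989e6afeb5ac8ca8aec2b93461b
    key-size 1024
    key-type rsa-private
    security-type fips
}
sys crypto key testkey1.key {
    key-id dd83774207ea554ba1192439de75e1c1
    key-size 2048
    key-type rsa-private
    security-type fips
}'

# Constructed drift cases: an HSM object with no config entry, and a config
# entry whose key is absent from the HSM (its key would fail to load).
DRIFTED_HSM="$HSM_OUTPUT
0123456789abcdef0123456789abcdef 2048 /Common/orphan.key"
DRIFTED_CONFIG="$CONFIG_OUTPUT
sys crypto key missing.key {
    key-id fedcba9876543210fedcba9876543210
    key-size 2048
    key-type rsa-private
    security-type fips
}"

# Key IDs in the HSM listing: the first field of every row that is 32 hex chars.
hsm_key_ids() {
    printf '%s\n' "$1" | awk 'length($1) == 32 && $1 ~ /^[0-9a-f]+$/ { print $1 }' | sort
}

# Key IDs of config objects whose security-type is fips (normal keys have no key-id).
config_fips_key_ids() {
    printf '%s\n' "$1" | awk '
        $1 == "key-id"        { id = $2 }
        $1 == "security-type" { st = $2 }
        $1 == "}"             { if (st == "fips" && id != "") print id; id = ""; st = "" }
    ' | sort
}

# IDs present in the HSM but not referenced by any FIPS key object.
hsm_only_keys() {
    cfg=$(config_fips_key_ids "$2")
    for id in $(hsm_key_ids "$1"); do
        case "$cfg" in *"$id"*) ;; *) echo "$id" ;; esac
    done
}

# IDs referenced by FIPS key objects but absent from the HSM.
config_only_keys() {
    hsm=$(hsm_key_ids "$1")
    for id in $(config_fips_key_ids "$2"); do
        case "$hsm" in *"$id"*) ;; *) echo "$id" ;; esac
    done
}

# Print a report; exit status 0 only when both inventories agree.
check_hsm_config_sync() {
    only_hsm=$(hsm_only_keys "$1" "$2")
    only_cfg=$(config_only_keys "$1" "$2")
    if [ -z "$only_hsm" ] && [ -z "$only_cfg" ]; then
        echo "HSM and software configuration agree"
        return 0
    fi
    if [ -n "$only_hsm" ]; then
        printf 'In HSM but not in configuration (stale HSM object?):\n%s\n' "$only_hsm"
    fi
    if [ -n "$only_cfg" ]; then
        printf 'In configuration but not in HSM (key cannot load):\n%s\n' "$only_cfg"
    fi
    return 1
}

# Live usage on a BIG-IP unit would be:
#   check_hsm_config_sync "$(tmsh show sys crypto fips key)" "$(tmsh list sys crypto key)"
check_hsm_config_sync "$HSM_OUTPUT" "$CONFIG_OUTPUT"
check_hsm_config_sync "$DRIFTED_HSM" "$DRIFTED_CONFIG"
```

A key ID that appears only in the HSM corresponds to the delete sys crypto fips key <key-id> command listed later on this page, which removes an object from the HSM without touching the configuration; a key ID that appears only in the configuration is the symptom you would expect on a standalone replacement unit whose HSM has not yet been repopulated.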

Delete a key from the F5 software configuration and HSM using tmsh

You can use the TMOS Shell (tmsh) to delete a key from the F5 software configuration and the hardware security module (HSM).

  1. Log in to the command line of the system using an account with root access.

  2. Open the TMOS Shell (tmsh).

    tmsh

  3. Delete a specified key.

    delete sys crypto key <key-object-name>

Supported FIPS key sizes

These are the supported key sizes for F5 FIPS platforms.

FIPS platform    Supported key sizes (bits)
5000             1024, 2048, 4096
7000             1024, 2048, 4096
10200            1024, 2048, 4096
10350            2048
i5000            2048
i7000            2048
i15000           2048

Additional FIPS platform management tmsh commands

This table lists additional tmsh commands that you can use to manage your FIPS platform.

Command                               Description

show sys crypto fips key              Lists information about FIPS keys stored in the FIPS hardware security module (HSM), including FIPS key ID, length, type, and key objects.

list sys crypto key                   Lists keys in the F5 software configuration.

delete sys crypto fips key <key-id>   Deletes a FIPS key from the FIPS HSM only.

Recovery options

You can use one of these options for recovering your embedded FIPS system.

  • Configure an additional unit for recovery

  • Save the keys on a disk

  • Configure a device group

FIPS system recovery options

This table describes configuration options for FIPS system recovery.

Configure a device group

    Configure the F5 devices in a device group with the FIPS HSMs synchronized. In the event of a system failure, the standby unit becomes active and handles incoming traffic. Contact F5 to arrange a Return Material Authorization (RMA) for the failed device and then follow the steps for implementing a replacement unit to recover the failed device.

Configure an additional unit for recovery

    Fully configure a third unit, add it to the security domain, and synchronize the configurations. Remove the unit from the network and store it in a secure location. If the F5 system in production is damaged or destroyed, you can use the backup unit to reconstitute the security domain.

Save the keys on a disk

    Generate the private keys outside of the FIPS HSM. Copy the non-FIPS protected keys to a secure external location as a backup. Then convert the non-FIPS keys into FIPS keys on the F5 system. The keys on the F5 system are now protected by the FIPS HSM. If there is a catastrophic system failure, use the non-FIPS protected backup keys to repopulate the FIPS HSM.

    This method for backup is not FIPS-compliant.

Implement a replacement unit in a device group after a system failure

Before you recover hardware security module (HSM) information, ensure that the F5 software is configured and then install your saved UCS file on the new replacement system. For information about backup and recovery of a BIG-IP system UCS file, see BIG-IP System: Essentials at support.f5.com.

If one unit of a device group fails, the failover unit becomes active and maintains the HSM information. After you replace the failed unit in a device group, you need to restore the HSM information on the replacement unit.

  1. Connect the currently active unit to the replacement unit.

  2. On the replacement unit, initialize the FIPS hardware security module (HSM). For information about performing this initialization, see the appropriate HSM initialization procedure for your platform.

    Be sure to run this FIPS HSM initialization command sequence on the replacement unit. If you run it on the currently active unit, you will lose all of your existing keys.

    Be sure to use the same security domain that you specified when you initially set up the currently active unit.

  3. On the currently active unit, copy information from the currently active unit to the replacement unit.

    fipscardsync peer

    Be sure to run this FIPS HSM initialization command from the currently active unit. If you run this command from the replacement unit, you will lose your original FIPS information.

  4. On the currently active unit, synchronize the full software configuration to the replacement unit using tmsh.

    tmsh run config-sync to-group /Common/<device-group-name>

    Synchronizing the software configuration using this command sequence also synchronizes the keys stored in the HSM.

The replacement unit is now ready to function as the failover unit in a device group.
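Step 2 of the procedure above carries the one irreversible mistake in this workflow: running the HSM initialization on the unit that still holds the keys. A simple interlock is to read the HSM listing on the unit you are about to initialize and refuse to continue unless it reports zero private keys, which is what a freshly installed replacement unit shows. The script below is an added example, not F5's own tooling: it parses the "=== private keys (N)" header of the tmsh show sys crypto fips key output and gates the initialization step on it. The two listings embedded here are constructed samples in the shape of that command's output; on a real unit you would pass the live output as shown in the comment. The initialization command itself is only echoed, so the script is safe to run anywhere.

```shell
#!/bin/sh
# Added example (not F5 code): pre-flight guard for the replacement-unit
# procedure. HSM initialization wipes every key the HSM holds, so refuse to
# proceed unless this unit's HSM listing reports zero private keys.
# Both listings are constructed samples shaped like "tmsh show sys crypto fips key".

EMPTY_HSM='-------------------------------------------
FIPS 140 Hardware Device
-------------------------------------------
=== private keys (0)
ID                               MOD.LEN(bits)'

POPULATED_HSM='-------------------------------------------
FIPS 140 Hardware Device
-------------------------------------------
=== private keys (2)
ID                               MOD.LEN(bits)
dd83774207ea554ba1192439de75e1c1 2048 /Common/testkey1.key
d750c989e6afeb5ac8ca8aec2b93461b 1024 /Common/testkey2.key'

# Extract N from the "=== private keys (N)" header. Prints "unknown" when the
# header is absent, so a malformed or empty listing never passes as "empty HSM".
hsm_private_key_count() {
    n=$(printf '%s\n' "$1" | sed -n 's/^=== private keys (\([0-9][0-9]*\)).*/\1/p' | head -n 1)
    if [ -z "$n" ]; then
        echo unknown
    else
        echo "$n"
    fi
}

# Exit status 0 (safe to initialize) only when the listing reports exactly zero keys.
init_is_safe() {
    [ "$(hsm_private_key_count "$1")" = "0" ]
}

# Gate for the initialization step. Live usage on the unit being rebuilt:
#   preflight_init "$(tmsh show sys crypto fips key)"
# The platform-specific initialization command is only announced here, not run.
preflight_init() {
    if init_is_safe "$1"; then
        echo "HSM holds no private keys; safe to run the HSM initialization procedure for this platform."
        return 0
    fi
    echo "REFUSING to initialize: HSM reports $(hsm_private_key_count "$1") private key(s)." >&2
    echo "Run the initialization only on the replacement unit; on the active unit it destroys all keys." >&2
    return 1
}

preflight_init "$EMPTY_HSM"
preflight_init "$POPULATED_HSM" || true
```

The same check, with the condition inverted, is worth running before step 3: fipscardsync peer must be issued from the active unit, so a listing with zero private keys on the unit you are typing on means you are on the wrong side of the pair.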

Implement a replacement standalone device after a system failure

You must have a backup of your non-FIPS protected keys before you can restore the hardware security module (HSM) information on a standalone replacement device.

After you replace a failed standalone unit, you need to restore the HSM information on the replacement unit.

  1. Copy the full software configuration to the replacement unit using tmsh.

    tmsh load ucs <ucs-filename>

    Synchronizing the configuration does not synchronize the keys stored in the HSM.

  2. On the replacement unit, initialize the FIPS HSM. For information about performing this initialization, see the appropriate HSM initialization procedure for your platform.

  3. Log in to the command line of the system using an account with root access.

  4. Open the TMOS Shell (tmsh).

    tmsh

  5. Convert an existing key to FIPS.

    install sys crypto key <key-object-name> from-local-file <key-file-path> security-type fips

    This example converts an SSL private key named mykey from a local key file stored in the /shared/tmp directory:

    install sys crypto key mykey from-local-file /shared/tmp/mykey.key security-type fips

Troubleshooting options

You can use one of these options for troubleshooting your embedded FIPS system.

FIPS troubleshooting

You can use command line interface (CLI) utilities to troubleshoot common issues with your embedded FIPS device.

How do I check that my system includes an embedded FIPS device (FIPS card)?

Log in to the command line interface of your system and type tmsh show sys hardware to view details about your platform. If your system includes an embedded FIPS device, it displays as type "crypto" under one of the "Hardware Version Information" sections. This is an example of how the system output might appear when you run this command:

    Name         n3-crypto0
      Type       crypto
      Model      Cavium NITROX-3
      Parameters --                --
                 version           CNN35x-MC-SSL-0022

How do I see which embedded FIPS device is installed in my system?

Log in to the CLI of your system and view the model of FIPS device in your platform by typing fipsdevice.

The fipsdevice command is available only on BIG-IP software versions 11.0 and later.

Where does the system log messages from the embedded FIPS device?

The Cavium device driver provides minimal logging, but you can view any log messages by logging in to the CLI of your system and typing dmesg | grep -i cavium.

Which directories or files on my system pertain to FIPS?

/config/ssl/ssl.key
    Contains key files on BIG-IP software versions 9.x and 10.x.

/config/filestore/files_d/Common_d/certificate_key_d/
    Contains key files on BIG-IP software versions 11.x and later.

/config/ssl/ssl.crt
    Contains certificate files on BIG-IP software versions 9.x and 10.x.

/config/filestore/files_d/Common_d/certificate_d
    Contains certificate files on BIG-IP software versions 11.x and later.

/config/ssl/ssl.cavfips
    Contains encrypted key files (.exp); used in config sync.

/usr/bin/fipsutil
    Used to configure the embedded FIPS device.

My alarm LED is blinking red, and I see this warning message on my LCD or in the system event log (SEL): FIPS initialization error in booted slot asserted.

Clear the alarm using the LCD, then power cycle the system using one of these methods: AOM command menu, LCD display, or externally power cycling the system.
