Manual Chapter :
Setting Up the Network HSM
Applies To:
Show VersionsBIG-IP AAM
- 14.1.5, 14.1.4, 14.1.3, 14.1.2, 14.1.0
BIG-IP APM
- 14.1.5, 14.1.4, 14.1.3, 14.1.2, 14.1.0
BIG-IP LTM
- 14.1.5, 14.1.4, 14.1.3, 14.1.2, 14.1.0
BIG-IP AFM
- 14.1.5, 14.1.4, 14.1.3, 14.1.2, 14.1.0
BIG-IP DNS
- 14.1.5, 14.1.4, 14.1.3, 14.1.2, 14.1.0
BIG-IP ASM
- 14.1.5, 14.1.4, 14.1.3, 14.1.2, 14.1.0
Setting Up the Network HSM
Overview: Setting up the Network HSM
F5 BIG-IP LTM 14.1.0 supports two new Network HSM vendors: Amazon CloudHSM
and Equinix SmartKey HSM. Both of the two new Network HSMs can be configured by
installing the client software from the vendor and configuring it by adding the path to
the PKCS #11 library to the BIG-IP configuration. This allows the addition of new
Network HSM vendors to occur with greater efficiency. In addition, Network HSM adds
support for multiple partitions on a configured HSM and the ability to configure the
partitions and define the partition that a key belongs to. Now the configuration of the
partition occurs during the install process.
In support of the Network HSM functionality, you can either utilize the new
System > Certificate Management
> HSM Management
screen or use the new TMSH commands to configure the
Network HSM. If you install the HSM using the existing F5 install script, the
information is auto-filled when you open the HSM Management screen. You can also
manually install the library by adding the library location to the configuration.After you install the Network HSM client on the BIG-IP system, you may
create and operate with the keys inside the HSM for use with Access Policy Manager and Application Security Manager™.
If
you are installing Network HSM on a BIG-IP system that will be licensed for Appliance
mode, you must install the Network HSM software prior to licensing the BIG-IP system for
Appliance mode.
For specific instructions for HSM client installation and configuration, follow the HSM
vendor specific workflows in this guide that link you to the vendor sites where the
steps are provided based on the version you want to install.
To view details for Thales HSM and SafeNet Luna SA HSM, see their supporting
documentation on AskF5.
Prerequisites for setting up Network HSM with BIG-IP system
Before you can use Network HSM with the BIG-IP® system, you must make sure that these requirements
are in place:
- You have created the Network Security World (security architecture).
- The BIG-IP system is licensed for "External Interface and Network HSM."
You cannot run the BIG-IP system with both internal and external HSMs at the same
time.
BIG-IP TMOS with
Network HSM only supports IPv4.
Other administrative information to keep in mind during setup:
- Partition names must be unique.
- Only one network HSM can be configured at a time.
- You must identify a partition when installing a client (when using the F5 installer).
- If you change the install path, client code, or any partition information, you must restart the pkcs11d daemon.
- If you configure a cloud HSM from scratch (such as AWS CloudHSM and Equinix Smartkey), you must restart TMM daemon.
- Run the test utility after making any changes to ensure that the HSM is configured correctly.
- If you do not specify a partition when creating a key, the first listed partition will be used. The partition name will be automatically entered as "auto".
- If you try to delete a partition when there are keys defined that use that partition, you will not be allowed to do so.
For supported Amazon
CloudHSM and Equinix SmartKey HSM versions with BIG-IP TMOS versions information, see
each of their respective Interoperability Matrix for BIG-IP TMOS with HSM supplemental
document available on AskF5.
Supported Versions
Network HSM supported versions:
- Amazon CloudHSM: Version 1.0.18 and 1.1.0
- Equinix SmartKey: Version 2.9.804
Setting up Network HSM Client Installation and Configuration
To setup a network HSM for Amazon CloudHSM or Equinix
SmartKey HSM you must have network access to the network HSM, as well as the DNS
configured to resolve it.
Task Summary for Amazon CloudHSM and Equinix SmartKey HSM
- Setup your Network HSM device
- Install the client software and create a Cryptographic User (CU)
- Configure and activate the software
- Configure the BIG-IP
- Add the HSM service (if any) to the BIG-IP startup scripts
- Add the library path
- Setup and configure partitions
- Manage partitions
Setting up Amazon CloudHSM client installation and configuration
Set up your Amazon CloudHSM by following the
documentation in the Getting Started section of the CloudHSM
guide.
Amazon CloudHSM is only available for virtual machines running in the
AWS cloud.
Your AWS BIG-IP VE is the EC2 client mentioned in the getting
started guide and should be in the same VPC and availability zone as the CloudHSM.
The getting started topics consist of information to assist creating, initializing,
and activating AWS CloudHSM cluster.
Follow the AWS topic directions up
until following the task steps found in the Install and Client (Linux) section.
Creating a cryptographic user
Manage your HSM cryptographic users (CU) or
officers (CO) in your Amazon CloudHSM cluster by:
- creating users
- listing users
- changing user passwords
- deleting users
Follow the steps required at Managing HSM Users in AWS CloudHSM.
Installing the clients
Install the clients by logging into the AWS BIG-IP
VE as root and run:
This client installation needs to be
conducted after the BIG-IP upgrade
process.
cd /shared/ mkdir nethsm cd nethsm curl -O https://s3.amazonaws.com/cloudhsmv2-software/CloudHsmClient/EL7/cloudhsm-client-pkcs11-3.2.1-1.el7.x86_64.rpm curl -O https://s3.amazonaws.com/cloudhsmv2-software/CloudHsmClient/EL7/cloudhsm-client-3.2.1-1.el7.x86_64.rpm rpm -ivh cloudhsm-client-pkcs11-3.2.1-1.el7.x86_64.rpm rpm -ivh cloudhsm-client-3.2.1-1.el7.x86_64.rpm
Configuring and activating the software
To configure and activate the software you must edit
the client configuration before you can use the CloudHSM client to connect to your
cluster.
Follow the steps required at Edit the Client
Configuration.
The link takes you to a resource outside of AskF5. It is
possible the referred documents have been removed without our
knowledge.
Configure the BIG-IP
To configure your BIG-IP with your newly configured and activated HSM, you
can:
- Add your HSM service to the BIG-IP startup scripts.
- Add the library path and configure partitions.
Adding the HSM service to the BIG-IP startup scripts
To add your CloudHSM service to the BIG-IP startup
scripts, run the
following:
# systemctl enable cloudhsm-client.service
Adding the library path and configuring partitions
To add your CloudHSM library to the BIG-IP and
configure the partitions, perform either the UI screen or CLI to accomplish the
task.
- On the Main tab, click. The External HSM screen opens.
- From theVendorlist, selectAuto.
- In thePKCS11 Library Pathfield, type the following:/opt/cloudhsm/lib/libcloudhsm_pkcs11.so
- In thePartition Listsection, add the following details:
- In theNamefield, typecavium(case sensitive).If you typeautoin theNamefield, the first available partition will be selected.
- In the Password field, type the <CU user name>:<password>
- ClickAddto add as many partitions as necessary.
- To edit any existing partition, select the partition and clickEdit.
- To delete any existing partition, select the partition and clickDelete.
- To test any existing partition, select a partition and clickTest.
- If you selectedTest, review the Test Output to make sure your details are accurate.
- If the test does not pass, attempt to locate the problem and enable debug logging and run the test again for further details. The logs are writing to/var/log/ltm.
Make sure to reset debug logging to the prior setting before continuing. - ClickUpdate.
If you are using the CLI, do the following:
- Add your CloudHSM library to the BIG-IP by entering:# tmsh create sys crypto fips external-hsm vendor auto pkcs11-lib-path /opt/cloudhsm/lib/libcloudhsm_pkcs11.so
- Configure the partition, by entering:# tmsh create sys crypto fips nethsm-partition <partition-name> password "<CU user name>:<password>"For <partition-name>, use "cavium" as it is the default partition name for AWS CloudHSM. You can also use "auto" to point to the first partition (which is normally the only partition for AWS CloudHSM).
- Reboot the appliance to start the service and create the links.
- Test your output by using the Network HSM testing tool and entering:# tmsh run sys crypto nethsm-test --hsm_partition_name=<partition-name>If you do not specify hsm_partition_name then the first partition (which is normally the only partition for AWS CloudHSM) will be chosen.
Creating a key in a partition
To create a key in a partition, do the
following:
- On the Main tab, click. The New SSL Certificate screen opens.
- ClickCreate. The New SSL Certificate screen opens.
- In theNamefield, type the name of the new SSL certificate.
- In theCommon Namefield, type the common name of the certificate. For example,nethsm_ecdsa.
- From theNetHSM Partitionlist, selectDefault Partition.
- ClickFinished.You can choose other partitions when you have multiple tokens or slots configured on your Network HSM that you use for keys.
Checking the partition for the key
To check the partition for the new key, do the
following:
- On the Main tab, click. The New SSL Certificate screen opens.
- Select the newly created SSL certificate name.
- Select theKeytab (if necessary) to check the partition for the key properties (such as name, key type, key ID, ect.).
Checking the service status
To check the service status, do the
following:
- On the Main tab, click. The Service List screen opens.
- Locate theServicename (for example, pkcs11d) and view the History information.
- ClickStart,Stop, orRestartas necessary.
Setting up Equinix SmartKey HSM client installation and configuration
Create and set up your Equinix SmartKey HSM account
by following the SmartKey Getting Started
information.
Create the group and application as noted in
the SmartKey instructions.
Make note of the API
key after creating the application. The API key information can be useful later.
Installing the clients
Download the Smartkey PKCS#11 RPM package version
2.9.804 from
http://support.smartkey.io/downloads/smartkey-pkcs11-2.9.804-0.x86_64.rpm.
The downloaded file
smartkey-pkcs11-2.9.804-0.x86_64.rpm
contains the RPM package
name fortanix-pkcs11-2.9.804-0
. Attempting to delete the package
using smartkey-pkcs11-2.9.804-0
as the package name will fail. We
recommend you rename the file from
smartkey-pkcs11-2.9.804-0.x86_64.rpm
to
fortanix-pkcs11-2.9.804-0.x86_64.rpm
before proceeding. This
is especially relevant when doing automated/declarative package
installations.Use the following command to install the RPM package upload
to the /shared/tmp folder and install it as
root:
rpm -ivh /shared/tmp/<RPM package file name>
Adding the library path and configuring partitions
To add your SmartKey
HSM library to the BIG-IP and configure the partitions, perform either the UI screen or
CLI to accomplish the task.
- On the Main tab, click. The External HSM screen opens.
- From theVendorlist, selectAuto.
- In thePKCS11 Library Pathfield, type the following:/opt/fortanix/pkcs11/fortanix_pkcs11.so
- In thePartition Listsection, add the following details:
- In theNamefield, typefortanix(case sensitive).If you typeautoin theNamefield, the first available partition will be selected.
- In the Password field, type the <API Key>The user name and password are based on the Cryptographic user created earlier.
- ClickAddto add as many partitions as necessary.
- To edit any existing partition, select the partition and clickEdit.
- To delete any existing partition, select the partition and clickDelete.
- To test any existing partition, select a partition and clickTest.
- If you clickedTest, review the Test Output to make sure your details are accurate.
- If the test does not pass, attempt to locate the problem and enable debug logging and run the test again for further details. The logs are writing to/var/log/ltm.
Make sure to reset debug logging to the prior setting before continuing. - ClickUpdate.
If you are using the CLI, do
the following:
- Add your SmartKey HSM library to the BIG-IP by entering:# tmsh create sys crypto fips external-hsm vendor auto pkcs11-lib-path /opt/fortanix/pkcs11/fortanix_pkcs11.so
- Configure the partition, by entering:# tmsh create sys crypto fips nethsm-partition <partition-name> password "<API Key>"For <partition-name>, use "fortanix" as it is the default partition name for Equinix SmartKey.
- Reboot the appliance to start the service and create the links.
- Test your output by using the Network HSM testing tool and entering:# tmsh run sys crypto nethsm-test --hsm_partition_name=<partition-name>
If you do not specify hsm_partition_name, then the
first partition (which is normally the only partition for Equinix SmartKey) will be
chosen.
By default, smartkey-client makes REST API
calls to the SmartKey server at https://www.smartkey.io. To make calls to a different
SmartKey server, create a file named
/config/smartkey.cfg
with the
SmartKey server of your choice and the API key. The format of the
/config/smartkey.cfg
file is defined in the “Configuration file
format” section at http://support.smartkey.io/smartkey/developers-guide-pkcs11.html. To
make use of this SmartKey configuration file, when configuring the partition (Step
2), use the following command line
instead:tmsh create sys crypto fips nethsm-partition <partition-name> password "file:///config/smartkey.cfg"
A sample configuration file is shown
next:
# cat /config/smartkey.cfg api_key="<API Key>" api_endpoint=https://eu.smartkey.io