Manual Chapter : Additional Information

Applies To:

BIG-IP APM

  • 15.1.0, 15.0.1, 15.0.0

BIG-IP Analytics

  • 15.1.0, 15.0.1, 15.0.0

BIG-IP LTM

  • 15.1.0, 15.0.1, 15.0.0

BIG-IP AFM

  • 15.1.0, 15.0.1, 15.0.0

BIG-IP DNS

  • 15.1.0, 15.0.1, 15.0.0

BIG-IP ASM

  • 15.1.0, 15.0.1, 15.0.0

Upgrading the BIG-IP software when using the SafeNet HSM

After a BIG-IP system software or hotfix upgrade, you do not need to run the SafeNet SA client setup script. Any local keys and certificates you added to the BIG-IP system configuration before upgrading (using the command tmsh install sys crypto) appear in the upgrade partition and can be used. Keys, certificates, and CSRs created using tmsh are already part of the BIG-IP system configuration and can be used.

If you will need keys, certificates, or CSRs that were not added to the BIG-IP system configuration, before you upgrade, copy the files into the /shared directory. After the upgrade, copy them back to their appropriate directories in the new partition: /config/ssl/ssl.key/, /config/ssl/ssl.crt, or /config/ssl/ssl.csr.

  1. Log in to the command-line interface of the BIG-IP system using an account with administrator privileges.
  2. Reinstall the SafeNet client on the BIG-IP system, using the parameters you used when you initially installed and registered it.
    nethsm-safenet-install.sh
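
An added example (not from the F5 manual) of the copy-out and copy-back step described above, written as shell functions. The staging directory name /shared/ssl_preupgrade and the function names are assumptions; the example goes slightly beyond the text by recording SHA-256 digests so the restore refuses files that changed while staged.

```bash
#!/bin/bash
# Added example (not F5 code). Stages key material that is NOT in the BIG-IP
# configuration under /shared before an upgrade and restores it afterwards.
# Assumptions: the STAGE_DIR name is hypothetical; both paths can be overridden
# so the functions can be rehearsed off-box against a scratch directory.
SSL_ROOT="${SSL_ROOT:-/config/ssl}"
STAGE_DIR="${STAGE_DIR:-/shared/ssl_preupgrade}"

# stage_files REL...   e.g. stage_files ssl.key/app.key ssl.crt/app.crt
stage_files() {
  (
    umask 077                       # staging dir and manifest readable by owner only
    [ "$#" -gt 0 ] || { echo "no files given" >&2; exit 1; }
    for rel in "$@"; do
      case "$rel" in
        *..*) echo "refusing $rel: path traversal" >&2; exit 1 ;;
        ssl.key/*|ssl.crt/*|ssl.csr/*) ;;
        *) echo "refusing $rel: outside ssl.key, ssl.crt, ssl.csr" >&2; exit 1 ;;
      esac
      mkdir -p "$STAGE_DIR/${rel%/*}" &&
        cp -p "$SSL_ROOT/$rel" "$STAGE_DIR/$rel" || exit 1   # -p keeps mode and owner
    done
    # Record digests so the copy-back can detect damage or tampering.
    cd "$STAGE_DIR" && find ssl.* -type f -exec sha256sum {} + > MANIFEST.sha256
  )
}

# restore_files   run after the upgrade, in the new partition
restore_files() {
  (
    cd "$STAGE_DIR" || exit 1
    sha256sum -c MANIFEST.sha256 >/dev/null || { echo "digest mismatch" >&2; exit 1; }
    find ssl.* -type f | while IFS= read -r rel; do
      mkdir -p "$SSL_ROOT/${rel%/*}" && cp -p "$rel" "$SSL_ROOT/$rel" || exit 1
    done
  )
}
```

Remove the staging directory once the restored files have been checked, since it holds private keys.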

Uninstalling SafeNet components from the BIG-IP system

If you no longer need to use the SafeNet HSM on a BIG-IP system, you should uninstall the files.
  1. Log in to the command-line interface of the system using an account with administrator privileges.
  2. Uninstall the SafeNet client software and clean up Thales directories.
    nethsm-safenet-install.sh -u [-v]

nethsm-safenet-install.sh utility options

The nethsm-safenet-install.sh utility includes these options:

| Option | Description |
|---|---|
| -f | Reinstalls when a connection with HSM already exists. |
| -h | Displays help. |
| -u | Uninstalls SafeNet software and cleans up SafeNet directories. |
| -v | Prints verbose output about the executing operations. |
| --hsm_ip_addr=<ip_addr> | SafeNet Luna SA HSM IP address(es). For multiple HSMs, use a double-quoted value with space-separated IP addresses (such as --hsm_ip_addr="10.10.10.100 10.10.10.101"). |
| --hsm_partition_pwd=<password> | SafeNet HSM partition password. This password must be the same for all HSMs being used in High Availability (HA) configurations. For multiple partitions, use a double-quoted value with space-separated partition passwords. The passwords should be in the same order as the partitions. For example: --hsm_partition_pwd="pwd1 pwd2 pwd3". |
| --hsm_partition_name=<partition_name> | SafeNet HSM partition name. For a single partition, use a double-quoted value. For multiple partitions, use a double-quoted value with colon-separated partition names, for example: --hsm_partition_name="par1:par2:\"my partition\"". To get the partition name(s), run the SafeNet utility "vtl listSlots" and look under "label" for the desired slot(s). |
| --hsm_username=<user_name> | SafeNet Luna SA HSM user name. Default is admin. |
| --hsm_ha_group=<group_name> | Name for the SafeNet HSM HA group. When using multiple HSMs in an HA configuration, all HSMs in HA must use the same partition password. |
| --image=<image_name> | SafeNet Luna SA tarball to be installed (for example, Luna_5.1_Client_Software.tar). This file must be stored on the BIG-IP system in /shared/safenet_install. |
| --interface=<interface_name> | Interface identifier of BIG-IP to be used to communicate with the SafeNet Luna SA HSM (eth0). The default is the management interface. |
| --ip_addr=<client_ip_addr> | IP address of the BIG-IP as seen by the SafeNet HSM. |
| --num_threads=<threads> | Indicates the number of threads pkcs11d will use. The default is 20. |
| --verbose=<level> | Indicates message verbosity level. The default value is zero, and all levels greater than zero indicate verbose output. |