Manual Chapter: Additional Information
Applies To:
BIG-IP APM
- 15.1.0, 15.0.1, 15.0.0
BIG-IP Analytics
- 15.1.0, 15.0.1, 15.0.0
BIG-IP LTM
- 15.1.0, 15.0.1, 15.0.0
BIG-IP AFM
- 15.1.0, 15.0.1, 15.0.0
BIG-IP DNS
- 15.1.0, 15.0.1, 15.0.0
BIG-IP ASM
- 15.1.0, 15.0.1, 15.0.0

Upgrading the BIG-IP software when using the SafeNet HSM

After a BIG-IP system software or hotfix upgrade, you do not need to run the SafeNet SA client setup script. Any local keys and certificates you added to the BIG-IP system configuration before upgrading (using the command tmsh install sys crypto) appear in the upgrade partition and can be used. Keys, certificates, and CSRs created using tmsh are already part of the BIG-IP system configuration and can be used.

If you will need keys, certificates, or CSRs that were not added to the BIG-IP system configuration, before you upgrade, copy the files into the /shared directory. After the upgrade, copy them back to their appropriate directories in the new partition: /config/ssl/ssl.key/, /config/ssl/ssl.crt, or /config/ssl/ssl.csr.

- Log in to the command-line interface of the BIG-IP system using an account with administrator privileges.
- Reinstall the SafeNet client on the BIG-IP system, using the parameters you used when you initially installed and registered it.
  nethsm-safenet-install.sh
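
The copy-out and copy-back of keys, certificates, and CSRs described above can be scripted so that each file is checksummed before the upgrade and verified before it is restored. This is an added shell example, not F5 code; the staging directory /shared/ssl_preupgrade, the MANIFEST file, and the function names are assumptions.

```bash
#!/bin/bash
# Added example, not F5 code. Stages key, certificate, and CSR files that are not
# in the BIG-IP configuration under /shared before an upgrade, then restores them.
# Assumption: STAGE is a hypothetical directory name; the ssl.* paths are from the page.
SSL_ROOT="${SSL_ROOT:-/config/ssl}"
STAGE="${STAGE:-/shared/ssl_preupgrade}"

# Accept only paths relative to SSL_ROOT under the three directories the page names.
valid_rel() {
    case "$1" in
        *..*) return 1 ;;                                 # no parent-directory escapes
        ssl.key/?*|ssl.crt/?*|ssl.csr/?*) return 0 ;;
        *) return 1 ;;
    esac
}

# Before the upgrade: stage_files ssl.key/app.key ssl.crt/app.crt ...
stage_files() {
    for rel in "$@"; do
        valid_rel "$rel" || { echo "refusing $rel" >&2; return 1; }
    done
    (   # subshell so the restrictive umask does not leak into the caller
        umask 077
        mkdir -p "$STAGE" && : > "$STAGE/MANIFEST" || exit 1
        for rel in "$@"; do
            mkdir -p "$STAGE/${rel%/*}" || exit 1
            cp -p "$SSL_ROOT/$rel" "$STAGE/$rel" || exit 1   # -p keeps mode and timestamps
            ( cd "$STAGE" && sha256sum "$rel" ) >> "$STAGE/MANIFEST" || exit 1
        done
    )
}

# After the upgrade: verify every staged file, copy it back, then delete the
# staging copy so private keys do not linger in /shared.
restore_files() {
    ( cd "$STAGE" && sha256sum -c --quiet MANIFEST ) || {
        echo "checksum mismatch, nothing restored" >&2; return 1; }
    while read -r sum rel; do
        valid_rel "$rel" || return 1
        mkdir -p "$SSL_ROOT/${rel%/*}" || return 1
        cp -p "$STAGE/$rel" "$SSL_ROOT/$rel" || return 1
    done < "$STAGE/MANIFEST"
    rm -rf "$STAGE"
}
```

Source the file, run stage_files with the relative paths before the upgrade, and run restore_files from the new partition afterward.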

Uninstalling SafeNet components from the BIG-IP system

If you no longer need to use the SafeNet HSM on a BIG-IP system, you should uninstall the files.

- Log in to the command-line interface of the system using an account with administrator privileges.
- Uninstall the SafeNet client software and clean up Thales directories.
  nethsm-safenet-install.sh -u [-v]

nethsm-safenet-install.sh utility options

The nethsm-safenet-install.sh utility includes these options:

Option | Description |
---|---|
-f | Reinstalls when a connection with HSM already exists. |
-h | Displays help. |
-u | Uninstalls SafeNet software and cleans up SafeNet directories. |
-v | Prints verbose output about the executing operations. |
--hsm_ip_addr=<ip_addr> | SafeNet Luna SA HSM IP address(es). For multiple HSMs, use a double-quoted value with space-separated IP addresses (such as --hsm_ip_addr="10.10.10.100 10.10.10.101"). |
--hsm_partition_pwd=<password> | SafeNet HSM partition password. This password must be the same for all HSMs being used in High Availability (HA) configurations. For multiple partitions, use a double-quoted value with space-separated partition passwords. The passwords should be in the same order as the partitions. For example: --hsm_partition_pwd="pwd1 pwd2 pwd3". |
--hsm_partition_name=<partition_name> | SafeNet HSM partition name. For a single partition, use a double-quoted value. For multiple partitions, use a double-quoted value with colon-separated partition names, for example: --hsm_partition_name="par1:par2:\"my partition\"". To get the partition name(s), use the SafeNet utility "vtl listSlots" and read the value under "label" corresponding to the desired slot(s). |
--hsm_username=<user_name> | SafeNet Luna SA HSM user name. Default is admin. |
--hsm_ha_group=<group_name> | Name for the SafeNet HSM HA group. When using multiple HSMs in an HA configuration, all HSMs in HA must use the same partition password. |
--image=<image_name> | SafeNet Luna SA tarball to be installed (for example, Luna_5.1_Client_Software.tar). This file must be stored on the BIG-IP system in /shared/safenet_install. |
--interface=<interface_name> | Interface identifier of BIG-IP to be used to communicate with the SafeNet Luna SA HSM (eth0). The default is the management interface. |
--ip_addr=<client_ip_addr> | IP address of the BIG-IP as seen by the SafeNet HSM. |
--num_threads=<threads> | Indicates the number of threads pkcs11d will use. The default is 20. |
--verbose=<level> | Indicates message verbosity level. The default value is zero, and all levels greater than zero indicate verbose output. |