Manual Chapter : Platform and VE FIPS Module and Upgrade Notes

Applies To:

BIG-IP APM

  • 17.1.0, 17.0.0, 16.1.4, 16.1.3

BIG-IP LTM

  • 17.1.0, 17.0.0, 16.1.4, 16.1.3

BIG-IP AFM

  • 17.1.0, 17.0.0, 16.1.4, 16.1.3

BIG-IP DNS

  • 17.1.0, 17.0.0, 16.1.4, 16.1.3

BIG-IP ASM

  • 17.1.0, 17.0.0, 16.1.4, 16.1.3

FIPS validated F5 modules

Only certain F5 modules are included in the FIPS validated F5 Device and F5 vCMP Cryptographic Modules. This means that only those F5 modules may be licensed and running for traffic to be processed as FIPS approved.
These F5 modules are included in the F5 Device and F5 vCMP Cryptographic Modules:
  • Local Traffic Manager (LTM)
  • Advanced Firewall Manager (AFM)

FIPS validation status and TMOS upgrades

Before you install any software updates or hot fixes, verify the FIPS validation status of that version on the F5 Certifications page (www.f5.com/company/certifications). The system allows you to apply all updates, but if the version has not been validated, your device will no longer be considered FIPS validated.

Firmware upgrades for hardware HSMs

If you want to maintain your F5 system's FIPS device compliance with the National Institute of Standards and Technology (NIST), or want to ensure that the system's FIPS protected internal hardware security module (HSM) is running the latest firmware version without updating the BIG-IP software, you can use the n3fips-firmware-upgrade tool provided by F5.
The n3fips-firmware-upgrade tool is available only for supported platforms. For other platforms, see K26061560: Updating the firmware for a FIPS protected internal HSM.
Because the firmware upgrade process requires a system reboot, F5 recommends that you perform this upgrade only during a planned maintenance period. The upgrade does not affect your current HSM configuration.

Platform support for FIPS firmware upgrade tool

These platforms support the use of the FIPS firmware upgrade tool (n3fips-firmware-upgrade).

Platform family    Model
BIG-IP             i5820-DF
BIG-IP             i7820-DF
BIG-IP             10350-F
BIG-IP             i15820-DF

Prerequisites

Before you upgrade the firmware on your F5 FIPS platform with an embedded hardware HSM, you must meet these prerequisites:

Firmware upgrade for systems running BIG-IP software

Download the n3fips-firmware-upgrade tool

You can download the n3fips-firmware-upgrade package from F5 to upgrade the firmware on your F5 FIPS system.
  1. Log in to downloads.f5.com and click Find a Download.
  2. In the Hardware-Specific area, click FIPS-firmware-upgrade.
  3. Select n3fips-firmware-upgrade - Hardware-Specific from the list.
  4. Click the file name n3fips-firmware-upgrade to start the download.
  5. Read the End User Software License and click I Accept.
  6. Click the file name n3fips-firmware-upgrade-<version-and-build-number>.im to start the download.
  7. Download the corresponding checksum file and README file.
    The corresponding checksum file has the same name as the IM file, except that .md5 is the file extension. After the download completes, verify the integrity of the file by checking the MD5 checksum.
After you download the latest version of the n3fips-firmware-upgrade tool, you need to download the n3fipsutil tool from F5.

Download the n3fipsutil tool

You can download the n3fipsutil package from F5 to back up the FIPS key on your F5 FIPS system.
  1. Log in to downloads.f5.com and click Find a Download.
  2. In the Hardware-Specific area, click FIPS-firmware-upgrade.
  3. Select n3fips-firmware-upgrade - Hardware-Specific from the list.
  4. Click the file name n3fipsutil to start the download.
  5. Read the End User Software License and click I Accept.
  6. Click the file name n3fipsutil-<version-and-build-number>.im to start the download.
  7. Download the corresponding checksum file and README file.
    The corresponding checksum file has the same name as the IM file, except that .md5 is the file extension. After the download completes, verify the integrity of the file by checking the MD5 checksum.
After you download the latest version of the n3fipsutil package, you back up the FIPS key for the system.
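The MD5 check in step 7 of both download procedures above, as an added example that is not F5's own code: a POSIX shell function that compares an IM file against its checksum file and refuses a missing, malformed or mismatched checksum, exercised on constructed stand-in files. It assumes the checksum file is in md5sum format (hash, two spaces, file name), is named like the IM file with .md5 in place of .im, and that md5sum is available on the workstation where the download was saved.

```shell
#!/bin/sh
# Added example, not F5's code: check a downloaded IM file against its .md5
# checksum file before copying it to the BIG-IP system. Assumes the .md5 file
# is in md5sum format ("<hash>  <filename>") and is named like the IM file
# with .md5 in place of .im, as the download steps describe.

# verify_im <path-to-im-file>
# Returns 0 when the recorded and computed MD5 hashes match, 1 otherwise.
verify_im() {
    im="$1"
    sum="${im%.im}.md5"
    [ -f "$im" ]  || { echo "missing IM file: $im" >&2; return 1; }
    [ -f "$sum" ] || { echo "missing checksum file: $sum" >&2; return 1; }
    # The recorded hash is the first field of the checksum file's first line.
    expected=$(awk 'NR==1 {print tolower($1)}' "$sum")
    case "$expected" in
        *[!0-9a-f]*|"") echo "malformed checksum file: $sum" >&2; return 1 ;;
    esac
    [ ${#expected} -eq 32 ] || { echo "malformed checksum file: $sum" >&2; return 1; }
    actual=$(md5sum "$im" | awk '{print $1}')
    if [ "$expected" = "$actual" ]; then
        echo "checksum OK: $im"
        return 0
    fi
    echo "CHECKSUM MISMATCH: $im (expected $expected, got $actual)" >&2
    return 1
}

# Constructed demonstration data: a stand-in IM file with a matching checksum
# file, and a copy that was altered after its checksum was recorded.
demo_dir=$(mktemp -d)
good_im="$demo_dir/n3fips-firmware-upgrade-EXAMPLE.im"
printf 'constructed stand-in for the firmware upgrade package\n' > "$good_im"
md5sum "$good_im" | awk -v f="$(basename "$good_im")" '{print $1 "  " f}' \
    > "${good_im%.im}.md5"

bad_im="$demo_dir/tampered.im"
cp "$good_im" "$bad_im"
cp "${good_im%.im}.md5" "${bad_im%.im}.md5"
printf 'x' >> "$bad_im"   # simulate a corrupted or altered download

verify_im "$good_im"
verify_im "$bad_im" || echo "refusing to use $bad_im" >&2
```

Run the function on the real n3fips-firmware-upgrade and n3fipsutil IM files before using SCP to move them to the system; only a file that reports "checksum OK" should be copied.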

Back up a FIPS key using the n3fipsutil tool

Before you can back up the FIPS key for the BIG-IP system, you must use SCP to move the n3fipsutil IM file to a directory on the system, such as /shared/fw-upgrade.
You back up the FIPS key for the F5 system using the n3fipsutil tool.
To back up a FIPS key on a vCMP system, log in to the vCMP guest and perform a backup. If there are multiple guests, perform a FIPS key backup from each guest running on the vCMP system.
  1. Connect to the system using the serial console or by opening an SSH session to the management IP address.
  2. Log in to the command line of the system using an account with admin access.
  3. Stop all services.
    tmsh stop sys service all
  4. Create an empty directory for the backup.
  5. Run the n3fipsutil tool.
    ./n3fipsutil -backup <directory_name> [ -n <partition_name> ]
    The [ -n partition_name ] option is optional and applicable only if the system uses custom partition names.
  6. Restart all services.
    tmsh start sys service all
  7. Use SCP to copy the entire backup directory, without modifying the contents of the directory, off site to a secure location.
    The backup directory contains the encrypted FIPS keys and also contains okbk.key and pokbk.key, which are generated during the backup process. Be sure to secure these keys using your best standard process to protect the confidentiality of HSM FIPS keys.
After you have backed up the FIPS key and copied the backup to a secure location, you can upgrade the HSM firmware for the system.

Upgrade firmware using n3fips-firmware-upgrade tool

Before you upgrade the firmware, you must use SCP to move the n3fips-firmware-upgrade IM file to a directory on the BIG-IP system, such as /shared/fw-upgrade.
Be sure that you have also backed up the FIPS key.
You upgrade the firmware for the embedded HSM on a supported F5 system using the n3fips-firmware-upgrade tool.
  1. Connect to the system using the serial console or by opening an SSH session to the management IP address.
  2. Log in to the command line of the system using an account with admin access.
  3. Change to the directory where the tool is located.
    cd /shared/fw-upgrade
  4. Run the n3fips-firmware-upgrade tool.
    ./n3fips-firmware-upgrade
  5. Reboot the system to load the HSM with the upgraded firmware.
    reboot
The embedded HSM in the system is now running the latest firmware.

Recovery option for systems running BIG-IP software

In the event that you need to recover your system, you can restore a previously backed-up FIPS key and restore BIG-IP configuration files.

Restore a FIPS key using the n3fipsutil tool

Before you can restore a FIPS key for the BIG-IP system, you must use SCP to move the directory that you previously backed up to a directory on the system, such as /shared/fw-upgrade/backups.
If you ever need to restore a FIPS key, you can do this using the n3fipsutil tool after you have initialized the hardware security module (HSM). For more information on initializing the HSM, see the procedure for your platform model in the Embedded HSM initialization and synchronization overview section.
FIPS key backup is not supported in vCMP mode.
  1. Connect to the system using the serial console or by opening an SSH session to the management IP address.
  2. Log in to the command line of the system using an account with admin access.
  3. Stop all services.
    tmsh stop sys service all
  4. Run the n3fipsutil tool.
    ./n3fipsutil -restore <directory_name> -host <management-ip-address> [ -n <partition_name> ]
    The [ -n partition_name ] option is optional and applicable only if the system uses custom partition names.
  5. Reset the FIPS login information.
    fipsutil loginreset -r
  6. Restart all services.
    tmsh start sys service all
After you have restored the FIPS key, you can also restore a backup UCS archive for the system, if needed. For more information, see K13132: Backing up and restoring BIG-IP configuration files with a UCS archive.