Manual Chapter :
Platform and VE FIPS Module and Upgrade Notes
Applies To:
BIG-IP APM
- 17.1.0, 17.0.0, 16.1.5, 16.1.4, 16.1.3
BIG-IP LTM
- 17.1.0, 17.0.0, 16.1.5, 16.1.4, 16.1.3
BIG-IP AFM
- 17.1.0, 17.0.0, 16.1.5, 16.1.4, 16.1.3
BIG-IP DNS
- 17.1.0, 17.0.0, 16.1.5, 16.1.4, 16.1.3
BIG-IP ASM
- 17.1.0, 17.0.0, 16.1.4, 16.1.3
FIPS validated F5 modules
Only certain F5 modules are included in the FIPS validated F5 Device and F5 vCMP Cryptographic Modules. This means that only those F5 modules may be licensed and running if traffic is to be processed as FIPS approved.
These F5 modules are included in the F5 Device and F5 vCMP
Cryptographic Modules:
- Local Traffic Manager (LTM)
- Advanced Firewall Manager (AFM)
FIPS validation status and TMOS upgrades
Before you install any software updates or hot fixes, verify the
FIPS validation status of that version on the F5 Certifications page
(www.f5.com/company/certifications). The system allows you to
apply all updates, but if the version has not been validated, your device will
no longer be considered FIPS validated.
Firmware upgrades for hardware HSMs
If you want to maintain your F5 system's FIPS device compliance with the National Institute of Standards and Technology (NIST), or want to ensure that the system's FIPS protected internal hardware security module (HSM) is running the latest firmware version without updating the BIG-IP software, you can use the n3fips-firmware-upgrade tool provided by F5. The n3fips-firmware-upgrade tool is available only for supported platforms. For other platforms, see K26061560: Updating the firmware for a FIPS protected internal HSM.
Because the firmware upgrade process requires a system reboot, F5 recommends that you perform this upgrade only during a planned maintenance period. The upgrade does not affect your current HSM configuration.
Platform support for FIPS firmware upgrade tool
These platforms support the use of the FIPS firmware upgrade tool (n3fips-firmware-upgrade).
Platform family | Model
---|---
BIG-IP | i5820-DF
BIG-IP | i7820-DF
BIG-IP | 10350-F
BIG-IP | i15820-DF
Prerequisites
Before you upgrade the firmware on your F5 FIPS
platform with an embedded hardware HSM, you must meet these
prerequisites:
- You have command-line access to the F5 system.
- You have root access to the system.
- You have the FIPS HSM security officer (SO) password.
- You have the HSM security domain.
- You are running firmware version 1.0-52. If your system is not running this version, you must upgrade to the required BIG-IP software version and then upgrade the firmware. For more information, see K26061560: Updating the firmware for a FIPS protected internal HSM.
- Create a UCS archive and store the backup file off site in a secure location. For more information, see K13132: Backing up and restoring BIG-IP configuration files with a UCS archive.
- Back up the FIPS key. For more information, see the Back up the FIPS key section.
Firmware upgrade for systems running BIG-IP software
Download the n3fips-firmware-upgrade tool
You can download the n3fips-firmware-upgrade package from F5 to upgrade the firmware on your F5 FIPS system.
- Log in to downloads.f5.com and click Find a Download.
- In the Hardware-Specific area, click FIPS-firmware-upgrade.
- Select n3fips-firmware-upgrade - Hardware-Specific from the list.
- Click the file name n3fips-firmware-upgrade to start the download.
- Read the End User Software License and click I Accept.
- Click the file name n3fips-firmware-upgrade-<version-and-build-number>.im to start the download.
- Download the corresponding checksum file and README file. The corresponding checksum file has the same name as the IM file, except that .md5 is the file extension. After the download completes, verify the integrity of the file by checking the MD5 checksum.
After you download the latest version of the n3fips-firmware-upgrade tool, you need to download the n3fipsutil tool from F5.
Download the n3fipsutil tool
You can download the n3fipsutil package from F5 to back up the FIPS key on your F5 FIPS system.
- Log in to downloads.f5.com and click Find a Download.
- In the Hardware-Specific area, click FIPS-firmware-upgrade.
- Select n3fips-firmware-upgrade - Hardware-Specific from the list.
- Click the file name n3fipsutil to start the download.
- Read the End User Software License and click I Accept.
- Click the file name n3fipsutil-<version-and-build-number>.im to start the download.
- Download the corresponding checksum file and README file. The corresponding checksum file has the same name as the IM file, except that .md5 is the file extension. After the download completes, verify the integrity of the file by checking the MD5 checksum.
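One way to carry out the checksum step that closes both download procedures above (the n3fips-firmware-upgrade package and the n3fipsutil package), as an added example that is not part of F5's tooling. It assumes the .md5 file uses md5sum's two-column layout and substitutes a constructed file for the real package.

```shell
#!/bin/sh
# Added example, not F5's tooling: check a downloaded F5 .im package against
# the .md5 file that ships beside it, as the download steps above require.
# Assumption: the .md5 file uses md5sum's "<hash>  <filename>" layout; check
# the README that comes with the package if yours differs.
set -u

# verify_im_checksum <package.im> <package.im.md5>
# Returns 0 on match, 1 on mismatch, 2 if a file is missing or unparsable.
verify_im_checksum() {
    im=$1
    md5file=$2
    [ -f "$im" ] && [ -f "$md5file" ] || { echo "missing file" >&2; return 2; }
    expected=$(awk 'NR==1 {print tolower($1)}' "$md5file")
    listed=$(awk 'NR==1 {print $2}' "$md5file" | sed 's/^\*//')
    # Accept only a 32-hex-digit hash; anything else means a garbled .md5 file.
    case "$expected" in
        *[!0-9a-f]*|"") echo "cannot parse $md5file" >&2; return 2 ;;
    esac
    [ ${#expected} -eq 32 ] || { echo "cannot parse $md5file" >&2; return 2; }
    # The .md5 file names the package it belongs to; warn if it is the wrong one.
    if [ -n "$listed" ] && [ "$listed" != "$(basename "$im")" ]; then
        echo "warning: $md5file lists $listed, not $(basename "$im")" >&2
    fi
    actual=$(md5sum "$im" | awk '{print $1}')
    if [ "$actual" = "$expected" ]; then
        echo "OK: $im"
        return 0
    fi
    echo "MISMATCH: $im (expected $expected, got $actual)" >&2
    return 1
}

# Constructed demo: stand-ins for the real package and its checksum file.
demo_dir=$(mktemp -d)
demo_im="$demo_dir/n3fipsutil-0.0-0.im"      # placeholder name, not a real build
printf '%s' 'hello' > "$demo_im"               # MD5("hello") = 5d41402abc4b2a76b9719d911017c592
printf '%s  %s\n' 5d41402abc4b2a76b9719d911017c592 n3fipsutil-0.0-0.im > "$demo_im.md5"
verify_im_checksum "$demo_im" "$demo_im.md5"   # prints OK
printf '%s' 'hellp' > "$demo_im"               # simulate a corrupted download
verify_im_checksum "$demo_im" "$demo_im.md5" || echo "refusing to use the corrupted package"
```

The .md5 file arrives over the same channel as the package, so this check catches a corrupted or truncated download rather than a deliberate substitution; the TLS session to downloads.f5.com is what covers the latter.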
After you download the latest version of the n3fipsutil package, you back up the FIPS key for the system.
Back up a FIPS key using the n3fipsutil tool
Before you can back up the FIPS key for the BIG-IP system, you must use SCP to move the n3fipsutil IM file to a directory on the system, such as /shared/fw-upgrade.
You back up the FIPS key for the F5 system using the n3fipsutil tool. To back up a FIPS key on a vCMP system, log in to the vCMP guest and perform a backup. If there are multiple guests, perform a FIPS key backup from each guest running on the vCMP system.
- Connect to the system using the serial console or by opening an SSH session to the management IP address.
- Log in to the command line of the system using an account with admin access.
- Stop all services. tmsh stop sys service all
- Create an empty directory for the backup.
- Run the n3fipsutil tool. ./n3fipsutil -backup <directory_name> [ -n <partition_name> ] The [ -n partition_name ] option is optional and applicable only if the system uses custom partition names.
- Restart all services. tmsh start sys service all
- Use SCP to copy the entire backup directory, without modifying the contents of the directory, off site to a secure location. The backup directory contains the encrypted FIPS keys and also contains okbk.key and pokbk.key, which are generated during the backup process. Be sure to secure these keys using your standard process for protecting the confidentiality of HSM FIPS keys.
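An added check for the last step above, run before the backup directory is copied off site (example code, not part of n3fipsutil): it confirms that okbk.key, pokbk.key and the encrypted key files are present, and writes a SHA-256 manifest outside the directory so the off-site copy can be verified without modifying the backup. The directory contents and the key1.enc file name are constructed.

```shell
#!/bin/sh
# Added example, not part of n3fipsutil: sanity-check a FIPS key backup
# directory before it is copied off site, and write a SHA-256 manifest OUTSIDE
# the directory so the off-site copy can be verified without touching the
# backup contents. okbk.key and pokbk.key are the names the procedure above
# gives; the directory layout and key1.enc below are constructed.
set -u

# check_backup_dir <backup_dir> <manifest_path>
# Returns 0 when both key files and at least one other backup file are present
# and non-empty and the manifest was written; returns 1 otherwise.
check_backup_dir() {
    dir=$1
    manifest=$2
    [ -d "$dir" ] || { echo "not a directory: $dir" >&2; return 1; }
    for k in okbk.key pokbk.key; do
        [ -s "$dir/$k" ] || { echo "missing or empty: $dir/$k" >&2; return 1; }
    done
    # Anything beyond the two key files is the encrypted FIPS key material.
    others=$(find "$dir" -type f ! -name okbk.key ! -name pokbk.key | wc -l)
    [ "$others" -gt 0 ] || { echo "no encrypted key files in $dir" >&2; return 1; }
    case "$manifest" in
        "$dir"/*) echo "manifest must live outside $dir" >&2; return 1 ;;
    esac
    # Paths are relative to the backup dir so the manifest verifies on any host.
    (cd "$dir" && find . -type f -exec sha256sum {} + | sort -k2) > "$manifest"
    echo "manifest written: $manifest ($(wc -l < "$manifest") files)"
}

# verify_backup_copy <copied_dir> <manifest_path>
# Returns 0 only if every file in the copy matches the manifest.
verify_backup_copy() {
    abs_manifest=$(cd "$(dirname "$2")" && pwd)/$(basename "$2")
    (cd "$1" && sha256sum -c "$abs_manifest" >/dev/null 2>&1)
}

# Constructed demo: a fake backup directory, then a local copy standing in for
# the SCP transfer to the off-site location.
demo=$(mktemp -d)
mkdir "$demo/fipsbackup"
printf 'constructed okbk' > "$demo/fipsbackup/okbk.key"
printf 'constructed pokbk' > "$demo/fipsbackup/pokbk.key"
printf 'constructed encrypted key blob' > "$demo/fipsbackup/key1.enc"
check_backup_dir "$demo/fipsbackup" "$demo/fipsbackup.sha256"
cp -r "$demo/fipsbackup" "$demo/offsite-copy"
verify_backup_copy "$demo/offsite-copy" "$demo/fipsbackup.sha256" && echo "off-site copy intact"
```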
After you have backed up the FIPS key and copied the backup to a secure location, you can upgrade the HSM firmware for the system.
Upgrade firmware using n3fips-firmware-upgrade tool
Before you upgrade the firmware, you must use SCP to move the n3fips-firmware-upgrade IM file to a directory on the BIG-IP system, such as /shared/fw-upgrade. Be sure that you have also backed up the FIPS key.
You upgrade the firmware for the embedded HSM on a supported F5 system using the n3fips-firmware-upgrade tool.
- Connect to the system using the serial console or by opening an SSH session to the management IP address.
- Log in to the command line of the system using an account with admin access.
- Change to the directory where the tool is located. cd /shared/fw-upgrade
- Run the n3fips-firmware-upgrade tool. ./n3fips-firmware-upgrade
- Reboot the system to load the HSM with upgraded firmware. reboot
The embedded HSM in the system is now running the latest firmware.
Recovery option for systems running BIG-IP software
In the event that you need to recover your system, you can restore a
previously-backed up FIPS key and restore BIG-IP configuration files.
Restore a FIPS key using the n3fipsutil tool
Before you can restore a FIPS key for the BIG-IP system, you must use SCP to move the directory that you previously backed up to a directory on the system, such as /shared/fw-upgrade/backups.
If you ever need to restore a FIPS key, you can do this using the n3fipsutil tool after you have initialized the hardware security module (HSM). For more information on initializing the HSM, see the procedure for your platform model in the Embedded HSM initialization and synchronization overview section.
FIPS key backup is not supported in vCMP mode.
- Connect to the system using the serial console or by opening an SSH session to the management IP address.
- Log in to the command line of the system using an account with admin access.
- Stop all services. tmsh stop sys service all
- Run the n3fipsutil tool. ./n3fipsutil -restore <directory_name> -host <management-ip-address> [ -n <partition_name> ] The [ -n partition_name ] option is optional and applicable only if the system uses custom partition names.
- Reset the FIPS login information. fipsutil loginreset -r
- Restart all services.tmsh start sys service all
After you have restored the FIPS key, you can also restore a backup UCS archive
for the system, if needed. For more information, see K13132: Backing up and restoring
BIG-IP configuration files with a UCS archive.