Manual Chapter : Platform and VE FIPS Module and Upgrade Notes

Applies To:

  • BIG-IP APM 17.1.0
  • BIG-IP LTM 17.1.0
  • BIG-IP DNS 17.1.0
  • BIG-IP ASM 17.1.0

FIPS-validated F5 modules

Only certain F5 modules are included in the FIPS-validated F5 Device and F5 vCMP Cryptographic Modules. This means that only those F5 modules may be licensed and running if traffic is to be processed as FIPS approved.
These F5 modules are included in the F5 Device and F5 vCMP Cryptographic Modules:
  • Local Traffic Manager (LTM)
  • Advanced Firewall Manager (AFM)

FIPS validation status and TMOS upgrades

Before you install any software update or hotfix, verify the FIPS validation status of that version on the F5 Certifications page (www.f5.com/company/certifications). The system does not block the installation of unvalidated versions: it allows you to apply any update, but if the version you install has not been validated, your device is no longer considered FIPS validated.

Firmware upgrades for hardware HSMs

If you want to maintain your F5 system's FIPS device compliance with the National Institute of Standards and Technology (NIST), or want to ensure that the system's FIPS-protected internal hardware security module (HSM) is running the latest firmware version without updating the BIG-IP software, you can use the n3fips-firmware-upgrade utility provided by F5.
The n3fips-firmware-upgrade utility is available only for supported platforms. For other platforms, see K26061560: Updating the firmware for a FIPS protected internal HSM.
Because the firmware upgrade process requires a system reboot, F5 recommends that you perform this upgrade only during a planned maintenance period. The upgrade does not affect your current HSM configuration.

Platform support for FIPS firmware upgrade utility

These platforms support the use of the FIPS firmware upgrade utility (n3fips-firmware-upgrade).

Platform family   Model
BIG-IP            i5820-DF
BIG-IP            i7820-DF
BIG-IP            10350-F
BIG-IP            i15820-DF

Prerequisites

Before you upgrade the firmware on your F5 FIPS platform with an embedded hardware HSM, you must meet these prerequisites:

Firmware upgrade for systems running BIG-IP software

Download the upgrade utilities

You can download the n3fips-firmware-upgrade and n3fipsutil utilities from F5 to upgrade the firmware on your F5 FIPS system.
If the FIPS card has been re-initialized with a new or different password, n3fipsutil returns an error when you attempt a firmware upgrade, a FIPS key export, or a FIPS key backup. Check the security officer (SO) password health with the command n3fipsutil -passwordCheck before using the n3fipsutil utility.
  1. On your management workstation, log in to my.f5.com/manage/s/downloads.
  2. Read the End User License Agreement and Program Terms and select the check box.
    You must accept the license agreement and program terms before you can proceed.
  3. Click Next.
  4. Under Select a product family, select Hardware-Specific.
  5. Under Tell us more about your product, for Product Line, select FIPS_firmware_upgrade.
  6. For Product Version, select the version to download.
  7. Under Select a product container, select the software that you want to download.
  8. Under Select a download file, select n3fips-firmware-upgrade.
  9. For Download locations, select a download location.
  10. Click Download.
  11. Under Select a download file, select n3fipsutil.
  12. For Download locations, select a download location.
  13. Click Download.
  14. Download the corresponding checksum file and README files.
    The checksum file has the same name as the utility, with .md5 as the file extension. After the download completes, verify the integrity of the file by checking the MD5 checksum. A matching MD5 detects a corrupted or incomplete transfer; MD5 is not collision resistant, so the check is only as trustworthy as the authenticated F5 session from which you fetched the checksum file.
After you download the latest version of the upgrade utilities, you back up the FIPS key for the system.
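The checksum check in step 14, as an added example that is not F5's code: a POSIX shell function that refuses a downloaded utility unless its sibling .md5 file exists, names exactly that file, and matches. It assumes the checksum file is named "<file>.md5" and is in md5sum's "<hash>  <name>" format; the demo files it creates are constructed stand-ins, not real F5 downloads.

```shell
#!/bin/sh
# Added example, not F5's code: verify a downloaded F5 utility against the
# .md5 file that sits beside it before copying the utility to the BIG-IP.
# Assumption: the checksum file is "<file>.md5" in md5sum's "<hash>  <name>"
# format, and md5sum (coreutils or busybox) is on the workstation.
set -u

# verify_f5_download FILE
# Returns 0 only when FILE.md5 exists, names exactly FILE, and the digest
# matches. Runs md5sum from FILE's directory so the relative name inside
# the .md5 resolves to the file that was actually downloaded.
verify_f5_download() {
    file=$1
    dir=$(dirname "$file")
    base=$(basename "$file")
    sum="$file.md5"
    if [ ! -f "$sum" ]; then
        echo "missing checksum file: $sum" >&2
        return 1
    fi
    # A .md5 naming a different file would make md5sum check the wrong thing.
    listed=$(awk 'NR==1 {print $2}' "$sum" | sed 's/^\*//')
    if [ "$listed" != "$base" ]; then
        echo "checksum file names '$listed', expected '$base'" >&2
        return 1
    fi
    if ! (cd "$dir" && md5sum -c "$base.md5" >/dev/null 2>&1); then
        echo "MD5 mismatch for $file: do not install it" >&2
        return 1
    fi
    return 0
}

# Constructed demo with throwaway files; the names mimic the F5 utilities but
# the contents are made up.
demo_download_check() {
    tmp=$(mktemp -d)
    printf 'not-the-real-utility\n' > "$tmp/n3fipsutil"
    (cd "$tmp" && md5sum n3fipsutil > n3fipsutil.md5)
    verify_f5_download "$tmp/n3fipsutil" && echo "n3fipsutil: checksum OK"
    # Corrupted transfer: the last byte changed after the checksum was taken.
    printf 'x' >> "$tmp/n3fipsutil"
    verify_f5_download "$tmp/n3fipsutil" || echo "n3fipsutil: rejected"
    rm -rf "$tmp"
}

demo_download_check
```

Run it as `sh verify.sh` on the workstation; in practice call `verify_f5_download /path/to/n3fipsutil` and `verify_f5_download /path/to/n3fips-firmware-upgrade` before the SCP step, and stop if either returns nonzero.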

Back up a FIPS key using the n3fipsutil utility

Before you can back up the FIPS key for the BIG-IP system, you must use SCP to move the n3fipsutil file to a directory on the system, such as /shared/fw-upgrade.
You back up the FIPS key for the F5 system using the n3fipsutil utility.
To back up a FIPS key on a vCMP system, log in to the vCMP guest and perform a backup. If there are multiple guests, perform a FIPS key backup from each guest running on the vCMP system.
  1. Connect to the system using the serial console or by opening an SSH session to the management IP address.
  2. Log in to the command line of the system using an account with admin access.
  3. Stop all services.
    tmsh stop sys service all
  4. Create an empty directory for the backup.
  5. Run the n3fipsutil utility from the directory where you placed it.
    ./n3fipsutil -backup <directory-name> [ -n <partition-name> ]
    The [ -n <partition-name> ] option is optional and applicable only if the system uses custom partition names.
  6. Restart all services.
    tmsh start sys service all
  7. Use SCP to copy the entire backup directory, without modifying its contents, off site to a secure location.
    The backup directory contains the encrypted FIPS keys and also contains okbk.key and pokbk.key, which are generated during the backup process. Be sure to secure these files using your standard process for protecting the confidentiality of HSM FIPS keys.
After you have backed up the FIPS key and copied the backup to a secure location, you can upgrade the HSM firmware for the system.

Upgrade firmware using n3fips-firmware-upgrade utility

Before you upgrade the firmware, you must use SCP to move the n3fips-firmware-upgrade file to a directory on the BIG-IP system, such as /shared/fw-upgrade. Be sure that you have also backed up the FIPS key.
You upgrade the firmware for the embedded HSM on a supported F5 system using the n3fips-firmware-upgrade utility.
  1. Connect to the system using the serial console or by opening an SSH session to the management IP address.
  2. Log in to the command line of the system using an account with admin access.
  3. Change to the directory where the utility is located.
    cd /shared/fw-upgrade
  4. Run the n3fips-firmware-upgrade utility.
    ./n3fips-firmware-upgrade
  5. Reboot the system to load the HSM with the upgraded firmware.
    reboot
The embedded HSM in the system is now running the latest firmware.

Recovery option for systems running BIG-IP software

In the event that you need to recover your system, you can restore a previously backed-up FIPS key and then restore the BIG-IP configuration files.

Restore a FIPS key using the n3fipsutil utility

Before you can restore a FIPS key for the BIG-IP system, you must use SCP to move the directory that you previously backed up to a directory on the system, such as /shared/fw-upgrade/backups.
If you ever need to restore a FIPS key, you can do this using the n3fipsutil utility after you have initialized the hardware security module (HSM). For more information on initializing the HSM, see the procedure for your platform model in the Embedded HSM initialization and synchronization overview section.
FIPS key backup is not supported in vCMP mode.
  1. Connect to the system using the serial console or by opening an SSH session to the management IP address.
  2. Log in to the command line of the system using an account with admin access.
  3. Stop all services.
    tmsh stop sys service all
  4. Run the n3fipsutil utility.
    ./n3fipsutil -restore <dir-name> -host <management-ip-address> [ -n <partition-name> ]
    The [ -n <partition-name> ] option is optional and applicable only if the system uses custom partition names.
  5. Reset the FIPS login information.
    fipsutil loginreset -r
  6. Restart all services.
    tmsh start sys service all
After you have restored the FIPS key, you can also restore a backup UCS archive for the system, if needed. For more information, see K13132: Backing up and restoring BIG-IP configuration files with a UCS archive.
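The backup procedure above requires the directory to be copied off site "without modifying the contents", and the restore procedure feeds that same directory back to n3fipsutil. As an added example that is not F5's code, the following POSIX shell script seals a backup directory with a SHA-256 manifest right after step 5 of the backup (refusing to seal if okbk.key or pokbk.key is missing or empty) and checks that manifest before step 4 of the restore, so a damaged, truncated or tampered copy is rejected before it is handed to the HSM. The file names okbk.key and pokbk.key are the ones the page gives; the manifest name MANIFEST.sha256 and the demo directory contents are assumptions, and the demo directory is a constructed stand-in, not real n3fipsutil output.

```shell
#!/bin/sh
# Added example, not F5's code: seal a FIPS key backup directory written by
# "n3fipsutil -backup" with a SHA-256 manifest before it leaves the system,
# and verify that manifest before the directory is passed to
# "n3fipsutil -restore". okbk.key and pokbk.key are the names the page gives;
# the manifest name and the demo file contents are assumptions.
set -u

MANIFEST=MANIFEST.sha256

# seal_fips_backup DIR
# Refuses an incomplete backup (okbk.key or pokbk.key missing or empty),
# restricts the directory to its owner, and records a digest of every file.
seal_fips_backup() {
    dir=$1
    for f in okbk.key pokbk.key; do
        if [ ! -s "$dir/$f" ]; then
            echo "backup incomplete: $dir/$f missing or empty" >&2
            return 1
        fi
    done
    chmod 700 "$dir" || return 1
    find "$dir" -type f -exec chmod 600 {} + || return 1
    (cd "$dir" && find . -type f ! -name "$MANIFEST" | LC_ALL=C sort \
        | xargs sha256sum > "$MANIFEST") || return 1
    return 0
}

# check_fips_backup DIR
# Returns 0 only if every file in the manifest is present and unchanged and
# nothing was added after sealing; otherwise the copy must not be restored.
check_fips_backup() {
    dir=$1
    if [ ! -f "$dir/$MANIFEST" ]; then
        echo "no manifest in $dir" >&2
        return 1
    fi
    if ! (cd "$dir" && sha256sum -c "$MANIFEST" >/dev/null 2>&1); then
        echo "backup in $dir altered or incomplete: do not restore" >&2
        return 1
    fi
    expected=$(wc -l < "$dir/$MANIFEST" | tr -d ' ')
    actual=$(cd "$dir" && find . -type f ! -name "$MANIFEST" | wc -l | tr -d ' ')
    if [ "$expected" -ne "$actual" ]; then
        echo "backup in $dir contains files not in the manifest" >&2
        return 1
    fi
    return 0
}

# Constructed demo: a stand-in backup directory, not real n3fipsutil output.
demo_backup_lifecycle() {
    tmp=$(mktemp -d)
    printf 'constructed okbk\n'  > "$tmp/okbk.key"
    printf 'constructed pokbk\n' > "$tmp/pokbk.key"
    printf 'constructed wrapped key\n' > "$tmp/wrapped-key.bin"
    seal_fips_backup "$tmp" && echo "sealed: copy $tmp off site"
    check_fips_backup "$tmp" && echo "intact: safe to restore"
    printf 'x' >> "$tmp/pokbk.key"          # simulate damage in transit
    check_fips_backup "$tmp" || echo "altered: refusing to restore"
    rm -rf "$tmp"
}

demo_backup_lifecycle
```

The manifest only proves the directory is the one you sealed; it does not protect the confidentiality of okbk.key and pokbk.key, so the off-site copy still needs the access controls the backup procedure calls for. Keep a copy of the manifest's own digest somewhere other than the backup location if you want to detect replacement of the whole directory rather than modification of its files.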