Manual Chapter: FIPS

Applies To:


F5OS-A 1.5.2

FIPS

FIPS overview

You can access FIPS settings from the CLI. These settings are available only on platforms with an embedded hardware security module (HSM): the F5 r5000-DF and r10000-DF. For more comprehensive information on configuring FIPS platforms, see F5 Platforms: FIPS Administration at my.f5.com.

HSM management from the CLI

You can manage the hardware security module (HSM) and FIPS partitions from the CLI.

Initialize the HSM in F5 r5000/r10000 platforms

The hardware security module (HSM) installed in your F5 r5000/r10000 FIPS platform is uninitialized by default. You must initialize the HSM before you can use it. This is typically a one-time operation.
  1. Log in to the command line interface (CLI) of the system using an account with admin access.
    When you log in to the system, you are in user (operational) mode.
  2. Initialize the HSM and set a security officer (SO) password.
    Forcing the initialization deletes all keys in the HSM and makes any previously exported keys unusable.
    fips hsm force-init
    When prompted, type an SO password. You cannot use the keyword default as the SO password.
    F5 recommends that you choose a strong value for the SO password and keep it in a secure location. You must supply the SO password again each time you resize or create a FIPS partition.
    Value for 'new-so-password' (<string, min: 7 chars, max: 30 chars>): ********
    Value for 'confirm-new-so-password' (<string, min: 7 chars, max: 30 chars>): ********
    The initialization process begins and might take a few minutes to complete.
    Initialization is complete when this message displays:
    result The FIPS device has been initialized.
After you complete the initialization, you create a FIPS partition.

Create a FIPS partition from the CLI

After you initialize the HSM, all of its resources are assigned to a single default FIPS partition (also called a virtual HSM). Each FIPS partition is defined by two resource values:
  • Keys: the number of keys the FIPS partition can hold. The range is from 1 to 1000000.
  • Acceleration devices (acceleration cores): the number of acceleration devices assigned to the FIPS partition. The range is from 1 to 63. F5 r5000-DF platforms support up to 32 acceleration devices, and F5 r10000-DF platforms support up to 63 acceleration devices.
Before you can create a new FIPS partition from the CLI, you must first deallocate resources from the default partition so that they can be assigned to the new partitions.
  1. Log in to the command line interface (CLI) of the system using an account with admin access.
    When you log in to the system, you are in user (operational) mode.
  2. View information about the default FIPS partition.
    show fips partitions
    A summary similar to this example displays:
    appliance-1# show fips partitions
                              OCCUPIED  ACCEL           FIPS  SESSION  SESSION         PCI
    NAME         NAME         KEYS      DEVS  BACKUP    ID    STATE    KEYS     COUNT  ADDRESS
    -----------------------------------------------------------------------------------------
    PARTITION_1  PARTITION_1  10075     63    disabled  -     255      0        10     ca:10.0
  3. Change to config mode.
    config
    The CLI prompt changes to include (config).
  4. Resize the default partition.
    fips set-partition name <fips-partition> accel-devs <quantity> keys <quantity> backup {false|true}
    This example changes PARTITION_1 to use one acceleration device and hold 10 keys:
    appliance-1(config)# fips set-partition name PARTITION_1 accel-devs 1 keys 10
    Value for 'so-password' (<string, min 7 chars, max 30 chars>): ***********
    result fips partition PARTITION_1 has been resized
  5. Create a new FIPS partition.
    fips set-partition name <fips-partition> accel-devs <quantity> keys <quantity> backup {false|true}
    If you plan to migrate keys from an iSeries FIPS platform and restore them to this FIPS partition on your rSeries FIPS platform, be sure to set the backup option to true.
    This example creates PARTITION_2:
    appliance-1(config)# fips set-partition name PARTITION_2 accel-devs 12 keys 128 backup true
    Value for 'so-password' (<string, min 7 chars, max 30 chars>): ***********
    result fips partition PARTITION_2 has been created
  6. Verify the FIPS partition information.
    show fips partitions
    A summary similar to this example displays:
    appliance-1# show fips partitions
                              OCCUPIED  ACCEL           FIPS  SESSION  SESSION         PCI
    NAME         NAME         KEYS      DEVS  BACKUP    ID    STATE    KEYS     COUNT  ADDRESS
    -----------------------------------------------------------------------------------------
    PARTITION_1  PARTITION_1  20        1     disabled  -     255      0        10     ca:10.0
    PARTITION_2  PARTITION_2  128       12    disabled  -     -        -        -      ca:10.2
After you create the FIPS partition, you create a tenant that uses it.
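The resource arithmetic behind steps 2 through 6, as an added example that is not part of the F5OS documentation or of any F5 tool: a Python script that parses show fips partitions output and checks a planned fips set-partition call against the limits stated in this chapter (the per-partition key and acceleration-device ranges, the 32/63 platform totals, the 15-character name limit that the webUI FIPS Partitions screen enforces) and against what the default partition still holds. The column order, the "enabled" spelling of the BACKUP column when backup is true, and the rule that a new partition can only take acceleration devices not already allocated to another partition are assumptions drawn from the sample output, not statements from the chapter; the HSM's total key capacity is not given here, so keys are only range-checked per partition.

```python
"""Check a `fips set-partition` request against the limits in this chapter.

Added example; not F5OS code or F5 tooling. Assumptions (not stated as such
in the chapter): data rows carry the name twice and then KEYS, ACCEL DEVS,
BACKUP in that order; BACKUP reads "enabled" when backup is true; every
acceleration device must come out of the pool not already allocated to
another partition.
"""
from __future__ import annotations
from dataclasses import dataclass

# Limits stated in this chapter.
PLATFORM_ACCEL_DEVS = {"r5000-DF": 32, "r10000-DF": 63}
MAX_KEYS = 1_000_000
MAX_NAME_LEN = 15


@dataclass
class Partition:
    name: str
    keys: int
    accel_devs: int
    backup: bool


def parse_partitions(output: str) -> list[Partition]:
    """Parse `show fips partitions` output into Partition records.

    The header row also starts with "NAME NAME" but fails the int()
    conversion, so it is skipped along with the prompt and separator lines.
    """
    partitions = []
    for line in output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != fields[1]:
            continue
        try:
            keys, devs = int(fields[2]), int(fields[3])
        except ValueError:
            continue
        partitions.append(Partition(fields[0], keys, devs, fields[4] == "enabled"))
    return partitions


def free_accel_devs(existing: list[Partition], platform: str, exclude: str | None = None) -> int:
    """Acceleration devices not allocated to any partition other than `exclude`."""
    used = sum(p.accel_devs for p in existing if p.name != exclude)
    return PLATFORM_ACCEL_DEVS[platform] - used


def check_set_partition(existing: list[Partition], platform: str,
                        name: str, keys: int, accel_devs: int) -> list[str]:
    """Return the reasons a set-partition call would violate the chapter's limits.

    An empty list means the request fits. Resizing an existing partition
    releases its current devices first; a new partition must fit in what is
    free. Keys are range-checked per partition but not pooled (assumption).
    """
    if platform not in PLATFORM_ACCEL_DEVS:
        return [f"unknown platform {platform!r}; expected one of {sorted(PLATFORM_ACCEL_DEVS)}"]
    problems = []
    if not 1 <= len(name) <= MAX_NAME_LEN:
        problems.append(f"name must be 1..{MAX_NAME_LEN} characters, got {len(name)}")
    if not 1 <= keys <= MAX_KEYS:
        problems.append(f"keys must be 1..{MAX_KEYS}, got {keys}")
    platform_max = PLATFORM_ACCEL_DEVS[platform]
    if not 1 <= accel_devs <= platform_max:
        problems.append(f"accel-devs must be 1..{platform_max} on {platform}, got {accel_devs}")
    free = free_accel_devs(existing, platform, exclude=name)
    if accel_devs > free:
        problems.append(f"only {free} acceleration device(s) free; shrink PARTITION_1 "
                        f"(fips set-partition name PARTITION_1 accel-devs <n>) before creating {name}")
    return problems


# Constructed sample output using the values shown in this chapter.
SAMPLE_BEFORE = """\
appliance-1# show fips partitions
                          OCCUPIED  ACCEL           FIPS  SESSION  SESSION         PCI
NAME         NAME         KEYS      DEVS  BACKUP    ID    STATE    KEYS     COUNT  ADDRESS
-----------------------------------------------------------------------------------------
PARTITION_1  PARTITION_1  10075     63    disabled  -     255      0        10     ca:10.0
"""

SAMPLE_AFTER = """\
appliance-1# show fips partitions
PARTITION_1  PARTITION_1  20        1     disabled  -     255      0        10     ca:10.0
PARTITION_2  PARTITION_2  128       12    disabled  -     -        -        -      ca:10.2
"""

if __name__ == "__main__":
    before = parse_partitions(SAMPLE_BEFORE)
    # PARTITION_1 still owns all 63 devices, so creating PARTITION_2 now is rejected...
    print(check_set_partition(before, "r10000-DF", "PARTITION_2", 128, 12))
    # ...while shrinking PARTITION_1 first is accepted.
    print(check_set_partition(before, "r10000-DF", "PARTITION_1", 10, 1))
    # After both steps, 63 - (1 + 12) = 50 devices remain for further partitions.
    after = parse_partitions(SAMPLE_AFTER)
    print(free_accel_devs(after, "r10000-DF"), check_set_partition(after, "r10000-DF", "PARTITION_3", 50, 51))
```

Run it against a captured copy of your own show fips partitions output before typing the set-partition command; a non-empty result means the call will either be rejected by the CLI or leave you with fewer acceleration devices than the tenant plan needs.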

Create a tenant with a FIPS partition from the CLI

After you create a FIPS partition, you can create a tenant and assign the FIPS partition to it from the CLI.
F5 rSeries FIPS platforms support only tenants running BIG-IP software version 17.1.0.1.
  1. Log in to the command line interface (CLI) of the system using an account with admin access.
    When you log in to the system, you are in user (operational) mode.
  2. Change to config mode.
    config
    The CLI prompt changes to include (config).
  3. Create and deploy a tenant that uses a FIPS partition.
    tenants tenant <name> config type BIG-IP image <filename>.bundle fips-partition <partition-name> cryptos enabled vcpu-cores-per-node <cores> nodes <node> mgmt-ip <ip-address> prefix-length <prefix> gateway <ip-address> memory <memory> running-state deployed
    This example creates a BIG-IP tenant called big-ip that uses a FIPS partition named PARTITION_2:
    appliance-1(config)# tenants tenant big-ip config type BIG-IP image BIGIP-17.1.0.1-0.0.0.ALL-F5OS.qcow2.zip.bundle fips-partition PARTITION_2 cryptos enabled vcpu-cores-per-node 6 nodes 1 mgmt-ip 192.0.2.42 prefix-length 24 gateway 192.0.2.254 memory 22016 running-state deployed
After the tenant is deployed, you initialize the HSM partition from the tenant CLI.

Initialize the HSM partition in F5OS tenants from the CLI

You must initialize the hardware security module (HSM) partition assigned to a tenant before you can use it.
You can initialize the HSM and create the security domain before you license the system and create a traffic management configuration.
  1. Log in to the command line interface (CLI) of the tenant using an account with admin access.
  2. Open the TMOS Shell (tmsh).
    tmsh
  3. Initialize the HSM and set a security officer (SO) password.
    run util fips-util init
    Running this command deletes all keys in the HSM and makes any previously exported keys unusable.
    The initialization process begins and takes a few minutes to complete. When prompted, type an SO password. You cannot use the keyword default as the SO password. F5 recommends that you choose a strong value for the SO password.
    If the command reports that keys are already stored in the device, you must delete all keys from the device before re-initializing it:
    There are keys stored in the FIPS device
    Delete all keys from the device before re-initializing it
    Alternatively, use the -f option to force initialization, which deletes all user-generated keys:
    run util fips-util -f init
    WARNING: This erases all keys from the FIPS 140 device.
    Any configuration objects dependent on FIPS keys will cause the configuration fail to load.
    ==================== WARNING ================================
    The FIPS device will be reset to factory default state.
    All keys and user identities currently stored in the device will be erased.
    Any configuration objects dependent on FIPS keys will cause the configuration fail to load.
    Press <ENTER> to continue or Ctrl-C to cancel
    Resetting the device ...
    The FIPS device is now in factory default state.
    Enter new Security Officer password (min. 7, max. 14 characters):
    Re-enter Security Officer password:
  4. When this message displays, type a security domain label.
    NOTE: security domain label must be identical on peer FIPS devices in order to be able to synchronize with them.
    Enter security domain label (max. 49 chars, default: F5FIPS):
    Be sure to keep the security domain label and password in a secure location. You need the domain label and password when you initialize the HSM on a peer unit. You can use the same password or choose a new one. This information is also required when replacing a unit (for RMA or other reasons): because keys are synchronized from the working unit to the new unit, the domain label and password are required.
    Initializing new security domain (F5FIPS)...
    Creating crypto user and crypto officer identities
    Waiting for the device to re-initialize ...
    Creating key encryption key (KEK)
    The FIPS device has been initialized.
  5. Enable the HSM device using one of these options:
    • Reboot the unit.
    • Restart all services:
      restart sys service all
      Restarting services disrupts load-balanced traffic and might terminate remote login sessions to the system.

View HSM information in the CLI

You can view information about the embedded hardware security module (HSM) on F5 r5000-DF/r10000-DF FIPS systems from the CLI.
If the State is 2, the HSM is initialized. If the State is -1, the HSM is not initialized.
  1. Log in to the command line interface (CLI) of the system using an account with admin access.
    When you log in to the system, you are in user (operational) mode.
  2. View information about the HSM.
    show fips status
    A summary similar to this example displays.
    appliance-1# show fips status
    fips status last-updated "Tue Nov 15 18:50:02 2022\n"
    fips status state 2
    fips status desc "FIPS mode with single factor authentication"
    fips status label cavium
    fips status model "NITROX-III CNN35XX-NFBE"
    fips status part-number CNN3560-NFBE-3.0-G
    fips status serial-number 6.0G2139-VPM006082
    fips status firmware-major-version 8
    fips status firmware-minor-version 2
    fips status hw-major-version 54
    fips status hw-minor-version 48
    fips status build-number 11-25
    fips status firmware-id CNN35XX-NFBE-FW-2.08-11-25
    fips status temperature "53 C"
    fips status wear-leveling DEVICE_STATUS_OK
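A pre-flight check over this output, as an added example that is not part of the F5OS documentation or of any F5 tool: a Python script that turns the fips status lines into a dictionary (handling the double-quoted values the CLI prints for multi-word fields and the literal \n inside last-updated) and reports whether the HSM is initialized using the two state values documented above, 2 and -1. Treating any other state, a missing state, or a wear-leveling value other than DEVICE_STATUS_OK as "not ready" is this example's own conservative choice, not a rule stated in the chapter; the sample output is constructed from the values shown above.

```python
"""Pre-flight check on `show fips status` output from an F5OS-A CLI.

Added example; not F5OS code or F5 tooling. State 2 = initialized and
state -1 = not initialized are the values this chapter documents; every
other readiness rule below is this example's own assumption.
"""
from __future__ import annotations

PREFIX = "fips status "
STATE_NAMES = {2: "initialized", -1: "not initialized"}


def parse_fips_status(output: str) -> dict[str, str]:
    """Map each `fips status <key> <value>` line to key -> value (quotes stripped)."""
    status: dict[str, str] = {}
    for raw in output.splitlines():
        line = raw.strip()
        if not line.startswith(PREFIX):
            continue  # the echoed command / prompt line
        key, _, value = line[len(PREFIX):].partition(" ")
        value = value.strip()
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]
        # the CLI prints a literal \n inside the quoted last-updated value
        status[key] = value.replace("\\n", "").strip()
    return status


def hsm_state(status: dict[str, str]) -> str:
    """Human-readable state: 'initialized' for 2, 'not initialized' for -1."""
    try:
        code = int(status["state"])
    except (KeyError, ValueError):
        return "unknown"
    return STATE_NAMES.get(code, f"unknown state {code}")


def hsm_ready(status: dict[str, str]) -> tuple[bool, list[str]]:
    """Is the HSM ready for partition and tenant creation? Returns (ok, reasons)."""
    reasons = []
    if hsm_state(status) != "initialized":
        reasons.append(f"HSM is {hsm_state(status)}; run 'fips hsm force-init' first")
    if status.get("wear-leveling") != "DEVICE_STATUS_OK":
        reasons.append(f"wear-leveling reports {status.get('wear-leveling', 'nothing')}")
    return (not reasons, reasons)


# Constructed sample, taken from the output shown in this chapter (trimmed).
SAMPLE_STATUS = """\
appliance-1# show fips status
fips status last-updated "Tue Nov 15 18:50:02 2022\\n"
fips status state 2
fips status desc "FIPS mode with single factor authentication"
fips status label cavium
fips status model "NITROX-III CNN35XX-NFBE"
fips status firmware-id CNN35XX-NFBE-FW-2.08-11-25
fips status temperature "53 C"
fips status wear-leveling DEVICE_STATUS_OK
"""

# Constructed counter-example: the same device before `fips hsm force-init`.
SAMPLE_UNINITIALIZED = SAMPLE_STATUS.replace("fips status state 2", "fips status state -1")

if __name__ == "__main__":
    for sample in (SAMPLE_STATUS, SAMPLE_UNINITIALIZED):
        st = parse_fips_status(sample)
        print(st["model"], st["firmware-id"], hsm_state(st), hsm_ready(st))
```

Feed the script the captured output of show fips status from your own appliance; the firmware-id and model fields it extracts are also what you would compare against the validated module listing when confirming the platform is running FIPS-validated firmware.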

HSM management from the webUI

You can manage the hardware security module (HSM) and FIPS partitions from the F5OS webUI.

Display HSM information from the webUI

The HSM Details screen lists read-only information about the embedded hardware security module (HSM) on F5 r5000-DF/r10000-DF FIPS systems. This screen shows information, such as state, part/serial numbers, firmware/hardware versions, build number, temperature, and wear leveling.
If the State is 2, the HSM is initialized. If the State is -1, the HSM is not initialized.
  1. Log in to the webUI using an account with admin access.
  2. On the left, click FIPS, then click HSM Details.

Configure the default FIPS partition from the webUI

The FIPS Partitions screen lists FIPS partitions on the embedded hardware security module (HSM). If the HSM is newly initialized, the FIPS Partitions screen lists only the default partition (PARTITION_1). If the HSM needs to be initialized, no FIPS partitions are listed. For more information on initializing the HSM, see Initialize the HSM in F5 r5000/r10000 platforms.
After initializing the HSM, all resources (keys and acceleration devices) are assigned to a single default FIPS partition (PARTITION_1). Before you can create a new FIPS partition from the webUI, you must first deallocate resources from the default partition so they can be assigned to a new partition.
  1. Log in to the webUI using an account with admin access.
  2. On the left, click FIPS, then click FIPS Partitions.
  3. Click the default partition name (PARTITION_1).
    The Edit FIPS Partition screen displays.
  4. For Keys, enter the maximum number of keys the FIPS partition can hold.
    The range is from 1 to 1000000.
  5. For Accel Devs, enter the maximum number of acceleration devices used for the FIPS partition.
    The range is from 1 to 63. F5 r5000-DF platforms support up to 32 acceleration devices, and F5 r10000-DF platforms support up to 63 acceleration devices.
  6. For Backup, select whether to enable or disable backup for the FIPS partition.
    If you plan to migrate keys from an iSeries FIPS platform and restore them to this FIPS partition on your rSeries FIPS platform, be sure to select Enabled.
  7. Click Save & Close.
Next, you can create a new custom FIPS partition.

Add FIPS partitions from the webUI

Before you can add a new FIPS partition from the webUI, you must have already deallocated resources from the default partition so they can be assigned to any new partitions.
The FIPS Partitions screen enables you to manage FIPS partitions on the embedded hardware security module (HSM). If the HSM is newly initialized, the FIPS Partitions screen lists only the default partition (PARTITION_1). You can add a new FIPS partition from the webUI.
  1. Log in to the webUI using an account with admin access.
  2. On the left, click FIPS, then click FIPS Partitions.
  3. For Name, enter a name for the FIPS partition.
    The minimum length is 1 character, and the maximum length is 15 characters.
  4. For Keys, enter the maximum number of keys the FIPS partition can hold.
    The range is from 1 to 1000000.
  5. For Accel Devs, enter the maximum number of acceleration devices used for the FIPS partition.
    The range is from 1 to 63. F5 r5000-DF platforms support up to 32 acceleration devices, and F5 r10000-DF platforms support up to 63 acceleration devices.
  6. For Backup, select whether to enable or disable backup for the FIPS partition.
    If you plan to migrate keys from an iSeries FIPS platform and restore them to this FIPS partition on your rSeries FIPS platform, be sure to select Enabled.
  7. Click Save & Close.
Next, you can create a tenant that uses the new FIPS partition and initialize the HSM partition in the tenant. For more information, see Create a tenant with a FIPS partition from the CLI and Initialize the HSM partition in F5OS tenants from the CLI.
F5 rSeries FIPS platforms support only tenants running BIG-IP software version 17.1.0.1.