Manual Chapter: FIPS
Applies To: F5OS-A 1.7.0
FIPS overview

You can access FIPS settings from the CLI. These settings are available only on platforms (F5 r5000-DF and r10000-DF) with an embedded hardware security module (HSM). For more comprehensive information on configuring FIPS platforms, see F5 Platforms: FIPS Administration at my.f5.com.

HSM management from the CLI

You can manage the hardware security module (HSM) and FIPS partitions from the CLI.
Initialize the HSM in F5 r5000/r10000 platforms

The hardware security module (HSM) installed in your F5 r5000/r10000 FIPS platform is uninitialized by default. You must initialize the HSM before you can use it. This is typically a one-time operation.

- Log in to the command line interface (CLI) of the system using an account with admin access. When you log in to the system, you are in user (operational) mode.
- Initialize the HSM and set a security officer (SO) password. Forcing the initialization deletes all keys in the HSM and makes any previously-exported keys unusable.

      fips hsm force-init

  When prompted, type an SO password. You cannot use the keyword "default" as the SO password. F5 recommends that you choose a strong value for the SO password and keep it in a secure location.

      Value for 'new-so-password' (<string, min: 7 chars, max: 30 chars>): ********
      Value for 'confirm-new-so-password' (<string, min: 7 chars, max: 30 chars>): ********

  The initialization process begins and might take a few minutes to complete. Initialization is complete when this message displays:

      result The FIPS device has been initialized.

After you complete the initialization, you create a FIPS partition.
Create a FIPS partition from the CLI

After initializing the HSM, these resources are assigned to a single default FIPS partition called PARTITION_1 (also called a virtual HSM):

- Number of keys that the FIPS partition can hold. The range is from 1 to 1000000.
- Number of acceleration devices (or acceleration cores) for the FIPS partition. The range is from 1 to 63. F5 r5000-DF platforms support up to 32 acceleration devices, and F5 r10000-DF platforms support up to 63 acceleration devices.

Before you can create a new FIPS partition from the CLI, you must first deallocate resources from the default partition so that they can be assigned to any new partitions.

F5 r5000-DF platforms support up to 24 FIPS partitions, and F5 r10000-DF platforms support up to 32 FIPS partitions.

- Log in to the command line interface (CLI) of the system using an account with admin access. When you log in to the system, you are in user (operational) mode.
- View information about the default FIPS partition.

      show fips partitions

  A summary similar to this example displays:

      appliance-1# show fips partitions
                                OCCUPIED  ACCEL              FIPS           SESSION  SESSION  PCI
      NAME         NAME         KEYS      DEVS   BACKUP      ID     STATE   KEYS     COUNT    ADDRESS
      ---------------------------------------------------------------------------------------------
      PARTITION_1  PARTITION_1  10075     63     disabled    -      255     0        10       ca:10.0

- Change to config mode.

      config

  The CLI prompt changes to include (config).
- Resize the default partition.

      fips set-partition name <fips-partition> accel-devs <quantity> keys <quantity> backup {false|true}

  This example changes PARTITION_1 to use one acceleration device and hold 10 keys:

      appliance-1(config)# fips set-partition name PARTITION_1 accel-devs 1 keys 10
      Value for 'so-password' (<string, min 7 chars, max 30 chars>): ***********
      result fips partition PARTITION_1 has been resized

- Create a new FIPS partition.

      fips set-partition name <fips-partition> accel-devs <quantity> keys <quantity> backup {false|true}

  If you plan to migrate keys from an iSeries FIPS platform and restore to this FIPS partition on your rSeries FIPS platform, be sure to set the backup option to true. This example creates PARTITION_2:

      appliance-1(config)# fips set-partition name PARTITION_2 accel-devs 12 keys 128 backup true
      Value for 'so-password' (<string, min 7 chars, max 30 chars>): ***********
      result fips partition PARTITION_2 has been created

- Verify the FIPS partition information.

      show fips partitions

  A summary similar to this example displays:

      appliance-1# show fips partitions
                                OCCUPIED  ACCEL              FIPS           SESSION  SESSION  PCI
      NAME         NAME         KEYS      DEVS   BACKUP      ID     STATE   KEYS     COUNT    ADDRESS
      ---------------------------------------------------------------------------------------------
      PARTITION_1  PARTITION_1  20        1      disabled    -      255     0        10       ca:10.0
      PARTITION_2  PARTITION_2  128       12     disabled    -      -       -        -        ca:10.2
After you create the FIPS partition, you create a tenant that uses it.
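Partition creation fails when the requested keys or acceleration devices are still held by PARTITION_1, or when a platform limit is exceeded. The following pre-flight check is an added example, not F5's code: it parses the text that show fips partitions prints and tests a planned set-partition request against the limits this chapter states (keys 1 to 1000000, accel-devs 1 to 63, at most 32 acceleration devices and 24 partitions on r5000-DF, 63 and 32 on r10000-DF, names of 1 to 15 characters, the last taken from the webUI section). Two assumptions are made: the column order is read off the sample output above (NAME, NAME, OCCUPIED KEYS, ACCEL DEVS, BACKUP, FIPS ID, STATE, SESSION KEYS, SESSION COUNT, PCI ADDRESS), and the HSM's whole key pool is the OCCUPIED KEYS value that PARTITION_1 shows right after initialization, since the chapter says all resources are assigned to it at that point.

```python
"""Pre-flight check for creating a FIPS partition with `fips set-partition`.

Added example (not F5's code). It parses the text that `show fips partitions`
prints and checks a planned partition against the limits the manual states:
keys 1..1000000, accel-devs 1..63, at most 32 acceleration devices and 24
partitions on r5000-DF, 63 and 32 on r10000-DF, partition names 1..15
characters. Assumptions: the column order NAME, NAME, OCCUPIED KEYS, ACCEL
DEVS, BACKUP, FIPS ID, STATE, SESSION KEYS, SESSION COUNT, PCI ADDRESS (read
off the manual's sample), and that the HSM's whole key pool is the OCCUPIED
KEYS value PARTITION_1 shows right after initialization.
"""
from __future__ import annotations

from dataclasses import dataclass

# Platform limits quoted in the manual.
PLATFORM_LIMITS = {
    "r5000-DF": {"accel_devs": 32, "partitions": 24},
    "r10000-DF": {"accel_devs": 63, "partitions": 32},
}
KEY_RANGE = (1, 1_000_000)   # per-partition key count accepted by set-partition
ACCEL_RANGE = (1, 63)        # per-partition accel-devs accepted by set-partition
NAME_LEN = (1, 15)           # partition name length

# Constructed sample, modelled on the manual's output after PARTITION_1 was
# resized to 1 acceleration device and 10 keys (displayed as 20).
SAMPLE_OUTPUT = """\
appliance-1# show fips partitions
                          OCCUPIED  ACCEL            FIPS         SESSION  SESSION  PCI
NAME         NAME         KEYS      DEVS   BACKUP    ID    STATE  KEYS     COUNT    ADDRESS
-----------------------------------------------------------------------------------------
PARTITION_1  PARTITION_1  20        1      disabled  -     255    0        10       ca:10.0
"""


@dataclass
class Partition:
    name: str
    keys: int
    accel_devs: int
    backup: bool


def parse_partitions(text: str) -> list[Partition]:
    """Return one Partition per data row; the prompt, header and rule lines are skipped."""
    rows = []
    for line in text.splitlines():
        fields = line.split()
        # A data row repeats the partition name in the first two columns and
        # has a numeric key count in the third; the header row has KEYS there.
        if len(fields) >= 5 and fields[0] == fields[1] and fields[2].isdigit():
            rows.append(Partition(fields[0], int(fields[2]), int(fields[3]),
                                  fields[4] == "enabled"))
    return rows


def check_new_partition(existing: list[Partition], name: str, keys: int,
                        accel_devs: int, platform: str, total_keys: int) -> list[str]:
    """List every reason a `fips set-partition` for a new partition would not fit.

    `total_keys` is the key pool of the whole HSM (what PARTITION_1 showed right
    after initialization); the accel-device pool is the platform limit.
    An empty list means the request is consistent with the manual's limits.
    """
    limits = PLATFORM_LIMITS[platform]
    max_devs = min(ACCEL_RANGE[1], limits["accel_devs"])
    problems = []
    if not NAME_LEN[0] <= len(name) <= NAME_LEN[1]:
        problems.append(f"name must be {NAME_LEN[0]}-{NAME_LEN[1]} characters")
    if any(p.name == name for p in existing):
        problems.append(f"{name} already exists; resize it instead of creating it")
    if not KEY_RANGE[0] <= keys <= KEY_RANGE[1]:
        problems.append(f"keys must be in {KEY_RANGE[0]}..{KEY_RANGE[1]}")
    if not ACCEL_RANGE[0] <= accel_devs <= max_devs:
        problems.append(f"accel-devs must be in {ACCEL_RANGE[0]}..{max_devs} on {platform}")
    if len(existing) + 1 > limits["partitions"]:
        problems.append(f"{platform} supports at most {limits['partitions']} partitions")
    # Resources still held by other partitions are not available until they
    # are deallocated (the manual has you resize PARTITION_1 first).
    free_keys = total_keys - sum(p.keys for p in existing)
    free_devs = limits["accel_devs"] - sum(p.accel_devs for p in existing)
    if keys > free_keys:
        problems.append(f"only {free_keys} keys free; deallocate keys from PARTITION_1 first")
    if accel_devs > free_devs:
        problems.append(f"only {free_devs} accel devices free; deallocate accel-devs from PARTITION_1 first")
    return problems


if __name__ == "__main__":
    current = parse_partitions(SAMPLE_OUTPUT)
    # The manual's PARTITION_2 request: 12 accel devices, 128 keys, on an r10000-DF.
    print(check_new_partition(current, "PARTITION_2", 128, 12, "r10000-DF", total_keys=10075))
```

Run it against a pasted copy of your own show fips partitions output and the pool values recorded right after fips hsm force-init; an empty result means the request matches the limits in this chapter, while each string in a non-empty result names the resource that still has to be deallocated from PARTITION_1 or the limit that was exceeded.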
Create a tenant with a FIPS partition from the CLI

After you create a FIPS partition, you can create a tenant and assign the FIPS partition to it from the CLI.

F5 rSeries FIPS platforms support only tenants running BIG-IP software version 17.1.0.1 or later.

- Log in to the command line interface (CLI) of the system using an account with admin access. When you log in to the system, you are in user (operational) mode.
- Change to config mode.

      config

  The CLI prompt changes to include (config).
- Create and deploy a tenant that uses a FIPS partition.

      tenants tenant <name> config type BIG-IP image <filename>.bundle fips-partition <partition-name> cryptos enabled vcpu-cores-per-node <cores> nodes <node> mgmt-ip <ip-address> prefix-length <prefix> gateway <ip-address> memory <memory> running-state deployed vlans <vlan-ids>

  This example creates a BIG-IP tenant called big-ip that uses a FIPS partition named PARTITION_2:

      appliance-1(config)# tenants tenant big-ip config type BIG-IP image BIGIP-17.1.0.1-0.0.0.ALL-F5OS.qcow2.zip.bundle fips-partition PARTITION_2 cryptos enabled vcpu-cores-per-node 6 nodes 1 mgmt-ip 192.0.2.42 prefix-length 24 gateway 192.0.2.254 memory 22016 running-state deployed vlans 11
After you deploy the tenant, you initialize the FIPS partition from the tenant CLI.
Initialize the HSM partition in F5OS tenants from the CLI

You must initialize the hardware security module (HSM) partition assigned to a tenant before you can use it.

You can initialize the HSM and create the security domain before you license the system and create a traffic management configuration.

- Log in to the command line interface (CLI) of the tenant using an account with admin access.
- Open the TMOS Shell (tmsh).

      tmsh

- Initialize the HSM and set a security officer (SO) password.

      run util fips-util init

  Running this command deletes all keys in the HSM and makes any previously exported keys unusable. The initialization process begins and takes a few minutes to complete. When prompted, type the Security Officer (SO) password. You cannot use the keyword "default" as the SO password. F5 recommends that you choose a strong value for the SO password.

  If this text displays in the message below, you need to first delete all keys from the device before running the command:

      There are keys stored in the FIPS device
      Delete all keys from the device before re-initializing it.

  You can use the -f option to force initialization, which deletes all user-generated keys (util fips-util -f init).

      WARNING: This erases all keys from the FIPS 140 device.
      Any configuration objects dependent on FIPS keys will cause the configuration fail to load.
      ==================== WARNING ================================
      The FIPS device will be reset to factory default state.
      All keys and user identities currently stored in the device will be erased.
      Any configuration objects dependent on FIPS keys will cause the configuration fail to load.
      Press <ENTER> to continue or Ctrl-C to cancel
      Resetting the device ...
      The FIPS device is now in factory default state.
      Enter new Security Officer password (min. 7, max. 14 characters):
      Re-enter Security Officer password:

- When this message displays, type a security domain label.

      NOTE: security domain label must be identical on peer FIPS devices in order to be able to synchronize with them.
      Enter security domain label (max. 49 chars, default: F5FIPS):

  Be sure to keep the security domain label and password in a secure location. You need the domain label and password when you initialize the HSM on a peer unit. You can use the same password or choose a new one. This information is also required when replacing a unit (for RMA or other reasons). Since keys are synchronized from the working unit to a new unit, the domain label and password are required.

      Initializing new security domain (F5FIPS)...
      Creating crypto user and crypto officer identities
      Waiting for the device to re-initialize ...
      Creating key encryption key (KEK)
      The FIPS device has been initialized.

- Enable the HSM device using one of these options:
  - Reboot the unit.
  - Restart all services:

        restart sys service all

    Restarting services disrupts load-balanced traffic and might terminate remote login sessions to the system.
View HSM information in the CLI

You can view information about the embedded hardware security module (HSM) on F5 r5000-DF/r10000-DF FIPS systems from the CLI.

If the State is 2, the HSM is initialized. If the State is -1, the HSM is not initialized.

- Log in to the command line interface (CLI) of the system using an account with admin access. When you log in to the system, you are in user (operational) mode.
- View information about the HSM.

      show fips status

  A summary similar to this example displays:

      appliance-1# show fips status
      fips status last-updated "Tue Nov 15 18:50:02 2022\n"
      fips status state 2
      fips status desc "FIPS mode with single factor authentication"
      fips status label cavium
      fips status model "NITROX-III CNN35XX-NFBE"
      fips status part-number CNN3560-NFBE-3.0-G
      fips status serial-number 6.0G2139-VPM006082
      fips status firmware-major-version 8
      fips status firmware-minor-version 2
      fips status hw-major-version 54
      fips status hw-minor-version 48
      fips status build-number 11-25
      fips status firmware-id CNN35XX-NFBE-FW-2.08-11-25
      fips status temperature "53 C"
      fips status wear-leveling DEVICE_STATUS_OK
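When the status is collected regularly (for example by a monitoring job that runs show fips status over SSH), the key/value lines are easier to act on once parsed. The following is an added example, not F5's code: it turns the output shown above into a dictionary and applies the rule this section states (state 2 is initialized, state -1 is not). The temperature and wear-leveling checks in hsm_summary are this example's own reading of the fields in the sample, and SAMPLE_STATUS is constructed from that sample.

```python
"""Interpret the output of `show fips status` on an F5OS rSeries FIPS platform.

Added example (not F5's code). The manual states that state 2 means the HSM
is initialized and state -1 means it is not; the remaining fields are read
as they appear in the manual's sample. SAMPLE_STATUS is constructed from that
sample, and the `hsm_summary` health fields are this example's own choice.
"""
from __future__ import annotations

import re

SAMPLE_STATUS = r'''appliance-1# show fips status
fips status last-updated "Tue Nov 15 18:50:02 2022\n"
fips status state 2
fips status desc "FIPS mode with single factor authentication"
fips status label cavium
fips status model "NITROX-III CNN35XX-NFBE"
fips status part-number CNN3560-NFBE-3.0-G
fips status serial-number 6.0G2139-VPM006082
fips status firmware-major-version 8
fips status firmware-minor-version 2
fips status hw-major-version 54
fips status hw-minor-version 48
fips status build-number 11-25
fips status firmware-id CNN35XX-NFBE-FW-2.08-11-25
fips status temperature "53 C"
fips status wear-leveling DEVICE_STATUS_OK
'''

# Meaning of the state field, as documented in the manual.
STATE_MEANING = {2: "initialized", -1: "not initialized"}

# `fips status <key> <value>`, where the value is either a double-quoted string
# (may contain spaces and a literal \n) or a single bare token.
_LINE = re.compile(r'^fips status (\S+) (?:"(.*)"|(\S+))$')


def parse_status(text: str) -> dict[str, str]:
    """Map each `fips status <key> <value>` line to key -> value.

    Quotes are removed and the escaped newline the CLI prints in
    last-updated is dropped, so values are plain strings.
    """
    status = {}
    for line in text.splitlines():
        m = _LINE.match(line.strip())
        if not m:
            continue  # prompt line or anything else that is not a status field
        key, quoted, bare = m.groups()
        value = quoted if quoted is not None else bare
        status[key] = value.replace("\\n", "").strip()
    return status


def hsm_summary(status: dict[str, str]) -> dict:
    """Reduce the parsed fields to what an operator checks first.

    `initialized` follows the manual (state 2); `wear_leveling_ok` and
    `temperature_c` are derived from the fields shown in the sample.
    A missing state is treated as -1 (not initialized).
    """
    state = int(status.get("state", "-1"))
    temp = re.match(r"(-?\d+)\s*C", status.get("temperature", ""))
    return {
        "state": state,
        "initialized": state == 2,
        "state_text": STATE_MEANING.get(state, f"unknown state {state}"),
        "firmware": f"{status.get('firmware-major-version', '?')}."
                    f"{status.get('firmware-minor-version', '?')}",
        "temperature_c": int(temp.group(1)) if temp else None,
        "wear_leveling_ok": status.get("wear-leveling") == "DEVICE_STATUS_OK",
    }


if __name__ == "__main__":
    print(hsm_summary(parse_status(SAMPLE_STATUS)))
```

A status that parses with initialized false on a platform that was already initialized, or a wear-leveling value other than DEVICE_STATUS_OK, is worth an alert; both are cheap to check from the returned dictionary.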
HSM management from the webUI

You can manage the hardware security module (HSM) and FIPS partitions from the F5OS webUI.

Display HSM information from the webUI

The HSM Details screen lists read-only information about the embedded hardware security module (HSM) on F5 r5000-DF/r10000-DF FIPS systems. This screen shows information such as state, part/serial numbers, firmware/hardware versions, build number, temperature, and wear leveling.

If the State is 2, the HSM is initialized. If the State is -1, the HSM is not initialized.
- Log in to the webUI using an account with admin access.
- On the left, click.
Configure the default FIPS partition from the webUI

The FIPS Partitions screen lists FIPS partitions on the embedded hardware security module (HSM). If the HSM is newly initialized, the FIPS Partitions screen lists only the default partition (PARTITION_1). If the HSM needs to be initialized, no FIPS partitions are listed. For more information on initializing the HSM, see Initialize the HSM in F5 r5000/r10000 platforms.

After initializing the HSM, all resources (keys and acceleration devices) are assigned to a single default FIPS partition (PARTITION_1). Before you can create a new FIPS partition from the webUI, you must first deallocate resources from the default partition so they can be assigned to a new partition.

- Log in to the webUI using an account with admin access.
- On the left, click.
- Click the default partition name (PARTITION_1). The Edit FIPS Partition screen displays.
- For Keys, enter the maximum number of keys the FIPS partition can hold. The range is from 1 to 1000000.
- For Accel Devs, enter the maximum number of acceleration devices used for the FIPS partition. The range is from 1 to 63. F5 r5000-DF platforms support up to 32 acceleration devices, and F5 r10000-DF platforms support up to 63 acceleration devices.
- For Backup, select whether to enable or disable backup for the FIPS partition. If you plan to migrate keys from an iSeries FIPS platform and restore to this FIPS partition on your rSeries FIPS platform, be sure to select Enabled.
- Click Save & Close.

Next, you can create a new custom FIPS partition.
Add FIPS partitions from the webUI

Before you can add a new FIPS partition from the webUI, you must have already deallocated resources from the default partition so they can be assigned to any new partitions.

The FIPS Partitions screen enables you to manage FIPS partitions on the embedded hardware security module (HSM). If the HSM is newly initialized, the FIPS Partitions screen lists only the default partition (PARTITION_1). You can add a new FIPS partition from the webUI.

F5 r5000-DF platforms support up to 24 FIPS partitions, and F5 r10000-DF platforms support up to 32 FIPS partitions.

- Log in to the webUI using an account with admin access.
- On the left, click.
- For Name, enter a name for the FIPS partition. The minimum length is 1 character, and the maximum length is 15 characters.
- For Keys, enter the maximum number of keys the FIPS partition can hold. The range is from 1 to 1000000.
- For Accel Devs, enter the maximum number of acceleration devices used for the FIPS partition. The range is from 1 to 63. F5 r5000-DF platforms support up to 32 acceleration devices, and F5 r10000-DF platforms support up to 63 acceleration devices.
- For Backup, select whether to enable or disable backup for the FIPS partition. If you plan to migrate keys from an iSeries FIPS platform and restore to this FIPS partition on your rSeries FIPS platform, be sure to select Enabled.
- Click Save & Close.

Next, you can create a tenant that uses the new FIPS partition and initialize the HSM partition in the tenant. For more information, see Create a tenant with a FIPS partition from the CLI and Initialize the HSM partition in F5OS tenants from the CLI.

F5 rSeries FIPS platforms support only tenants running BIG-IP software version 17.1.0.1 or later.