Manual Chapter : FIPS

Applies To:

  • F5OS-A 1.8.4

FIPS

You can access FIPS settings from the CLI. These settings are available only on platforms (F5 r5000-DF and r10000-DF) with an embedded hardware security module (HSM).

For more comprehensive information on configuring FIPS platforms, see F5 Platforms: FIPS Administration at my.f5.com.

You can manage the hardware security module (HSM) and FIPS partitions from the CLI.

The hardware security module (HSM) installed in your F5 r5000/r10000 FIPS platform is uninitialized by default. You must initialize the HSM before you can use it. This is typically a one-time operation.

  1. Log in to the command line interface (CLI) of the system using an account with admin access.

    When you log in to the system, you are in user (operational) mode.

  2. Initialize the HSM and set a security officer (SO) password.

    Important: Forcing the initialization deletes all keys in the HSM and makes any previously exported keys unusable.

    fips hsm force-init

    When prompted, type an SO password. You cannot use the keyword default as the SO password.

    Note: F5 recommends that you choose a strong value for the SO password and keep it in a secure location.

    Value for 'new-so-password' (<string, min: 7 chars, max: 30 chars>): ********
    Value for 'confirm-new-so-password' (<string, min: 7 chars, max: 30 chars>): ********

    The initialization process begins and might take a few minutes to complete.

    Initialization is complete when this message displays:

    result The FIPS device has been initialized.

After you complete the initialization, you create a FIPS partition.

After initializing the HSM, these resources are assigned to a single default FIPS partition called PARTITION_1 (also called a virtual HSM):

  • Number of keys that the FIPS partition can hold.

    The range for r5920-DF is from 1 to 25475 and for r10920-DF is from 1 to 102235.

  • Number of acceleration devices (or acceleration cores) for the FIPS partition. The range is from 1 to 63. F5 r5000-DF platforms support up to 32 acceleration devices, and F5 r10000-DF platforms support up to 63 acceleration devices.

Before you can create a new FIPS partition from the CLI, you must first deallocate resources from the default partition so that they can be assigned to any new partitions.

Note: F5 r5000-DF platforms support up to 24 FIPS partitions, and F5 r10000-DF platforms support up to 32 FIPS partitions.

  1. Log in to the command line interface (CLI) of the system using an account with admin access.

    When you log in to the system, you are in user (operational) mode.

  2. View information about the default FIPS partition.

    show fips partitions

    A summary similar to this example displays:

    appliance-1# show fips partitions
                                                    OCCUPIED
                        ACCEL                FIPS   SESSION   SESSION  PCI
    NAME         KEYS   DEVS   BACKUP    ID  STATE  KEYS      COUNT    ADDRESS
    -----------------------------------------------------------------------------------------
    PARTITION_1  10075  63     disabled  -   -1    0         10       ca:10.0
  3. Change to config mode.

    config

    The CLI prompt changes to include (config).

  4. Resize the default partition.

    fips set-partition name <fips-partition> accel-devs <quantity> keys <quantity> backup { enabled | disabled }

    This example changes PARTITION_1 to use one acceleration device and hold 10 keys:

    appliance-1(config)# fips set-partition name PARTITION_1 accel-devs 1 keys 10
    Value for 'so-password' (<string, min 7 chars, max 30 chars>): ***********
    result fips partition PARTITION_1 has been resized
  5. Create a new FIPS partition.

    fips set-partition name <fips-partition> accel-devs <quantity> keys <quantity> backup { enabled | disabled }

    Note: If you plan to migrate keys from an iSeries FIPS platform and restore to this FIPS partition on your rSeries FIPS platform, be sure to set the backup option to enabled.

    This example creates PARTITION_2:

    appliance-1(config)# fips set-partition name PARTITION_2 accel-devs 12 keys 128
      backup enabled 
    Value for 'so-password' (<string, min 7 chars, max 30 chars>): ***********
    result fips partition PARTITION_2 has been created
  6. Return to user (operational) mode.

    end

  7. Verify the FIPS partition information.

    show fips partitions

    A summary similar to this example displays:

    Note: After the host FIPS partition is created, its FIPS state remains -1 until the tenant is established and the tenant FIPS environment is fully initialized. After that initialization, the host FIPS partition displays FIPS state 2. For more information on initializing the FIPS environment, see Initialize the HSM partition in F5OS tenants from the CLI.

    appliance-1# show fips partitions
                                                              OCCUPIED
                        ACCEL                FIPS   SESSION   SESSION   PCI
    NAME         KEYS   DEVS   BACKUP    ID  STATE  KEYS      COUNT     ADDRESS
    -----------------------------------------------------------------------------------------
    PARTITION_1  10       1    enabled   -   -1      0         10       ca:10.0
    PARTITION_2  128     12    enabled   -   -1      -         -        ca:10.2
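    As an added check (not F5's own tooling) for a layout like the one above: the script below parses pasted `show fips partitions` output and flags allocations that exceed the limits this chapter gives for r5000-DF and r10000-DF, plus partitions still at FIPS state -1. The limits and the sample output are taken from this chapter; treating acceleration devices as one pool shared by all partitions is an assumption.

```python
"""Sanity-check a FIPS partition layout from pasted `show fips partitions` output.
Added example, not F5 tooling: limits are those this chapter states for r5000-DF and
r10000-DF, and SAMPLE_OUTPUT is constructed from the chapter's own example output."""
import re

# Limits quoted in the chapter. Treating accel devices as one pool shared by all
# partitions is an assumption drawn from how the chapter describes resizing PARTITION_1.
PLATFORM_LIMITS = {
    "r5000-DF": {"max_keys": 25475, "max_accel_devs": 32, "max_partitions": 24},
    "r10000-DF": {"max_keys": 102235, "max_accel_devs": 63, "max_partitions": 32},
}

SAMPLE_OUTPUT = """\
appliance-1# show fips partitions
                                                          OCCUPIED
                    ACCEL                FIPS   SESSION   SESSION   PCI
NAME         KEYS   DEVS   BACKUP    ID  STATE  KEYS      COUNT     ADDRESS
-----------------------------------------------------------------------------------------
PARTITION_1  10       1    enabled   -   -1      0         10       ca:10.0
PARTITION_2  128     12    enabled   -   -1      -         -        ca:10.2
"""

def parse_partitions(text):
    """One dict per data row; only data rows have nine columns ending in a PCI address."""
    rows = []
    for line in text.splitlines():
        cols = line.split()
        if len(cols) != 9 or not re.fullmatch(r"[0-9a-f]{2}:[0-9a-f]{2}\.[0-9a-f]", cols[8]):
            continue
        rows.append({"name": cols[0], "keys": int(cols[1]), "accel_devs": int(cols[2]),
                     "backup": cols[3], "state": int(cols[5]), "pci": cols[8]})
    return rows

def check_layout(rows, platform):
    """Findings: over-allocation against platform limits, and partitions still at state -1."""
    lim = PLATFORM_LIMITS[platform]
    findings = []
    if len(rows) > lim["max_partitions"]:
        findings.append(f"{len(rows)} partitions exceeds limit {lim['max_partitions']}")
    accel = sum(r["accel_devs"] for r in rows)
    if accel > lim["max_accel_devs"]:
        findings.append(f"{accel} accel devices exceeds limit {lim['max_accel_devs']}")
    for r in rows:
        if not 1 <= r["keys"] <= lim["max_keys"]:
            findings.append(f"{r['name']}: keys {r['keys']} outside 1..{lim['max_keys']}")
        if r["state"] != 2:  # the chapter: -1 = not initialized, 2 = initialized
            findings.append(f"{r['name']}: FIPS state {r['state']}, tenant HSM not initialized")
    return findings
```

Run `check_layout(parse_partitions(SAMPLE_OUTPUT), "r10000-DF")` to see the two state -1 findings the sample produces before any tenant has initialized its HSM partition.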

After you complete the initialization, you create a tenant that uses the FIPS partition.

After you create a FIPS partition, you can create a tenant and assign the FIPS partition to it from the CLI.

Important: F5 rSeries FIPS platforms support only tenants running BIG-IP software version 17.1.0.1 or later.

  1. Log in to the command line interface (CLI) of the system using an account with admin access.

    When you log in to the system, you are in user (operational) mode.

  2. Change to config mode.

    config

    The CLI prompt changes to include (config).

  3. Create and deploy a tenant that uses a FIPS partition.

    tenants tenant <name> config type BIG-IP image <filename>.bundle fips-partition <partition-name> cryptos enabled vcpu-cores-per-node <cores> nodes <node> mgmt-ip <ip-address> prefix-length <prefix> gateway <ip-address> memory <memory> running-state deployed vlans <vlan-ids>

    This example creates a BIG-IP tenant called big-ip that uses a FIPS partition named PARTITION_2:

    appliance-1(config)# tenants tenant big-ip config type BIG-IP 
      image BIGIP-17.1.0.1-0.0.0.ALL-F5OS.qcow2.zip.bundle fips-partition PARTITION_2 
      cryptos enabled vcpu-cores-per-node 6 nodes 1 mgmt-ip 192.0.2.42 
      prefix-length 24 gateway 192.0.2.254 memory 22016 running-state deployed vlans 11

After you create the tenant, you initialize the FIPS partition from the tenant CLI.

After you create a tenant and assign the FIPS partition, you can view information about the tenant that uses the FIPS partition. This information is available only when the tenant is in the running state.

  1. Log in to the command line interface (CLI) of the system using an account with admin access.

    When you log in to the system, you are in user (operational) mode.

  2. Show the running tenants and their FIPS partitions.

    show tenants tenant state status
    show fips tenants

    A summary similar to this example displays:

    appliance-1# show tenants tenant state status
    NAME  STATUS   
    ---------------
    mbip  Running  
    test  Running  
    
    
    appliance-1# show fips tenants               
                     PCI      
                     DEVICE   
    NAME  PARTITION  ID       
    --------------------------
    test  test       c3:10.4  

You must initialize the hardware security module (HSM) partition assigned to a tenant before you can use it.

Note: You can initialize the HSM and create the security domain before you license the system and create a traffic management configuration.

  1. Log in to the command line interface (CLI) of the tenant using an account with admin access.

    When you log in to the system, you are in user (operational) mode.

  2. Open the TMOS Shell (tmsh).

    tmsh

  3. Initialize the HSM and set a security officer (SO) password.

    run util fips-util init

    Important: Running this command deletes all keys in the HSM and makes any previously exported keys unusable.

    Note: The initialization process takes a few minutes to complete.

    The initialization process begins. When prompted, type the Security Officer (SO) password. You cannot use the keyword default as the SO password.

    Note: F5 recommends that you choose a strong value for the SO password.

    Warning: If the message below contains the text "There are keys stored in the FIPS device. Delete all keys from the device before re-initializing it.", you must first delete all keys from the device before running the command. You can use the -f option to force initialization, which deletes all user-generated keys (util fips-util -f init).

    WARNING: This erases all keys from the FIPS 140 device.
    Any configuration objects dependent on FIPS keys will cause
    the configuration fail to load.
    
    
    ==================== WARNING ================================
    The FIPS device will be reset to factory default state.
    All keys and user identities currently stored in the device
    will be erased.
    Any configuration objects dependent on FIPS keys will cause
    the configuration fail to load.
    
    
    Press <ENTER> to continue or Ctrl-C to cancel
    
    
    Resetting the device ...
    
    
    The FIPS device is now in factory default state.
    Enter new Security Officer password (min. 7, max. 14 characters):
    Re-enter Security Officer password:
  4. When this message displays, type a security domain label.

    NOTE: security domain label must be identical on peer
    FIPS devices in order to be able to synchronize with them.
    Enter security domain label (max. 49 chars, default: F5FIPS):

    Be sure to keep the security domain label and password in a secure location. You need the domain label and password when you initialize the HSM on a peer unit. You can use the same password or choose a new one. This information is also required when replacing a unit (for RMA or other reasons). Since keys are synchronized from the working unit to a new unit, the domain label and password are required.

    Initializing new security domain (F5FIPS)...
    Creating crypto user and crypto officer identities
    Waiting for the device to re-initialize ...
    Creating key encryption key (KEK)
    The FIPS device has been initialized.
  5. Enable the HSM device using one of these options:

    • Reboot the unit.

    • Restart all services: restart sys service all.

      Note: Restarting services disrupts load-balanced traffic and might terminate remote login sessions to the system.

You can view information about the embedded hardware security module (HSM) on F5 r5000-DF/r10000-DF FIPS systems from the CLI.

Note: If the State is 2, the HSM is initialized. If the State is -1, the HSM is not initialized.

  1. Log in to the command line interface (CLI) of the system using an account with admin access.

    When you log in to the system, you are in user (operational) mode.

  2. View information about the HSM.

    show fips status

    A summary similar to this example displays.

    appliance-1# show fips status
    fips status last-updated "Tue Nov 15 18:50:02 2022\n"
    fips status state      2
    fips status desc       "FIPS mode with single factor authentication"
    fips status label      cavium
    fips status model      "NITROX-III CNN35XX-NFBE"
    fips status part-number CNN3560-NFBE-3.0-G
    fips status serial-number 6.0G2139-VPM006082
    fips status firmware-major-version 8
    fips status firmware-minor-version 2
    fips status hw-major-version 54
    fips status hw-minor-version 48
    fips status build-number 11-25
    fips status firmware-id CNN35XX-NFBE-FW-2.08-11-25
    fips status temperature "53 C"
    fips status wear-leveling DEVICE_STATUS_OK

You can manage the hardware security module (HSM) and FIPS partitions from the F5OS webUI.

The HSM Details screen lists read-only information about the embedded hardware security module (HSM) on F5 r5000-DF/r10000-DF FIPS systems. This screen shows information such as state, part/serial numbers, firmware/hardware versions, build number, temperature, and wear leveling.

Note: If the State is 2, the HSM is initialized. If the State is -1, the HSM is not initialized.

  1. Log in to the webUI using an account with admin access.

  2. On the left, click FIPS > HSM Details.

The FIPS Partitions screen lists FIPS partitions on the embedded hardware security module (HSM). If the HSM is newly initialized, the FIPS Partitions screen lists only the default partition (PARTITION_1). If the HSM needs to be initialized, no FIPS partitions are listed. For more information on initializing the HSM, see Initialize the HSM in F5 r5000/r10000 platforms.

After initializing the HSM, all resources (keys and acceleration devices) are assigned to a single default FIPS partition (PARTITION_1). Before you can create a new FIPS partition from the webUI, you must first deallocate resources from the default partition so they can be assigned to a new partition.

  1. Log in to the webUI using an account with admin access.

  2. On the left, click FIPS > FIPS Partitions.

  3. Click the default partition name (PARTITION_1).

    The Edit FIPS Partition screen displays.

  4. For Keys, enter the maximum number of keys the FIPS partition can hold.

    The range for r5920-DF is from 1 to 25475 and for r10920-DF is from 1 to 102235.

  5. For Accel Devs, enter the maximum number of acceleration devices used for the FIPS partition.

    The range is from 1 to 63. F5 r5000-DF platforms support up to 32 acceleration devices, and F5 r10000-DF platforms support up to 63 acceleration devices.

  6. For Backup, select whether to enable or disable backup for the FIPS partition.

    Note: If you plan to migrate keys from an iSeries FIPS platform and restore to this FIPS partition on your rSeries FIPS platform, be sure to select Enabled.

  7. Click Save & Close.

Next, you can create a new custom FIPS partition.

Before you can add a new FIPS partition from the webUI, you must have already deallocated resources from the default partition so they can be assigned to any new partitions.

The FIPS Partitions screen enables you to manage FIPS partitions on the embedded hardware security module (HSM). If the HSM is newly initialized, the FIPS Partitions screen lists only the default partition (PARTITION_1). You can add a new FIPS partition from the webUI.

Note: F5 r5000-DF platforms support up to 24 FIPS partitions, and F5 r10000-DF platforms support up to 32 FIPS partitions.

  1. Log in to the webUI using an account with admin access.

  2. On the left, click FIPS > FIPS Partitions.

  3. For Name, enter a name for the FIPS partition.

    The minimum length is 1 character, and the maximum length is 15 characters.

  4. For Keys, enter the maximum number of keys the FIPS partition can hold.

    The range for r5920-DF is from 1 to 25475 and for r10920-DF is from 1 to 102235.

  5. For Accel Devs, enter the maximum number of acceleration devices used for the FIPS partition.

    The range is from 1 to 63. F5 r5000-DF platforms support up to 32 acceleration devices, and F5 r10000-DF platforms support up to 63 acceleration devices.

  6. For Backup, select whether to enable or disable backup for the FIPS partition.

    Note: If you plan to migrate keys from an iSeries FIPS platform and restore to this FIPS partition on your rSeries FIPS platform, be sure to select Enabled.

  7. Click Save & Close.

Next, you can create a tenant that uses the new FIPS partition and initialize the HSM partition in the tenant. For more information, see Create a tenant with a FIPS partition from the CLI.

Important: F5 rSeries FIPS platforms support only tenants running BIG-IP software version 17.1.0.1 or later.