Manual Chapter : 520/540 Platform Guide: Configuring the FIPS 140 Hardware

Applies To:

Show Versions Show Versions

BIG-IP versions 1.x - 4.x

  • 4.6.4, 4.6.3, 4.6.2, 4.6.1, 4.6.0, 4.5 PTF-08, 4.5 PTF-07, 4.5 PTF-06, 4.5 PTF-05, 4.5 PTF-04, 4.5 PTF-03, 4.5 PTF-02, 4.5 PTF-01, 4.5.14, 4.5.13, 4.5.12, 4.5.11, 4.5.10, 4.5.9, 4.5.0

3-DNS Controller versions 1.x - 4.x

  • 4.6.4, 4.6.3, 4.6.2, 4.6.1, 4.6.0, 4.5 PTF-08, 4.5 PTF-07, 4.5 PTF-06, 4.5 PTF-05, 4.5 PTF-04, 4.5 PTF-03, 4.5 PTF-02, 4.5 PTF-01, 4.5.14, 4.5.13, 4.5.12, 4.5.11, 4.5.10, 4.5.9, 4.5.0

Link Controller

  • 4.6.4, 4.6.3, 4.6.2, 4.6.1, 4.6.0, 4.5 PTF-08, 4.5 PTF-07, 4.5 PTF-06, 4.5 PTF-05, 4.5 PTF-04, 4.5 PTF-03, 4.5 PTF-02, 4.5 PTF-01, 4.5.14, 4.5.13, 4.5.12, 4.5.11, 4.5.10, 4.5.9, 4.5.0
Manual Chapter

2

Configuring the FIPS 140 Hardware


Introducing FIPS 140 hardware security module support

The 520/540 platform, with BIG-IP software installed, supports a hardware security module (HSM) that is certified at the Federal Information Processing Standards (FIPS) 140-1 level 3. The FIPS standard is a set of requirements designed to facilitate the construction, and measure the security of cryptographic modules, and define methods for protecting cryptographic keys from unauthorized access. Typically, the cryptographic keys are generated inside the FIPS 140 certified hardware security module (HSM), and never leave except when in encrypted form.

With this HSM installed, you can encrypt private keys on the 520/540 platform with a 3-DES key that resides only on the FIPS 140 module. The 3-DES key is further encrypted with a key spread across one to five smart cards.

In order to configure FIPS 140 hardware support, you need to complete the following tasks:

  • Initialize the FIPS 140 hardware and set up the security world.
  • Generate keys using genkey and genconf utilities.
  • Configure the SSL Accelerator.

Note


All BIG-IP products except the BIG-IP LoadBalancer, BIG-IP FireGuard Controller, and the BIG-IP Cache Controller support this configuration.

The following sections in this chapter provide the information to configure FIPS 140 hardware support in various scenarios.

Initializing the FIPS 140 hardware security module and creating the security world

After you install the 520/540 platform in the network and run the Setup utility, you can initialize the FIPS 140 hardware security module (HSM). This is how you prepare the HSM for the security world. The security world is the environment you create for secure life-cycle management of keys based on nCipher technology. To create the security world, you run various utilities from the command line on the 520/540 platform. You can initialize the HSM and set up the security world in a number of different situations:

  • On a single unit or primary unit of a redundant system
  • On a redundant system with one HSM in each 520/540 platform (only required if you have a redundant system)
  • On a single 520/540 platform with two HSMs
  • On a single or redundant system, adding another HSM to an existing security world

Note


You will need a paper clip or ballpoint pen and at least two of the smart cards provided with the security module (three are recommended) before you begin the initialization process.

Creating the security world on a single unit or the primary unit of a redundant system

This section describes how to create the security world on a single unit or the primary unit of a redundant system.

To create the security world on a single unit or the primary unit of a redundant system
  1. Locate the switch labeled M-O-I on the FIPS 140 card at the back of the controller (see Figure 2.1 ). Then using a paper clip or your finger tip, move the switch to the I position.
  2. With a ballpoint pen tip, gently push the reset button (Figure 2.2 ).
    If you have done this correctly, the LED blinks quickly for a moment and then blinks slowly again.
  3. Type the following command to start the sw-init utility:

    sw-init

    Figure 2.3 is an example session of the sw-init utility.

  4. When the sw-init utility prompts you for the Administrator Cards, we recommend that you type 2 for the total number, and 1 for the required number. This creates a cardset that requires only one card to be present for card or module management, but also provides the other card as a backup of the first.

    Figure 2.4 demonstrates the proper orientation of the smart card before you insert it into the card reader.

    For more information about card sets, please refer to the nCipher manual, Key management user guide, Chapter 6: Managing cards. This manual is included on the Software and Documentation CD.

  5. Move the M-O-I switch to O (Figure 2.1 ) and, with the paperclip, press the reset button (Figure 2.2 )
  6. Generate keys by running genconf and then genkey. For detailed information, see Using the key utilities to generate keys .
  7. After you generate the keys, your next task depends on what type of system you are configuring:

Figure 2.1 This figure shows the M-O-I switch on the FIPS 140 security module

Figure 2.2 The reset button on the FIPS 140 security module



Figure 2.3 Example of a security world initialization session with the sw-init utility


# sw-init
Key management data not yet set up (at least on this computer).
Modules ready for (re)programming:
Serial no. Firmware version
#1 CBF9-187E-D9ED 1.71.11 built on Mar 21 2001 16:01:57
Please confirm - Initialize new security system and program these module(s) ? yes
How many Administrator Cards in total ? 2
How many Administrator Cards will be required ? 1
Enable future key recovery using administrator cards ?
(This cannot be enabled retrospectively. Answering `no' may require you
to discard your keys when you upgrade the support software, or if cards
or pass phrases are lost. Consult the manual for full documentation.)
Enable recovery ? [yes] yes
Using module #1.
Please insert new administrator card #1 in module #1. [enter]
Now, please enter new pass phrase for this card: ****** [enter]
Initialization of security system on module #1 complete.
Initialization complete.
 

Figure 2.4 The proper way to insert a smart card in the card reader

Configuring the security world on the second unit in a redundant system

The second unit in the redundant system must be brought into the same security world as your primary unit. This is a simple process, but one that must be done after you run the Setup utility and synchronize the configurations of the units in the redundant system. This means that both 520/540 platforms in the redundant system must be synchronized in order to synchronize the SSL keys. This section describes how to synchronize the 520/540 redundant system, and how to configure the security world on the second unit in a redundant system.

Note


You must configure the 520/540 redundant system for fail-over for this configuration to function properly. If you have not configured the redundant system, refer to Chapter 13, Configuring a Redundant System , in the BIG-IP Reference Guide.
To synchronize the 520/540 configuration from the command line

Before you configure the security world on the redundant system, synchronize the 520/540 configuration. To synchronize the 520/540 configuration from the command line, type the following command on the primary unit:

b config sync all

To configure the security world on the redundant system

After you synchronize the 520/540 configuration, you need to initialize the HSM and configure the security world on the second unit in the redundant system. You will need a ballpoint pen, or other fine-tipped implement to press the reset button.

Before you start, you need the required number of administrator smart cards from the administrator cardset you created when initializing the security world on the primary unit.

  1. At the back of the second unit in the redundant system, locate the switch labelled M-O-I (Figure 2.1 ). Then using a paper clip or your fingernail, move the switch to the I position.
  2. With the end of the ballpoint pen, gently push the reset button (Figure 2.2 ). If you have done this correctly, the LED blinks quickly for a moment, and then blinks slowly again.
  3. Place your administrator smart card into the card reader attached to the FIPS 140 security module in the redundant unit. Figure 2.4 shows the proper orientation.
  4. At the console of the second unit in the redundant system, run the sw-rest command from /config/bigconfig (See Figure 2.5 for an example session).
  5. Return to the back of the controller. Move the M-O-I switch to O (Figure 2.1 ) and, with the ballpoint pen, press the reset button in the hole above the switch (Figure 2.2 ).

    After you bring the second controller into the security world, you can configure the SSL Accelerator. For more information, see Additional configuration options .



Figure 2.5 An example session with the sw-rest utility


# sw-rest
Key management security system data found.

Modules ready for (re)programming:
Serial no. Firmware version
#1 CBF9-187E-D9ED 1.71.11 built on Mar 21 2001 16:01:57

Please confirm - Program these module(s) into existing KM infrastructure ? yes

Programming module #1. [enter]
Using slot #0, type SmartCard.

Please insert administrator card in module #1. [enter]
Initialisation of module #1 complete.
 

Configuring multiple FIPS 140 hardware security modules in a single 520/540

To achieve a faster transaction per second (TPS) rate in a controller, you can install two hardware security modules (HSMs). You may do this in two ways:

  • Install two security modules and create the security world at the same time.
  • Add a second security module to and existing security world.

Installing two security modules and creating the security world at the same time

This section describes how to install two security modules and create the security world at the same time in a single 520/540. This procedure assumes that you have not established a security world.

Note


Connect a card reader to each of the security modules for this configuration.
To install both security modules and create the security world at the same time

To bring two HSMs installed in one 520/540 into the security world, you need a paper clip or other fine-tipped implement and at least two smart cards.

  1. On each HSM, locate the switch labeled M-O-I (Figure 2.1 ). Using a paper clip or your fingernail, move the switch on each HSM to the I position.
  2. On each HSM, gently push the reset button with the tip of the ballpoint pen. If you have done this correctly, the LEDs blink quickly for a moment, and then blink slowly again.
  3. From the console, run the sw-init command. Figure 2.6 is an example session.
  4. When you are prompted for the Administrator Cards, we recommend that you enter the value 2 for the total number, and 1 for the required number. This creates a cardset that requires only one card to be present to do any card or module management, but also provides the other card as a backup. Lock one of the cards away in a secure place (after you complete the configuration).

    The utility prompts you to insert the blank cards into the reader of the first HSM to create the operator card set. Figure 2.4 shows how to orient the card before inserting it in the reader.

    The utility also prompts you to to insert the same cards into the reader attached to the second HSM to bring it into the security world at the same time.

  5. Return to the back of the controller with your pen. On each HSM, move the M-O-I switch to the O position, then, with the pen, press the reset button on both HSMs (Figure 2.2 ).
  6. Generate keys as normal by running genconf and then genkey. For detailed information, see Using the key utilities to generate keys .
  7. After you generate the keys, your next task depends on what type of system you are configuring:



Figure 2.6 A sample session for sw-init for configuring two HSMs in one 520/540


bigip2:~# sw-init
Key management data not yet set up (at least on this computer).
Modules ready for (re)programming:
Serial no. Firmware version
#1 AE63-178B-1234 1.65.8 built on Aug 21 2000 16:52:57
#2 CBF9-187E-5678 1.71.11 built on Mar 21 2001 16:01:57
Please confirm - Initialise new security system and program these module(s) ? yes
How many Administrator Cards in total ? 2
How many Administrator Cards will be required ? 1
Enable future key recovery using administrator cards ?
(This cannot be enabled retrospectively. Answering `no' may require you
to discard your keys when you upgrade the support software, or if cards
or passphrases are lost. Consult the manual for full documentation.)
Enable recovery ? [yes] [enter]
Using module #1.
Please insert new administrator card #1 in module #1. [enter]
Now, please enter new passphrase for this card: *****
Then, please reenter the passphrase for this card: *****
Initialization of security system on module #1 complete.
Programming module #2.
Using slot #0, type SmartCard.
Please insert administrator card in module #2. [enter]
Please enter passphrase for this card: *****
Initialization of module #2 complete.
Initialization complete.
 

Adding a second security module to an existing security world

This section describes how to add an additional hardware security module (HSM) to a 520/540 that already has an HSM and an established security world. Note that these instructions assume you have already installed the HSM in the 520/540. You can use this procedure to add a second HSM to a single 520/540 or to a primary controller in a redundant system. You need a ballpoint pen or other fine-tipped implement to activate the reset button.

To add a second security module to an existing security world

Before you start, gather the smart cards from the administrator card set you created when initializing the security world on the first HSM in the system.

  1. At the back of the system, locate the switch labeled M-O-I (Figure 2.1 ).

    • Then, on the HSM you are adding to the system, move the switch to the I position.
    • Leave the M-O-I switch on the original HSM at the O setting.
  2. On the new HSM, with the end of the ballpoint pen, gently push the reset button (shown in Figure 2.2 ). If you have done this correctly, the LED blinks quickly for a moment and then blinks slowly again.
  3. At the console, run the sw-rest command.
    For an example session with this utility, see Figure 2.7 .
  4. When prompted, insert the administrator card(s) into the card reader attached to the HSM you added to the system. Make sure you insert the card correctly. See Figure 2.4 for details.
  5. Return to the back of the controller. On the HSM you added to the system, move the M-O-I switch to the O position, then press the reset button.
  6. Generate keys as usual by running genconf and then genkey. For detailed information, see Using the key utilities to generate keys .
  7. After you generate the keys, your next task depends on what type of system you are configuring:



Figure 2.7 An example session with the sw-rest utility


# sw-rest
Key management security system data found.
Modules NOT ready for (re)programming:
Serial no. Reason why module not ready
#1 AE63-178B-1234 Initialisation link not fitted
Modules ready for (re)programming:
Serial no. Firmware version
#2 CBF9-187E-5678 1.71.11 built on Mar 21 2001 16:01:57
Please confirm - Program these modules(s) into existing KM infrastructure? yes
Programming module #2.
Using slot #0, type SmartCard.
Please insert administrator card into module #2. [enter] (fig 4)
Please enter passphrase for this card: ****** [enter]
Initialisation of module #2 complete.
 

Using the key utilities to generate keys

To obtain a valid certificate, you must have a private key. If you do not have a key, you can use the genconf and genkey utilities on the 520/540 to generate a key and a temporary certificate. The genkey and gencert utilities automatically generate a request file that you can submit to a certificate authority (CA). If you have a key, you can use the gencert utility to generate a temporary certificate and request file.

These key utilities have specific funtions:

  • genconf
    This utility creates a key configuration file that contains specific information about your organization. The genkey utility uses this information to generate a certificate.
  • genkey
    After you run the genconf utility, run this utility to generate a temporary 10-year certificate for testing the SSL Accelerator on the 520/540. This utility also creates a request file that you can submit to a certificate authority (CA) to obtain a certificate.
  • gencert
    If you already have a key, run this utility to generate a temporary certificate and request file for the SSL Accelerator.

Warning


After you import or generate keys on a redundant system, make sure you synchronize the 520/540 configurations. To synchronize the 520/540 configuration, see To synchronize the 520/540 configuration from the command line .

Generating a key configuration file and a key

If you do not have a key, you can generate a key configuration file using the genconf utility, and use the file to generate a key with the genkey utility. You can also use these utilities to create a new key configuration file.

To generate a key configuration file using the genconf utility

To generate a key and certificate, first run the genconf utility from the command line with the following command:

/usr/local/bin/genconf

The utility prompts you for information about the organization for which you are requesting certification. This information includes:

  • The fully qualified domain name (FQDN) of the server. Note that this FQDN must be RFC1034/1035-compliant, and cannot be more than 63 characters long (this is an x509 limitation).
  • The two-letter ISO code for your country
  • The full name of your state or province
  • The city or town name
  • The name of your organization
  • The division name or organizational unit

Figure 2.8 contains example entries for the server my.server.net.

Figure 2.8 Example entries for the genconf utility


Common Name (full qualified domain name): my.server.net
Country Name (ISO 2 letter code): US
State or Province Name (full name): WASHINGTON
Locality Name (city, town, etc.): SEATTLE
Organization Name (company): MY COMPANY
Organizational Unit Name (division): WEB UNIT
 
To generate a key using the genkey utility

After you run the genconf utility, you can generate a key with the genkey utility. From the command line, type the following command to run the genkey utility:

/usr/local/bin/genkey <server_name>

For the <server_name>, type the FQDN of the server to which the certificate applies. After the utility starts, it prompts you to verify the information created by the genconf utility. After you run this utility, a certificate request form is created in the following directory:

/config/bigconfig/ssl.csr/<fqdn>.csr

The <fqdn> is the fully qualified domain name of the server. Please contact your certificate authority (CA) and follow their instructions for submitting this request form.

In addition to creating a request form that you can submit to a certificate authority, this utility also generates a temporary certificate. The temporary certificate is located in:

/config/bigconfig/ssl.crt/<fqdn>.crt

The <fqdn> is the fully qualified domain name of the server.

Note that you must copy the key and certificate to the other 520/540 in a redundant system.

This temporary certificate is good for ten years, but for an SSL proxy, you should have a valid certificate from your certificate authority (CA).

Warning


Be sure to keep your previous key if you are still undergoing certification. The certificate you receive is valid only with the key that originally generated the request.

Generating a certificate request file and temporary certificate

This section describes how to use the key you generated, or an existing key, to generate a certificate request file and a temporary certificate with the gencert utility.

To generate a certificate with an existing key using the gencert utility

To generate a temporary certificate and request file to submit to the certificate authority with the gencert utility, you must first copy an existing key for a server into the following directory on the 520/540:

/config/bigconfig/ssl.key/

After you copy the key into this directory, type the following command at the command line:

/usr/local/bin/gencert <server_name>

For the <server_name>, type the FQDN of the server to which the certificate applies. After the utility starts, it prompts you for various information. After you run this utility, a certificate request form is created in the following directory:

/config/bigconfig/ssl.crt/<fqdn>.csr

The <fqdn> is the fully qualified domain name of the server. Please contact your certificate authority (CA) and follow their instructions for submitting this request form.

Importing existing public keys and certificates

No additional software is needed to import an existing private key. Change to the /config/bigconfig/ssl.key directory (or the directory that contains the private key you want to import). Identify the key you want to import. It must be in PEM format. From the command line, run the generatekey command with the following command:

generatekey

Warning


After you import or generate keys on a redundant system, make sure you synchronize the 520/540 configuration. To synchronize the 520/540 configuration, see To synchronize the 520/540 configuration from the command line

Figure 2.9 is an example session with the generatekey utility.

Figure 2.9 An example session where the existing key bigip.key is imported using the generatekey utility


bigip:/config/bigconfig/ssl.key# generatekey --import ssleay protect=module
nCipher KM key generation/import utility
Site domain name ? [ ] host.company.com
Key file to import: bigip.key
Recovery feature ? (y/n) [y] y
key generation/import parameter(s):
protect Protected by MODULE
x509dnscommon Site domain name host.company.com
ssleayconvfile Key file to import bigip.key
recovery Recovery feature 1
Importing existing key ...
Key imported into key management system.
 

Warning


From a security standpoint, it is better to generate a new key instead of importing a plain text key which may have already been compromised. To generate a new key, see Using the key utilities to generate keys .

Additional configuration options

After you complete the 520/540 configuration, you have a number of options:

  • After you have initialized the security world and generated keys, you can manage the keys with the Key Management System. For more information about the Key Management System, see the BIG-IP Reference Guide, Chapter 7, Using the Key Management System , under the Authentication section.
  • There are additional SSL Accelerator options you can configure. For more information, see the BIG-IP Reference Guide, Chapter 7, SSL Accelerator Proxies .
  • All configurations have health monitoring options. Refer to the BIG-IP Reference Guide, Chapter 11, Monitors .
  • When you create a pool, there is an option to set up persistence and a choice of load balancing methods. Refer to the BIG-IP Reference Guide, Chapter 4, Pools .