Manual Chapter : Configuring and Maintaining a FIPS Security

Applies To:


FirePass

  • 7.0.0, 6.1.0, 6.0.3

BIG-IP SAM

  • 8.0.0
The 4300 platform includes the option to install a FIPS hardware security module (HSM). The HSM and the BIG-IP® management software provide FIPS-140 level 2 support by leveraging security keys. Keys are cryptographic keys held within the HSM and used to prevent unauthorized access to the system. This level of support provides the following security benefits.
This chapter describes how to configure a redundant system from the factory with one FIPS HSM installed in each unit. To implement a FIPS solution in a BIG-IP® redundant system, you must perform the following tasks:
  • Install the BIG-IP® system and connect a serial console.
  • Run the fipscardsync utility from the console to synchronize the FIPS HSMs.
Some of these tasks are described in other documents. When a section in this document has tasks described in other documents, it contains links or pointers to the related documentation.
The first two tasks that you need to complete when setting up a FIPS configuration on a redundant system are to install the systems and connect a serial console. For details about performing these tasks, refer to the following sections:
The first task in creating a FIPS security domain is to initialize the FIPS HSM and create a security officer (SO) password. The SO password is required to re-initialize the HSM. When you are configuring a redundant system, you need to initialize the security domain on one unit, and then initialize the card on the peer unit using the same security domain name you used on the first unit.
Note: You can initialize the FIPS HSM and create the security domain before you license the system and create a traffic management configuration.
To initialize the first unit in a redundant system and create a security domain, you must use the fipsutil utility. To initialize the HSM and create an SO password, type the following command:
After the utility starts, you are prompted to create a security officer password, and then confirm the password. After you create a password and confirm it, you are prompted for the security domain name. Remember the security domain name you use. You need the domain name when you initialize the HSM on the peer unit. The domain name cannot be extracted or displayed by the software or hardware once you use it.
To initialize the peer unit in the redundant system and add it to the security domain of the first unit, you must use the fipsutil utility. Type the following command:
After the utility starts, you are prompted to create a security officer (SO) password. You can use the SO password that you created on the first unit; however, you are not required to use it.
When you are prompted for the security domain name, you must type the security domain name you created on the first unit.
After you complete the initialization of the HSMs and create a security domain on the redundant system, you need to run the Configuration utility.
The Configuration utility provides the ability to license the system, configure the management interface, configure failover, and create a base network configuration. After you configure failover and run the fipscardsync utility, every time you synchronize the configuration of the redundant system you are synchronizing card and key information for the FIPS security domain. The following section describes how to run the fipscardsync utility.
For details about running the Configuration utility and creating a base network configuration, see the BIG-IP® Quick Start Instructions. These instructions are included in the BIG-IP® Resource Kit shipped with each unit. You can also access these instructions at http://support.f5.com.
After you set up the system with the Configuration utility, you can synchronize the FIPS HSMs with the fipscardsync utility. Synchronizing the HSMs provides the ability to exchange keys. To run the fipscardsync utility, type the following command at the console.
The browser-based Configuration utility provides a key management interface. You can use the Configuration utility to create FIPS keys, convert existing keys to FIPS keys, and import existing keys into the system.
1. On the Main tab of the navigation pane, expand Local Traffic, and click SSL Certificates.
   This opens the SSL Certificates screen, which lists all certificates installed on the Local Traffic Manager system.
2. On the upper-right portion of the screen, click Create.
   The New SSL Certificates screen opens.
3. In the Name box, type a unique name for the certificate.
4. Using the Issuer setting, specify the type of certificate you want to use:
5. Configure the Common Name setting, and any other settings you want.
7. Click Finished.
1. On the Main tab of the navigation pane, expand Local Traffic and click SSL Certificates.
   This opens the SSL Certificates screen, which lists all certificates installed on the Local Traffic Manager system.
2. Click a certificate name.
   This displays the properties of that certificate.
3. If you want to see information about the key that is associated with that certificate, click Key on the menu bar.
   This displays the type and size of the key.
4. To convert the key to a FIPS key, click the Convert to FIPS button.
   The key is converted. Once the key is converted, this process cannot be reversed.
1. On the Main tab of the navigation pane, expand Local Traffic and click SSL Certificates.
   This displays the list of existing certificates.
4.
5. In the Certificate box, type the name of the key.
   You can also click the Browse button, browse for the key, and select it.
6. Click Import.
The first option is to maintain a redundant system. In the event of a failure, the standby unit becomes active and handles the incoming traffic. This chapter describes how to create a redundant system configuration as part of the initial configuration. After you configure failover properly, every time you synchronize the configuration of the redundant system, you are synchronizing card and key information for the security domain.
For additional system backup, you can take a third unit, fully configure it, add it to the security domain, and synchronize the configurations. Remove the unit from the network and store it in a safe location. If the BIG-IP system in production is damaged or destroyed, you can take the backup unit from storage, and reconstitute the security domain.
Another possible method for preserving the keys is not FIPS-approved. With this option, you generate your keys in software. Copy the keys to a disk and put the disk in a secure place. Then you can import the keys into the FIPS HSM. If there is a catastrophic system failure, you can use these backup keys to create the security domain. This is not a FIPS-compliant method for backup.
If one unit of a redundant system fails, the failover unit becomes active and maintains FIPS information. However, after you replace the failed unit in a redundant system, you need to restore FIPS information on the replacement unit.
1. Ensure that the current BIG-IP system software is configured, and install your saved UCS on the new replacement system.
   See the BIG-IP® Network and System Management Guide on http://support.f5.com for information on backup and recovery of a BIG-IP® UCS file.
3. On the new replacement unit, run the fipsutil -f init command. Ensure that you use the exact same security domain name that you specified when you initially set up the currently active unit.
4. On the currently active unit, run the fipscardsync peer command.
   This copies the information in the FIPS module from the currently active unit to the new replacement unit.
   WARNING: Ensure that you run the fipscardsync peer command from the currently active unit. If you run the fipscardsync peer command from the new replacement unit, you will lose the original FIPS information.
5. On the currently active unit, run configsync to copy the full configuration to the replacement system.
   The new replacement system is now ready to function as the failover device in a redundant system configuration.
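The warning in step 4 is the point where a mistake destroys the FIPS information of the surviving unit. As an added example (not part of the F5 manual or product), the following POSIX shell wrapper runs steps 4 and 5 only after the operator states that the unit is the active one, and it only prints the commands unless FIPS_SYNC_EXECUTE=1 is set. The command names fipscardsync peer and configsync are the ones this chapter uses; the role argument and the environment variable are assumptions of the example.

```shell
#!/bin/sh
# Added example, not from the F5 manual: guard steps 4 and 5 of the
# replacement procedure so that "fipscardsync peer" is never run from the
# replacement unit, which would overwrite the original FIPS information.
# Assumptions: the operator passes the unit's failover role ("active" or
# "standby") as the first argument; FIPS_SYNC_EXECUTE=1 runs the commands,
# anything else is a dry run that only prints them.

# Returns 0 when the given role is the active unit, 1 otherwise.
unit_is_active() {
    case "$1" in
        active|ACTIVE) return 0 ;;
        *) return 1 ;;
    esac
}

# Runs the command in execute mode, prints it in dry-run mode.
run_cmd() {
    if [ "${FIPS_SYNC_EXECUTE:-0}" = "1" ]; then
        "$@"
    else
        echo "dry-run: $*"
    fi
}

# sync_fips_to_replacement ROLE
# Step 4 (copy the FIPS module contents to the replacement unit) followed
# by step 5 (copy the full configuration). Refuses unless ROLE is active.
sync_fips_to_replacement() {
    role="$1"
    if ! unit_is_active "$role"; then
        echo "refusing: fipscardsync peer must run on the ACTIVE unit" \
             "(this unit reports role '$role')" >&2
        return 1
    fi
    run_cmd fipscardsync peer || return 1   # step 4
    run_cmd configsync || return 1          # step 5
    return 0
}

# Command-line use: sh this_script.sh active
if [ "$#" -gt 0 ]; then
    sync_fips_to_replacement "$1"
fi
```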