Manual Chapter : Setting Up the Network HSM

Applies To:

Show Versions Show Versions

BIG-IP DNS

  • 14.1.2, 14.1.0

BIG-IP AFM

  • 14.1.2, 14.1.0

BIG-IP ASM

  • 14.1.2, 14.1.0

BIG-IP AAM

  • 14.1.2, 14.1.0

BIG-IP APM

  • 14.1.2, 14.1.0

BIG-IP LTM

  • 14.1.2, 14.1.0
Manual Chapter

Setting Up the Network HSM

Overview: Setting up the Network HSM

F5 BIG-IP LTM 14.1.0 supports two new Network HSM vendors: Amazon CloudHSM and Equinix SmartKey HSM. Both of the two new Network HSMs can be configured by installing the client software from the vendor and configuring it by adding the path to the PKCS #11 library to the BIG-IP configuration. This allows the addition of new Network HSM vendors to occur with greater efficiency. In addition, Network HSM adds support for multiple partitions on a configured HSM and the ability to configure the partitions and define the partition that a key belongs to. Now the configuration of the partition occurs during the install process.

In support of the Network HSM functionality, you can either utilize the new System > Certificate Management > HSM Management screen or use the new TMSH commands to configure the Network HSM. If you install the HSM using the existing F5 install script, the information is auto-filled when you open the HSM Management screen. You can also manually install the library by adding the library location to the configuration.

After you install the Network HSM client on the BIG-IP system, you may create and operate with the keys inside the HSM for use with Access Policy Manager® and Application Security Manager™.

Note: If you are installing Network HSM on a BIG-IP system that will be licensed for Appliance mode, you must install the Network HSM software prior to licensing the BIG-IP system for Appliance mode.

For specific instructions for HSM client installation and configuration, follow the HSM vendor specific workflows in this guide that link you to the vendor sites where the steps are provided based on the version you want to install.

Note: To view details for Thales HSM and SafeNet Luna SA HSM, see their supporting documentation on AskF5.

Prerequisites for setting up Network HSM with BIG-IP system

Before you can use Network HSM with the BIG-IP® system, you must make sure that these requirements are in place:

  • You have created the Network Security World (security architecture).
  • The BIG-IP system is licensed for "External Interface and Network HSM."
Important: You cannot run the BIG-IP system with both internal and external HSMs at the same time.
Note: BIG-IP TMOS with Network HSM only supports IPv4.

Other administrative information to keep in mind during setup:

  • Partition names must be unique.
  • Only one network HSM can be configured at a time.
  • You must identify a partition when installing a client (when using the F5 installer).
  • If you change the install path, client code, or any partition information, you must restart the pkcs11d daemon.
  • Run the test utility after making any changes to ensure that the HSM is configured correctly.
  • If you do not specify a partition when creating a key, the first listed partition will be used. The partition name will be automatically entered as "auto".
  • If you try to delete a partition when there are keys defined that use that partition, you will not be allowed to do so.

Note: For supported Amazon CloudHSM and Equinix SmartKey HSM versions with BIG-IP TMOS versions information, see each of their respective Interoperability Matrix for BIG-IP TMOS with HSM supplemental document available on AskF5.

Supported Versions

Network HSM supported versions:
  • Amazon CloudHSM: Version 1.0.18 and 1.1.0
  • Equinix SmartKey: Version 2.9.804

Setting up Network HSM Client Installation and Configuration

To setup a network HSM for Amazon CloudHSM or Equinix SmartKey HSM you must have network access to the network HSM, as well as the DNS configured to resolve it.

Task Summary for Amazon CloudHSM and Equinix SmartKey HSM

  • Setup your Network HSM device
  • Install the client software and create a Cryptographic User (CU)
  • Configure and activate the software
  • Configure the BIG-IP
    • Add the HSM service (if any) to the BIG-IP startup scripts
    • Add the library path
    • Setup and configure partitions
  • Manage partitions

Setting up Amazon CloudHSM client installation and configuration

Set up your Amazon CloudHSM by following the documentation in the Getting Started section of the CloudHSM guide.
Note: Amazon CloudHSM is only available for virtual machines running in the AWS cloud.

Your AWS BIG-IP VE is the EC2 client mentioned in the getting started guide and should be in the same VPC and availability zone as the CloudHSM. The getting started topics consist of information to assist creating, initializing, and activating AWS CloudHSM cluster.

Note: Follow the AWS topic directions up until following the task steps found in the Install and Client (Linux) section.

Creating a cryptographic user

Manage your HSM cryptographic users (CU) or officers (CO) in your Amazon CloudHSM cluster by:
  • creating users
  • listing users
  • changing user passwords
  • deleting users
Follow the steps required at Managing HSM Users in AWS CloudHSM.

Installing the clients

Install the clients by logging into the AWS BIG-IP VE as root and run:
Note: This client installation needs to be conducted after the BIG-IP upgrade process.
cd /shared/
mkdir nethsm
cd nethsm
 
curl -O https://s3.amazonaws.com/cloudhsmv2-software/cloudhsm-client-pkcs11-1.0-18.x86_64.rpm
curl -O https://s3.amazonaws.com/cloudhsmv2-software/cloudhsm-client-1.0-18.x86_64.rpm
 
rpm -ivh ./cloudhsm-client-pkcs11-1.0-18.x86_64.rpm
rpm -ivh ./cloudhsm-client-1.0-18.x86_64.rpm

Configuring and activating the software

To configure and activate the software you must edit the client configuration before you can use the CloudHSM client to connect to your cluster.
Follow the steps required at Edit the Client Configuration.
Note: The link takes you to a resource outside of AskF5. It is possible the referred documents have been removed without our knowledge.

Configure the BIG-IP

To configure your BIG-IP with your newly configured and activated HSM, you can:
  • Add your HSM service to the BIG-IP startup scripts.
  • Add the library path and configure partitions.

Adding the HSM service to the BIG-IP startup scripts

To add your CloudHSM service to the BIG-IP startup scripts, run the following:
# systemctl enable cloudhsm-client.service

Adding the library path and configuring partitions

To add your CloudHSM library to the BIG-IP and configure the partitions, perform either the UI screen or CLI to accomplish the task.
  1. On the Main tab, click System > Certificate Management > External HSM . The External HSM screen opens.
  2. From the Vendor list, select Auto.
  3. In the PKCS11 Library Path field, type the following:
    /opt/cloudhsm/lib/libcloudhsm_pkcs11_standard.so
  4. In the Partition List section, add the following details:
    1. In the Name field, type cavium (case sensitive).
      Note: If you type auto in the Name field, the first available partition will be selected.
    2. In the Password field, type the <CU user name>:<password>
  5. Click Add to add as many partitions as necessary.
  6. To edit any existing partition, select the partition and click Edit.
  7. To delete any existing partition, select the partition and click Delete.
  8. To test any existing partition, select a partition and click Test.
  9. If you selected Test, review the Test Output to make sure your details are accurate.
    1. If the test does not pass, attempt to locate the problem and enable debug logging and run the test again for further details. The logs are writing to /var/log/ltm.
    Note: Make sure to reset debug logging to the prior setting before continuing.
  10. Click Update.
If you are using the CLI, do the following:
  1. Add your CloudHSM library to the BIG-IP by entering:
    # tmsh create sys crypto fips external-hsm vendor auto pkcs11-lib-path /opt/cloudhsm/lib/libcloudhsm_pkcs11_standard.so
  2. Configure the partition, by entering:
    # tmsh create sys crypto fips nethsm-partition <partition-name> password "<CU user name>:<password>"
    Note: For <partition-name>, use "cavium" as it is the default partition name for AWS CloudHSM. You can also use "auto" to point to the first partition (which is normally the only partition for AWS CloudHSM).
  3. Reboot the appliance to start the service and create the links.
  4. Test your output by using the Network HSM testing tool and entering:
    # tmsh run sys crypto nethsm-test --hsm_partition_name=<partition-name>
    Note: If you do not specify hsm_partition_name then the first partition (which is normally the only partition for AWS CloudHSM) will be chosen.

Creating a key in a partition

To create a key in a partition, do the following:
  1. On the Main tab, click System > Certificate Management > Traffic Certificate Management > SSL Certificate List . The New SSL Certificate screen opens.
  2. Click Create. The New SSL Certificate screen opens.
  3. In the Name field, type the name of the new SSL certificate.
  4. In the Common Name field, type the common name of the certificate. For example, nethsm_ecdsa.
  5. From the NetHSM Partition list, select Default Partition.
  6. Click Finished.
    Note: You can choose other partitions when you have multiple tokens or slots configured on your Network HSM that you use for keys.

Checking the partition for the key

To check the partition for the new key, do the following:
  1. On the Main tab, click System > Certificate Management > Traffic Certificate Management > SSL Certificate List . The New SSL Certificate screen opens.
  2. Select the newly created SSL certificate name.
  3. Select the Key tab (if necessary) to check the partition for the key properties (such as name, key type, key ID, ect.).

Checking the service status

To check the service status, do the following:
  1. On the Main tab, click System > Services > Services List . The Service List screen opens.
  2. Locate the Service name (for example, pkcs11d) and view the History information.
  3. Click Start, Stop, or Restart as necessary.

Setting up Equinix SmartKey HSM client installation and configuration

Create and set up your Equinix SmartKey HSM account by following the SmartKey Getting Started information.
Note: Create the group and application as noted in the SmartKey instructions.
Note: Make note of the API key after creating the application. The API key information can be useful later.

Installing the clients

Download the Smartkey PKCS#11 RPM package version 2.9.804 from http://support.smartkey.io/downloads/smartkey-pkcs11-2.9.804-0.x86_64.rpm.
Note: The downloaded file smartkey-pkcs11-2.9.804-0.x86_64.rpm contains the RPM package name fortanix-pkcs11-2.9.804-0. Attempting to delete the package using smartkey-pkcs11-2.9.804-0 as the package name will fail. We recommend you rename the file from smartkey-pkcs11-2.9.804-0.x86_64.rpm to fortanix-pkcs11-2.9.804-0.x86_64.rpm before proceeding. This is especially relevant when doing automated/declarative package installations.
Use the following command to install the RPM package upload to the /shared/tmp folder and install it as root:
rpm -ivh /shared/tmp/<RPM package file name>

Adding the library path and configuring partitions

To add your SmartKey HSM library to the BIG-IP and configure the partitions, perform either the UI screen or CLI to accomplish the task.
  1. On the Main tab, click System > Certificate Management > HSM Management > External HSM . The External HSM screen opens.
  2. From the Vendor list, select Auto.
  3. In the PKCS11 Library Path field, type the following:
    /opt/fortanix/pkcs11/fortanix_pkcs11.so
  4. In the Partition List section, add the following details:
    1. In the Name field, type fortanix (case sensitive).
      Note: If you type auto in the Name field, the first available partition will be selected.
    2. In the Password field, type the <API Key>
      Note: The user name and password are based on the Cryptographic user created earlier.
  5. Click Add to add as many partitions as necessary.
  6. To edit any existing partition, select the partition and click Edit.
  7. To delete any existing partition, select the partition and click Delete.
  8. To test any existing partition, select a partition and click Test.
  9. If you clicked Test, review the Test Output to make sure your details are accurate.
    1. If the test does not pass, attempt to locate the problem and enable debug logging and run the test again for further details. The logs are writing to /var/log/ltm.
    Note: Make sure to reset debug logging to the prior setting before continuing.
  10. Click Update.
If you are using the CLI, do the following:
  1. Add your SmartKey HSM library to the BIG-IP by entering:
    # tmsh create sys crypto fips external-hsm vendor auto pkcs11-lib-path /opt/fortanix/pkcs11/libpkcs11_lib.so
  2. Configure the partition, by entering:
    # tmsh create sys crypto fips nethsm-partition <partition-name> password "<API Key>"
    Note: For <partition-name>, use "fortanix" as it is the default partition name for Equinix SmartKey.
  3. Reboot the appliance to start the service and create the links.
  4. Test your output by using the Network HSM testing tool and entering:
    # tmsh run sys crypto nethsm-test --hsm_partition_name=<partition-name>
Note: If you do not specify hsm_partition_name, then the first partition (which is normally the only partition for Equinix SmartKey) will be chosen.
Note: By default, smartkey-client makes REST API calls to the SmartKey server at https://www.smartkey.io. To make calls to a different SmartKey server, create a file named /config/smartkey.cfg with the SmartKey server of your choice and the API key. The format of the /config/smartkey.cfg file is defined in the “Configuration file format” section at http://support.smartkey.io/smartkey/developers-guide-pkcs11.html. To make use of this SmartKey configuration file, when configuring the partition (Step 2), use the following command line instead:
tmsh create sys crypto fips nethsm-partition <partition-name> password "file:///config/smartkey.cfg"
Note: A sample configuration file is shown next:
# cat /config/smartkey.cfg
api_key="<API Key>"
api_endpoint=https://eu.smartkey.io