Applies To:
- BIG-IP DNS 14.1.2, 14.1.0
- BIG-IP AFM 14.1.2, 14.1.0
- BIG-IP ASM 14.1.2, 14.1.0
- BIG-IP AAM 14.1.2, 14.1.0
- BIG-IP APM 14.1.2, 14.1.0
- BIG-IP LTM 14.1.2, 14.1.0
Implementing the SafeNet Luna HSM with BIG-IP Systems
Overview: Setting up the SafeNet Luna SA HSM with BIG-IP systems, using a script
The Gemalto SafeNet Luna SA HSM is an external hardware security module that is available for use with BIG-IP® systems. Because it is network-based, you can use the SafeNet solution with all BIG-IP platforms, including VIPRION® Series chassis and appliances and BIG-IP Virtual Edition (VE). You can also configure multiple HSMs as an HA (high availability) group to use with BIG-IP systems.
Both RSA-based and ECDHE-ECDSA cipher suites use the network HSM. After installation on the BIG-IP system, the SafeNet Luna SA HSM is compatible with Access Policy Manager® and Application Security Manager™, without additional configuration steps.
For information about using the iControl® interface to configure the Luna SA HSM with BIG-IP systems, consult the F5 DevCentral site (https://devcentral.f5.com/icontrol/).
For additional information about using the Luna SA HSM, contact Gemalto SafeNet Technical Support (https://supportportal.gemalto.com).
Prerequisites for setting up SafeNet Luna SA HSM with BIG-IP systems
Before you can use SafeNet Luna SA HSM with the BIG-IP® system, you must make sure that:
- The SafeNet device is installed on your network.
- The SafeNet device and the BIG-IP system can communicate with each other.
- The SafeNet device has a virtual HSM (HSM Partition) defined before you install the client software on the BIG-IP system.
- The BIG-IP system is licensed for external interface and network HSM.
Additionally, before you begin the installation process, make sure that you have access to:
- The Luna SA Client software. For the SafeNet client and HSM versions that are supported with each BIG-IP TMOS version, see the Interoperability Matrix for BIG-IP TMOS with SafeNet Clients and HSM supplemental document, available on AskF5.
- The Luna SA Customer Documentation.
Preparing to install the Luna SA client on the BIG-IP system
Before you can set up the SafeNet Luna SA client software on a BIG-IP system, you must obtain a valid Gemalto SafeNet Luna SA client license.
Installing and registering the Luna SA client
Setting up the Luna SA client on a newly added or activated blade
Generating a key/certificate using tmsh
Creating a self-signed digital certificate
Requesting a certificate from a certificate authority
Deleting a key from the BIG-IP
Creating a client SSL profile to use an external HSM key and certificate
Importing a pre-existing NetHSM key to the BIG-IP
root@(ssl8519)(cfg-sync Standalone)(Active)(/Common)(tmos)# install sys crypto key nethsm_key_label (tab)
Options:
  from-editor  from-nethsm
Properties:
  from-local-file  from-url
root@(ssl8519)(cfg-sync Standalone)(Active)(/Common)(tmos)# install sys crypto key nethsm_key_label from-nethsm security-type nethsm
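The following wrapper is an added example, not part of the F5 guide or the Luna SA documentation: it runs the import command shown above only when no key with that label is already configured, then confirms the configured key is backed by the network HSM. It assumes `tmsh list sys crypto key <label>` fails for an unknown label and prints `security-type nethsm` for an HSM-backed key, and the label character whitelist is this script's own conservative choice.

```shell
#!/bin/sh
# Added example (not from the F5 guide): idempotent import of a pre-existing
# NetHSM key into BIG-IP via tmsh, with a post-check of the security type.
# TMSH defaults to the real tmsh binary; a test may point it at a stub.
TMSH="${TMSH:-tmsh}"

# valid_label LABEL: conservative whitelist (assumption) so that only plain
# object names reach the tmsh command line.
valid_label() {
    case "$1" in
        ''|*[!A-Za-z0-9._-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# key_exists LABEL: 0 if a sys crypto key with this label is already configured.
key_exists() {
    "$TMSH" list sys crypto key "$1" >/dev/null 2>&1
}

# key_is_nethsm LABEL: 0 if the configured key is reported as HSM-backed
# (assumes the listing contains "security-type nethsm").
key_is_nethsm() {
    "$TMSH" list sys crypto key "$1" 2>/dev/null | grep -q 'security-type nethsm'
}

# import_nethsm_key LABEL: import the key by its HSM label with the command
# shown in the guide unless it is already present, then verify it is nethsm-backed.
# Returns 0 on success, 1 if the import failed, 2 on a bad label, 3 if the
# configured key is not HSM-backed.
import_nethsm_key() {
    label="$1"
    valid_label "$label" || { echo "invalid key label: $label" >&2; return 2; }
    if key_exists "$label"; then
        echo "key $label already configured, skipping import" >&2
    else
        "$TMSH" install sys crypto key "$label" from-nethsm security-type nethsm || return 1
    fi
    key_is_nethsm "$label" || { echo "key $label is not nethsm-backed" >&2; return 3; }
    echo "$label"
}
```

Run it as `import_nethsm_key nethsm_key_label` on the BIG-IP shell; a second run with the same label is a no-op.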