Manual Chapter : Additional Information

Applies To:

BIG-IP DNS

  • 14.1.0

BIG-IP AFM

  • 14.1.0

BIG-IP ASM

  • 14.1.0

BIG-IP AAM

  • 14.1.0

BIG-IP APM

  • 14.1.0

BIG-IP LTM

  • 14.1.0

Upgrading the BIG-IP software when using the SafeNet HSM

After a BIG-IP system software or hotfix upgrade, you do not need to run the SafeNet SA client setup script. Any local keys and certificates you added to the BIG-IP system configuration before upgrading (using the command tmsh install sys crypto) appear in the upgrade partition and can be used. Keys, certificates, and CSRs created using tmsh are already part of the BIG-IP system configuration and can be used.

Note: If you need keys, certificates, or CSRs that were not added to the BIG-IP system configuration, copy the files into the /shared directory before you upgrade. After the upgrade, copy them back to their appropriate directories in the new partition: /config/ssl/ssl.key/, /config/ssl/ssl.crt, or /config/ssl/ssl.csr.
  1. Log in to the command-line interface of the BIG-IP system using an account with administrator privileges.
  2. Reinstall the SafeNet client on the BIG-IP system, using the parameters you used when you initially installed and registered it.
    nethsm-safenet-install.sh
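
The note above covers files that live outside the BIG-IP configuration. As an added example (not F5's own tooling), this script stages named files from the three directories into /shared with their permissions preserved, records SHA-256 checksums, and restores them only if the checksums still match; the function names, the MANIFEST.sha256 file and the /shared/ssl_pre_upgrade directory are assumptions.

```shell
#!/bin/bash
# Added example (not F5 tooling): stage key/cert/CSR files that are outside
# the BIG-IP configuration under /shared before an upgrade, then verify and
# restore them. Function names and the STAGE subdirectory are assumptions.
# Usage: <script> stage ssl.key/app.key ssl.crt/app.crt   (before upgrade)
#        <script> restore                                 (in the new partition)
SSL_ROOT="${SSL_ROOT:-/config/ssl}"        # parent of ssl.key, ssl.crt, ssl.csr
STAGE="${STAGE:-/shared/ssl_pre_upgrade}"  # hypothetical directory in /shared

# stage_files FILE...  (FILE relative to SSL_ROOT, e.g. ssl.key/app.key)
# Body runs in a subshell so the restrictive umask does not leak to the caller.
stage_files() (
    umask 077
    [ "$#" -gt 0 ] || { echo "usage: stage FILE..." >&2; exit 2; }
    for rel in "$@"; do                    # validate everything before copying
        case "$rel" in
            *..*) echo "refusing $rel: path traversal" >&2; exit 1 ;;
            ssl.key/*|ssl.crt/*|ssl.csr/*) ;;
            *) echo "refusing $rel: not in ssl.key, ssl.crt or ssl.csr" >&2; exit 1 ;;
        esac
    done
    mkdir -p "$STAGE/ssl.key" "$STAGE/ssl.crt" "$STAGE/ssl.csr" || exit 1
    : > "$STAGE/MANIFEST.sha256"
    for rel in "$@"; do
        cp -p "$SSL_ROOT/$rel" "$STAGE/$rel" || exit 1   # -p keeps mode and owner
        (cd "$STAGE" && sha256sum "$rel") >> "$STAGE/MANIFEST.sha256" || exit 1
    done
)

# restore_files: refuse to restore anything unless every staged file still
# matches the checksum recorded before the upgrade.
restore_files() {
    (cd "$STAGE" && sha256sum -c MANIFEST.sha256 >&2) || {
        echo "checksum mismatch in $STAGE; nothing restored" >&2
        return 1
    }
    while read -r _sum rel; do
        mkdir -p "$SSL_ROOT/${rel%/*}" || return 1
        cp -p "$STAGE/$rel" "$SSL_ROOT/$rel" || return 1
    done < "$STAGE/MANIFEST.sha256"
}

case "${1:-}" in
    stage)   shift; stage_files "$@" ;;
    restore) restore_files ;;
esac
```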

Uninstalling SafeNet components from the BIG-IP system

If you no longer need to use the SafeNet HSM on a BIG-IP system, you should uninstall the files.
  1. Log in to the command-line interface of the system using an account with administrator privileges.
  2. Uninstall the SafeNet client software and clean up Thales directories.
    nethsm-safenet-install.sh -u [-v]

nethsm-safenet-install.sh utility options

The nethsm-safenet-install.sh utility includes these options:

Option Description
-f Reinstalls when a connection with HSM already exists.
-h Displays help.
-u Uninstalls SafeNet software and cleans up SafeNet directories.
-v Prints verbose output about the executing operations.
--hsm_ip_addr=<ip_addr> SafeNet Luna SA HSM IP address(es). For multiple HSMs, use a double-quoted value with space-separated IP addresses (such as --hsm_ip_addr="10.10.10.100 10.10.10.101").
--hsm_partition_pwd=<password> SafeNet HSM partition password. This password must be the same for all HSMs being used in High Availability (HA) configurations. For multiple partitions, use a double-quoted value with space-separated partition passwords. The passwords should be in the same order as the partitions. For example: --hsm_partition_pwd="pwd1 pwd2 pwd3".
--hsm_partition_name=<partition_name> SafeNet HSM partition name. For a single partition, use a double-quoted value. For multiple partitions, use a double-quoted value with colon-separated partition names. For example: --hsm_partition_name="par1:par2:\"my partition\"". To get the partition name(s), run the SafeNet utility "vtl listSlots" and read the value under "label" for the desired slot(s).
--hsm_username=<user_name> SafeNet Luna SA HSM user name. Default is admin.
--hsm_ha_group=<group_name> Name for the SafeNet HSM HA group. When using multiple HSMs in an HA configuration, all HSMs in HA must use the same partition password.
--image=<image_name> SafeNet Luna SA tarball to be installed (for example, Luna_5.1_Client_Software.tar). This file must be stored on the BIG-IP system in /shared/safenet_install.
--interface=<interface_name> Interface identifier of BIG-IP to be used to communicate with the SafeNet Luna SA HSM (eth0). The default is the management interface.
--ip_addr=<client_ip_addr> IP address of the BIG-IP as seen by the SafeNet HSM.
--num_threads=<threads> Indicates the number of threads pkcs11d will use. The default is 20.
--verbose=<level> Indicates message verbosity level. The default value is zero, and all levels greater than zero indicate verbose output.