Applies To:
- BIG-IP AAM 14.1.2, 14.1.0
- BIG-IP APM 14.1.2, 14.1.0
- BIG-IP LTM 14.1.2, 14.1.0
- BIG-IP AFM 14.1.2, 14.1.0
- BIG-IP DNS 14.1.2, 14.1.0
- BIG-IP ASM 14.1.2, 14.1.0
Upgrading the BIG-IP software when using the Thales HSM
After a BIG-IP system software or hotfix upgrade, you must run the Thales client setup script to restore your default Thales configuration. Any local keys and certificates you loaded into the BIG-IP system before upgrading (using the command tmsh install sys crypto) appear in the upgrade partition, but they are usable only after you run the Thales client setup script. If you are restoring the Thales client on a VIPRION system, you run the configuration script only on the primary blade, and then the system propagates the configuration to the additional active blades.
- Log in to the command-line interface of the BIG-IP system using an account with administrator privileges.
- Run one of these scripts, using the arguments that are appropriate for your configuration:
  - If the BIG-IP is an RFS server in addition to being a Thales client, run both nethsm-thales-rfs-install.sh and nethsm-thales-install.sh.
  - If the BIG-IP is only a Thales client, run nethsm-thales-install.sh.
nethsm-thales-install.sh utility options
The nethsm-thales-install.sh utility includes these options:
| Option | Description |
|---|---|
| `-h` | Displays help. |
| `-u` | Uninstalls and cleans up the Thales software. |
| `-v` | Prints verbose output about operations. |
| `--hsm_ip_addr=<ip_addr>` | Thales HSM IP address(es). For multiple HSMs, use a double-quoted value with space-separated IP addresses, for example `--hsm_ip_addr="10.10.10.100 10.10.10.101"`. |
| `--hsm_partition_name=<partition name>` | Thales HSM partition name. For a single partition, use a double-quoted value, for example `--hsm_partition_name="loadshared accelerator"`. For multiple partitions, use a double-quoted value with colon-separated partition names, for example `--hsm_partition_name="softcard1:softcard2:loadshared accelerator"`. To find a partition name, run the Thales utility `ckinfo` and read the value after "label" in the "CK_TOKEN_INFO" section; trailing spaces in the label can be ignored. |
| `--hsm_partition_pwd=<password>` | The Thales HSM partition password. It must be the same for all HSMs used in a High Availability (HA) configuration. For multiple partitions, use a double-quoted value with space-separated passwords, listed in the same order as the partitions, for example `--hsm_partition_pwd="abc xyz uvw"`. |
| `--rfs_interface=<interface_name>` | Interface identifier for the local Remote File System (RFS) server. The default is the management interface (eth0). |
| `--protection=<protection_type>` | The type of key protection to use. Valid options are [m]odule, [o]cs, or [s]oftcard. When this option is omitted, module protection is used. |
| `--verbose=<level>` | Message verbosity level. The default is zero; any level greater than zero produces verbose output. |
nethsm-thales-rfs-install.sh utility options
The nethsm-thales-rfs-install.sh utility includes these options:
| Option | Description |
|---|---|
| `-h` | Displays help. |
| `-u` | Uninstalls the Thales software and cleans up the Thales directories. |
| `-v` | Prints verbose output about the operations being executed. |
| `--hsm_ip_addr=<ip_addr>` | Thales HSM IP address(es). For multiple HSMs, use a double-quoted value with space-separated IP addresses, for example `--hsm_ip_addr="10.10.10.100 10.10.10.101"`. |
| `--interface=<interface_name>` | Interface identifier of the BIG-IP to be used as the Thales HSM client (eth0). The default is the management interface. |
| `--num_threads=<threads>` | Number of threads that pkcs11d will use. The default is 20. |
| `--rfs_interface=<interface_name>` | Local Remote File System (RFS) server interface name (eth0). |
| `--rfs_ip_addr=<ip_addr>` | Remote RFS server IP address. |
| `--rfs_username=<ssh_username>` | Remote RFS server username for SSH login. |
| `--protection=<protection_type>` | The type of key protection to use. Valid options are [m]odule, [o]cs, or [s]oftcard. When this option is omitted, module protection is used. |
| `--verbose=<level>` | Message verbosity level. The default is zero; any level greater than zero produces verbose output. |
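The post-upgrade procedure above and the two option tables leave the operator to assemble a fairly long, quoting-sensitive command line by hand, and a mismatch between the partition list and the password list (or a mistyped protection type) is only discovered when the script fails. The following is an added example, not F5's own code or part of this page: it holds the HSM inventory in a few variables, checks it against the option semantics documented in the tables, and then runs the script(s) the procedure calls for, in the documented order. The script and option names are the ones above; the inventory values, `RFS_INTERFACE`, `DRY_RUN`, and the particular set of options passed to each script are constructed assumptions for illustration and must be adapted to your deployment.

```bash
#!/bin/bash
# Added example (not F5's own code): assemble and sanity-check the arguments for
# the Thales client setup scripts named on this page before running them after
# an upgrade. Script and option names are the documented ones; the inventory
# values, RFS_INTERFACE, DRY_RUN and the option set passed to each script are
# constructed assumptions for illustration.

# --- constructed inventory (placeholder addresses and secrets) ---
HSM_IPS="10.10.10.100 10.10.10.101"   # space-separated, as --hsm_ip_addr expects
PARTITIONS="softcard1:softcard2"      # colon-separated, as --hsm_partition_name expects
PARTITION_PWDS="abc xyz"              # space-separated, same order as PARTITIONS
PROTECTION="softcard"                 # module, ocs or softcard (or m, o, s)
RFS_INTERFACE="eth0"                  # --rfs_interface for the local RFS server
IS_RFS=1                              # 1 when this BIG-IP is also the RFS server
DRY_RUN=${DRY_RUN:-1}                 # 1 = print the commands instead of executing them

# count_fields STRING SEPARATOR: number of fields in STRING when split on SEPARATOR.
count_fields() {
  local s="$1" sep="$2" old_ifs="$IFS"
  [ -n "$s" ] || { echo 0; return 0; }
  set -f                              # no glob expansion of the fields
  IFS=$sep
  set -- $s
  IFS=$old_ifs
  set +f
  echo $#
}

# validate_inventory: return 0 when the inventory obeys the option semantics in
# the tables above, otherwise describe the problem and return 1.
validate_inventory() {
  local np nw
  case $PROTECTION in
    m|module|o|ocs|s|softcard) ;;
    *) echo "protection must be module, ocs or softcard, got: $PROTECTION"; return 1 ;;
  esac
  [ "$(count_fields "$HSM_IPS" " ")" -ge 1 ] ||
    { echo "at least one HSM IP address is required"; return 1; }
  np=$(count_fields "$PARTITIONS" ":")
  nw=$(count_fields "$PARTITION_PWDS" " ")
  [ "$np" -eq "$nw" ] ||
    { echo "$np partition(s) but $nw password(s): passwords must match partitions in count and order"; return 1; }
  return 0
}

# build_client_cmd: the nethsm-thales-install.sh invocation, quoted as the option table requires.
build_client_cmd() {
  printf 'nethsm-thales-install.sh --hsm_ip_addr="%s" --hsm_partition_name="%s" --hsm_partition_pwd="%s" --protection=%s\n' \
    "$HSM_IPS" "$PARTITIONS" "$PARTITION_PWDS" "$PROTECTION"
}

# build_rfs_cmd: the nethsm-thales-rfs-install.sh invocation, needed only when this
# BIG-IP also acts as the RFS server (the option set here is an assumption).
build_rfs_cmd() {
  printf 'nethsm-thales-rfs-install.sh --hsm_ip_addr="%s" --rfs_interface=%s --protection=%s\n' \
    "$HSM_IPS" "$RFS_INTERFACE" "$PROTECTION"
}

# restore_commands: the command lines to run, in the order the procedure gives them.
restore_commands() {
  if [ "$IS_RFS" -eq 1 ]; then build_rfs_cmd; fi
  build_client_cmd
}

# run_restore: validate first; then execute the scripts, or under DRY_RUN just show them.
run_restore() {
  validate_inventory || return 1
  if [ "$DRY_RUN" -eq 1 ]; then
    restore_commands | sed 's/^/would run: /'
    return 0
  fi
  if [ "$IS_RFS" -eq 1 ]; then
    nethsm-thales-rfs-install.sh --hsm_ip_addr="$HSM_IPS" --rfs_interface="$RFS_INTERFACE" --protection="$PROTECTION" || return 1
  fi
  nethsm-thales-install.sh --hsm_ip_addr="$HSM_IPS" --hsm_partition_name="$PARTITIONS" \
    --hsm_partition_pwd="$PARTITION_PWDS" --protection="$PROTECTION"
}

run_restore
```

Run it as-is to see the exact command lines it would issue; set `DRY_RUN=0` on the BIG-IP to execute them. Because the documented scripts take the partition password on the command line, it ends up in the shell history and in process listings while the script runs; keeping the password in a variable as above avoids typing it interactively, but the history entry for the script invocation itself is still worth clearing afterwards.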