Manual Chapter : Implementing the SafeNet Luna HSM with BIG-IP Systems

Applies To:


BIG-IP AAM

  • 11.5.10, 11.5.9, 11.5.8, 11.5.7, 11.5.6, 11.5.5, 11.5.4, 11.5.3, 11.5.2, 11.5.1

BIG-IP APM

  • 11.5.10, 11.5.9, 11.5.8, 11.5.7, 11.5.6, 11.5.5, 11.5.4, 11.5.3, 11.5.2, 11.5.1

BIG-IP GTM

  • 11.5.10, 11.5.9, 11.5.8, 11.5.7, 11.5.6, 11.5.5, 11.5.4, 11.5.3, 11.5.2, 11.5.1

BIG-IP LTM

  • 11.5.10, 11.5.9, 11.5.8, 11.5.7, 11.5.6, 11.5.5, 11.5.4, 11.5.3, 11.5.2, 11.5.1

BIG-IP AFM

  • 11.5.10, 11.5.9, 11.5.8, 11.5.7, 11.5.6, 11.5.5, 11.5.4, 11.5.3, 11.5.2, 11.5.1

BIG-IP ASM

  • 11.5.10, 11.5.9, 11.5.8, 11.5.7, 11.5.6, 11.5.5, 11.5.4, 11.5.3, 11.5.2, 11.5.1

Implementing the SafeNet Luna HSM with BIG-IP Systems

Overview: Implementing the SafeNet Luna SA HSM with BIG-IP Systems

The SafeNet Luna SA HSM is an external HSM that is available for use with BIG-IP® systems. Because it is network-based, you can use the SafeNet solution with all BIG-IP appliances and BIG-IP Virtual Edition (VE). For interoperability information, refer to the Interoperability Matrix for BIG-IP TMOS with SafeNet Clients and HSM on the AskF5™ web site located at support.f5.com.

For additional information about using the Luna SA HSM, contact SafeNet Technical Support (http://www.safenet-inc.com/technical-support/).

Task summary

The implementation process involves preparation of the SafeNet device and the BIG-IP® system, followed by key/certificate management and creation of a client SSL profile to use the key and certificate.

Prerequisites for implementing BIG-IP and SafeNet Luna SA HSM

Before you can use SafeNet Luna SA HSM with the BIG-IP® system, you must make sure that:

  • The SafeNet device is installed on your network.
  • The SafeNet device and the BIG-IP system can initiate connections with each other.
  • The SafeNet device has a virtual HSM (HSM Partition) defined before you install the client software on the BIG-IP system.
  • The BIG-IP system is licensed for external interface and network HSM.
  • The BIG-IP system has FIPS 140-2 or FIPS 140-3 compliant ciphers, depending upon your security needs. For information about FIPS compliant ciphers, see Annex A: Approved Security Functions for FIPS PUB 140-2 (http://csrc.nist.gov/publications/fips/fips140-2/fips1402annexa.pdf) and SOL8802 for a complete list of supported ciphers at http://support.f5.com.

Additionally, before you begin the installation process, make sure that you have access to:

  • The Luna SA Client software (Version 5.1)
  • The Luna SA Customer Documentation
Note: If you install the Luna SA HSM (external HSM) on a system with a FIPS card (internal HSM) installed, the Luna SA HSM takes precedence. You cannot use the SafeNet Luna SA HSM on a BIG-IP system that is running another external HSM.

Preparing to install the Luna SA client on the BIG-IP system

Before you can set up the SafeNet Luna SA client software on a BIG-IP® system, you must obtain the software tarball from F5® and copy it to the BIG-IP system using secure copy (SCP).

To use the Luna SA HSM, you need to install the Luna SA client software onto the BIG-IP system.
  1. Log in to the command-line interface of the system using the root account.
  2. Create a directory under /shared named safenet_install.
    mkdir /shared/safenet_install
  3. Copy the software tarball to /shared/safenet_install.
  4. Set up the SafeNet configuration on the BIG-IP system using the password for the Luna partition.
    tmsh create sys crypto fips external-hsm vendor safenet password <password>

    This example sets the vendor as SafeNet with Default1 as the password:

    tmsh create sys crypto fips external-hsm vendor safenet password Default1!
  5. Verify that the configuration was created.
    tmsh list sys crypto fips
    The system displays information about the external HSM configured on the system, similar to this example:
    sys crypto fips external-hsm {
        password Default1!
        vendor safenet
    }
    Note that the partition password is stored and displayed in clear text, so restrict who can read the BIG-IP configuration and any backups (UCS archives) made from it.

Installing and registering the Luna SA client

Before you can use the Luna SA device with the BIG-IP® system, you must install and register the Luna SA client. You will need to provide the passwords for your Luna SA device during the installation process.
  1. Log in to the command-line interface of the system using the root account.
  2. Install and register the Luna SA client.
    nethsm-safenet-install.sh --hsm_ip_addr=<luna_sa_device_IP_address> --image=Luna_x.x_Client_Software.tar

    This example sets up the version 5.1 client where the Luna SA device has an IP address of 172.27.13.59:

    nethsm-safenet-install.sh --hsm_ip_addr=172.27.13.59 --image=Luna_5.1_Client_Software.tar
    Install all components when prompted. During the installation, you register your client IP address with the SafeNet device, and assign the Luna SA client to one previously-defined HSM partition. The BIG-IP system supports using keys only within the first HSM partition/slot assigned to the Luna SA client. Note that HSM partitions are not the same as BIG-IP partitions.

Generating a key/certificate using tmsh

You can use the Traffic Management Shell (tmsh) to generate a key and certificate.
  1. Log in to the command-line interface of the system using the root account.
  2. Open the Traffic Management Shell (tmsh).
    tmsh
  3. Generate a key and a self-signed certificate.
    create sys crypto key <key_name> gen-certificate common-name <common_name> security-type nethsm

    This example generates an external HSM key named test_key, with a self-signed certificate whose common name is test_safenet.com, using the security type nethsm (from the bash prompt, prefix the command with tmsh):

    create sys crypto key test_key gen-certificate common-name test_safenet.com security-type nethsm

Generating a key/certificate using the Luna SA client

Before you generate a key/certificate, make sure that the SafeNet Luna SA client is running on the BIG-IP® system.
You can use the fipskey.nethsm utility to generate private keys and self-signed certificates on the BIG-IP system.
  1. Set the external HSM to SafeNet.
    fipskey.nethsm --hsm=safenet
  2. Generate a key.
    fipskey.nethsm --genkey -o <output_file>

    This example generates three files: /config/ssl/ssl.key/www.siterequest.com.key, /config/ssl/ssl.csr/www.siterequest.com.csr, and /config/ssl/ssl.crt/www.siterequest.com.crt:

    fipskey.nethsm --genkey -o www.siterequest.com
    The key is saved in /config/ssl/ssl.key/<output_file>.key, the certificate request in /config/ssl/ssl.csr/<output_file>.csr, and the self-signed certificate in /config/ssl/ssl.crt/<output_file>.crt.
  3. Verify that the key was created.
    tmsh list sys crypto key www.siterequest.com.key
    Information about the key displays:
    sys crypto key www.siterequest.com.key {
    	key-size 2048
    	key-type rsa-private
    	security-type normal
    }
After you generate a key and certificates, you need to import them into the BIG-IP configuration using tmsh.

Importing external HSM keys using tmsh

You can use the Traffic Management Shell (tmsh) to import existing external HSM (FIPS) keys into the BIG-IP® system.
  1. Log in to the command-line interface of the system using the root account.
  2. Open the Traffic Management Shell (tmsh).
    tmsh
  3. Import a key.
    install sys crypto key <key_object_name> from-local-file <keyname>
    This example imports an external HSM key named my_key.key from a local key file stored in the /config/ssl/ssl.key/ directory:

    install sys crypto key my_key.key from-local-file /config/ssl/ssl.key/my_key.key
After you have imported the key into the BIG-IP system, you must import the certificate.

Adding certificates using tmsh

You can use the Traffic Management Shell (tmsh) to add existing certificates to the BIG-IP® system configuration.
  1. Log in to the command-line interface of the BIG-IP system using an account with administrator privileges.
  2. Open the Traffic Management Shell (tmsh).
    tmsh
  3. Add the certificate.
    install sys crypto cert <cert_object_name> from-local-file <path_to_cert_file>

    This example loads the certificate named my_key.crt from a local certificate file stored in the /config/ssl/ssl.crt/ directory:

    install sys crypto cert my_key.crt from-local-file /config/ssl/ssl.crt/my_key.crt
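The tmsh procedures above (registering the external HSM, generating a key inside the Luna SA, and importing an existing key and certificate pair) collected into one bash script with a dry-run mode, as an added example that is not F5's or SafeNet's code. It assumes the LUNA_PARTITION_PASSWORD, DRY_RUN and RUN_ON_BIGIP variables it defines, that the interactive nethsm-safenet-install.sh run has already been completed, and a constructed sample listing for the offline parser check; the tmsh commands themselves are the ones shown in this chapter.

```shell
#!/bin/bash
# Added example (not F5 or SafeNet code): the tmsh steps from this chapter
# wrapped in functions with a dry-run mode and a check that a key object is
# really backed by the Luna SA. Assumptions, not from the page: the variable
# names LUNA_PARTITION_PASSWORD, DRY_RUN and RUN_ON_BIGIP, and the constructed
# sample listing. The interactive nethsm-safenet-install.sh step must already
# have been completed on this BIG-IP.
set -u

# Execute a command, or only print it when DRY_RUN is set, so the exact tmsh
# calls can be reviewed before they are run on a production BIG-IP.
run() {
    if [ -n "${DRY_RUN:-}" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Step 4 of "Preparing to install the Luna SA client": store the partition
# password. It is taken from the environment rather than typed on the command
# line (an assumption of this script) so it does not end up in shell history;
# tmsh still keeps it in the configuration, so protect that file and backups.
configure_external_hsm() {
    if [ -z "${LUNA_PARTITION_PASSWORD:-}" ]; then
        echo "LUNA_PARTITION_PASSWORD is not set" >&2
        return 1
    fi
    run tmsh create sys crypto fips external-hsm vendor safenet \
        password "$LUNA_PARTITION_PASSWORD"
}

# "Generating a key/certificate using tmsh": the private key is generated in
# the network HSM (security-type nethsm) and a self-signed certificate with
# the given common name is created alongside it.
generate_hsm_key() {   # $1 key object name, $2 certificate common name
    run tmsh create sys crypto key "$1" gen-certificate \
        common-name "$2" security-type nethsm
}

# "Importing external HSM keys" and "Adding certificates": install a key and
# certificate already present under /config/ssl, e.g. produced by
# fipskey.nethsm --genkey -o NAME.
import_key_and_cert() {   # $1 base file name without extension
    run tmsh install sys crypto key "$1.key" \
        from-local-file "/config/ssl/ssl.key/$1.key"
    run tmsh install sys crypto cert "$1.crt" \
        from-local-file "/config/ssl/ssl.crt/$1.crt"
}

# Extract security-type from a `tmsh list sys crypto key NAME` listing read
# from stdin. nethsm: private key held in the Luna SA. normal: on-disk key.
key_security_type() {
    awk '$1 == "security-type" { print $2; exit }'
}

# Fail unless the key object is backed by the network HSM. Run this before
# binding a key to a client SSL profile.
require_hsm_key() {   # $1 key object name
    local st
    st=$(tmsh list sys crypto key "$1" | key_security_type)
    if [ "$st" != "nethsm" ]; then
        echo "key $1 has security-type '${st:-unknown}', expected nethsm" >&2
        return 1
    fi
    echo "key $1 is backed by the network HSM"
}

# Constructed sample in the shape of the chapter's tmsh listing, used to check
# key_security_type without a BIG-IP.
SAMPLE_HSM_KEY_LISTING='sys crypto key test_key {
    key-size 2048
    key-type rsa-private
    security-type nethsm
}'

main() {
    configure_external_hsm
    generate_hsm_key "${KEY_NAME:-test_key}" "${CERT_CN:-test_safenet.com}"
    require_hsm_key "${KEY_NAME:-test_key}"
}

# Only act when explicitly asked; sourcing the file just defines the functions.
if [ "${RUN_ON_BIGIP:-0}" = 1 ]; then
    main
fi
```

Run with DRY_RUN=1 to print the tmsh commands without executing them, and with RUN_ON_BIGIP=1 on the BIG-IP to apply them. The check worth keeping is require_hsm_key: a key object that reports security-type normal is an ordinary on-disk key, and binding it to a profile would terminate TLS outside the HSM no matter how the key was generated.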

Creating a client SSL profile to use an external HSM key and certificate

After you have installed the external HSM key and certificate to the BIG-IP® system, you can use the key and certificate as part of a client SSL profile.
  1. On the Main tab, click Local Traffic > Profiles > SSL > Client.
    The Client screen opens.
  2. Click Create.
    The New Client SSL Profile screen opens.
  3. In the Name field, type a name for the profile.
  4. Select clientssl in the Parent Profile list.
  5. From the Configuration list, select Advanced.
    This selection makes it possible for you to modify additional default settings.
  6. Select the Custom check box for Configuration.
    The settings in the Configuration area become available for configuring.
  7. Using the Certificate Key Chain setting, specify one or more certificate key chains:
    1. From the Certificate list, select the name of a certificate that you imported.
    2. From the Key list, select the name of the key that you imported.
    3. From the Chain list, select the chain that you want to include in the certificate key chain.
    4. Click Add.
  8. Click Finished.
After you have created the client SSL profile, you must assign the profile to a virtual server, so that the virtual server can process SSL traffic according to the specified profile settings.
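For systems managed from the command line, the tmsh equivalent of the GUI procedure above, including the closing step of assigning the profile to a virtual server and a check that every key the profile references is HSM-backed, as an added example that is not F5's code. The cert-key-chain and profiles add syntax is assumed from 11.5-era tmsh (verify against your version), and the object names (hsm_clientssl, vs_https, test_key.crt, test_key.key, ca-bundle.crt) and the sample listing are constructed for the example.

```shell
#!/bin/bash
# Added example (not F5 code): tmsh equivalent of the GUI client SSL profile
# steps, attaching the profile to a virtual server, and checking which keys
# the profile references. Assumptions, not from the page: 11.5-era tmsh syntax
# for cert-key-chain and profiles add, the object names, the DRY_RUN and
# RUN_ON_BIGIP switches, and the constructed listing used for the offline check.
set -u

# Execute a command, or only print it when DRY_RUN is set.
run() { if [ -n "${DRY_RUN:-}" ]; then printf '%s\n' "$*"; else "$@"; fi; }

# Steps 1-8 of the GUI procedure: a profile inheriting from clientssl with one
# certificate key chain built from the imported certificate, the HSM-backed
# key and, optionally, a CA chain bundle.
create_hsm_clientssl_profile() {   # $1 profile, $2 cert, $3 key, [$4 chain]
    local spec="cert $2 key $3"
    if [ -n "${4:-}" ]; then
        spec="$spec chain $4"
    fi
    # $spec is deliberately unquoted: tmsh receives the braces and fields as
    # separate words, exactly as when typed at the shell prompt.
    run tmsh create ltm profile client-ssl "$1" defaults-from clientssl \
        cert-key-chain add { default { $spec } }
}

# The step the chapter ends on: assign the profile to a virtual server so
# client-side TLS is terminated with the HSM key.
attach_profile_to_virtual() {   # $1 virtual server, $2 profile
    run tmsh modify ltm virtual "$1" profiles add { "$2" { context clientside } }
}

# List the key objects named in a `tmsh list ltm profile client-ssl NAME
# cert-key-chain` listing read from stdin.
profile_key_names() {
    awk '$1 == "key" { print $2 }'
}

# Every key the profile uses must report security-type nethsm; a profile that
# points at an on-disk key would terminate TLS outside the HSM.
verify_profile_keys_in_hsm() {   # $1 profile
    local key st rc=0
    for key in $(tmsh list ltm profile client-ssl "$1" cert-key-chain | profile_key_names); do
        st=$(tmsh list sys crypto key "$key" | awk '$1 == "security-type" { print $2 }')
        if [ "$st" = nethsm ]; then
            echo "$key: nethsm"
        else
            echo "$key: security-type '${st:-unknown}', expected nethsm" >&2
            rc=1
        fi
    done
    return $rc
}

# Constructed sample listing for an offline check of profile_key_names.
SAMPLE_PROFILE_LISTING='ltm profile client-ssl hsm_clientssl {
    cert-key-chain {
        default {
            cert test_key.crt
            chain ca-bundle.crt
            key test_key.key
        }
    }
}'

main() {
    create_hsm_clientssl_profile hsm_clientssl test_key.crt test_key.key ca-bundle.crt
    attach_profile_to_virtual vs_https hsm_clientssl
    verify_profile_keys_in_hsm hsm_clientssl
    run tmsh save sys config
}

if [ "${RUN_ON_BIGIP:-0}" = 1 ]; then
    main
fi
```

The profile and virtual server changes live in the running configuration until `tmsh save sys config` is run, which is why main ends with it; DRY_RUN=1 prints every tmsh call so the exact cert, key and chain names can be reviewed before they are applied.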