Manual Chapter : Additional Information

Applies To:

Show Versions Show Versions

BIG-IP AAM

  • 11.6.4, 11.6.3, 11.6.2, 11.6.1

BIG-IP APM

  • 11.6.4, 11.6.3, 11.6.2, 11.6.1

BIG-IP GTM

  • 11.6.4, 11.6.3, 11.6.2, 11.6.1

BIG-IP LTM

  • 11.6.4, 11.6.3, 11.6.2, 11.6.1

BIG-IP AFM

  • 11.6.4, 11.6.3, 11.6.2, 11.6.1

BIG-IP ASM

  • 11.6.4, 11.6.3, 11.6.2, 11.6.1
Manual Chapter

Additional Information

Creating a backup of the Thales RFS

Before you back up the RFS, make sure that the Thales nShield Connect Remote File System (RFS) server is installed on your network.
You back up the /shared/nfast/kmdata/local/ directory of the RFS to a secure location, so that you can recover the RFS state, if needed. The RFS contains all of the Thales nShield Connect keys.
  1. If the RFS is not installed on the BIG-IP system, rename the /shared/nfast directory to /shared/nfast.org.
    This directory can be used to recover old data, if necessary.
  2. Follow the Thales best practices for backing up the RFS server.

Upgrading the BIG-IP software when using the Thales HSM

After a BIG-IP® system software or hotfix upgrade, you must run the Thales client setup script to restore your default Thales configuration. Any local keys and certificates you loaded into the BIG-IP system before upgrading (using the command tmsh install sys crypto) appear in the upgrade partition, but they are usable only after you run the Thales client setup script. If you are restoring the Thales client on a VIPRION® system, you run the configuration script only on the primary blade, and then the system propagates the configuration to the additional active blades.

Note: If you will need CSRs, keys, or certs that were not loaded into the BIG-IP system, before you upgrade, copy the files into the /shared directory. After the upgrade, copy them back to their appropriate directories in the new partition: /config/ssl/ssl.key/, /config/ssl/ssl.crt, or /config/ssl/ssl.csr.
  1. Log in to the command-line interface of the BIG-IP system using an account with administrator privileges.
  2. Run one of these scripts, using the arguments that are appropriate for your configuration:
    • If the BIG-IP is an RFS server in addition to being a Thales client, use: nethsm-thales-rfs-install.sh and nethsm-thales-install.sh
    • If the BIG-IP is only a Thales client use: nethsm-thales-install.sh
The protected keys, which are stored in /opt/nfast/kmdata/, are available in the new partition, regardless of whether the keys and certs were loaded into the BIG-IP system.

Uninstalling Thales nShield Connect components from the BIG-IP system

If you no longer need to use the Thales nShield Connect on a BIG-IP® system, you should uninstall the files.
  1. Log in to the command-line interface of the system using an account with administrator privileges.
  2. Uninstall the client and clean up.
    nethsm-thales-install.sh -u [-v]

fipskey.nethsm utility options

The fipskey.nethsm utility includes these options:

Option Description
-o Name applied to .key, .csr, and .crt output files
Important: This parameter is required.
-c [token | module | softcard] Type of protection (default value is token)
-e [hex] Public exponent to use when generating RSA keys only.
Note: Do not provide a value for this option, unless advised to do so by F5® Technical Support.
-g [sha1] Digest used to sign key and certificate
-k [name] Key name
-m [yes | no] Store key in non-volatile RAM
-n [integer] Slot number to read cards from
Note: Not designed to work with the Thales HSM devices.
-r [yes | no] Key recovery available
-s [integer] Size of key/certificate pair (in bits)
-t [RSA] Key type
-v [yes | no] Verification available
-C Country identifier
-D Domain name
-E Email address for key contact
-L Locality identifier
-N Substitute alternative name
Note: Applies only to SafeNet Luna HSM.
-O Organization identifier
-P Province identifier
-U Organization unit identifier

nethsm-thales-install.sh utility options

The nethsm-thales-install.sh utility includes these options:

Option Description
-h Displays help
-u Uninstalls Thales software and cleans up.
-v Prints verbose output about operations
--hsm_ip_addr=<ip_addr> Thales HSM IP address
--rfs_ip_addr=<ip_addr> Remote RFS server IP address
--rfs_username=<ssh username> Remote RFS server user name for SSH login
--rfs_interface=<interface_name> Interface identifier for the Remote File System (RFS) server. Default is the management interface (eth0).
--interface=<interface_name> Interface identifier for the BIG-IP® system to be used as the Thales HSM client. Default is the management interface (eth0).
--verbose=<level> Indicates message verbosity level. The default value is zero, and all levels greater than zero indicate verbose output.

nethsm-thales-rfs-install.sh utility options

The nethsm-thales-rfs-install.sh utility includes these options:

Option Description
-h Displays help
-v Prints verbose output about operations
--hsm_ip_addr=<ip_addr> Thales HSM IP address
--rfs_ip_addr=<ip_addr> Remote File System (RFS) server IP address
--rfs_username=<ssh_user_name> RFS server user name for SSH login
--rfs_interface=<interface_name> Interface identifier for the BIG-IP® system used as the Thales HSM client. Default is the management interface (eth0).
--verbose=<level> Indicates message verbosity level. The default value is zero, and all levels greater than zero indicate verbose output.