Applies To:
BIG-IP AAM
- 13.0.1, 13.0.0
BIG-IP APM
- 13.0.1, 13.0.0
BIG-IP LTM
- 13.0.1, 13.0.0
BIG-IP AFM
- 13.0.1, 13.0.0
BIG-IP DNS
- 13.0.1, 13.0.0
BIG-IP ASM
- 13.0.1, 13.0.0
Upgrading the BIG-IP software when using the Thales HSM
After a BIG-IP® system software or hotfix upgrade, you must run the Thales client setup script to restore your default Thales configuration. Any local keys and certificates you loaded into the BIG-IP system before upgrading (using the command tmsh install sys crypto) appear in the upgrade partition, but they are usable only after you run the Thales client setup script. If you are restoring the Thales client on a VIPRION® system, you run the configuration script only on the primary blade, and then the system propagates the configuration to the additional active blades.
- Log in to the command-line interface of the BIG-IP system using an account with administrator privileges.
- Run one of these scripts, using the arguments that are appropriate for your configuration:
  - If the BIG-IP system is an RFS server in addition to being a Thales client, use nethsm-thales-rfs-install.sh and nethsm-thales-install.sh.
  - If the BIG-IP system is only a Thales client, use nethsm-thales-install.sh.
fipskey.nethsm utility options
The fipskey.nethsm utility includes these options:
Option | Description |
---|---|
-o | Name applied to the .key, .csr, and .crt output files. Important: This parameter is required. |
-c [token \| module \| softcard] | Type of protection (default value is token) |
-e [hex] | Public exponent to use when generating RSA keys only. Note: Do not provide a value for this option unless advised to do so by F5® Technical Support. |
-g [sha1] | Digest used to sign key and certificate |
-k [name] | Key name |
-m [yes \| no] | Store key in non-volatile RAM |
-n [integer] | Slot number to read cards from |
-r [yes \| no] | Key recovery available |
-s [integer] | Size of key/certificate pair (in bits) |
-t [RSA] | Key type |
-v [yes \| no] | Verification available |
-C | Country identifier |
-D | Domain name |
-E | Email address for key contact |
-L | Locality identifier |
-N | Substitute alternative name. Note: Applies only to SafeNet Luna HSM. |
-O | Organization identifier |
-P | Province identifier |
-U | Organization unit identifier |
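As an added example (not F5's code), the following shell wrapper checks the values the option table above constrains (the required -o name, the -c protection type, the integer -s size, and the yes/no flags) before building the fipskey.nethsm command line; the names build_fipskey_cmd and FIPSKEY_BIN and the "no" defaults for -m, -r and -v are assumptions of this wrapper, not documented defaults.

```shell
#!/bin/sh
# Added example, not F5's code: pre-flight checks for the fipskey.nethsm
# option values documented in the table, so a typo is caught before the
# utility touches the HSM. FIPSKEY_BIN (assumed name) overrides the utility
# path, which is handy for a dry run on a workstation.

is_yes_no() { case "$1" in yes|no) return 0 ;; *) return 1 ;; esac; }
is_uint()   { case "$1" in ''|*[!0-9]*) return 1 ;; *) return 0 ;; esac; }

# build_fipskey_cmd NAME [KEYNAME] BITS [PROTECTION] [NVRAM] [RECOVERY] [VERIFY]
# Prints the validated fipskey.nethsm command line; returns 1 on a bad value.
build_fipskey_cmd() {
  name=$1 key=$2 bits=$3
  prot=${4:-token}   # -c: token | module | softcard (documented default: token)
  nvram=${5:-no}     # -m: store key in non-volatile RAM (wrapper default)
  recov=${6:-no}     # -r: key recovery available (wrapper default)
  verify=${7:-no}    # -v: verification available (wrapper default)

  [ -n "$name" ] || { echo "error: -o output name is required" >&2; return 1; }
  is_uint "$bits" || { echo "error: -s must be a key size in bits" >&2; return 1; }
  case "$prot" in
    token|module|softcard) ;;
    *) echo "error: -c must be token, module or softcard" >&2; return 1 ;;
  esac
  for flag in "-m:$nvram" "-r:$recov" "-v:$verify"; do
    is_yes_no "${flag#*:}" || { echo "error: ${flag%%:*} must be yes or no" >&2; return 1; }
  done

  args="-o $name"
  if [ -n "$key" ]; then args="$args -k $key"; fi
  args="$args -s $bits -t RSA -c $prot -m $nvram -r $recov -v $verify"
  printf '%s %s\n' "${FIPSKEY_BIN:-fipskey.nethsm}" "$args"
}

# Usage on the BIG-IP system (output files are named after the -o value):
#   cmd=$(build_fipskey_cmd www.example.com www_key 2048 module yes no yes) && $cmd
```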
nethsm-thales-install.sh utility options
The nethsm-thales-install.sh utility includes these options:
Option | Description |
---|---|
-h | Displays help |
-v | Prints verbose output about operations |
--hsm_ip_addr=<ip_addr> | Thales HSM IP address |
--rfs_interface=<interface_name> | Interface identifier for the Remote File System (RFS) server. Default is the management interface (eth0). |
--verbose=<level> | Indicates message verbosity level. The default value is zero, and all levels greater than zero indicate verbose output. |
nethsm-thales-rfs-install.sh utility options
The nethsm-thales-rfs-install.sh utility includes these options:
Option | Description |
---|---|
-h | Displays help |
-v | Prints verbose output about operations |
--hsm_ip_addr=<ip_addr> | Thales HSM IP address |
--rfs_ip_addr=<ip_addr> | Remote File System (RFS) server IP address |
--rfs_username=<ssh_user_name> | RFS server username for SSH login |
--rfs_interface=<interface_name> | Interface identifier for the BIG-IP® system used as the Thales HSM client. Default is the management interface (eth0). |
--verbose=<level> | Indicates message verbosity level. The default value is zero, and all levels greater than zero indicate verbose output. |