Applies To:
BIG-IP AAM
- 13.1.5, 13.1.4, 13.1.3, 13.1.1, 13.1.0
BIG-IP APM
- 13.1.5, 13.1.4, 13.1.3, 13.1.1, 13.1.0
BIG-IP LTM
- 13.1.5, 13.1.4, 13.1.3, 13.1.1, 13.1.0
BIG-IP AFM
- 13.1.5, 13.1.4, 13.1.3, 13.1.1, 13.1.0
BIG-IP DNS
- 13.1.5, 13.1.4, 13.1.3, 13.1.1, 13.1.0
BIG-IP ASM
- 13.1.5, 13.1.4, 13.1.3, 13.1.1, 13.1.0
Overview: Managing external HSM keys for LTM
You can use the Thales nShield Connect to store and manage token-, module-, and softcard-protected keys.
For additional information about using Thales nShield Connect, refer to the Thales website: (https://www.thales-esecurity.com).
About key protection
There are three types of key protection available for use with the BIG-IP® system and the Thales nShield Connect:
- Module-protected keys are protected directly by the external HSM's security world and can be used at any time without further authorization.
- Softcard-protected keys are protected by a softcard and can be used only by an operator who supplies the softcard's assigned passphrase.
- Token-protected keys are protected by an Operator Card Set (OCS) and can be used only by an operator who presents an OCS card (the physical token) and supplies any passphrase assigned to it.
All three options keep the key material protected by the HSM's security world; the main difference is who must authorize use of a key. As a general rule, if you have no particular security or regulatory requirement, you can default to module protection. Thales prefers the use of physical tokens for authorization. For Operator Cards, Thales recommends a 1/N card set (any one of the N cards authorizes key use), where N is greater than the total number of nShield Connects. For more information about card sets, refer to the Thales user guides.
Task summary
The implementation process involves configuring a key protection type, then creating and loading token-, module-, or softcard-protected keys and certificates, and finally creating a client SSL profile that uses the key and certificate.
Task list
Configuring the key protection type
On the BIG-IP® system, you can choose among the Thales-supported types of key protection: module, softcard, and OCS. By default, the installation script sets up the appliance to create and use module-protected keys. F5 recommends that you keep only one set of cardset files (cards* or softcard*) in the $NFAST_KMDATA/local directory.
In this release, only one type of key protection (that is, one PKCS#11 slot) can be active at a time. Configure the key protection type for the slot by enabling the type you want and disabling the others.
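The recommendation above to keep only one set of cardset files in $NFAST_KMDATA/local is easy to violate after experimenting with softcards and OCS on the same appliance. The following pre-flight check is an added example, not F5 or Thales tooling: it classifies the directory as module, ocs, softcard, or mixed from the file name patterns the page gives (cards* and softcard*) and fails when more than one protection set is present. The default location /opt/nfast/kmdata, used only when NFAST_KMDATA is unset, is an assumption.

```shell
#!/bin/sh
# Added example (not F5 or Thales tooling): verify that the nShield
# key-management directory holds at most one cardset or softcard file set,
# as F5 recommends. Patterns cards* and softcard* follow the page; the
# fallback path /opt/nfast/kmdata is an assumption for when NFAST_KMDATA is unset.

kmdata_local_dir() {
    printf '%s/local\n' "${NFAST_KMDATA:-/opt/nfast/kmdata}"
}

# Print the number of entries in directory $1 whose names match glob $2
# (0 when nothing matches, including when the directory does not exist).
count_matching() {
    _dir=$1
    _pat=$2
    _n=0
    for _f in "$_dir"/$_pat; do
        [ -e "$_f" ] && _n=$((_n + 1))
    done
    printf '%s\n' "$_n"
}

# Print the protection type implied by the files in directory $1:
#   module   - no cardset or softcard files (module-protected keys only)
#   ocs      - exactly one OCS cardset (cards*) and no softcard
#   softcard - exactly one softcard and no OCS cardset
#   mixed    - more than one protection set present (not recommended)
protection_type() {
    _d=$1
    _ocs=$(count_matching "$_d" 'cards*')
    _soft=$(count_matching "$_d" 'softcard*')
    if [ "$_ocs" -eq 0 ] && [ "$_soft" -eq 0 ]; then
        printf 'module\n'
    elif [ "$_ocs" -eq 1 ] && [ "$_soft" -eq 0 ]; then
        printf 'ocs\n'
    elif [ "$_ocs" -eq 0 ] && [ "$_soft" -eq 1 ]; then
        printf 'softcard\n'
    else
        printf 'mixed\n'
    fi
}

# Report the protection type of directory $1; exit status 0 when it is in a
# recommended state (exactly one type), 1 when several sets are mixed.
check_kmdata() {
    _t=$(protection_type "$1")
    printf 'protection type in %s: %s\n' "$1" "$_t"
    [ "$_t" != mixed ]
}

# When invoked with a directory argument, check that directory; with no
# argument the functions are only defined (so the file can be sourced).
if [ "$#" -gt 0 ]; then
    check_kmdata "$1"
fi
```

Run it as `sh check_kmdata.sh "$(kmdata_local_dir)"` after sourcing, or simply `sh check_kmdata.sh /opt/nfast/kmdata/local`, before enabling a slot; a result of mixed means an earlier OCS or softcard set should be removed or archived before continuing.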