Applies To:
Show VersionsBIG-IP AAM
- 13.1.5, 13.1.4, 13.1.3, 13.1.1, 13.1.0
BIG-IP APM
- 13.1.5, 13.1.4, 13.1.3, 13.1.1, 13.1.0
BIG-IP LTM
- 13.1.5, 13.1.4, 13.1.3, 13.1.1, 13.1.0
BIG-IP AFM
- 13.1.5, 13.1.4, 13.1.3, 13.1.1, 13.1.0
BIG-IP DNS
- 13.1.5, 13.1.4, 13.1.3, 13.1.1, 13.1.0
BIG-IP ASM
- 13.1.5, 13.1.4, 13.1.3, 13.1.1, 13.1.0
Creating a backup of the Thales RFS
Upgrading the BIG-IP software when using the Thales HSM
After a BIG-IP® system software or hotfix upgrade, you must run the Thales client setup script to restore your default Thales configuration. Any local keys and certificates you loaded into the BIG-IP system before upgrading (using the command tmsh install sys crypto) appear in the upgrade partition, but they are usable only after you run the Thales client setup script. If you are restoring the Thales client on a VIPRION® system, you run the configuration script only on the primary blade, and then the system propagates the configuration to the additional active blades.
- Log in to the command-line interface of the BIG-IP system using an account with administrator privileges.
-
Run one of these scripts, using the arguments that are appropriate for your
configuration:
- If the BIG-IP is an RFS server in addition to being a Thales client, use: nethsm-thales-rfs-install.sh and nethsm-thales-install.sh
- If the BIG-IP is only a Thales client use: nethsm-thales-install.sh
Uninstalling Thales nShield Connect components from the BIG-IP system
Replacing a broken Thales HSM without breaking existing keys
fipskey.nethsm utility options
The fipskey.nethsm utility includes these options:
Option | Description |
---|---|
-o | Name applied to .key, .csr,
and .crt output files
Important: This
parameter is required.
|
-c [token | module | softcard] | Type of protection (default value is token) |
-e [hex] | Public exponent to use when generating RSA keys only.
Note: Do not
provide a value for this option, unless advised to do so by F5® Technical Support.
|
-g [sha1] | Digest used to sign key and certificate |
-k [name] | Key name |
-m [yes | no] | Store key in non-volatile RAM |
-n [integer] | Slot number to read cards from |
-r [yes | no] | Key recovery available |
-s [integer] | Size of key/certificate pair (in bits) |
-t [RSA] | Key type |
-v [yes | no] | Verification available |
-C | Country identifier |
-D | Domain name |
-E | Email address for key contact |
-L | Locality identifier |
-N | Substitute alternative name
Note: Applies
only to SafeNet Luna HSM.
|
-O | Organization identifier |
-P | Province identifier |
-U | Organization unit identifier |
nethsm-thales-install.sh utility options
The nethsm-thales-install.sh utility includes these options:
Option | Description |
---|---|
-h | Displays help. |
-v | Prints verbose output about operations. |
--hsm_ip_addr=<ip_addr> | Thales HSM IP address(es). For multiple HSMs, use a double-quoted value with space-separated IP addresses (such as --hsm_ip_addr="10.10.10.100.10.10.10.101"). |
--rfs_interface=<interface_name> | Interface identifier for the local Remote File System (RFS) server. Default is the management interface (eth0). |
--protection=<protection_type> | Indicates which type of key protection to use. Valid options are [m]odule, [o]cs, or [s]oftcard. When this option is not used, the protection defaults to module protection. |
--verbose=<level> | Indicates message verbosity level. The default value is zero, and all levels greater than zero indicate verbose output. |
nethsm-thales-rfs-install.sh utility options
The nethsm-thales-rfs-install.sh utility includes these options:
Option | Description |
---|---|
-h | Displays help. |
--u | Uninstalls Thales software and cleans up Thales directories. |
-v | Prints verbose output about the executing operations. |
--hsm_ip_addr=<ip_addr> | Thales HSM IP address(es). For multiple HSMs, use a double-quoted value with space-separated IP addresses (such as --hsm_ip_addr="10.10.10.100.10.10.10.101"). |
--interface=<interface_name> | Interface identifier of BIG-IP® to be used as Thales HSM Client (eth0). The default is the management interface. |
--num_threads=<threads> | Indicates the number of threads pkcs11d will use. The default is 20. |
--rfs_interface=<interface_name> | Local Remote File System (RFS) server interface name (eth0). |
--rfs_ip_addr=<ip_addr> | Remote RFS server IP address. |
--rfs_username=<ssh_username> | Remote RFS server username for SSH login. |
--protection=<protection_type> | Indicates which type of key protection to use. Valid options are [m]odule, [o]cs, or [s]oftcard. When this option is not used, the protection defaults to module protection. |
--verbose=<level> | Indicates message verbosity level. The default value is zero, and all levels greater than zero indicate verbose output. |