My Support
  1. AskF5 Home
  2. Knowledge Centers
  3. BIG-IP LTM
  4. BIG-IP Platform: FIPS Administration
  5. BIG-IP FIPS Platform Setup
Manual Chapter : BIG-IP FIPS Platform Setup

Applies To:

Show Versions Show Versions

BIG-IP DNS

  • 12.1.4, 12.1.3

BIG-IP PEM

  • 12.1.4, 12.1.3

BIG-IP AFM

  • 12.1.4, 12.1.3

BIG-IP ASM

  • 12.1.4, 12.1.3

BIG-IP AAM

  • 12.1.4, 12.1.3

BIG-IP APM

  • 12.1.4, 12.1.3

BIG-IP LTM

  • 12.1.4, 12.1.3
Manual Chapter
Table of Contents | Next Chapter >>

About setting up the BIG-IP systems in a device group

You can configure a device group using two platforms that have the same FIPS hardware security module (HSM) model installed. When setting up a FIPS solution on a device group, you install the two systems and can connect to a serial console to remotely manage the systems. In the event that network access is impaired or not yet configured, the serial console might be the only way to access your system.

After you have set up and configured the systems, you can create the FIPS security domain by initializing the HSM and creating a security officer (SO) password. You must configure the same security domain name on all HSMs in the group.

Initializing the HSM in 6900/8900 platforms

You must initialize the hardware security module (HSM) installed in each unit before you can use it. When you are creating a device group using more than one FIPS platform, you initialize the HSM on one unit, and then initialize the HSM on each peer unit using the same security domain name that you used on the first unit.
Note: You can initialize the HSM and create the security domain before you license the system and create a traffic management configuration.
  1. Log in to the command line of the system using an account with root access.
  2. Open the TMOS Shell (tmsh).
    tmsh
  3. Initialize the HSM and set a security officer (SO) password.
    run util fips-util -f init
    Important: Running the fipsutil init command deletes all keys in the HSM and makes any previously exported keys unusable.
    The initialization process begins. When prompted, type an SO password.
    Note: F5® recommends that you choose a strong value for the SO password.
                               
NFB Initialization Process

WARNING - all private keys in NFB will be erased after SO password is entered!
Any configuration objects dependent on FIPS keys will cause the configuration fail to load.
Passwords must be at least 7 characters in length.
Enter no password if you instead wish to cancel.

New SO Password:
Re-enter new SO Password:
  4. When this message displays, type a security domain name. 
                               
Initializing NFB...
The security domain name must be the same on all FIPS machines.
Please enter your security domain name:
    Be sure to keep the security domain name and password in a secure location. You need the domain name and password when you initialize the HSM on a peer unit. This information is also required when replacing a unit (for RMA or other reasons). Since keys are synchronized from the working unit to a new unit, the domain label and password are required.
    Important: The domain name cannot be extracted or displayed by the software or hardware after you set it.
    When the initialization process completes successfully, this message displays: The FIPS device has been initialized.
  5. Enable the HSM device using one of these options:
    • Reboot the unit.
    • Restart all services: restart sys service all.
      Note: Restarting services disrupts load-balanced traffic and might terminate remote login sessions to the system.
After you complete the initialization process on the first unit, you can initialize a peer system and add it to the security domain of the first unit.

Initializing the HSM in 5000/7000/10200/11000/11050 platforms

You must initialize the hardware security module (HSM) installed in each unit before you can use it. When you are creating a device group using more than one FIPS platform, you initialize the HSM on one unit, and then initialize the HSM on a peer unit using the same security domain label that you used on the first unit.
Note: You can initialize the HSM and create the security domain before you license the system and create a traffic management configuration.
  1. Log in to the command line of the system using an account with root access.
  2. Open the TMOS Shell (tmsh).
    tmsh
  3. Initialize the HSM and set a security officer (SO) password.
    run util fips-util -f init
    Important: Running the fipsutil init command deletes all keys in the HSM and makes any previously exported keys unusable.
    Note: The initialization process takes a few minutes to complete.
    The initialization process begins. When prompted, type an SO password.
    Note: F5® recommends that you choose a strong value for the SO password. You cannot use the keyword default as the SO password.
                               
WARNING: This erases all keys from the FIPS 140 device.
Any configuration objects dependent on FIPS keys will cause
the configuration fail to load.

==================== WARNING ================================
The FIPS device will be reset to factory default state.
All keys and user identities currently stored in the device
will be erased.
Any configuration objects dependent on FIPS keys will cause
the configuration fail to load.

Press <ENTER> to continue or Ctrl-C to cancel

Resetting the device ...

The FIPS device is now in factory default state.
Enter new Security Officer password (min. 7, max. 14 characters):
Re-enter Security Officer password:
  4. When this message displays, type a security domain label. 
                               
NOTE: security domain label must be identical on peer
FIPS devices in order to be able to synchronize with them.
Enter security domain label (max. 50 chars, default: F5FIPS):
    Be sure to keep the security domain label and password in a secure location. You need the domain label and password when you initialize the HSM on a peer unit. You can use the same password or choose a new one. This information is also required when replacing a unit (for RMA or other reasons). Since keys are synchronized from the working unit to a new unit, the domain label and password are required.
                               
Initializing new security domain (F5FIPS)...
Creating crypto user and crypto officer identities
Waiting for the device to re-initialize ...
Creating key encryption key (KEK)
The FIPS device has been initialized.
  5. Enable the HSM device using one of these options:
    • Reboot the unit.
    • Restart all services: restart sys service all.
      Note: Restarting services disrupts load-balanced traffic and might terminate remote login sessions to the system.
After you complete the initialization process on the first unit, you can initialize a peer system and add it to the security domain of the first unit. You must use the same SO password that you used on the first unit.

Initializing the HSM in 10350 platforms

You must initialize the hardware security module (HSM) installed in each unit before you can use it. When you are creating a device group using more than one FIPS platform, you initialize the HSM on one unit, and then initialize the HSM on a peer unit using the same security domain label that you used on the first unit. You can choose to use a different password on the peer unit.
Note: You can initialize the HSM and create the security domain, before you license the system and create a traffic management configuration.
  1. Log in to the command line of the system using an account with root access.
  2. Open the TMOS Shell (tmsh).
    tmsh
  3. Initialize the HSM and set a security officer (SO) password.
    run util fips-util init
    Important: Running the fipsutil init command deletes all keys in the HSM and makes any previously exported keys unusable.
    Note: The initialization process takes a few minutes to complete.
    The initialization process begins. When prompted, type an SO password. You cannot use the keyword default as the SO password.
    Note: F5® recommends that you choose a strong value for the SO password.
                               
WARNING: This erases all keys from the FIPS 140 device.
Any configuration objects dependent on FIPS keys will cause
the configuration fail to load.

==================== WARNING ================================
The FIPS device will be reset to factory default state.
All keys and user identities currently stored in the device
will be erased.
Any configuration objects dependent on FIPS keys will cause
the configuration fail to load.

Press <ENTER> to continue or Ctrl-C to cancel

Resetting the device ...

The FIPS device is now in factory default state.
Enter new Security Officer password (min. 7, max. 14 characters):
Re-enter Security Officer password:
  4. When this message displays, type a security domain label. 
                               
NOTE: security domain label must be identical on peer
FIPS devices in order to be able to synchronize with them.
Enter security domain label (max. 50 chars, default: F5FIPS):
    Be sure to keep the security domain label and password in a secure location. You need the domain label and password when you initialize the HSM on a peer unit. You can use the same password or choose a new one. This information is also required when replacing a unit (for RMA or other reasons). Since keys are synchronized from the working unit to a new unit, the domain label and password are required.
                               
Initializing new security domain (F5FIPS)...
Creating crypto user and crypto officer identities
Waiting for the device to re-initialize ...
Creating key encryption key (KEK)
The FIPS device has been initialized.
  5. Enable the HSM device using one of these options:
    • Reboot the unit.
    • Restart all services: restart sys service all.
      Note: Restarting services disrupts load-balanced traffic and might terminate remote login sessions to the system.
After you complete the initialization process on the first unit, you can initialize a peer system and add it to the security domain of the first unit. You can choose to use the same SO password that you used on the first unit.

Initializing the HSM in i5000/i7000 Series platforms

You must initialize the hardware security module (HSM) installed in each unit before you can use it. When you are creating a device group using more than one FIPS platform, you initialize the HSM on one unit, and then initialize the HSM on a peer unit using the same security domain label that you used on the first unit. You can choose to use a different password on the peer unit.
Note: You can initialize the HSM and create the security domain, before you license the system and create a traffic management configuration.
  1. Log in to the command line of the system using an account with root access.
  2. Open the TMOS Shell (tmsh).
    tmsh
  3. Initialize the HSM and set a security officer (SO) password.
    run util fips-util init
    Important: Running the fipsutil init command deletes all keys in the HSM and makes any previously exported keys unusable.
    Note: The initialization process takes a few minutes to complete.
    The initialization process begins. When prompted, type an SO password. You cannot use the keyword default as the SO password.
    Note: F5® recommends that you choose a strong value for the SO password.
                               
WARNING: This erases all keys from the FIPS 140 device.
Any configuration objects dependent on FIPS keys will cause
the configuration fail to load.

==================== WARNING ================================
The FIPS device will be reset to factory default state.
All keys and user identities currently stored in the device
will be erased.
Any configuration objects dependent on FIPS keys will cause
the configuration fail to load.

Press <ENTER> to continue or Ctrl-C to cancel

Resetting the device ...

The FIPS device is now in factory default state.
Enter new Security Officer password (min. 7, max. 14 characters):
Re-enter Security Officer password:
  4. When this message displays, type a security domain label. 
                               
NOTE: security domain label must be identical on peer
FIPS devices in order to be able to synchronize with them.
Enter security domain label (max. 50 chars, default: F5FIPS):
    Be sure to keep the security domain label and password in a secure location. You need the domain label and password when you initialize the HSM on a peer unit. You can use the same password or choose a new one. This information is also required when replacing a unit (for RMA or other reasons). Since keys are synchronized from the working unit to a new unit, the domain label and password are required.
                               
Initializing new security domain (F5FIPS)...
Creating crypto user and crypto officer identities
Waiting for the device to re-initialize ...
Creating key encryption key (KEK)
The FIPS device has been initialized.
  5. Enable the HSM device using one of these options:
    • Reboot the unit.
    • Restart all services: restart sys service all.
      Note: Restarting services disrupts load-balanced traffic and might terminate remote login sessions to the system.
After you complete the initialization process on the first unit, you can initialize a peer system and add it to the security domain of the first unit. You can choose to use the same SO password that you used on the first unit.

Viewing HSM information using tmsh

You can use the Traffic Management Shell (tmsh) to view information about the hardware security module (HSM).
  1. Log in to the command line of the system using an account with root access.
  2. Open the TMOS Shell (tmsh).
    tmsh
  3. View information about the HSM.
    run util fips-util info
    Depending on the HSM installed in your system, a summary similar to one of these examples displays:

    Example 1, for 6900/8900 platforms:

                               
Label:             F5FIPS
HSM Serial Number: 8100298
Hardware ID:       0x0
Firmware Version:  4.7.1
Total FLASH:       14286412
Free FLASH:        14286412
Total SRAM:        16984956
Free SRAM:         16981884

    Example 2, for 10350/i5000/i7000 platforms:

                               
Label:              F5FIPS
Model:              NITROX-III CNN35XX-NFBE

Serial Number:      3.0G1501-ICM000059
FIPS state:         2

MaxSessionCount:    2048
SessionCount:       13

MaxPinLen:          14
MinPinLen:          7
TotalPublicMemory:  557540
FreePublicMemory:   234552
TotalUserKeys:      10075
AvailableUserKeys:  10075

Loging failures:
	user:    0
	officer: 0

Temperature:        72 C
HW version:         0.0
Firmware version:   CNN35XX-NFBE-FW-1.0-27

Before you synchronize the HSMs

Before you can synchronize the FIPS hardware security modules (HSMs), you must ensure that the target HSM:

  • Is already initialized
  • Has an identical security domain name
  • Does not contain existing keys
  • Includes the same model of FIPS HSM (card)
  • Contains the same firmware version

Before you run the fips-card-sync command, ensure that you have this information:

  • The SO password for the source BIG-IP® device
  • The SO password for the target BIG-IP device
  • The root password for the target BIG-IP device

The target device must also be reachable using SSH from the source device.

Synchronizing the HSMs using tmsh

Be sure that you meet all prerequisites before synchronizing the hardware security modules (HSMs) in your devices.
Synchronizing the HSMs enables you to copy keys from one HSM to another. This is also required to synchronize BIG-IP® configuration in a device group.
Note: You only need to perform the synchronization process during the initial configuration of a pair of devices. After the two devices are in sync, they remain in sync.
  1. Log on to the command line of the source BIG-IP device using an account with root access.
  2. Open the TMOS Shell (tmsh).
    tmsh
  3. Synchronize the Master Symmetric key from the HSM on the source BIG-IP device to the HSM on the target BIG-IP device, where <hostname> is the IP address or hostname of the target BIG-IP device.
    run util fips-card-sync <hostname>
    Note: Be sure to run this command on a device that contains a valid Master Symmetric key. Otherwise, you might invalidate all keys loaded in the HSM.
    Note: A Master Symmetric key is shared between the HSMs on each BIG-IP device. This shared master key is used to encrypt the SSL private keys when the keys leave the cryptographic boundary of the HSM.
    1. When prompted, type the security officer (SO) password for the local device.
    2. When prompted, type the SO password for the remote device or press Enter if the password is the same as for the local device.
      A message similar to this example displays: 
                                       
Connecting to 172.27.76.255 as user root ...
    3. When prompted, type the root password.
      When the synchronization operation completes, a message similar to this example displays: 
                                       
FIPS devices have been synchronized.
  4. Confirm that all devices have the Master Symmetric key.
    tmsh show sys crypto master-key
    A summary similar to this example displays: 
                               
-------------------------------------------
Sys::Master-Key
-------------------------------------------
master-key hash  <hJqPIjC72OJOP90CfD9WHw==>
previous hash    <>
  5. Synchronize the BIG-IP configuration in the device group.
    Important: You must run fips-card-sync before running config-sync. Otherwise, the FIPS keys will not load on the remote device.
    run cm config-sync [ to-group | from-group ] <device_group_name>
Table of Contents | Next Chapter >>

Have a Question?

Support and Sales >

About F5

Education

F5 Sites

Support Tasks

©2019 F5 Networks, Inc. All rights reserved.

Policies Privacy Trademarks