Applies To:
BIG-IP AAM
- 12.1.2, 12.1.1, 12.1.0, 11.6.4, 11.6.3, 11.6.2, 11.6.1, 11.5.9, 11.5.8, 11.5.7, 11.5.6, 11.5.5, 11.5.4, 11.5.3, 11.5.2, 11.5.1
BIG-IP APM
- 12.1.2, 12.1.1, 12.1.0, 11.6.4, 11.6.3, 11.6.2, 11.6.1, 11.5.9, 11.5.8, 11.5.7, 11.5.6, 11.5.5, 11.5.4, 11.5.3, 11.5.2, 11.5.1
BIG-IP GTM
- 11.6.4, 11.6.3, 11.6.2, 11.6.1, 11.5.9, 11.5.8, 11.5.7, 11.5.6, 11.5.5, 11.5.4, 11.5.3, 11.5.2
BIG-IP LTM
- 12.1.2, 12.1.1, 12.1.0, 11.6.4, 11.6.3, 11.6.2, 11.6.1, 11.5.9, 11.5.8, 11.5.7, 11.5.6, 11.5.5, 11.5.4, 11.5.3, 11.5.2, 11.5.1
BIG-IP AFM
- 12.1.2, 12.1.1, 12.1.0, 11.6.4, 11.6.3, 11.6.2, 11.6.1, 11.5.9, 11.5.8, 11.5.7, 11.5.6, 11.5.5, 11.5.4, 11.5.3, 11.5.2, 11.5.1
BIG-IP DNS
- 12.1.2, 12.1.1, 12.1.0
BIG-IP ASM
- 12.1.2, 12.1.1, 12.1.0, 11.6.4, 11.6.3, 11.6.2, 11.6.1, 11.5.9, 11.5.8, 11.5.7, 11.5.6, 11.5.5, 11.5.4, 11.5.3, 11.5.2, 11.5.1
Key Management
About managing FIPS keys using the BIG-IP Configuration utility
You can use the BIG-IP® Configuration utility to create FIPS keys, import existing FIPS keys into a hardware security module (HSM), and convert existing keys into FIPS keys.
Existing FIPS keys (.exp files) can be imported only into an HSM that holds the same Master Symmetric key that was in use when the FIPS keys were exported. The Master Symmetric key encrypts SSL private keys as they are exported from an HSM, so only that same key can decrypt the SSL private keys as they are imported into the HSM.
Creating FIPS keys using the BIG-IP Configuration utility
Importing keys using the BIG-IP Configuration utility
Converting a key to FIPS using the BIG-IP Configuration utility
About managing FIPS keys using tmsh
You can use the Traffic Management Shell (tmsh) to create FIPS keys, import existing keys into a BIG-IP® system, and convert existing keys to FIPS keys.
Creating FIPS keys using tmsh
Importing FIPS keys using tmsh
Converting a key to FIPS using tmsh
Listing FIPS keys in the HSM using tmsh
Listing FIPS keys in the BIG-IP configuration using tmsh
Deleting a key from the BIG-IP configuration and HSM using tmsh
Supported FIPS key sizes
These are the supported key sizes for BIG-IP® FIPS platforms.
FIPS platform | Supported key sizes (bits) |
---|---|
5000 | 1024/2048, 4096 |
6900 | 1024, 2048 |
7000 | 1024/2048, 4096 |
8900 | 1024, 2048 |
10200 | 1024/2048, 4096 |
10350 | 2048 |
11000 | 1024/2048, 4096 |
11050 | 1024/2048, 4096 |
Additional FIPS platform management tmsh commands
This table lists additional tmsh commands that you can use to manage your FIPS platform.
Command | Description |
---|---|
show sys crypto fips | Lists keys in the FIPS card. |
list sys crypto key | Lists keys in the BIG-IP® configuration. |
delete sys crypto key <key_object_name> | Deletes a key from the BIG-IP configuration and the FIPS card. |
delete sys crypto fips by-handle <key_handle> | Deletes a key from the FIPS card only. Key handles are obtained using the show sys crypto fips command sequence. CAUTION: Use this command sequence only in the rare circumstance when you need to delete keys that no longer have configuration objects from the card (for example, keys that do not show up when you run the list sys crypto key command sequence). |