Manual Chapter: FIPS Platform Setup

Applies To:


BIG-IP AAM

  • 13.0.1, 13.0.0

BIG-IP APM

  • 13.0.1, 13.0.0

BIG-IP LTM

  • 13.0.1, 13.0.0

BIG-IP AFM

  • 13.0.1, 13.0.0

BIG-IP DNS

  • 13.0.1, 13.0.0

BIG-IP ASM

  • 13.0.1, 13.0.0

About setting up FIPS platforms in a device group

You can configure a device group using two platforms from the same series with a FIPS card installed in each unit. When setting up a FIPS solution on a device group, you install the two systems and can connect to a serial console to remotely manage the systems. In the event that network access is impaired or not yet configured, the serial console might be the only way to access your system.

After you have set up and configured the systems, you can create the FIPS security domain by initializing the HSM and creating a security officer (SO) password. You must configure the same security domain name on all HSMs in the group.

Initializing the HSM in 5000/7000/10200 platforms

You must initialize the hardware security module (HSM) installed in each unit before you can use it. When you are creating a device group using more than one FIPS platform, you initialize the HSM on one unit, and then initialize the HSM on a peer unit using the same security domain label that you used on the first unit.
Note: You can initialize the HSM and create the security domain before you license the system and create a traffic management configuration.
  1. Log in to the command line of the system using an account with root access.
  2. Open the Traffic Management Shell (tmsh).
    tmsh
  3. Initialize the HSM and set a security officer (SO) password.
    run util fips-util -f init
    Important: Running the fipsutil init command deletes all keys in the HSM and makes any previously exported keys unusable.
    Note: The initialization process takes a few minutes to complete.
    The initialization process begins. When prompted, type an SO password.
    Note: F5 recommends that you choose a strong value for the SO password. You cannot use the keyword default as the SO password.
                               
    WARNING: This erases all keys from the FIPS 140 device.
    Any configuration objects dependent on FIPS keys will cause
    the configuration fail to load.
    
    ==================== WARNING ================================
    The FIPS device will be reset to factory default state.
    All keys and user identities currently stored in the device
    will be erased.
    Any configuration objects dependent on FIPS keys will cause
    the configuration fail to load.
    
    Press <ENTER> to continue or Ctrl-C to cancel
    
    Resetting the device ...
    
    The FIPS device is now in factory default state.
    Enter new Security Officer password (min. 7, max. 14 characters):
    Re-enter Security Officer password:
                            
    
  4. When this message displays, type a security domain label.
    NOTE: security domain label must be identical on peer
    FIPS devices in order to be able to synchronize with them.
    Enter security domain label (max. 50 chars, default: F5FIPS):
                            
    
    Be sure to keep the security domain label and password in a secure location. You need the domain label and password when you initialize the HSM on a peer unit. You can use the same password or choose a new one. This information is also required when replacing a unit (for RMA or other reasons). Since keys are synchronized from the working unit to a new unit, the domain label and password are required.
    Initializing new security domain (F5FIPS)...
    Creating crypto user and crypto officer identities
    Waiting for the device to re-initialize ...
    Creating key encryption key (KEK)
    The FIPS device has been initialized.
                            
    
  5. Enable the HSM device using one of these options:
    • Reboot the unit.
    • Restart all services: restart sys service all.
      Note: Restarting services disrupts load-balanced traffic and might terminate remote login sessions to the system.
After you complete the initialization process on the first unit, you can initialize a peer system and add it to the security domain of the first unit. You must use the same SO password that you used on the first unit.

Initializing the HSM in 10350 platforms

You must initialize the hardware security module (HSM) installed in each unit before you can use it. When you are creating a device group using more than one FIPS platform, you initialize the HSM on one unit, and then initialize the HSM on a peer unit using the same security domain label that you used on the first unit. You can choose to use a different password on the peer unit.
Note: You can initialize the HSM and create the security domain before you license the system and create a traffic management configuration.
  1. Log in to the command line of the system using an account with root access.
  2. Open the Traffic Management Shell (tmsh).
    tmsh
  3. Initialize the HSM and set a security officer (SO) password.
    run util fips-util init
    Important: Running the fipsutil init command deletes all keys in the HSM and makes any previously exported keys unusable.
    Note: The initialization process takes a few minutes to complete.
    The initialization process begins. When prompted, type an SO password. You cannot use the keyword default as the SO password.
    Note: F5® recommends that you choose a strong value for the SO password.
    Warning: If this text displays in the message below, you need to first delete all keys from the device before running the command:
      There are keys stored in the FIPS device
      Delete all keys from the device before re-initializing it.
    You can use the -f option to force initialization, which deletes all user-generated keys (util fips-util -f init).
                               
    WARNING: This erases all keys from the FIPS 140 device.
    Any configuration objects dependent on FIPS keys will cause
    the configuration fail to load.
    
    ==================== WARNING ================================
    The FIPS device will be reset to factory default state.
    All keys and user identities currently stored in the device
    will be erased.
    Any configuration objects dependent on FIPS keys will cause
    the configuration fail to load.
    
    Press <ENTER> to continue or Ctrl-C to cancel
    
    Resetting the device ...
    
    The FIPS device is now in factory default state.
    Enter new Security Officer password (min. 7, max. 14 characters):
    Re-enter Security Officer password:
                            
    
  4. When this message displays, type a security domain label.
    NOTE: security domain label must be identical on peer
    FIPS devices in order to be able to synchronize with them.
    Enter security domain label (max. 50 chars, default: F5FIPS):
                            
    
    Be sure to keep the security domain label and password in a secure location. You need the domain label and password when you initialize the HSM on a peer unit. You can use the same password or choose a new one. This information is also required when replacing a unit (for RMA or other reasons). Since keys are synchronized from the working unit to a new unit, the domain label and password are required.
    Initializing new security domain (F5FIPS)...
    Creating crypto user and crypto officer identities
    Waiting for the device to re-initialize ...
    Creating key encryption key (KEK)
    The FIPS device has been initialized.
                            
    
  5. Enable the HSM device using one of these options:
    • Reboot the unit.
    • Restart all services: restart sys service all.
      Note: Restarting services disrupts load-balanced traffic and might terminate remote login sessions to the system.
After you complete the initialization process on the first unit, you can initialize a peer system and add it to the security domain of the first unit. You can choose to use the same SO password that you used on the first unit.

Initializing the HSM in i5000/i7000 Series platforms

You must initialize the hardware security module (HSM) installed in each unit before you can use it. When you are creating a device group using more than one FIPS platform, you initialize the HSM on one unit, and then initialize the HSM on a peer unit using the same security domain label that you used on the first unit. You can choose to use a different password on the peer unit.
Note: You can initialize the HSM and create the security domain before you license the system and create a traffic management configuration.
  1. Log in to the command line of the system using an account with root access.
  2. Open the TMOS Shell (tmsh).
    tmsh
  3. Initialize the HSM and set a security officer (SO) password.
    run util fips-util init
    Important: Running this command deletes all keys in the HSM and makes any previously exported keys unusable.
    Note: The initialization process takes a few minutes to complete.
    The initialization process begins. When prompted, type an SO password. You cannot use the keyword default as the SO password.
    Note: F5® recommends that you choose a strong value for the SO password.
    Warning: If this text displays in the message below, you need to first delete all keys from the device before running the command:
      There are keys stored in the FIPS device
      Delete all keys from the device before re-initializing it.
    You can use the -f option to force initialization, which deletes all user-generated keys (util fips-util -f init).
    WARNING: This erases all keys from the FIPS 140 device.
    Any configuration objects dependent on FIPS keys will cause
    the configuration fail to load.
    
    ==================== WARNING ================================
    The FIPS device will be reset to factory default state.
    All keys and user identities currently stored in the device
    will be erased.
    Any configuration objects dependent on FIPS keys will cause
    the configuration fail to load.
    
    Press <ENTER> to continue or Ctrl-C to cancel
    
    Resetting the device ...
    
    The FIPS device is now in factory default state.
    Enter new Security Officer password (min. 7, max. 14 characters):
    Re-enter Security Officer password:
    
  4. When this message displays, type a security domain label.
    NOTE: security domain label must be identical on peer
    FIPS devices in order to be able to synchronize with them.
    Enter security domain label (max. 50 chars, default: F5FIPS):
    
    Be sure to keep the security domain label and password in a secure location. You need the domain label and password when you initialize the HSM on a peer unit. You can use the same password or choose a new one. This information is also required when replacing a unit (for RMA or other reasons). Since keys are synchronized from the working unit to a new unit, the domain label and password are required.
    Initializing new security domain (F5FIPS)...
    Creating crypto user and crypto officer identities
    Waiting for the device to re-initialize ...
    Creating key encryption key (KEK)
    The FIPS device has been initialized.
    
  5. Enable the HSM device using one of these options:
    • Reboot the unit.
    • Restart all services: restart sys service all.
      Note: Restarting services disrupts load-balanced traffic and might terminate remote login sessions to the system.
After you complete the initialization process on the first unit, you can initialize a peer system and add it to the security domain of the first unit. You can choose to use the same SO password that you used on the first unit.

Viewing HSM information using tmsh

You can use the Traffic Management Shell (tmsh) to view information about the hardware security module (HSM).
  1. Log in to the command line of the system using an account with root access.
  2. Open the Traffic Management Shell (tmsh).
    tmsh
  3. View information about the HSM.
    run util fips-util info
    Depending on the HSM installed in your system, a summary similar to this example (from a 10350 platform) displays.
                               
    Label:              F5FIPS
    Model:              NITROX-III CNN35XX-NFBE
    
    Serial Number:      3.0G1501-ICM000059
    FIPS state:         2
    
    MaxSessionCount:    2048
    SessionCount:       13
    
    MaxPinLen:          14
    MinPinLen:          7
    TotalPublicMemory:  557540
    FreePublicMemory:   234552
    TotalUserKeys:      10075
    AvailableUserKeys:  10075
    
    Loging failures:
    	user:    0
    	officer: 0
    
    Temperature:        72 C
    HW version:         0.0
    Firmware version:   CNN35XX-NFBE-FW-1.0-27
                            
    

Before you synchronize the HSMs

Before you can synchronize the FIPS hardware security modules (HSMs), you must ensure that the target HSM:

  • Is already initialized
  • Has an identical security domain name
  • Does not contain existing keys
  • Is the same hardware model
  • Contains the same firmware version

Before you run the fips-card-sync command, ensure that you have this information:

  • The SO password for the source F5® device
  • The SO password for the target F5 device
  • The root password for the target F5 device

The target device must also be reachable using SSH from the source device.
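
The HSM prerequisites above can be checked mechanically by comparing the `run util fips-util info` summary saved from each unit. The script below is an added example, not part of the F5 manual or F5 tooling: it checks the label, model and firmware version, and assumes (it is not stated on this page) that the target holds no keys when AvailableUserKeys equals TotalUserKeys. The file names and sample summaries are constructed; initialization state and SSH reachability are not checked.

```shell
#!/bin/sh
# Added example (not F5 code): compare two saved `fips-util info` summaries.

# field <file> <name>: print the value of a "Name:   value" line.
field() {
    awk -F': *' -v k="$2" '
        { sub(/^[ \t]+/, "", $1) }
        $1 == k { sub(/[ \t\r]+$/, "", $2); print $2; exit }' "$1"
}

# presync_check <source_info> <target_info>
# Prints one line per failed prerequisite; returns 0 only if all checks pass.
presync_check() {
    src=$1; tgt=$2; rc=0
    for f in "Label" "Model" "Firmware version"; do
        s=$(field "$src" "$f"); t=$(field "$tgt" "$f")
        if [ -z "$s" ] || [ -z "$t" ]; then
            echo "MISSING  $f (source='$s' target='$t')"; rc=1
        elif [ "$s" != "$t" ]; then
            echo "MISMATCH $f (source='$s' target='$t')"; rc=1
        fi
    done
    # Assumption: target is empty when AvailableUserKeys == TotalUserKeys.
    total=$(field "$tgt" "TotalUserKeys")
    avail=$(field "$tgt" "AvailableUserKeys")
    if [ -z "$total" ] || [ "$total" != "$avail" ]; then
        echo "KEYS     target reports '$avail' of '$total' user keys available"; rc=1
    fi
    return "$rc"
}

# Constructed sample summaries; field names follow the page's 10350 example.
mk_info() {  # mk_info <file> <label> <firmware> <available_keys>
    cat > "$1" <<EOF
Label:              $2
Model:              NITROX-III CNN35XX-NFBE
TotalUserKeys:      10075
AvailableUserKeys:  $4
Firmware version:   $3
EOF
}

SAMPLES=$(mktemp -d)
mk_info "$SAMPLES/source.txt" F5FIPS CNN35XX-NFBE-FW-1.0-27 10075
mk_info "$SAMPLES/good.txt"   F5FIPS CNN35XX-NFBE-FW-1.0-27 10075
mk_info "$SAMPLES/bad.txt"    F5FIPS-OLD CONSTRUCTED-FW-OLDER 10070  # constructed

presync_check "$SAMPLES/source.txt" "$SAMPLES/bad.txt" ||
    echo "Prerequisites not met: do not run fips-card-sync yet."
```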

Synchronizing the HSMs using tmsh

Be sure that you meet all prerequisites before synchronizing the hardware security modules (HSMs) in your devices.
Synchronizing the HSMs enables you to copy keys from one HSM to another. This is also required to synchronize the software configuration in a device group.
Note: You only need to perform the synchronization process during the initial configuration of a pair of devices. After the two devices are in sync, they remain in sync.
  1. Log on to the command line of the source F5® device using an account with root access.
  2. Open the Traffic Management Shell (tmsh).
    tmsh
  3. Synchronize the Master Symmetric key from the HSM on the source F5 device to the HSM on the target F5 device, where <hostname> is the IP address or hostname of the target F5 device.
    run util fips-card-sync <hostname>
    Note: Be sure to run this command on a device that contains a valid Master Symmetric key. Otherwise, you might invalidate all keys loaded in the HSM.
    Note: A Master Symmetric key is shared between the HSMs on each F5 device. This shared master key is used to encrypt the SSL private keys when the keys leave the cryptographic boundary of the HSM.
    1. When prompted, type the security officer (SO) password for the local device.
    2. When prompted, type the SO password for the remote device or press Enter if the password is the same as for the local device.
      A message similar to this example displays:
                                       
      Connecting to 172.27.76.255 as user root ...
                                    
      
    3. When prompted, type the root password.
      When the synchronization operation completes, a message similar to this example displays:
                                       
      FIPS devices have been synchronized.
                                    
      
  4. Confirm that all devices have the Master Symmetric key.
    tmsh show sys crypto master-key
    A summary similar to this example displays:
                               
    -------------------------------------------
    Sys::Master-Key
    -------------------------------------------
    master-key hash  <hJqPIjC72OJOP90CfD9WHw==>
    previous hash    <>
                            
    
  5. Synchronize the software configuration in the device group.
    Important: You must run fips-card-sync before running config-sync. Otherwise, the FIPS keys will not load on the remote device.
    run cm config-sync [ to-group | from-group ] <device_group_name>