Manual Chapter : vCMP Host Administration Tasks

Applies To:


BIG-IP DNS

  • 14.1.0, 14.0.0, 13.1.1, 13.1.0

BIG-IP ASM

  • 14.1.0, 14.0.0, 13.1.1, 13.1.0

BIG-IP AAM

  • 14.1.0, 14.0.0, 13.1.1, 13.1.0

BIG-IP APM

  • 14.1.0, 14.0.0, 13.1.1, 13.1.0

BIG-IP LTM

  • 14.1.0, 14.0.0, 13.1.1, 13.1.0

Host administration tasks

Before vCMP guest administrators can create and manage FIPS keys in their own secure partitions on the FIPS hardware security module (HSM), a host administrator must perform some configuration tasks.

Prerequisite tasks

Before you set up FIPS partitions for your Virtual Clustered Multiprocessing (vCMP) guests, confirm that these vCMP host prerequisites have been met, on each BIG-IP device that will host vCMP guests in a high availability configuration. Confirm all prerequisites by logging in to the BIG-IP system using the management IP address of the vCMP host.

Important: For you to confirm these prerequisites, your BIG-IP system user account must have a role of Administrator assigned to it.
Prerequisite: You have permission to use the TMSH (TMOS Shell) command-line interface.
Verification tool: BIG-IP Configuration utility
Verification instructions: On the Main tab, click System > Users. Then click your account name and view the Terminal Access list. This setting must be set to either tmsh or Advanced shell. For more information, see the guide BIG-IP System: User Account Administration on the F5 support site support.f5.com.

Prerequisite: The license type on each BIG-IP device is correct.
Verification tool: An SSH application such as PuTTY
Verification instructions: At the tmsh prompt, type show sys hardware. Under Platform, look at the Name property, and confirm that the platform model number includes an F. For more information, see the guide BIG-IP System: Essentials on the F5 support site support.f5.com.

Prerequisite: The BIG-IP devices that are to operate as vCMP hosts are in a Sync-Failover device group for high availability.
Verification tool: The BIG-IP Configuration utility or the TMOS Shell (TMSH)
Verification instructions: For more information, see the guide BIG-IP Device Service Clustering: Administration on the F5 support site support.f5.com.

Prerequisite: The hardware security module in each BIG-IP device is in the factory default state.
Verification tool: The TMOS Shell (TMSH)
Verification instructions: To reset an HSM to its factory default state, see the command tmsh fips-util -f reset.

Initializing the HSMs on vCMP hosts

On each physical device that you intend to configure as a vCMP host, you must initialize the installed hardware security module (HSM). In our sample configuration, two BIG-IP devices function as vCMP hosts.

During HSM initialization, the system creates a default FIPS partition named PARTITION_1. By default, all FIPS cores and key storage are allocated to this partition.

  1. Using an SSH application such as PuTTY, log in to the command line of a BIG-IP system using an account with root access.
  2. Open the TMOS Shell (tmsh) by typing tmsh at the system prompt.
  3. Start the process of initializing the HSM by typing this TMSH command:
    run util fips-util init
    Important: Running this command deletes all keys in the HSM and makes any previously exported keys unusable.
    Note: The initialization process takes a few minutes to complete.
    After typing this command, the initialization process begins. When prompted, type an SO password. The password does not appear on the screen as you type it. Also, you cannot use the keyword default as the SO password.
    Note: F5 recommends that you choose a strong value for the SO password.
    WARNING: This erases all keys from the FIPS 140 device.
    Any configuration objects dependent on FIPS keys will cause
    the configuration fail to load.

    ==================== WARNING ================================
    The FIPS device will be reset to factory default state.
    All keys and user identities currently stored in the device
    will be erased.
    Any configuration objects dependent on FIPS keys will cause
    the configuration fail to load.

    Press <ENTER> to continue or Ctrl-C to cancel

    Resetting the device ...

    The FIPS device is now in factory default state.
    Enter new Security Officer password (min. 7, max. 14 characters):
    Re-enter Security Officer password:
    Initializing device...
    The FIPS device has been initialized.

  4. Enable the HSM using one of these options:
    • Reboot the unit.
    • Restart all services: restart sys service all.
      Note: Restarting services disrupts load-balanced traffic and might terminate remote login sessions to the system.
  5. To view information about the HSM after initialization, type fips-util -v info at the TMSH prompt.
  6. Repeat these steps on the other device that you intend to configure as a vCMP host.
After you complete this task, both HSMs on the BIG-IP devices are initialized. Also, each HSM contains the default FIPS partition, PARTITION_1.
Later in the configuration process, you will resize the default partition to free up FIPS resources to assign to a new FIPS partition.

Synchronizing the HSMs

Before you synchronize the HSMs on the peer devices, verify that the HSMs:

  • Are already initialized
  • Have identical security domain labels
  • Do not contain existing keys
  • Are the same hardware model
  • Contain the same firmware version

Also, check that, for each device, you know the security officer (SO) password for the HSM and the password for an account with root access.

Synchronizing the HSMs between peer devices enables you to copy keys from one HSM to another. HSM synchronization is also required before you can synchronize the BIG-IP software configuration in a Sync-Failover device group later.
  1. Log on to the command line of the source F5 device, using an account with root access.
  2. Open the TMOS Shell (tmsh) by typing tmsh at the system prompt.
  3. Confirm that the HSM on the device has a Master Symmetric key by typing the command show sys crypto master-key.
  4. Synchronize the Master Symmetric key from the HSM on the source device to the HSM on the target device, where <ip_address> is the IP address of the target device: run util fips-card-sync <ip_address>.
    Note: Be sure to run this command on a device that contains a valid Master Symmetric key. A Master Symmetric key is shared between the HSMs on each F5 device. This shared master key is used to encrypt the SSL private keys when the keys leave the cryptographic boundary of the HSM.
    In our example, this command is run util fips-card-sync 192.0.2.11.
    1. When prompted, type the security officer (SO) password for the local device.
    2. When prompted, type the SO password for the remote device, or press Enter if the password is the same as for the local device.
      A message similar to this example displays:

      Connecting to 192.0.2.11 as user root ...

    3. When prompted, type the root password.
      When the synchronization operation completes, a message similar to this example displays:

      FIPS devices have been synchronized.

  5. On the source and target devices, confirm that the devices have the same Master Symmetric key.
    tmsh show sys crypto master-key
    A summary similar to this example displays:

    -------------------------------------------
    Sys::Master-Key
    -------------------------------------------
    master-key hash  <hJqPIjC72OJOP90CfD9WHw==>
    previous hash    <>

After you perform this task, the Master Symmetric keys on the source and target devices are synchronized.

Provisioning the vCMP feature

Before performing this task, ensure that the amount of reserve disk space that the provisioning process creates is sufficient on each BIG-IP system. Attempting to adjust the reserve disk space after you have provisioned the vCMP feature produces unwanted results.
Performing this task creates a vCMP host (the hypervisor) and dedicates most of the system resources to running vCMP. Performing this task also enables the BigDB variable kernel.iommu, which is a requirement for vCMP. You must perform this task on each BIG-IP device that you want to function as a vCMP host in the configuration.
Warning: If the system currently contains any BIG-IP module configuration data, this data is deleted when you provision the vCMP feature.
  1. On the Main tab, click System > Resource Provisioning.
  2. Verify that all BIG-IP modules are set to None.
  3. From the Virtual CMP (vCMP) list, select Dedicated.
  4. Click Update.
  5. Repeat this task on the other BIG-IP device that you want to function as a vCMP host.
After provisioning the vCMP feature, the system reboots TMOS and prompts you to log in again. This action logs you in to the vCMP host, thereby allowing you to create guests and perform other host configuration tasks.

Resizing the default FIPS partition

Whenever you initialize the FIPS hardware security module (HSM) on a vCMP host, the process creates a FIPS partition named PARTITION_1. By default, this partition contains all available FIPS cores on the HSM, as well as all key storage. In our sample configuration, the default partition isn't used; therefore, you can reduce the amount of FIPS resources allocated to it. This frees up resources to allocate to a new partition that you create.

You must perform this task on each vCMP host in the configuration.

  1. Log in to the command line of the system using an account with root access.
  2. At the system prompt, open the TMOS Shell (tmsh) by typing tmsh.
  3. Type the command run util fips-util ptnresize.
  4. Enter the security officer (SO) password.
  5. At the Partition name prompt, note the name of the default partition, PARTITION_1.
  6. At the Enter max keys prompt, reduce the current value to the lowest value possible, 1.
  7. At the Enter max accel devs prompt, reduce the current value to the lowest value possible, 1.
  8. Press Enter.
  9. Save your BIG-IP configuration by typing save /sys config.
  10. Log on to the other vCMP host in the configuration and repeat this task.
After you complete this task, the HSM has available FIPS cores and key storage for you to allocate to a new FIPS partition that you will create.

Creating a FIPS partition on the HSMs

You can create a FIPS partition for a vCMP guest that processes FIPS-related traffic. A FIPS partition functions like a virtual HSM, dedicating some amount of FIPS cores and key storage from the physical HSM to the guest. Although the HSM initialization process created a default partition, named PARTITION_1, you can create a new FIPS partition to assign to each guest instead.

You must perform this task on each vCMP host in the configuration.

  1. Log in to the command line of the system using an account with root access.
  2. At the system prompt, open the TMOS Shell (TMSH) by typing tmsh.
  3. Type the TMSH command run util fips-util -v info to see how many FIPS cores are available for new partitions that you create.
  4. Create a FIPS partition by typing run util fips-util ptncreate.
    Note: If you receive an error message about acceleration, you'll need to resize the default FIPS partition before creating FIPS partitions.
  5. Type a security officer password.
    This password can be the same as, or different from, the SO password for the equivalent FIPS partition that you create on the other device in the guest's high-availability configuration.
  6. At the Enter partition name prompt, assign a name to the partition.
    Note: Do not assign the name PARTITION_1. This is the name of the default FIPS partition.
    In our sample configuration, this name is ptn_guest1.
  7. At the Max key count prompt, type the maximum number of private SSL keys that a guest administrator will be able to store in the guest's partition.
    Important: This value must match the Max key count value that you will specify for an equivalent FIPS partition that you will create later on the other host device in the high availability configuration.
  8. At the Max accel devs prompt, type a value for the number of FIPS hardware cores that you want to allocate to the partition.
    Important: This value must match the Max accel devs value that you will specify for an equivalent FIPS partition that you will create later on the other host device in the high availability configuration.
  9. Press Enter.
  10. Save your BIG-IP configuration by typing save /sys config.
  11. Verify that the partition you created exists on the system by typing run util fips-util ptninfo at the TMSH prompt.

    You should see output similar to this:

    11:10.0 PARTITION_1
    11:10.2 ptn_guest1

  12. Log on to the other vCMP host in the configuration and repeat this task to create an identical partition with the same name and the same storage and FIPS core values.
After you complete this task, the HSM on each vCMP host device has a FIPS partition that you can assign to a guest that you create.
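The two manual checks above (the master-key hash after fips-card-sync, and the partition list after ptncreate on each host) can be scripted so the peer hosts are compared before any guest is created. This is an added example and not F5's code; it assumes you have already captured the text output of tmsh show sys crypto master-key and run util fips-util ptninfo from each host, and it compares partition names only, because that is all ptninfo prints in the example above (the max key count and max accel devs values still have to be checked by hand).

```shell
#!/bin/sh
# Added example, not part of the F5 manual: post-sync checks for a pair of
# vCMP hosts. It parses text captured from the two tmsh commands shown on the
# page ("show sys crypto master-key" and "run util fips-util ptninfo").
# All command output below is constructed sample data modeled on the
# manual's examples; capture the real output over SSH from each host.

HOST_A_MK='-------------------------------------------
Sys::Master-Key
-------------------------------------------
master-key hash  <hJqPIjC72OJOP90CfD9WHw==>
previous hash    <>'
HOST_B_MK="$HOST_A_MK"                      # peer synchronized correctly
HOST_C_MK='Sys::Master-Key
master-key hash  <constructedDifferentHash==>
previous hash    <>'                        # constructed: un-synced peer

HOST_A_PTN='11:10.0 PARTITION_1
11:10.2 ptn_guest1'
HOST_B_PTN='12:10.0 PARTITION_1
12:10.2 ptn_guest1'                         # same names, other device ids
HOST_C_PTN='11:10.0 PARTITION_1'            # ptn_guest1 not created yet

# Pull the value between the angle brackets on the "master-key hash" line.
master_key_hash() {
    printf '%s\n' "$1" | sed -n 's/^master-key hash[[:space:]]*<\(.*\)>$/\1/p'
}

# Succeed only when both hosts report the same, non-empty master-key hash;
# an empty hash means the HSM has no Master Symmetric key to sync from.
master_keys_match() {
    a=$(master_key_hash "$1")
    b=$(master_key_hash "$2")
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# ptninfo prints a device id and then the partition name. Keep only the
# sorted names, because device ids legitimately differ between hosts.
partition_names() {
    printf '%s\n' "$1" | awk 'NF >= 2 { print $2 }' | sort
}

# Succeed when both hosts have exactly the same set of partition names.
partitions_match() {
    [ "$(partition_names "$1")" = "$(partition_names "$2")" ]
}

if master_keys_match "$HOST_A_MK" "$HOST_B_MK" && \
   partitions_match "$HOST_A_PTN" "$HOST_B_PTN"; then
    echo "hosts A and B: master key and FIPS partitions match"
else
    echo "hosts A and B: MISMATCH, do not proceed with guest creation" >&2
fi
```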

Creating vCMP guests

Before you create a vCMP guest, verify that you have configured the base network on the system to create any necessary trunks or VLANs for guests to use when processing application traffic.

You create a vCMP guest when you want to create an instance of the BIG-IP software for the purpose of running one or more BIG-IP modules to process application traffic. When creating a guest, you specify the number of cores that you want the vCMP host to allocate to each guest, as well as the FIPS partition that the guest should use.

You must perform this task on each vCMP host in the Sync-Failover device group.

Note: When creating a guest, if you see an error message such as Insufficient disk space on /shared/vmdisks. Need 24354M additional space., you must delete existing unattached virtual disks until you have freed up that amount of disk space.
  1. Log in to the BIG-IP system using a management IP address of the vCMP host.
  2. On the Main tab, click vCMP > Guest List.
  3. Click Create.
  4. From the Properties list, select Advanced.
  5. Type a Name for the guest.
    In our sample configuration, this name is Guest_1.
  6. In the Host Name field, type a unique, fully qualified domain name (FQDN) for the guest.
    If you leave this field blank, the system assigns the name localhost.localdomain.
  7. From the Cores Per Guest list, select the number of vCPU cores that you want the host to allocate to the guest.
    In our sample configuration, this value is 2.
  8. From the Management Network list, select Bridged.
  9. For the Management Port setting, fill in the required information:
    1. In the IP Address field, type a unique management IP address that you want to assign to the guest.
      You use this IP address to access the guest when you want to manage the BIG-IP modules running within the guest.
    2. In the Network Mask field, type the network mask for the management IP address.
    3. In the Management Route field, type a gateway address for the management IP address.
    Important: Assigning an IP address that is on the same network as the host management port has security implications that you should carefully consider.
  10. From the Initial Image list, select the ISO image file for creating the guest's virtual disk that matches the other guests in the cluster.
  11. From the FIPS Partition list, select a FIPS partition name.
    In our sample configuration, this name is ptn_guest1.
  12. In the Virtual Disk list, retain the default value of None.
    The BIG-IP system creates a virtual disk with a default name (the guest name plus the string .img, such as Guest_1.img).
    Note that if an unattached virtual disk file with that default name already exists, the system displays a message, and you must manually attach the virtual disk. You can do this using the tmsh command line interface, or use the Configuration utility to view and select from a list of available unattached virtual disks.
  13. For the VLAN List setting, subscribe to host-based VLANs:
    1. Select the external and internal VLANs from the Available list.
    2. Use the Move button to move the VLANs to the Selected list.
    After you create the guest, the guest uses the selected VLANs to process application traffic. As an option, the guest administrator can create additional VLANs later from within the guest.
  14. Confirm that the Appliance Mode check box is cleared.
  15. From the Guest Traffic Profile list:
    • Select None if you do not want to meter network traffic using a Single Rate Three Color Marker (srTCM) policer.
    • Select the name of an existing srTCM policer if you want the BIG-IP system to classify network traffic as green, yellow, or red using the srTCM standard.
  16. From the SSL Mode list, select Shared.
  17. From the Requested State list, select Deployed.
  18. Click Finished.
    After you complete this task, the BIG-IP system begins to deploy the guest.
  19. Repeat this task on the other vCMP host in the configuration, assigning the same guest name, the same number of vCPU cores, and the same FIPS partition name to the guest. Only the host name of the guest must be different.
After you complete this task on each vCMP host in the configuration, each host device hosts a guest that is configured to use a portion of FIPS cores and key storage on the local HSM.