Applies To:
BIG-IP AAM
- 15.1.10, 15.1.9, 15.1.8, 15.1.7, 15.1.6, 15.1.5, 15.1.4, 15.1.3, 15.1.2, 15.1.1, 15.1.0, 15.0.1, 15.0.0, 14.1.5, 14.1.4, 14.1.3, 14.1.2, 14.1.0, 14.0.1, 14.0.0, 13.1.5, 13.1.4, 13.1.3, 13.1.1, 13.1.0
BIG-IP APM
- 17.1.1, 17.1.0, 17.0.0, 16.1.5, 16.1.4, 16.1.3, 16.1.2, 16.1.1, 16.1.0, 16.0.1, 16.0.0, 15.1.10, 15.1.9, 15.1.8, 15.1.7, 15.1.6, 15.1.5, 15.1.4, 15.1.3, 15.1.2, 15.0.1, 15.0.0, 14.1.5, 14.1.4, 14.1.3, 14.1.2, 14.1.0, 14.0.1, 14.0.0, 13.1.5, 13.1.4, 13.1.3, 13.1.1, 13.1.0
BIG-IP LTM
- 17.1.1, 17.1.0, 17.0.0, 16.1.5, 16.1.4, 16.1.3, 16.1.2, 16.1.1, 16.1.0, 16.0.1, 16.0.0, 15.1.10, 15.1.9, 15.1.8, 15.1.7, 15.1.6, 15.1.5, 15.1.4, 15.1.3, 15.1.2, 15.0.1, 15.0.0, 14.1.5, 14.1.4, 14.1.3, 14.1.2, 14.1.0, 14.0.1, 14.0.0, 13.1.5, 13.1.4, 13.1.3, 13.1.1, 13.1.0
BIG-IP AFM
- 17.1.1, 17.1.0, 17.0.0, 16.1.5, 16.1.4, 16.1.3, 16.1.2, 16.1.1, 16.1.0, 16.0.1, 16.0.0, 15.1.10, 15.1.9, 15.1.8, 15.1.7, 15.1.6, 15.1.5, 15.1.4, 15.1.3, 15.1.2, 15.0.1, 15.0.0, 14.1.5, 14.1.4, 14.1.3, 14.1.2, 14.1.0, 14.0.1, 14.0.0, 13.1.5, 13.1.4, 13.1.3, 13.1.1, 13.1.0
BIG-IP DNS
- 17.1.1, 17.1.0, 17.0.0, 16.1.5, 16.1.4, 16.1.3, 16.1.2, 16.1.1, 16.1.0, 16.0.1, 16.0.0, 15.1.10, 15.1.9, 15.1.8, 15.1.7, 15.1.6, 15.1.5, 15.1.4, 15.1.3, 15.1.2, 15.0.1, 15.0.0, 14.1.5, 14.1.4, 14.1.3, 14.1.2, 14.1.0, 14.0.1, 14.0.0, 13.1.5, 13.1.4, 13.1.3, 13.1.1, 13.1.0
BIG-IP ASM
- 17.1.1, 17.1.0, 17.0.0, 16.1.5, 16.1.4, 16.1.3, 16.1.2, 16.1.1, 16.1.0, 16.0.1, 16.0.0, 15.1.10, 15.1.9, 15.1.8, 15.1.7, 15.1.6, 15.1.5, 15.1.4, 15.1.3, 15.1.2, 15.0.1, 15.0.0, 14.1.5, 14.1.4, 14.1.3, 14.1.2, 14.1.0, 14.0.1, 14.0.0, 13.1.5, 13.1.4, 13.1.3, 13.1.1, 13.1.0
Host administration tasks
Before vCMP guest administrators can create and manage FIPS keys in their own secure partitions on the FIPS hardware security module (HSM), a host administrator must perform some configuration tasks.
Prerequisite tasks
Before you set up FIPS partitions for your Virtual Clustered Multiprocessing (vCMP) guests, confirm that these vCMP host prerequisites have been met, on each BIG-IP device that will host vCMP guests in a high availability configuration. Confirm all prerequisites by logging in to the BIG-IP system using the management IP address of the vCMP host.
| Prerequisites | Verification tool | Verification instructions |
|---|---|---|
| You have permission to use the TMSH (TMOS Shell) command-line interface. | BIG-IP Configuration utility | On the Main tab, click . Then click your account name and view the Terminal Access list. This setting must be set to either tmsh or Advanced shell. For more information, see the guide BIG-IP System: User Account Administration on the F5 support site support.f5.com. |
| The license type on each BIG-IP device is correct. | An SSH application such as PuTTY | At the tmsh prompt, type show sys hardware. Under Platform, look at the Name property, and confirm that the platform model number includes an F. For more information, see the guide BIG-IP System: Essentials on the F5 support site support.f5.com. |
| The BIG-IP devices that are to operate as vCMP hosts are in a Sync-Failover device group for high availability. | The BIG-IP Configuration utility or the TMOS Shell (TMSH) | For more information, see the guide BIG-IP Device Service Clustering: Administration on the F5 support site support.f5.com. |
| The hardware security module in each BIG-IP device is in the factory default state. | The TMOS Shell (TMSH) | To reset an HSM to its factory default state, see the command tmsh fips-util -f reset. |
Initializing the HSMs on vCMP hosts
On each physical device that you intend to configure as a vCMP host, you must initialize the installed hardware security module (HSM). In our sample configuration, two BIG-IP devices function as vCMP hosts.
During HSM initialization, the system creates a default FIPS partition named PARTITION_1. By default, all FIPS cores and key storage are allocated to this partition.
Synchronizing the HSMs
Before you synchronize the HSMs on the peer devices, verify that the HSMs:
- Are already initialized
- Have identical security domain labels
- Do not contain existing keys
- Are the same hardware model
- Contain the same firmware version
Also, check that, for each device, you know the security officer (SO) password for the HSM and the password for an account with root access.
Provisioning the vCMP feature
- On the Main tab, click .
- Verify that all BIG-IP modules are set to None.
- From the Virtual CMP (vCMP) list, select Dedicated.
- Click Update.
- Repeat this task on the other BIG-IP device that you want to function as a vCMP host.
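A pre-flight script that checks two of the conditions above before a host administrator proceeds to the FIPS partition tasks: the platform check from the prerequisites table (the model number in show sys hardware includes an F) and the provisioning state set in this task (vCMP Dedicated, all other modules None). This is an added example, not F5's documentation or tooling; it assumes the tmsh output layouts shown in its constructed samples and that you can run it from a shell on the vCMP host.

```shell
#!/usr/bin/env bash
# Added example, not F5 code: pre-flight checks for a vCMP host before the
# FIPS partition tasks. Each check takes saved tmsh output as its argument,
# e.g. platform_is_fips "$(tmsh show sys hardware)".

# Pass if the Platform Name in `show sys hardware` output is a FIPS model,
# using the guide's rule of thumb: the model number includes an F.
platform_is_fips() {
    local hw_output="$1" name model
    # Only the Name line in the Platform section is the model; the Hardware
    # Version Information section prints Name lines for components too.
    name=$(printf '%s\n' "$hw_output" |
        awk '/^[[:space:]]*Platform[[:space:]]*$/ {p = 1; next}
             p && /^[[:space:]]*Name[[:space:]]/ {print; exit}')
    model=${name##* }            # "  Name   BIG-IP i5820-DF" -> "i5820-DF"
    case $model in *[0-9]*F*) return 0 ;; *) return 1 ;; esac
}

# Pass if `list sys provision` output shows vcmp at level dedicated and every
# other module at none (an unprovisioned module prints as `{ }`).
vcmp_dedicated_only() {
    printf '%s\n' "$1" | awk '
        function finish() {
            if (mod == "vcmp") { seen = 1; if (level != "dedicated") bad = 1 }
            else if (level != "none") bad = 1
        }
        /^sys provision / { mod = $3; level = "none"
                            if (index($0, "{ }") > 0) finish(); next }
        /^[[:space:]]*level / { level = $2; next }
        substr($0, 1, 1) == "}" { finish(); next }
        END { exit ((bad || !seen) ? 1 : 0) }'
}

# Constructed, abbreviated samples of the two command outputs.
SAMPLE_HW_FIPS='Sys::Hardware
Hardware Version Information
  Name       cpus
Platform
  Name       BIG-IP i5820-DF'
SAMPLE_HW_PLAIN=$(printf '%s\n' "$SAMPLE_HW_FIPS" | sed 's/i5820-DF/i5800/')
SAMPLE_PROV_OK='sys provision afm { }
sys provision ltm { }
sys provision vcmp {
    level dedicated
}'
SAMPLE_PROV_BAD='sys provision ltm {
    level nominal
}
sys provision vcmp { }'
```

Run both checks on each device that will act as a vCMP host; a failure on either means the prerequisites or the provisioning step are not yet complete there.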
Resizing the default FIPS partition
Whenever you initialize the FIPS hardware security module (HSM) on a vCMP host, the process creates a FIPS partition named PARTITION_1. By default, this partition contains all available FIPS cores on the HSM, as well as all key storage. In our sample configuration, the default partition isn't used; therefore, you can reduce the amount of FIPS resource allocated to it. This frees up resources to allocate to a new partition that you create.
You must perform this task on each vCMP host in the configuration.
- Log in to the command line of the system using an account with root access.
- At the system prompt, open the TMOS Shell (tmsh) by typing tmsh.
- Type the command run util fips-util ptnresize.
- Enter the security officer (SO) password.
- At the Partition name prompt, note the name of the default partition, PARTITION_1.
- At the Enter max keys prompt, reduce the current value to the lowest value possible, 1.
- At the Enter max accel devs prompt, reduce the current value to the lowest value possible, 1.
- Press Enter.
- Save your BIG-IP configuration by typing save /sys config.
- Log on to the other vCMP host in the configuration and repeat this task.
Creating a FIPS partition on the HSMs
You can create a FIPS partition for a vCMP guest that processes FIPS-related traffic. A FIPS partition functions like a virtual HSM, dedicating some amount of FIPS cores and key storage from the physical HSM to the guest. Although the HSM initialization process created a default partition, named PARTITION_1, you can create a new FIPS partition to assign to each guest instead.
You must perform this task on each vCMP host in the configuration.
Creating vCMP guests
Before you create a vCMP guest, verify that you have configured the base network on the system to create any necessary trunks or VLANs for guests to use when processing application traffic.
You create a vCMP guest when you want to create an instance of the BIG-IP software for the purpose of running one or more BIG-IP modules to process application traffic. When creating a guest, you specify the number of cores that you want the vCMP host to allocate to each guest, as well as the FIPS partition that the guest should use.
You must perform this task on each vCMP host in the Sync-Failover device group.