Manual Chapter : vCMP Guest Administration Tasks

Applies To:

Show Versions Show Versions

BIG-IP DNS

  • 14.1.0, 14.0.0, 13.1.1, 13.1.0

BIG-IP ASM

  • 14.1.0, 14.0.0, 13.1.1, 13.1.0

BIG-IP AAM

  • 14.1.0, 14.0.0, 13.1.1, 13.1.0

BIG-IP APM

  • 14.1.0, 14.0.0, 13.1.1, 13.1.0

BIG-IP LTM

  • 14.1.0, 14.0.0, 13.1.1, 13.1.0
Manual Chapter

Guest administration tasks

There are a few tasks that a guest administrator must perform in order to store private SSL keys on a FIPS hardware security module (HSM).

Note: Before performing guest administration tasks, make sure that your BIG-IP user account has assigned you the Administrator user role and that it grants you permission to access the TMOS Shell (TMSH).

Initializing the HSMs within vCMP guests

Within each vCMP guest, you must initialize the hardware security module (HSM) in a similar way to the way you initialized the HSM on each vCMP host. Our sample configuration includes two guests, each named Guest_1.

Important: During HSM initialization on the first guest, you must create a security domain label. It's critical that you specify this same label during initialization of the HSM on the other device so that both HSMs are members of the same security domain.
  1. Using an SSH application such as PuTTY, log in to the command line of a BIG-IP system using an account with root access.
  2. Open the TMOS Shell (tmsh) and type tmsh.
  3. Start the process of initializing the HSM by typing this tmsh command:
    run util fips-util init
    Important: Running this command deletes all keys in the HSM and makes any previously exported keys unusable.
    Note: The initialization process takes a few minutes to complete.
    After typing this command, the initialization process begins. When prompted, type an SO password. The password does not appear on the screen as you type it. Also, you cannot use the keyword default as the SO password.
    Note: F5 recommends that you choose a strong value for the SO password. This password can be unique on each guest in the configuration.
                               
    WARNING: This erases all keys from the FIPS 140 device.
    Any configuration objects dependent on FIPS keys will cause
    the configuration fail to load.
    
    ==================== WARNING ================================
    The FIPS device will be reset to factory default state.
    All keys and user identities currently stored in the device
    will be erased.
    Any configuration objects dependent on FIPS keys will cause
    the configuration fail to load.
    
    Press <ENTER> to continue or Ctrl-C to cancel
    
    Resetting the device ...
    
    The FIPS device is now in factory default state.
    Enter new Security Officer password (min. 7, max. 14 characters):
    Re-enter Security Officer password:
                            
    
  4. When this message displays, type a security domain label.
                               
    NOTE: security domain label must be identical on peer
    FIPS devices in order to be able to synchronize with them.
    Enter security domain label (max. 50 chars, default: F5FIPS):
                            
    
    Be sure to keep the security domain label and password in a secure location. You will specify the same domain label later, when you initialize the HSM on the other device.
                               
    Initializing new security domain (F5FIPS)...
    Creating crypto user and crypto officer identities
    Waiting for the device to re-initialize ...
    Creating key encryption key (KEK)
    The FIPS device has been initialized.
                            
    
  5. Enable the HSM using one of these options:
    • Reboot the unit.
    • Restart all services: restart sys service all.
      Note: Restarting services disrupts load-balanced traffic and might terminate remote login sessions to the system.
  6. To verify that the HSM is initialized with a security domain label, type fips-util -v info at the TMSH prompt.
  7. Repeat these steps on the other vCMP guest.
    Important: Be sure to specify the same security domain label on each device so that both HSMs are members of the same security domain. The SO password, however, can be unique on each device.
After you complete this task, both HSMs on the BIG-IP devices are initialized and members of the same security domain. Also, each HSM contains the default FIPS partition, PARTITION_1.
Later in the configuration process, you will resize the default partition to free up FIPS resources to assign to a new partition.

Synchronizing the FIPS partitions

Before you perform this task, make sure that you have the security officer (SO) passwords for both the local and remote vCMP guests, as well as an account with root access.

You must use the fips-card-synccommand within the TMOS Shell (TMSH) to ensure that the FIPS partitions that the host administrator created on each hardware security module (HSM) are synchronized between the guests.
  1. Log on to the command line of the source F5 vCMP guest, using an account with root access.
  2. Open the TMOS Shell (tmsh) by typing tmsh at the system prompt.
  3. Synchronize the FIPS partition from the local vCMP guest (Guest_1) to the remote guest (also Guest_1), where <hostname> is either the cluster management IP address or the fully-qualified domain name (FQDN) of the remote guest.
    In our sample configuration, a guest administrator logged into 192.0.2.10 would type this command: run util fips-card-sync -u root 192.0.2.11.
    1. When prompted, type the security officer (SO) password for the local device.
    2. When prompted, type the SO password for the remote device, or press Enter if the password is the same as for the local device.
      A message similar to this example displays:
                                       
      Connecting to 192.0.2.11 as user root ...
                                    
      
    3. When prompted, type the root password.
      When the synchronization operation completes, a message similar to this example displays:
                                       
      FIPS devices have been synchronized.
                                    
      
After you perform this task, the FIPS partitions on the vCMP guests are synchronized. Each FIPS partition has the same configuration with respect to key storage size and available FIPS cores for its associated guest.

Setting up the BIG-IP software within vCMP guests

Before you perform this task, make sure that you know the cluster IP management address assigned to each vCMP guest. Also, confirm that your BIG-IP user account has the Administrator user role assigned to it.

Use this task to run the Setup utility on the vCMP guest that resides on each vCMP host. In our sample configuration, the guest on each host is named Guest_1. The Setup utility automatically opens when you log in to a guest for the first time.

You run the Setup utility to perform tasks such as licensing the guest, assigning passwords to the root and admin user accounts, provisioning BIG-IP modules, and putting the guests into a high availability configuration.

  1. From a browser window, log in to one of the vCMP guests by typing a URL that contains its cluster management IP address: https://cluster_management_IP_address .
    In our sample configuration, this IP address is either 192.0.2.10 or 192.0.2.11.
    This action displays the Setup utility.
  2. Run the Setup utility, making sure to enable high availability during the process.
    When setting up high availability during setup, make sure to enable both configuration synchronization and failover at a minimum. Enabling connection mirroring is optional.
  3. Repeat these steps on the other vCMP guest.
After you perform this task, you have two guests that are ready to process application traffic and are configured for high availability in an active-standy configuration.

Creating FIPS keys

You can use the BIG-IP Configuration utility to create a FIPS key on each guest in the high-availability configuration. In our example, both guests in the guests' Sync-Failover device group are named Guest_1, and the FIPS key name for each guest is fips_key1.
  1. On the Main tab of the BIG-IP Configuration utility, click System > Certificate Management > Traffic Certificate Management > SSL Certificate List .
  2. Click Create.
    The New SSL Certificate screen opens.
  3. In the Name field, type a unique name for the certificate.
  4. From the Issuer list, specify the type of certificate that you want to use:
    • For a self-signed certificate, select Self.
    • To request a certificate from a CA, select Certificate Authority.
  5. Do one of the following:
    • If you chose Self in the previous step, then in the Certificate Properties area of the screen, configure the settings as needed.
    • If you chose Certificate Authority in the previous step, then in the Certificate Properties and Certificate Signing Request Attributes areas of the screen, configure the settings as needed.
  6. From the Security Type list, select FIPS.
  7. From the Key Type list, select FIPS.
  8. Select a key size from the Size list.
  9. Click Finished.
After you complete this task, you must sync the BIG-IP system configuration on this guest to the other guest in the Sync-Failover device group, or confirm that automatic synchronization is enabled.

Confirming synchronization of FIPS partitions and keys

Before you perform this task, confirm that:

  • You have permission to access the TMOS Shell (TMSH).
  • You have performed a config sync from one guest to the other in the Sync-Failover device group.

When you have vCMP guests in a Sync-Failover device group, you can check to make sure that the FIPS partition and key for a guest are synced to the other guest.

  1. Using an SSH program such as PuTTY, log in to the console of a guest, using the guest's cluster management IP address.
    In our sample configuration, this IP address is either 192.0.2.10 or 192.0.2.11, depending on which instance of the guest you are logging in to.
  2. At the tmsh prompt, display the configuration of the local guest's FIPS partition by typing run util fips-util info.
    In our sample configuration, the FIPS partition is named ptn_guest1.
  3. At the prompt, type list sys crypto key_name .
    In our sample configuration, the key name is fips_key1.
    The system displays information about the key fips_key1.
  4. Log in to the guest on the remote vCMP host and type the same commands.
After you perform this task, you can see that the FIPS partition and the FIPS key on one guest are synced to the other guest in the guest device group.