BIG-IP® Platform FIPS Administration, Version 11.4

BIG-IP® Platform FIPS Administration - F5 Networks

BIG-IP® Platform FIPS Administration

Version 11.4


Table of Contents

Legal Notices

Chapter 1: BIG-IP Platform FIPS 140 Options

Chapter 2: About FIPS hardware-based HSMs
    About setting up the BIG-IP systems
    Initializing the HSM in the 6900/8900 platforms
    Initializing the HSM in the 10000/11000/11050 platforms
    Synchronizing the HSMs
    About managing FIPS keys using the Configuration utility
        Creating FIPS keys using the Configuration utility
        Importing keys using the Configuration utility
        Converting a key to FIPS using the Configuration utility
    About managing FIPS keys using tmsh
        Creating FIPS keys using tmsh
        Importing FIPS keys using tmsh
        Converting a key to FIPS using tmsh
    FIPS system recovery options
        Recovering HSM information after a system failure
    Other FIPS platform management tmsh commands

Chapter 3: About external HSMs and LTM
    Prerequisites for implementing BIG-IP and Thales nShield Connect
    Installing Thales nShield Connect components on the BIG-IP system
    Setting up the RFS on the BIG-IP system
    Setting up the Thales nShield Connect client on the BIG-IP system
    Generating a key/certificate using Thales nShield Connect
        About key protection
    Importing external HSM keys using tmsh
    Importing existing SSL keys into Thales nShield device for use by the BIG-IP system
    Importing certificates using tmsh
    Creating a backup of the Thales RFS
    Creating a client SSL profile to use an external HSM key and certificate
    About using external HSMs with VIPRION systems

Chapter 4: About external HSMs and DNSSEC
    Prerequisites for implementing BIG-IP and Thales nShield Connect
    Installing Thales nShield Connect components on the BIG-IP system
    Setting up the RFS on the BIG-IP system
    Setting up the Thales nShield Connect client on the BIG-IP system
    Generating a key using Thales nShield Connect for use in creating manually-managed DNSSEC keys
        About key protection
    Importing external HSM keys using tmsh
    Importing certificates using tmsh
    Creating a backup of the Thales RFS
    Creating a DNSSEC key using an imported external HSM key and certificate
    About using external HSMs with VIPRION systems

Page 5: BIG-IP® Platform FIPS Administration - F5 Networks · BIG-IP® Platform FIPS Administration. Chapter 3 About external HSMs and LTM Thales

Legal Notices

Publication Date

This document was published on February 3, 2017.

Publication Number

MAN-0401-02

Copyright

Copyright © 2012-2017, F5 Networks, Inc. All rights reserved.

F5 Networks, Inc. (F5) believes the information it furnishes to be accurate and reliable. However, F5 assumes no responsibility for the use of this information, nor any infringement of patents or other rights of third parties which may result from its use. No license is granted by implication or otherwise under any patent, copyright, or other intellectual property right of F5 except as specifically described by applicable user licenses. F5 reserves the right to change specifications at any time without notice.

Trademarks

3DNS, Access Policy Manager, Acopia, Acopia Networks, Advanced Client Authentication, Advanced Routing, APM, Application Security Manager, ARX, AskF5, ASM, BIG-IP, Cloud Extender, CloudFucious, CMP, Data Manager, DevCentral, DevCentral [DESIGN], DNS Express, DSC, DSI, Edge Client, Edge Gateway, Edge Portal, EM, Enterprise Manager, F5, F5 [DESIGN], F5 Management Pack, F5 Networks, F5 World, Fast Application Proxy, Fast Cache, FirePass, Global Traffic Manager, GTM, IBR, Intelligent Browser Referencing, Intelligent Compression, IPv6 Gateway, iApps, iControl, iHealth, iQuery, iRules, iRules OnDemand, iSession, IT agility. Your way., L7 Rate Shaping, LC, Link Controller, Local Traffic Manager, LTM, Message Security Module, MSM, Netcelera, OneConnect, Packet Velocity, Protocol Security Module, PSM, Real Traffic Policy Builder, ScaleN, SSL Acceleration, StrongBox, SuperVIP, SYN Check, TCP Express, TDR, TMOS, Traffic Management Operating System, TrafficShield, Transparent Data Reduction, VIPRION, vCMP, WA, WAN Optimization Manager, WANJet, WebAccelerator, WOM, and ZoneRunner, are trademarks or service marks of F5 Networks, Inc., in the U.S. and other countries, and may not be used without F5's express written consent.

All other product and company names herein may be trademarks of their respective owners.

Patents

This product may be protected by one or more patents indicated at: http://www.f5.com/about/guidelines-policies/patents

Export Regulation Notice

This product may include cryptographic software. Under the Export Administration Act, the United States government may consider it a criminal offense to export this product from the United States.

RF Interference Warning

This is a Class A product. In a domestic environment this product may cause radio interference, in which case the user may be required to take adequate measures.


FCC Compliance

This equipment has been tested and found to comply with the limits for a Class A digital device pursuant to Part 15 of FCC rules. These limits are designed to provide reasonable protection against harmful interference when the equipment is operated in a commercial environment. This unit generates, uses, and can radiate radio frequency energy and, if not installed and used in accordance with the instruction manual, may cause harmful interference to radio communications. Operation of this equipment in a residential area is likely to cause harmful interference, in which case the user, at his own expense, will be required to take whatever measures may be required to correct the interference.

Any modifications to this device, unless expressly approved by the manufacturer, can void the user's authority to operate this equipment under part 15 of the FCC rules.

Canadian Regulatory Compliance

This Class A digital apparatus complies with Canadian ICES-003.

Standards Compliance

This product conforms to the IEC, European Union, ANSI/UL and Canadian CSA standards applicable to Information Technology products at the time of manufacture.


Chapter 1: BIG-IP Platform FIPS 140 Options

You can implement a BIG-IP® FIPS-compliant key storage solution using either:

• A BIG-IP platform containing a factory-installed, FIPS-certified hardware security module (HSM), also referred to as an internal HSM
• An external HSM


Chapter 2: About FIPS hardware-based HSMs

• About setting up the BIG-IP systems
• Initializing the HSM in the 6900/8900 platforms
• Initializing the HSM in the 10000/11000/11050 platforms
• Synchronizing the HSMs
• About managing FIPS keys using the Configuration utility
• About managing FIPS keys using tmsh
• FIPS system recovery options
• Other FIPS platform management tmsh commands

The BIG-IP® 6900, 8900, 10000, 11000, and 11050 platforms are available with a FIPS-certified hardware security module (HSM) as a factory-installed option.

The internal HSM and the BIG-IP key management software provide FIPS 140 level 2 support. This level of support provides security benefits, such as:

• Private keys are stored in the internal HSM where they are protected from physical and software attacks.
• Private keys can never be extracted in plain text format.

Important: Because of hardware differences, it is not possible to synchronize security domains between the newer platforms (10000/11000/11050 platforms) and older platforms (6900/8900 platforms).


About setting up the BIG-IP systems

You can configure a device group using two platforms with a FIPS card installed in each unit. When setting up a FIPS solution on a device group, you install the two systems and connect to a serial console.

After you have set up the systems, you can create the FIPS security domain by initializing the HSM and creating a security officer (SO) password.

Initializing the HSM in the 6900/8900 platforms

You must initialize the hardware security module (HSM) installed in each unit (internal HSM) before you can use it. When you are creating a device group using more than one FIPS platform, you initialize the HSM on one unit, and then initialize the HSM on a peer unit using the same security domain name that you used on the first unit.

Note: You can initialize the HSM and create the security domain before you license the system and create a traffic management configuration.

1. Log on to the command line of the system using the root account.
2. Open the Traffic Management Shell (tmsh).

   tmsh

3. View information about the HSM.

   run util fips-util info

   A summary similar to this example displays:

   Label: F5FIPSHSM
   Serial Number: 8100298
   Hardware ID: 0x0
   Firmware Version: 4.7.1
   Total FLASH: 14286412
   Free FLASH: 14286412
   Total SRAM: 16984956
   Free SRAM: 16981884

4. Initialize the HSM and set a security officer (SO) password.

   run util fips-util -f init

   Important: Running the fipsutil init command deletes all keys in the FIPS HSM and makes any previously exported keys unusable.

   Note: F5® recommends that you choose a strong value for the SO password.

   The initialization process begins. When prompted, type an SO password.

   NFB Initialization Process

   WARNING - all private keys in NFB will be erased after SO password is entered!
   Any configuration objects dependent on FIPS keys will cause the configuration fail to load.
   Passwords must be at least 7 characters in length.
   Enter no password if you instead wish to cancel.


   New SO Password:
   Re-enter new SO Password:

5. When this message displays, type a security domain name.

   Initializing NFB...
   The security domain name must be the same on all FIPS machines.
   Please enter your security domain name:

   Keep the security domain name and password in a secure location. You need the domain name and password when you initialize the HSM on the peer unit. This information is also required when replacing a unit (for RMA or other reasons).

   Important: The domain name cannot be extracted or displayed by the software or hardware after you set it.

   When the initialization process completes successfully, this message displays: The FIPS device has been initialized.

6. Enable the HSM device by either rebooting the unit or restarting all services.

   restart sys service all

   Note: Restarting services disrupts load-balanced traffic and might terminate remote login sessions to the system.

After you complete the initialization process on the first unit, you can initialize the peer system and add it to the security domain of the first unit.

Initializing the HSM in the 10000/11000/11050 platforms

You must initialize the hardware security module (HSM) installed in each unit (internal HSM) before you can use it. When you are creating a device group using more than one FIPS platform, you initialize the HSM on one unit, and then initialize the HSM on a peer unit using the same security domain name that you used on the first unit.

Note: You can initialize the HSM and create the security domain before you license the system and create a traffic management configuration.

1. Log on to the command line of the system using the root account.
2. Open the Traffic Management Shell (tmsh).

   tmsh

3. View information about the HSM.

   run util fips-util info

   A summary similar to the following displays:

   Label: f5site09
   Model: NITROX XL CN16XX-NFBE
   Serial Number: k8vjumsaportsaks
   FIPS state: 2
   MaxSessionCount: 10240
   SessionCount: 1


   MaxPinLen: 14
   MinPinLen: 7
   TotalPublicMemory: 467348
   FreePublicMemory: 62876
   TotalUserKeys: 3996
   AvailableUserKeys: 3996
   Loging failures:
     user: 0
     officer: 0
   HW version: 2.0
   Firmware version: CN16XX-NFBE-FW-1.2-101022

4. Initialize the HSM and set a security officer (SO) password.

   run util fips-util -f init

   Note: The initialization process takes a few minutes to complete.

   The initialization process begins. When prompted, type an SO password.

   WARNING: This erases all keys from the FIPS 140 device.
   Any configuration objects dependent on FIPS keys will cause
   the configuration fail to load.

   ==================== WARNING ================================
   The FIPS device will be reset to factory default state.
   All keys and user identities currently stored in the device
   will be erased.
   Any configuration objects dependent on FIPS keys will cause
   the configuration fail to load.

   Press <ENTER> to continue or Ctrl-C to cancel

   Resetting the device ...

   The FIPS device is now in factory default state.
   Enter new Security Officer password (min. 7, max. 14 characters):
   Re-enter Security Officer password:

5. When the following message displays, type a security domain name.

   NOTE: security domain label must be identical on peer
   FIPS devices in order to be able to synchronize with them.
   Enter security domain label (max. 50 chars, default: F5FIPS):

   Keep the security domain name and password in a secure location. You need the domain name and password when you initialize the internal HSM on the peer unit. This information is also required when replacing a unit (for RMA or other reasons).

   Important: The domain name cannot be extracted or displayed by the software or hardware after you set it.

   Initializing new security domain (f5site09)...
   Creating crypto user and crypto officer identities
   Waiting for the device to re-initialize ...
   Creating key encryption key (KEK)
   The FIPS device has been initialized.

6. Enable the HSM device using one of the following options:

   • Reboot the unit.
   • Restart all services: restart sys service all.


   Note: Restarting services disrupts load-balanced traffic and might terminate remote login sessions to the system.

After you complete the initialization process on the first unit, you can initialize the peer system and add it to the security domain of the first unit. Optionally, you can use the same SO password that you used on the first unit.

Synchronizing the HSMs

Before you can synchronize the FIPS hardware security modules (HSMs), you must ensure that the target HSM:

• Is already initialized
• Has an identical security domain label
• Does not contain existing keys

The target device must also be reachable using SSH from the source device.

Synchronizing the HSMs enables you to copy keys from one HSM to another. This is also required to synchronize BIG-IP® configuration in a device group.

Note: You only need to perform the synchronization process during the initial configuration of a pair of devices. After the two devices are in sync, they remain in sync.

1. Log on to the command line of the system using the root account.
2. Open the Traffic Management Shell (tmsh).

   tmsh

3. Synchronize the Master Symmetric key used to encrypt/decrypt keys when they are imported/exported into the HSM, where <hostname> is the address or hostname of the synchronization target.

   run util fips-card-sync <hostname>
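The three preconditions above are normally checked by reading run util fips-util info on each unit. The following POSIX shell script is an added illustration, not part of the F5 manual or product: it parses a constructed copy of the 10000/11000/11050 output shown earlier, reports the security domain label so the two units can be compared, and refuses to treat an HSM as a synchronization target when it is not initialized, when it already holds keys, or when the failed-login counters are non-zero (that last check is an added precaution, since repeated failures point at a wrong or locked-out SO password). Two assumptions are built in and marked in the comments: that a factory-reset card reports an empty Label, and that TotalUserKeys differs from AvailableUserKeys exactly when user keys are stored. The same fips_has_keys check is a useful guard before fipsutil -f init on a replacement unit, where running init on the wrong unit erases the production keys. sample_fips_info is a constructed stand-in for the real command.

```shell
#!/bin/sh
# Added example: pre-flight checks on `tmsh run util fips-util info` output
# before `run util fips-card-sync <hostname>` (or before `fipsutil -f init`
# on a replacement unit). Not part of the F5 manual; field names follow the
# 10000/11000/11050 sample output shown in the manual.

# Constructed stand-in for the real command output. On a BIG-IP you would
# capture it instead:  out=$(tmsh run util fips-util info)
sample_fips_info() {
    cat <<'EOF'
Label: f5site09
Model: NITROX XL CN16XX-NFBE
Serial Number: k8vjumsaportsaks
FIPS state: 2
MaxSessionCount: 10240
SessionCount: 1
MaxPinLen: 14
MinPinLen: 7
TotalPublicMemory: 467348
FreePublicMemory: 62876
TotalUserKeys: 3996
AvailableUserKeys: 3996
Loging failures:
  user: 0
  officer: 0
HW version: 2.0
Firmware version: CN16XX-NFBE-FW-1.2-101022
EOF
}

# field OUTPUT NAME: value of the first "NAME: value" line, or empty string
field() {
    printf '%s\n' "$1" | sed -n "s/^[[:space:]]*$2:[[:space:]]*//p" | head -n 1
}

# Security domain label the HSM was initialized with
fips_label() { field "$1" Label; }

# Assumption: a factory-reset (uninitialized) card reports an empty Label
fips_initialized() { [ -n "$(fips_label "$1")" ]; }

# Assumption: TotalUserKeys and AvailableUserKeys differ exactly when
# user keys are stored in the card
fips_has_keys() {
    [ "$(field "$1" TotalUserKeys)" != "$(field "$1" AvailableUserKeys)" ]
}

# Sum of the "user" and "officer" failed-login counters
fips_login_failures() {
    u=$(field "$1" user)
    o=$(field "$1" officer)
    echo $(( ${u:-0} + ${o:-0} ))
}

# fips_sync_target_ready TARGET_OUTPUT: the manual's preconditions that can
# be read from fips-util info, plus the failed-login check as a precaution
fips_sync_target_ready() {
    if ! fips_initialized "$1"; then
        echo "target HSM is not initialized" >&2
        return 1
    fi
    if fips_has_keys "$1"; then
        echo "target HSM already holds keys; do not use it as a sync target" >&2
        return 1
    fi
    if [ "$(fips_login_failures "$1")" -ne 0 ]; then
        echo "target HSM reports failed SO/user logins; investigate first" >&2
        return 1
    fi
    return 0
}

# fips_domains_match SOURCE_OUTPUT TARGET_OUTPUT: labels must be identical,
# otherwise fips-card-sync cannot join the two cards in one security domain
fips_domains_match() {
    [ -n "$(fips_label "$1")" ] && [ "$(fips_label "$1")" = "$(fips_label "$2")" ]
}

# Stand-alone run against the constructed sample
out=$(sample_fips_info)
echo "security domain label: $(fips_label "$out")"
if fips_sync_target_ready "$out"; then
    echo "HSM is an acceptable fips-card-sync target"
fi
```

On a pair of units, capture fips-util info on both, feed the source output and the target output to fips_domains_match, and only run fips-card-sync when that and fips_sync_target_ready on the target both succeed.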

About managing FIPS keys using the Configuration utility

You can use the Configuration utility to create FIPS (internal HSM) keys, import existing keys into the system, and convert existing keys to FIPS keys.

Creating FIPS keys using the Configuration utility

You can use the Configuration utility to create FIPS keys.

1. On the Main tab, click System > File Management > SSL Certificate List.
   This displays the list of certificates installed on the system.
2. Click Create.
   The New SSL Certificate screen opens.
3. In the Name field, type a unique name for the certificate.


4. From the Issuer list, specify the type of certificate that you want to use.
   • To request a certificate from a CA, select Certificate Authority.
   • For a self-signed certificate, select Self.
5. Configure the Common Name setting and any other settings as needed.
6. In the Key Properties area, select a key size from the Size list.
7. From the Security Type list, select FIPS.
8. Click Finished.

Importing keys using the Configuration utility

You can use the Configuration utility to import existing keys into the system.

1. On the Main tab, click System > File Management > SSL Certificate List.
   This displays the list of certificates installed on the system.
2. Click Import.
3. From the Import Type list, select Key.
4. For the Key Name setting, click Create New.
5. In the Key Name field, type a name for the key.
6. From the Key Source setting, click either Upload File or Paste Text.
   • If you click Upload File, type a file name or click Browse and select a file.
   • If you click Paste Text, copy the text from another source and paste the text into the Key Source screen.
7. Click Import.

After you import the key, you can convert it to a FIPS key.

Converting a key to FIPS using the Configuration utility

You can use the Configuration utility to convert an existing key to a FIPS key.

1. On the Main tab, click System > File Management > SSL Certificate List.
   This displays the list of certificates installed on the system.
2. Click a certificate name.
   This displays the properties of that certificate.
3. On the menu bar, click Key.
   This displays the type and size of the key associated with the certificate.
4. Click Convert to FIPS to convert the key to a FIPS key.
   The key is converted and appears in the list as a FIPS key. After the key is converted, this process cannot be reversed.


About managing FIPS keys using tmsh

You can use the Traffic Management Shell (tmsh) to create FIPS (internal HSM) keys, import existing keys into the BIG-IP® system, and convert existing keys to FIPS keys.

Creating FIPS keys using tmsh

You can use the Traffic Management Shell (tmsh) to create FIPS keys.

1. Log on to the command line of the system using the root account.
2. Open the Traffic Management Shell (tmsh).

   tmsh

3. Create a basic key.

   create sys crypto key <key_object_name> security-type fips

   For information about additional options for this command, view the sys crypto key man page:

   help sys crypto key

   Note: The key creation process takes a few minutes to complete. If you are using a 4096 bit key, F5® recommends that you create the key externally and then import it.

Importing FIPS keys using tmsh

You can use the Traffic Management Shell (tmsh) to import existing keys into the system.

1. Log on to the command line of the system using the root account.
2. Open the Traffic Management Shell (tmsh).

   tmsh

3. Import a key.

   install sys crypto key <key_object_name> from-local-file <path_to_key_file> security-type fips

   This example imports an internal HSM key named mykey from a local key file stored in the /shared/tmp directory:

   install sys crypto key mykey from-local-file /shared/tmp/mykey.pem security-type fips

Converting a key to FIPS using tmsh

You can use the Traffic Management Shell (tmsh) to convert a key to a FIPS key.

1. Log on to the command line of the system using the root account.
2. Open the Traffic Management Shell (tmsh).

   tmsh

3. Convert an existing key to FIPS.

   install sys crypto key <key_object_name> security-type fips


FIPS system recovery options

Option: Configure a device group
Description: Maintain a device group so that in the event of a failure, the standby unit becomes active and handles the incoming traffic. After you configure failover properly, you need to synchronize FIPS HSM and key information for the security domain every time you synchronize the configuration of the device group.

Option: Configure an additional unit for recovery
Description: Fully configure a third unit, add it to the security domain, and synchronize the configurations. Remove the unit from the network and store it in a secure location. If the BIG-IP® system in production is damaged or destroyed, you can use the backup unit to reconstitute the security domain.

Option: Save the keys on a disk
Description: Copy and save the keys to a disk. Generate the keys in software, copy the keys to a disk, and then store the disk in a secure location. If there is a catastrophic system failure, import the keys into the internal HSM and use these backup keys to create the security domain.

Caution: This method for backup is not FIPS-compliant.

Recovering HSM information after a system failure

Before you recover hardware security module (HSM) information, ensure that the BIG-IP® software is configured and then install your saved UCS file on the new replacement system. For information about backup and recovery of a BIG-IP system UCS file, see http://support.f5.com.

If one unit of a device group fails, the failover unit becomes active and maintains the HSM information. After you replace the failed unit in a device group, you need to restore the HSM information on the replacement unit.

1. Connect the currently active unit to the replacement unit.
2. On the replacement unit, initialize the FIPS card.

   fipsutil -f init

   Caution: Be sure to run this command sequence on the replacement unit. If you run it on the currently active unit, you will overwrite your existing FIPS unit and lose all of your keys.

   Note: Be sure that you use the same security domain that you specified when you initially set up the currently active unit.

3. On the currently active unit, copy information from the currently active unit to the replacement unit.

   fipscardsync peer


   Caution: Be sure to run this command sequence from the currently active unit. If you run this command from the replacement unit, you will lose the original FIPS information.

4. On the currently active unit, copy the full configuration to the replacement system using either the Configuration utility or tmsh.

Important: Synchronizing the configuration also synchronizes the keys stored in the HSM.

The replacement system is now ready to function as the failover unit in a device group.

Other FIPS platform management tmsh commands

This table lists other tmsh commands that you can use to manage your FIPS platform.

Command: show sys crypto fips
Description: Lists keys in the FIPS card.

Command: list sys crypto key
Description: Lists keys in the BIG-IP® configuration.

Command: delete sys crypto key <key_object_name>
Description: Deletes a key from the BIG-IP configuration and the FIPS card.

Command: delete sys crypto fips by-handle <key_handle>
Description: Deletes a key from the FIPS card only. Key handles are obtained using the show sys crypto fips command sequence.
Caution: Use this command sequence only in the rare circumstance when you need to delete keys that no longer have configuration objects from the card (for example, keys that do not show up when you run the list sys crypto key command sequence).


Chapter 3: About external HSMs and LTM

• Prerequisites for implementing BIG-IP and Thales nShield Connect
• Installing Thales nShield Connect components on the BIG-IP system
• Setting up the RFS on the BIG-IP system
• Setting up the Thales nShield Connect client on the BIG-IP system
• Generating a key/certificate using Thales nShield Connect
• Importing external HSM keys using tmsh
• Importing existing SSL keys into Thales nShield device for use by the BIG-IP system
• Importing certificates using tmsh
• Creating a backup of the Thales RFS
• Creating a client SSL profile to use an external HSM key and certificate
• About using external HSMs with VIPRION systems

Thales® nShield™ Connect is an external HSM that is available for use with BIG-IP® systems. Because it is a network-attached HSM, rather than a card installed in the BIG-IP chassis, you can use the Thales nShield Connect solution with all BIG-IP platforms, including VIPRION® Series chassis. You can also use the Thales nShield Connect solution with BIG-IP Virtual Edition (VE).

The Thales nShield Connect architecture includes a component called the Remote File System (RFS) that stores and manages the encrypted key files. The RFS can be installed on the BIG-IP system or on another server on your network. The BIG-IP system is a client of the RFS, and all BIG-IP systems that are enrolled with the RFS can access the encrypted keys from this central location. The RFS helps automate the key distribution process, but it is not required that you use RFS with this solution.

For additional information about using Thales nShield Connect, see the Thales Customer Support Portal (https://support.thales-esecurity.com/).

Important: If you are installing Thales nShield Connect on a BIG-IP system that will be licensed for Appliance mode, you must install the Thales nShield Connect software prior to licensing the BIG-IP system for Appliance mode.


Prerequisites for implementing BIG-IP and Thales nShield Connect

Before you can use Thales® nShield™ Connect with the BIG-IP® system, you must ensure that:

• The Thales nShield Connect device is installed on your network.
• The RFS is installed on your network, or you plan to install and set up the RFS on the BIG-IP system.
• The Thales nShield Connect device, the RFS, and the BIG-IP system can initiate connections with each other through port 9004.
• You have created the Thales Security World (security architecture).
• The BIG-IP system is licensed for external interface and network HSM.
• The BIG-IP system has FIPS 140-2 or FIPS 140-3 compliant ciphers, depending upon your security needs. For information about FIPS compliant ciphers, see Annex A: Approved Security Functions for FIPS PUB 140-2 (http://csrc.nist.gov/publications/fips/fips140-2/fips1402annexa.pdf) and SOL8802 for a complete list of supported ciphers on http://support.f5.com.
• The BIG-IP system does not contain a FIPS Cavium card.

Important: You cannot run the BIG-IP system with both internal and external HSMs at the same time.

Additionally, before you begin the installation process, ensure that you have access to:

• The Thales Security World Software for Linux 64bit (Release 11.40 or higher)
• The nShield_Connect_User_Guide.pdf

Installing Thales nShield Connect components on the BIG-IP system

Before you can set up the Thales® nShield™ Connect components on a BIG-IP® system, you must obtainthe Thales 64 bit Linux ISO CD and copy files from the CD to specific locations on the BIG-IP systemusing secure copy (SCP).

You need to install files from the Thales 64 bit Linux ISO CD to the BIG-IP system.

1. Log on to the command line of the system using the root account.
2. Create a directory under /shared named thales_install/amd64/nfast (the -p flag also creates the intermediate directories).

   mkdir -p /shared/thales_install/amd64/nfast

3. Copy files from the CD and place them in the specified directories:

   File to copy from the CD                    Location to place file on BIG-IP
   /linux/libc6_3/amd64/nfast/ctls/agg.tar     /shared/thales_install/amd64/nfast/ctls/agg.tar
   /linux/libc6_3/amd64/nfast/hwcrhk/user.tar  /shared/thales_install/amd64/nfast/hwcrhk/user.tar
   /linux/libc6_3/amd64/nfast/hwsp/agg.tar     /shared/thales_install/amd64/nfast/hwsp/agg.tar
   /linux/libc6_3/amd64/nfast/pkcs11/user.tar  /shared/thales_install/amd64/nfast/pkcs11/user.tar

If you are not using an RFS installed on another server in your network, you must set up the RFS on the BIG-IP system. Additionally, you must set up the Thales client on the BIG-IP system.
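A pre-flight check for the copy procedure above, added here as an example and not part of the F5 guide or the Thales software: it creates the staging tree from step 2 and verifies that the four archives listed in the table are present, non-empty and readable as tar archives before the install scripts are run. The staging path is the guide's; the function names and the optional directory argument (used for testing) are assumptions.

```shell
# Added example (not from the F5 guide): pre-flight check of the Thales
# staging directory on a BIG-IP system before nethsm-thales-*-install.sh runs.

# Archives the guide lists, relative to the nfast staging directory.
THALES_INSTALL_FILES="ctls/agg.tar hwcrhk/user.tar hwsp/agg.tar pkcs11/user.tar"

# Step 2 of the guide: create the staging tree, including the subdirectories
# that the four archives are copied into. $1 overrides the base directory.
create_thales_staging_dirs() {
    base="${1:-/shared/thales_install/amd64/nfast}"
    for f in $THALES_INSTALL_FILES; do
        mkdir -p "$base/$(dirname "$f")" || return 1
    done
}

# Report every expected archive that is missing, empty or not a readable tar
# archive; return 1 if any is, 0 when all four are usable.
check_thales_install_files() {
    base="${1:-/shared/thales_install/amd64/nfast}"
    rc=0
    for f in $THALES_INSTALL_FILES; do
        if [ ! -s "$base/$f" ]; then
            printf 'missing or empty: %s\n' "$base/$f"
            rc=1
        elif ! tar -tf "$base/$f" >/dev/null 2>&1; then
            printf 'not a readable tar archive: %s\n' "$base/$f"
            rc=1
        fi
    done
    return $rc
}
```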


Setting up the RFS on the BIG-IP system

Before you set up the RFS on the BIG-IP® system, ensure that the Thales® nShield™ Connect device is installed on your network and the Thales Security World is set up. Ensure that the RFS is installed on the BIG-IP system as well.

Important: Setting up the RFS on the BIG-IP system is optional. If the RFS is running on another server on your network, do not perform this task.

You can run the Thales Remote File System (RFS) on the BIG-IP system. To set up the RFS, you must run a script on the BIG-IP® system.

Note: You only need one RFS on your network to store all HSM keys. All Thales nShield Connect clients use the same RFS to access the HSM keys.

1. Log on to the command line of the system using the root account.
2. Set up the RFS.

   nethsm-thales-rfs-install.sh --hsm_ip_addr=<Thales_nShield_Connect_device_IP_address> --rfs_interface=<local_interface_name>

   This example sets up the RFS to run on the BIG-IP system when the Thales nShield Connect device has an IP address of 192.27.13.59:

   nethsm-thales-rfs-install.sh --hsm_ip_addr=192.27.13.59 --rfs_interface=eth0

   Additional option   Description
   -h                  Displays help
   -v                  Prints verbose output about operations
   --verbose=<level>   Indicates message verbosity level (the default value is zero, and all levels greater than zero indicate verbose output)

After you set up the RFS on the BIG-IP system, you must set up the Thales nShield Connect client on each BIG-IP system that you want to use with the Thales nShield Connect device.

Setting up the Thales nShield Connect client on the BIG-IP system

Before you set up the Thales client, ensure that the Thales® nShield™ Connect client is installed on the BIG-IP® system and that the Security World has been set up. Additionally, ensure that the RFS is installed and set up on either a remote server or on the BIG-IP system on your network.

Note: If the Thales nShield Connect client was installed on a BIG-IP system before the RFS was installed on the network, then you must reinstall the client on the BIG-IP system.

Important: If there is a firewall between the BIG-IP system and the RFS, validate that both systems can initiate a connection through port 9004.

Before you can use the Thales nShield Connect device with the BIG-IP system, you must set up the Thales client on the BIG-IP system.


1. Log on to the command line of the system using the root account.
2. Set up the Thales nShield Connect client, using one of these options:

   • Set up the client when the RFS is remote.

     nethsm-thales-install.sh --hsm_ip_addr=<nShield_Connect_device_IP_address> --rfs_ip_addr=<remote_RFS_IP_address> --rfs_username=<remote_RFS_server_username_for_SSH_login> --interface=<Interface_name_of_Thales_client_on_BIG-IP>

     This example sets up the client where the Thales nShield Connect device has an IP address of 192.27.13.59, the remote RFS has an IP address of 192.27.13.58, the user name for an SSH login to the RFS is root, and the Thales client interface is the default of eth0:

     nethsm-thales-install.sh --hsm_ip_addr=192.27.13.59 --rfs_ip_addr=192.27.13.58 --rfs_username=root --interface=eth0

   • Set up the client when the RFS is set up on the BIG-IP system:

     nethsm-thales-install.sh --hsm_ip_addr=<nShield_Connect_device_IP_address> --rfs_interface=<local_RFS_server_interface>

     This example sets up the client where the Thales nShield Connect device has an IP address of 172.27.13.59 and the RFS is installed on the BIG-IP system using the eth0 interface:

     nethsm-thales-install.sh --hsm_ip_addr=172.27.13.59 --rfs_interface=eth0

Generating a key/certificate using Thales nShield Connect

Before you generate a key/certificate, ensure that the Thales® nShield™ Connect client is running on the BIG-IP® LTM® system.

You can use the fipskey.nethsm utility to generate private keys and self-signed certificates on the BIG-IP system.

1. Set the external HSM to Thales nShield Connect.

   fipskey.nethsm --hsm=Thales

2. Generate a key.

   fipskey.nethsm --genkey -o <output_file>

   This example generates three files: /config/ssl/ssl.key/www.siterequest.com.key, /config/ssl/ssl.csr/www.siterequest.com.csr, and /config/ssl/ssl.crt/www.siterequest.com.crt:

   fipskey.nethsm --genkey -o www.siterequest.com

   Additional option            Description
   -o                           Name applied to .key, .csr, and .crt output files. Important: This parameter is required.
   -c <token/module/softcard>   Type of protection
   -e <hex>                     Public exponent to use when generating RSA keys only. Tip: Do not provide a value for this option unless advised to do so by F5 Technical Support.
   -g sha1                      Digest used to sign key and certificate
   -k <name>                    Key name
   -m <yes/no>                  Store key in non-volatile RAM
   -n <integer>                 Slot to read cards from
   -r <yes/no>                  Key recovery available
   -s <integer>                 Size of key/certificate pair in bits
   -t RSA                       Key type
   -v <yes/no>                  Verification available
   -C                           Country identifier
   -D                           Domain name
   -E                           Email address to contact about key
   -L                           Locality identifier
   -O                           Organization identifier
   -P                           Province identifier
   -U                           Organization unit identifier

The key is saved in /config/ssl/ssl.key/<output_file>.key. The certificate request is saved in /config/ssl/ssl.csr/<output_file>.csr. The self-signed certificate is saved in /config/ssl/ssl.crt/<output_file>.crt.

After you generate a key and certificates, you need to import them into the BIG-IP configuration using tmsh.

About key protection

There are three types of key protection available for use with the BIG-IP® system and Thales® nShield™ Connect:

• Module-protected keys are directly protected by the external HSM through the security world and can be used at any time without further authorization.
• Softcard-protected keys are protected by a softcard and can be used by only an operator who possesses the assigned passphrases.
• Token-protected keys are protected by a cardset and can be used by only an operator who possesses the Operator Card Set (OCS) token and any assigned passphrases.


Importing external HSM keys using tmsh

You can use the Traffic Management Shell (tmsh) to import existing external HSM keys into the system.

1. Log on to the command line of the system using the root account.
2. Open the Traffic Management Shell (tmsh).

   tmsh

3. Import a key, using these parameters:

   install sys crypto key <key_object_name> from-local-file <keyname>

   This example imports an external HSM key named www.siterequest.com.key from a local key file stored in the /config/ssl/ssl.key/ directory:

   install sys crypto key www.siterequest.com.key from-local-file /config/ssl/ssl.key/www.siterequest.com.key

Importing existing SSL keys into Thales nShield device for use by the BIG-IP system

You import existing SSL keys when you have pre-existing keys you want the BIG-IP® system to use. You need to perform these steps for each key you want to import into the Thales system.

1. Log in to the command-line interface of the system using an account with administrator privileges.
2. Copy the certificate(s) and key(s) you want to import onto the BIG-IP system and place them in the /var/tmp directory on the BIG-IP system.

   /var/tmp/user.key
   /var/tmp/user.crt

3. Ensure adequate permissions are set so that other users on the system are not able to view the .key files copied.

   chmod 600 /var/tmp/user.key

4. Import the key into the Thales nShield Connect external HSM using the generatekey utility.

   /opt/nfast/bin/generatekey --import pkcs11 certreq=yes

   The system interactively prompts you for information.
5. When prompted to enter the name of the PEM file that contains the RSA key, enter the full path to the key copied to the BIG-IP system (pemreadfile). For example, /var/tmp/user.key.
6. When prompted to enter the file name where the key will be written, enter the full path to the pseudo key (embedsavefile). This is the pseudo key required by the BIG-IP system. For example, /var/tmp/imported_user.key.
7. When prompted to enter the key name, type a name for the key (plainname). This is the name with which the key is associated in the nShield RFS. No path is required, as plainname is not written to a file on disk. For example, userkey. When the key import is complete, the generatekey utility generates two files:

   • imported_user.key
   • imported_user_req

8. Modify the ownership and permissions of the key you created. After successful import, take note of the path to the key to modify ownership.

   chown nfast:nfast /opt/nfast/kmdata/local/key_pkcs11_uced028e5251b7b6891e7e59dec5428d871f92241b-c70e6451e8d793ca80a497267ccb9bc73bd55edb
   chmod 755 /opt/nfast/kmdata/local/key_pkcs11_uced028e5251b7b6891e7e59dec5428d871f92241b-c70e6451e8d793ca80a497267ccb9bc73bd55edb

   Important: If this step is omitted, you might see permission errors when running rfs-sync.
9. Sync the nShield generated pseudo-key (embedsavefile) to the RFS.

   [root@LBHAS64:Active:Standalone] tmp # rfs-sync --update
   [root@LBHAS64:Active:Standalone] tmp # rfs-sync --commit

   If the BIG-IP system on which this procedure is performed is also the RFS, the rfs-sync commands above report 0 committed. This is expected behavior, as the imported keys are automatically stored in the RFS directory.
10. Import the pseudo key and SSL certificate using tmsh, for use by a BIG-IP client SSL profile, using this syntax:

    tmsh install sys crypto key [name] from-local-file [/path/to/pseudo_key.key]
    tmsh install sys crypto cert [name] from-local-file [/path/to/real_certificate.crt]

    For example:

    tmsh install sys crypto key import.key from-local-file /var/tmp/imported_user.key
    tmsh install sys crypto cert import.crt from-local-file /var/tmp/user.crt

11. Save the configuration.

    tmsh save sys config

    If you need to import more SSL certificates and keys, repeat all preceding steps for each certificate and key pair.
12. Create an SSL profile that references the above key and certificate.
13. Create a virtual server that uses the above SSL profile (or assign the profile to an existing virtual server).
14. Verify that the virtual server passes traffic correctly.
15. You can safely remove the certificates and keys from the /var/tmp directory used in this procedure, as they are no longer required by the BIG-IP system.

Note: Once the pseudo key has been installed with tmsh, the copy in /var/tmp is no longer used.

Note: Unless the SSL key file is deleted in a secure manner, it might be possible for someone to recover the file from the disk. Consider using the shred utility (type man shred at the command line for details) to delete any key files copied to the BIG-IP system once they have been successfully imported into the Thales nShield device.
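Steps 3 and 15 of the procedure above (mode 600 on the copied key, secure deletion once the pseudo key is installed) as an added shell helper that is not part of the F5 guide or the Thales tools: it stages a PEM private key into /var/tmp with restrictive permissions, refuses files that do not carry a PEM private-key header (so a certificate or the pseudo key is not mistaken for the real key), and removes the staged copy with shred, falling back to rm only when shred is absent. Function names and the optional staging-directory argument (used for testing) are assumptions.

```shell
# Added example (not from the F5 guide): stage an existing PEM key for
# generatekey --import and clean it up afterwards.

# Return 0 if the file starts a PEM private-key block (PKCS#1 RSA, EC or
# PKCS#8), otherwise 1. Pseudo keys written by generatekey and .crt files
# do not match, which guards against staging the wrong file.
is_pem_private_key() {
    grep -qE -- '^-----BEGIN (RSA |EC )?PRIVATE KEY-----' "$1" 2>/dev/null
}

# Copy the key in $1 into the staging directory ($2, default /var/tmp as in
# the guide) and enforce mode 600 (step 3). Prints the staged path.
stage_key_for_import() {
    src="$1"
    dir="${2:-/var/tmp}"
    dest="$dir/$(basename "$src")"
    is_pem_private_key "$src" || { echo "not a PEM private key: $src" >&2; return 1; }
    # restrictive umask so the copy is never group/world readable, even briefly
    ( umask 077 && cp "$src" "$dest" ) || return 1
    chmod 600 "$dest" || return 1
    printf '%s\n' "$dest"
}

# Permission string as ls -l reports it (e.g. -rw-------); portable across
# stat(1) variants, used to confirm the 600 mode before import.
file_mode() {
    ls -ld "$1" | cut -c1-10
}

# Step 15 plus the guide's shred note: overwrite and unlink the staged key.
# Plain rm leaves the key bytes recoverable on disk, so it is only a fallback.
remove_staged_key() {
    if command -v shred >/dev/null 2>&1; then
        shred -u "$1"
    else
        echo "warning: shred not available, key bytes may remain on disk" >&2
        rm -f "$1"
    fi
}
```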


Importing certificates using tmsh

You can use the Traffic Management Shell (tmsh) to import existing certificates into the system.

1. Log on to the command line of the system using the root account.
2. Open the Traffic Management Shell (tmsh).

   tmsh

3. Import a certificate.

   install sys crypto cert <cert_object_name> from-local-file <path_to_cert_file>

   This example imports the certificate generated earlier from the /config/ssl/ssl.crt/ directory:

   install sys crypto cert www.siterequest.com.crt from-local-file /config/ssl/ssl.crt/www.siterequest.com.crt

Creating a backup of the Thales RFS

Before you back up the RFS, ensure that the Thales® nShield™ Connect Remote File System (RFS) server is installed on your network.

Back up the /shared/nfast/kmdata/local/ directory of the RFS to recover the RFS state, if needed. The RFS contains all of the Thales nShield Connect keys.

1. If the RFS is not installed on the BIG-IP system, rename the /shared/nfast directory to /shared/nfast.org. This directory can be used to recover old data, if necessary.

2. Follow the Thales best practices for backing up the RFS server.

Creating a client SSL profile to use an external HSM key and certificate

After you have installed the external HSM key and certificate to the BIG-IP® system, you can use the key and certificate as part of a client SSL profile.

1. On the Main tab, click Local Traffic > Profiles > SSL > Client. The Client screen opens.
2. Click Create. The New Client SSL Profile screen opens.
3. In the Name field, type a name for the profile.
4. Select clientssl in the Parent Profile list.
5. From the Configuration list, select Advanced. This selection makes it possible for you to modify additional default settings.
6. Select the Custom check box for Configuration. The settings in the Configuration area become available for configuring.
7. From the Certificate list, select the certificate that you imported.
8. From the Key list, select the key that you imported.
9. Click Finished.

About using external HSMs with VIPRION systems

There are some important considerations when configuring the Thales® nShield™ Connect client software on a VIPRION® system:

• The Thales software and configuration files do not sync between blades. You will need to install and configure the client software on each blade installed in the chassis.
• You will need to add the cluster management IP address and the cluster member IP address for each blade installed in the chassis to the Thales nShield Connect device for remote connectivity between the VIPRION system and the Thales device.


Chapter 4:  About external HSMs and DNSSEC

• Prerequisites for implementing BIG-IP and Thales nShield Connect
• Installing Thales nShield Connect components on the BIG-IP system
• Setting up the RFS on the BIG-IP system
• Setting up the Thales nShield Connect client on the BIG-IP system
• Generating a key using Thales nShield Connect for use in creating manually-managed DNSSEC keys
• Importing external HSM keys using tmsh
• Importing certificates using tmsh
• Creating a backup of the Thales RFS
• Creating a DNSSEC key using an imported external HSM key and certificate
• About using external HSMs with VIPRION systems

Thales® nShield™ Connect is an external HSM that is available for use with BIG-IP® systems. Because it is network-based, rather than hardware-based, you can use the Thales nShield Connect solution with all BIG-IP platforms, including VIPRION® Series chassis. You can also use the Thales nShield Connect solution with BIG-IP Virtual Edition (VE).

The Thales nShield Connect architecture includes a component called the Remote File System (RFS) that stores and manages the encrypted key files. The RFS can be installed on the BIG-IP system or on another server on your network. The BIG-IP system is a client of the RFS, and all BIG-IP systems that are enrolled with the RFS can access the encrypted keys from this central location. The RFS helps automate the key distribution process, but it is not required that you use RFS with this solution.

When the BIG-IP system is a BIG-IP Global Traffic Manager™ (GTM™), you can also use the Thales nShield™ Connect to store and manage DNSSEC keys.

For additional information about using Thales nShield Connect, see the Thales Customer Support Portal (https://support.thales-esecurity.com/).

Important: If you are installing Thales nShield Connect on a BIG-IP system that will be licensed for Appliance mode, you must install the Thales nShield Connect software prior to licensing the BIG-IP system for Appliance mode.

Prerequisites for implementing BIG-IP and Thales nShield Connect

Before you can use Thales® nShield™ Connect with the BIG-IP® system, you must ensure that:

• The Thales nShield Connect device is installed on your network.
• The RFS is installed on your network, or you plan to install and set up the RFS on the BIG-IP system.
• The Thales nShield Connect device, the RFS, and the BIG-IP system can initiate connections with each other through port 9004.
• You have created the Thales Security World (security architecture).
• The BIG-IP system is licensed for external interface and network HSM.
• The BIG-IP system has FIPS 140-2 or FIPS 140-3 compliant ciphers, depending upon your security needs. For information about FIPS compliant ciphers, see Annex A: Approved Security Functions for FIPS PUB 140-2 (http://csrc.nist.gov/publications/fips/fips140-2/fips1402annexa.pdf), and see SOL8802 on http://support.f5.com for a complete list of supported ciphers.
• The BIG-IP system does not contain a FIPS Cavium card.

Important: You cannot run the BIG-IP system with both internal and external HSMs at the same time.

Additionally, before you begin the installation process, ensure that you have access to:

• The Thales Security World Software for Linux 64bit (Release 11.40 or higher)
• The nShield_Connect_User_Guide.pdf

Installing Thales nShield Connect components on the BIG-IP system

Before you can set up the Thales® nShield™ Connect components on a BIG-IP® system, you must obtain the Thales 64 bit Linux ISO CD and copy files from the CD to specific locations on the BIG-IP system using secure copy (SCP).

You need to install files from the Thales 64 bit Linux ISO CD to the BIG-IP system.

1. Log on to the command line of the system using the root account.
2. Create a directory under /shared named thales_install/amd64/nfast (the -p flag also creates the intermediate directories).

   mkdir -p /shared/thales_install/amd64/nfast

3. Copy files from the CD and place them in the specified directories:

   File to copy from the CD                    Location to place file on BIG-IP
   /linux/libc6_3/amd64/nfast/ctls/agg.tar     /shared/thales_install/amd64/nfast/ctls/agg.tar
   /linux/libc6_3/amd64/nfast/hwcrhk/user.tar  /shared/thales_install/amd64/nfast/hwcrhk/user.tar
   /linux/libc6_3/amd64/nfast/hwsp/agg.tar     /shared/thales_install/amd64/nfast/hwsp/agg.tar
   /linux/libc6_3/amd64/nfast/pkcs11/user.tar  /shared/thales_install/amd64/nfast/pkcs11/user.tar

If you are not using an RFS installed on another server in your network, you must set up the RFS on the BIG-IP system. Additionally, you must set up the Thales client on the BIG-IP system.


Setting up the RFS on the BIG-IP system

Before you set up the RFS on the BIG-IP® system, ensure that the Thales® nShield™ Connect device is installed on your network and the Thales Security World is set up. Ensure that the RFS is installed on the BIG-IP system as well.

Important: Setting up the RFS on the BIG-IP system is optional. If the RFS is running on another server on your network, do not perform this task.

You can run the Thales Remote File System (RFS) on the BIG-IP system. To set up the RFS, you must run a script on the BIG-IP® system.

Note: You only need one RFS on your network to store all HSM keys. All Thales nShield Connect clients use the same RFS to access the HSM keys.

1. Log on to the command line of the system using the root account.
2. Set up the RFS.

   nethsm-thales-rfs-install.sh --hsm_ip_addr=<Thales_nShield_Connect_device_IP_address> --rfs_interface=<local_interface_name>

   This example sets up the RFS to run on the BIG-IP system when the Thales nShield Connect device has an IP address of 192.27.13.59:

   nethsm-thales-rfs-install.sh --hsm_ip_addr=192.27.13.59 --rfs_interface=eth0

   Additional option   Description
   -h                  Displays help
   -v                  Prints verbose output about operations
   --verbose=<level>   Indicates message verbosity level (the default value is zero, and all levels greater than zero indicate verbose output)

After you set up the RFS on the BIG-IP system, you must set up the Thales nShield Connect client on each BIG-IP system that you want to use with the Thales nShield Connect device.

Setting up the Thales nShield Connect client on the BIG-IP system

Before you set up the Thales client, ensure that the Thales® nShield™ Connect client is installed on the BIG-IP® system and that the Security World has been set up. Additionally, ensure that the RFS is installed and set up on either a remote server or on the BIG-IP system on your network.

Note: If the Thales nShield Connect client was installed on a BIG-IP system before the RFS was installed on the network, then you must reinstall the client on the BIG-IP system.

Important: If there is a firewall between the BIG-IP system and the RFS, validate that both systems can initiate a connection through port 9004.

Before you can use the Thales nShield Connect device with the BIG-IP system, you must set up the Thales client on the BIG-IP system.


1. Log on to the command line of the system using the root account.
2. Set up the Thales nShield Connect client, using one of these options:

   • Set up the client when the RFS is remote.

     nethsm-thales-install.sh --hsm_ip_addr=<nShield_Connect_device_IP_address> --rfs_ip_addr=<remote_RFS_IP_address> --rfs_username=<remote_RFS_server_username_for_SSH_login> --interface=<Interface_name_of_Thales_client_on_BIG-IP>

     This example sets up the client where the Thales nShield Connect device has an IP address of 192.27.13.59, the remote RFS has an IP address of 192.27.13.58, the user name for an SSH login to the RFS is root, and the Thales client interface is the default of eth0:

     nethsm-thales-install.sh --hsm_ip_addr=192.27.13.59 --rfs_ip_addr=192.27.13.58 --rfs_username=root --interface=eth0

   • Set up the client when the RFS is set up on the BIG-IP system:

     nethsm-thales-install.sh --hsm_ip_addr=<nShield_Connect_device_IP_address> --rfs_interface=<local_RFS_server_interface>

     This example sets up the client where the Thales nShield Connect device has an IP address of 172.27.13.59 and the RFS is installed on the BIG-IP system using the eth0 interface:

     nethsm-thales-install.sh --hsm_ip_addr=172.27.13.59 --rfs_interface=eth0

Generating a key using Thales nShield Connect for use in creating manually-managed DNSSEC keys

Before you generate the key, ensure that the Thales® nShield™ Connect client is running on all BIG-IP® GTM™ devices in the configuration synchronization group.

Use the fipskey.nethsm utility to generate keys to be used to create manually-managed DNSSEC private keys.

Tip: For instructions about creating automatically-managed DNSSEC private keys, see Configuring DNSSEC with an external HSM in BIG-IP® DNS Services: Implementations at http://support.f5.com.

1. Set the external HSM to Thales nShield Connect.

   fipskey.nethsm --hsm=Thales

2. Generate a key.

   fipskey.nethsm --genkey -o <output_file>

   This example generates three files: /config/ssl/ssl.key/www.siterequest.com.key, /config/ssl/ssl.csr/www.siterequest.com.csr, and /config/ssl/ssl.crt/www.siterequest.com.crt:

   fipskey.nethsm --genkey -o www.siterequest.com

   Additional option            Description
   -o                           Name applied to .key, .csr, and .crt output files. Important: This parameter is required.
   -c <token/module/softcard>   Type of protection
   -e <hex>                     Public exponent to use when generating RSA keys only. Tip: Do not provide a value for this option unless advised to do so by F5 Technical Support.
   -g sha1                      Digest used to sign key and certificate
   -k <name>                    Key name
   -m <yes/no>                  Store key in non-volatile RAM
   -n <integer>                 Slot to read cards from
   -r <yes/no>                  Key recovery available
   -s <integer>                 Size of key/certificate pair in bits
   -t RSA                       Key type
   -v <yes/no>                  Verification available
   -C                           Country identifier
   -D                           Domain name
   -E                           Email address to contact about key
   -L                           Locality identifier
   -O                           Organization identifier
   -P                           Province identifier
   -U                           Organization unit identifier

The key is saved in /config/ssl/ssl.key/<output_file>.key. The certificate request is saved in /config/ssl/ssl.csr/<output_file>.csr. The self-signed certificate is saved in /config/ssl/ssl.crt/<output_file>.crt.

After you generate a key and certificates, you need to import them into the BIG-IP configuration using tmsh.

About key protection

There are three types of key protection available for use with the BIG-IP® system and Thales® nShield™ Connect:

• Module-protected keys are directly protected by the external HSM through the security world and can be used at any time without further authorization.
• Softcard-protected keys are protected by a softcard and can be used by only an operator who possesses the assigned passphrases.
• Token-protected keys are protected by a cardset and can be used by only an operator who possesses the Operator Card Set (OCS) token and any assigned passphrases.


Importing external HSM keys using tmsh

You can use the Traffic Management Shell (tmsh) to import existing external HSM keys into the system.

1. Log on to the command line of the system using the root account.
2. Open the Traffic Management Shell (tmsh).

   tmsh

3. Import a key, using these parameters:

   install sys crypto key <key_object_name> from-local-file <keyname>

   This example imports an external HSM key named www.siterequest.com.key from a local key file stored in the /config/ssl/ssl.key/ directory:

   install sys crypto key www.siterequest.com.key from-local-file /config/ssl/ssl.key/www.siterequest.com.key

Importing certificates using tmsh

You can use the Traffic Management Shell (tmsh) to import existing certificates into the system.

1. Log on to the command line of the system using the root account.
2. Open the Traffic Management Shell (tmsh).

   tmsh

3. Import a certificate.

   install sys crypto cert <cert_object_name> from-local-file <path_to_cert_file>

   This example imports the certificate generated earlier from the /config/ssl/ssl.crt/ directory:

   install sys crypto cert www.siterequest.com.crt from-local-file /config/ssl/ssl.crt/www.siterequest.com.crt

Creating a backup of the Thales RFS

Before you back up the RFS, ensure that the Thales® nShield™ Connect Remote File System (RFS) server is installed on your network.

Back up the /shared/nfast/kmdata/local/ directory of the RFS to recover the RFS state, if needed. The RFS contains all of the Thales nShield Connect keys.

1. If the RFS is not installed on the BIG-IP system, rename the /shared/nfast directory to /shared/nfast.org. This directory can be used to recover old data, if necessary.

2. Follow the Thales best practices for backing up the RFS server.


Creating a DNSSEC key using an imported external HSM key and certificate

Before you create a DNSSEC key using an imported key and certificate, ensure that you have generated a key and certificate using Thales® nShield™ Connect, and that you have imported the key and certificate.

You can create manually-managed DNSSEC zone-signing and key-signing keys for use with an external HSM. For more information, see Configuring DNSSEC with an external HSM in BIG-IP® DNS Services: Implementations at http://support.f5.com.

About using external HSMs with VIPRION systems

There are some important considerations when configuring the Thales® nShield™ Connect client software on a VIPRION® system:

• The Thales software and configuration files do not sync between blades. You will need to install and configure the client software on each blade installed in the chassis.
• You will need to add the cluster management IP address and the cluster member IP address for each blade installed in the chassis to the Thales nShield Connect device for remote connectivity between the VIPRION system and the Thales device.


Index

10000/11000/11050 platforms
    fipsutil 11
    initializing HSM 11
    security domain 11
    security officer (SO) password 11
    SO (security officer) password 11

6900/8900 platforms
    fipsutil 10
    initializing HSM 10
    security domain 10
    security officer (SO) password 10
    SO (security officer) password 10

A

Appliance mode 19, 29

C

client SSL profile
    using with external HSM key and certificate 26
converting keys
    using the Configuration utility 14
    using tmsh 15

D

device group
    setting up FIPS platforms 10
DNSSEC
    using with external HSM 29
DNSSEC keys
    creating 35

E

external HSM
    generating external HSM keys for use with DNSSEC 32
    generating keys 22
    installing components 20, 30
    prerequisites for installing 20, 30
    using with Appliance mode 19
    using with Appliance mode and DNSSEC 29
    using with DNSSEC 29
    using with VIPRION systems 27, 35
external HSM client
    setting up on BIG-IP system 21, 31
external HSM key and certificate
    using with client SSL profile 26

F

FIPS card, See hardware-based HSM.
FIPS keys
    converting a key to FIPS using tmsh 15
    creating keys using the Configuration utility 13
    creating keys using tmsh 15
    key management using the Configuration utility 13
    key management using tmsh 15
    managing keys using the Configuration utility 13
    managing keys using tmsh 15

H

hardware-based HSM
    about 9
    initializing, 10000/11000/11050 platforms 11
    initializing, 6900/8900 platforms 10
    recovering after a system failure 16
    synchronizing HSMs 13
    system backup 16
    system recovery 16
    system recovery options 16
hardware security module (HSM)
    external 19
    internal 9

I

importing certificates using tmsh 26, 34
importing external HSM keys using tmsh 24, 34
importing keys 24
    using the Configuration utility 14
    using tmsh 15
initializing HSM
    on the 10000/11000/11050 platforms 11
    on the 6900/8900 platforms 10
internal HSM
    implementation options 7
    See also hardware-based HSM.
internal HSM keys, See FIPS keys.

K

key protection
    about 23, 33
keys
    converting a key to FIPS using the Configuration utility 14
    importing using the Configuration utility 14
    importing using tmsh 15

M

module-protected keys
    about 23, 33

N

network-based HSM, See external HSM.

O

OCS, See Operator Card Set.
Operator Card Set (OCS) 23, 33

R

redundant system configuration, See device group.
Remote File System (RFS)
    defined 19, 29
    setting up on BIG-IP 21, 31
RFS, See Remote File System (RFS)

S

security domain
    synchronizing between platforms 9
softcard-protected keys
    about 23, 33
SSL keys
    importing into Thales nShield device 24
synchronizing HSMs
    hardware-based HSM 13

T

Thales HSM
    using with VIPRION systems 27, 35
Thales nShield Connect
    prerequisites for installing 20, 30
Thales nShield Connect client
    setting up on BIG-IP system 21, 31
Thales nShield Connect components
    installing 20, 30
tmsh commands
    converting keys to FIPS 15
    creating FIPS keys 15
    for FIPS platform 17
    importing certificates 26, 34
    importing external HSM keys 24, 34
    importing keys 15
token-protected keys
    about 23, 33