Citrix ADC MPX FIPS certified appliances
The Citrix ADC MPX 8900 FIPS and MPX 15000-50G FIPS certified appliances Cert #4043 have been tested by a third party laboratory for the security requirements of FIPS 140-2 Level-2. More information about the FIPS 140-2 standard and validation program is available on the National Institute of Standards and Technology (NIST) and the Canadian Center for Cyber Security (CCCS) Cryptographic Module Validation Program (CMVP) website at https://csrc.nist.gov/projects/cryptographic-module-validation-program.
Notes
- The MPX 8900 FIPS and the MPX 15000-50G FIPS appliances no longer use a third-party Hardware Security Module. The requirements to be FIPS validated are build into the system.
- Only the firmware versions listed under “Citrix ADC Release 12.1-FIPS” and “Citrix ADC Release 12.1-NDcPP” in the Citrix ADC downloads page are supported on the MPX 8900 FIPS, MPX 15000-50G FIPS, and VPX FIPS platforms.
Prerequisites
- FIPS platform license in addition to a bandwidth license.
Ciphers supported on MPX 8900 FIPS and MPX 15000-50G FIPS certified appliances
All ciphers supported on a Citrix ADC MPX/SDX 14000 FIPS appliance, except the 3DES cipher, are supported on the MPX 8900 and MPX 15000-50G FIPS certified appliances. For the complete list of ciphers supported on these appliances, see Cipher support on Citrix ADC VPX FIPS and MPX FIPS certified appliances.
Limitation
TACACS authentication is not supported on the MPX FIPS certified appliance.
Configuration
-
After the appliance starts, run the following command at the CLI:
> show system fipsStatus <!--NeedCopy-->
-
You must get the following output.
FipsStatus: "System is operating in FIPS mode" Done > <!--NeedCopy-->
-
In case you get the following output, check the license.
FipsStatus: "System is operating in non FIPS mode" Done > <!--NeedCopy-->
Perform the following steps to initialize the MPX appliance for the FIPS mode of operation.
- Enforce strong passphrase requirements.
- Replace the default TLS certificate.
- Disable HTTP access to the web GUI.
- Create the KEK
master
key. - After initial configuration, disable local authentication and configure remote authentication using LDAP.
Enforce strong passphrase requirements using the GUI
Passphrases are used to derive keys using PBKDF2. As an admin, enable strong passphrase requirements using the GUI.
- Navigate to System > Settings.
- In the Settings section, click Change Global System Settings.
- In the Strong Password field, select Enable All.
- In the Min Password Length field, type “8.”
- Click OK.
Replace the default TLS certificate
By default, the MPX FIPS certified appliance includes a factory-provisioned RSA certificate for TLS connections (ns-server.cert
and ns-server.key
). This certificate is not intended for use in production deployments and must be replaced. Replace the default certificate with a new certificate after the initial installation.
To replace the default TLS certificate:
-
At the command prompt, type the following command to set the host name of the appliance.
set ns hostName <hostname>
Create a Certificate Signing Request (CSR) using the GUI
- Navigate to Traffic Management > SSL > SSL Files.
- In the CSR tab, click Create Certificate Signing Request (CSR).
- Enter the values and click Create. Note: The Common Name field contains the value of the host name set using the ADC CLI.
- Submit the CSR file to a trusted certificate authority (CA). The CSR file is available in the
/nsconfig/ssl
directory. - After receiving the certificate from the CA, copy the file to the
/nsconfig/ssl
directory. - Navigate to Traffic Management > SSL > Certificates > Server Certificates.
- Select ns-server-certificate.
- Click Update.
- Click Update the certificate and key.
- In the Certificate File Name field, choose the certificate file that was received from the certificate authority (CA). Choose Local if the file is on your local computer. Otherwise, choose Appliance.
- In the Key File Name field, specify the default private key file name (
ns-server.key
). - Select the No Domain Check option.
- Click OK.
Disable HTTP access to the web GUI
To protect traffic to the administrative interface and web GUI, the appliance must be configured to use HTTPS. After adding new certificates, use the CLI to disable HTTP access to the GUI management interface.
At the command prompt, type:
set ns ip <NSIP> -gui SECUREONLY
Create the KEK key
The KEK master
key is used to encrypt passphrases and other sensitive information. To prevent the default KEK from being used, use the CLI to create a KEK.
To create the KEK, at the command prompt, type:
create system kek
When prompted, enter a strong passphrase. The KEK is derived from this passphrase.
Disable local authentication and configure remote authentication using LDAP
The superuser account is a default account with root CLI access privileges that is required for initial configuration. During initial configuration, disable local system authentication to block access to all local accounts (including the superuser account), and to ensure that superuser privileges are not assigned to any user account.
To disable local system authentication and enable external system authentication using the CLI:
At the command prompt, type:
set system parameter -localauth disabled
Follow the instructions in Configuring LDAP authentication to configure external system authentication to use LDAP.
Configure remote authentication using RADIUS
Starting from release 12.1–55.282, you can configure RADIUS authentication on FIPS environments. Previously, RADIUS authentication was supported only on the UDP protocol. As a result, RADIUS authentication was not supported on FIPS environments as FIPS supported only TLS protocol.
Note:
The Test RADIUS Reachability option is not supported for RADIUS.
Configure RADIUS over TLS by using the CLI
At the command prompt type:
add authentication radiusAction <name> [-serverIP] [-serverPort ] [-transport <transport>] [-targetLBVserver <string>]
<!--NeedCopy-->
Example
add authentication radiusAction RadAction -serverIP 1.1.1.1 -radkey 123 -transport TLS -targetLBVserver rad-lb
<!--NeedCopy-->
Note:
- For the TLS transport type, configure a target load balancing virtual server of type TCP and bind a service of type SSL_TCP to this virtual server.
- Server name is not supported.
- The IP address and the port number configured for RADIUS action must match the IP address and port number of the configured target load balancing virtual server.
Configure RADIUS over TLS by using the GUI
- Navigate to Security > AAA - Application Traffic > Policies > Authentication > Advanced Policies > Actions > Servers.
-
Select an existing server or create a server.
For details about creating a server, see To configure a RADIUS server by using the GUI.
- In Transport, select TLS.
-
In Target Load Balancing Virtual Server, select the virtual server. For details about creating a load balancing virtual server, see Creating a virtual server.
Note:
- For the TLS transport type, configure a target load balancing virtual server of type TCP and bind a service of type SSL_TCP to this virtual server.
- Server name is not supported.
- The IP address and the port number configured for RADIUS action must match the IP address and port number of the configured target load balancing virtual server.
- Click Create.