Product Documentation
ADC
14.1 - Current Release 13.1 13.0 12.1
View PDF

Citrix ADC MPX FIPS certified appliances

May 9, 2023
Contributed by: 
S C

The Citrix ADC MPX 8900 FIPS and MPX 15000-50G FIPS certified appliances Cert #4043 have been tested by a third party laboratory for the security requirements of FIPS 140-2 Level-2. More information about the FIPS 140-2 standard and validation program is available on the National Institute of Standards and Technology (NIST) and the Canadian Center for Cyber Security (CCCS) Cryptographic Module Validation Program (CMVP) website at https://csrc.nist.gov/projects/cryptographic-module-validation-program.

Notes

  • The MPX 8900 FIPS and the MPX 15000-50G FIPS appliances no longer use a third-party Hardware Security Module. The requirements to be FIPS validated are build into the system.
  • Only the firmware versions listed under “Citrix ADC Release 12.1-FIPS” and “Citrix ADC Release 12.1-NDcPP” in the Citrix ADC downloads page are supported on the MPX 8900 FIPS, MPX 15000-50G FIPS, and VPX FIPS platforms.

Prerequisites

  • FIPS platform license in addition to a bandwidth license.

Ciphers supported on MPX 8900 FIPS and MPX 15000-50G FIPS certified appliances

All ciphers supported on a Citrix ADC MPX/SDX 14000 FIPS appliance, except the 3DES cipher, are supported on the MPX 8900 and MPX 15000-50G FIPS certified appliances. For the complete list of ciphers supported on these appliances, see Cipher support on Citrix ADC VPX FIPS and MPX FIPS certified appliances.

Limitation

TACACS authentication is not supported on the MPX FIPS certified appliance.

Configuration

  1. After the appliance starts, run the following command at the CLI:

    > show system fipsStatus
<!--NeedCopy-->

  2. You must get the following output.

    FipsStatus: "System is operating in FIPS mode"
Done
>
<!--NeedCopy-->

  3. In case you get the following output, check the license.

    FipsStatus: "System is operating in non FIPS mode"
Done
>
<!--NeedCopy-->

Perform the following steps to initialize the MPX appliance for the FIPS mode of operation.

  1. Enforce strong passphrase requirements.
  2. Replace the default TLS certificate.
  3. Disable HTTP access to the web GUI.
  4. Create the KEK master key.
  5. After initial configuration, disable local authentication and configure remote authentication using LDAP.

Enforce strong passphrase requirements using the GUI

Passphrases are used to derive keys using PBKDF2. As an admin, enable strong passphrase requirements using the GUI.

  1. Navigate to System > Settings.
  2. In the Settings section, click Change Global System Settings.
  3. In the Strong Password field, select Enable All.
  4. In the Min Password Length field, type “8.”
  5. Click OK.

Replace the default TLS certificate

By default, the MPX FIPS certified appliance includes a factory-provisioned RSA certificate for TLS connections (ns-server.cert and ns-server.key). This certificate is not intended for use in production deployments and must be replaced. Replace the default certificate with a new certificate after the initial installation.

To replace the default TLS certificate:

  1. At the command prompt, type the following command to set the host name of the appliance.

    set ns hostName <hostname>

Create a Certificate Signing Request (CSR) using the GUI

  1. Navigate to Traffic Management > SSL > SSL Files.
  2. In the CSR tab, click Create Certificate Signing Request (CSR).
  3. Enter the values and click Create. Note: The Common Name field contains the value of the host name set using the ADC CLI.
  4. Submit the CSR file to a trusted certificate authority (CA). The CSR file is available in the /nsconfig/ssl directory.
  5. After receiving the certificate from the CA, copy the file to the /nsconfig/ssl directory.
  6. Navigate to Traffic Management > SSL > Certificates > Server Certificates.
  7. Select ns-server-certificate.
  8. Click Update.
  9. Click Update the certificate and key.
  10. In the Certificate File Name field, choose the certificate file that was received from the certificate authority (CA). Choose Local if the file is on your local computer. Otherwise, choose Appliance.
  11. In the Key File Name field, specify the default private key file name (ns-server.key).
  12. Select the No Domain Check option.
  13. Click OK.

Disable HTTP access to the web GUI

To protect traffic to the administrative interface and web GUI, the appliance must be configured to use HTTPS. After adding new certificates, use the CLI to disable HTTP access to the GUI management interface.

At the command prompt, type:

set ns ip <NSIP> -gui SECUREONLY

Create the KEK key

The KEK master key is used to encrypt passphrases and other sensitive information. To prevent the default KEK from being used, use the CLI to create a KEK.

To create the KEK, at the command prompt, type:

create system kek

When prompted, enter a strong passphrase. The KEK is derived from this passphrase.

Disable local authentication and configure remote authentication using LDAP

The superuser account is a default account with root CLI access privileges that is required for initial configuration. During initial configuration, disable local system authentication to block access to all local accounts (including the superuser account), and to ensure that superuser privileges are not assigned to any user account.

To disable local system authentication and enable external system authentication using the CLI:

At the command prompt, type:

set system parameter -localauth disabled

Follow the instructions in Configuring LDAP authentication to configure external system authentication to use LDAP.

Configure remote authentication using RADIUS

Starting from release 12.1–55.282, you can configure RADIUS authentication on FIPS environments. Previously, RADIUS authentication was supported only on the UDP protocol. As a result, RADIUS authentication was not supported on FIPS environments as FIPS supported only TLS protocol.

Note:

The Test RADIUS Reachability option is not supported for RADIUS.

Configure RADIUS over TLS by using the CLI

At the command prompt type:

add authentication radiusAction <name> [-serverIP] [-serverPort ] [-transport <transport>] [-targetLBVserver <string>]
<!--NeedCopy-->

Example

add authentication radiusAction RadAction -serverIP 1.1.1.1 -radkey 123 -transport TLS -targetLBVserver rad-lb
<!--NeedCopy-->

Note:

  • For the TLS transport type, configure a target load balancing virtual server of type TCP and bind a service of type SSL_TCP to this virtual server.
  • Server name is not supported.
  • The IP address and the port number configured for RADIUS action must match the IP address and port number of the configured target load balancing virtual server.

Configure RADIUS over TLS by using the GUI

  1. Navigate to Security > AAA - Application Traffic > Policies > Authentication > Advanced Policies > Actions > Servers.

  2. Select an existing server or create a server.

    For details about creating a server, see To configure a RADIUS server by using the GUI.

    RADIUS TLS transport

  3. In Transport, select TLS.

  4. In Target Load Balancing Virtual Server, select the virtual server. For details about creating a load balancing virtual server, see Creating a virtual server.

    Note:

    • For the TLS transport type, configure a target load balancing virtual server of type TCP and bind a service of type SSL_TCP to this virtual server.
    • Server name is not supported.
    • The IP address and the port number configured for RADIUS action must match the IP address and port number of the configured target load balancing virtual server.
  5. Click Create.
Citrix ADC MPX FIPS certified appliances
May 9, 2023
Contributed by: 
S C
May 9, 2023
Contributed by: 
S C

In this article

Site feedback | Privacy and legal terms | Cookie preferences | Consent settings | docs.cloud.com
© 1999- Cloud Software Group, Inc. All rights reserved.