Citrix ADC VPX FIPS certified appliances
The Citrix ADC VPX FIPS appliance is validated for FIPS 140-2 Level 1 (Certificate #3732: https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/3732) by the National Institute of Standards and Technology (NIST). More information about the FIPS 140-2 standard and the validation program is available on the NIST and Canadian Centre for Cyber Security (CCCS) Cryptographic Module Validation Program (CMVP) website at https://csrc.nist.gov/projects/cryptographic-module-validation-program.
Note
Only the firmware versions listed under “Citrix ADC Release 12.1-FIPS” and “Citrix ADC Release 12.1-NDcPP” on the Citrix ADC downloads page are supported on the MPX 8900 FIPS, MPX 15000-50G FIPS, and VPX FIPS platforms.
Prerequisites
- For on-prem hypervisors, download the special build from the Citrix website. Download the complete VPX FIPS package for the respective hypervisor.
- VPX FIPS is supported only on platforms whose underlying Intel CPU supports the RDRAND and RDSEED instruction sets. For more information about which Intel CPUs support RDRAND and RDSEED, see the Intel architecture documentation.
- A Citrix ADC VPX FIPS certified appliance requires a FIPS instance license and a bandwidth pool to function as expected in the pooled licensing model. For non-pooled licenses, a single VPX FIPS license of the required bandwidth capacity is required.
Configuration
The module is available as a software package that includes both the application software and the operating system. After purchasing the Citrix ADC VPX FIPS license, get the latest Citrix ADC VPX FIPS image from the Citrix website.
Perform the following steps:
- Upload the latest Citrix ADC VPX FIPS image to one of the following hypervisors: ESXi, Citrix Hypervisor, Hyper-V, KVM, AWS, Azure, or GCP.
Note
VPX FIPS is qualified on ESX 6.5 U2 and ESX 7.0.1.c.
- Apply the Citrix ADC VPX FIPS Platform license and the Citrix ADC VPX Bandwidth license, and warm reboot the appliance.
- After the appliance starts, run the following command at the CLI:
> show system fipsStatus
You must get the following output:
FipsStatus: "System is operating in FIPS mode"
Done
>
If you get the following output instead, see the troubleshooting section for steps to resolve the issue:
FipsStatus: "System is operating in non FIPS mode"
Done
>
- Follow the configuration guidelines in the Secure Deployment Guide.
For information about remote authentication using RADIUS, see Configure remote authentication using RADIUS.
Ciphers supported on a VPX FIPS appliance
All ciphers supported on a Citrix ADC MPX/SDX 14000 FIPS appliance, except the 3DES cipher, are supported on a VPX FIPS appliance. For the complete list of ciphers supported on a Citrix ADC VPX FIPS appliance, see the following topic:
Upgrade a Citrix ADC VPX FIPS certified appliance
Follow the steps in Upgrade a Citrix ADC standalone appliance to upgrade the VPX FIPS certified appliance.
Important: Replace the ./installns command with ./installns -F.
Limitations
- TACACS authentication is not supported on the VPX FIPS appliance.
- VPX FIPS is a separate image. Upgrading the software version from a VPX version to a VPX FIPS version is not supported. Likewise, the VPX FIPS software version cannot be downgraded or upgraded to a VPX software version.
- The VPX FIPS image is not supported on Citrix ADC SDX and Citrix ADC SDX FIPS appliances.
- Citrix ADC VPX FIPS on GCP currently supports standalone deployment only. HA deployment is not supported.
Troubleshooting
When you run the show system fipsStatus command and the output is as follows:
FipsStatus: "System is operating in non FIPS mode"
Done
>
The reason might be one of the following:
- The license is expired or incorrect.
- The hardware is not supported.
- The system is unable to come up in FIPS mode. This error might be due to a POST failure on the management core or on a packet engine.
To resolve:
- Check that the correct Citrix ADC VPX FIPS license is installed and that the license has not expired.
- Check that the underlying CPU supports the RDRAND and RDSEED instruction sets. Run the following command (the shell command drops you from the CLI into the FreeBSD shell):
> shell
# nsconmsg -g drbg -g ssl_err -g fips -d statswt0
If the nsssl_err_fips_drbg_rdrand_not_supported counter increments, the underlying hardware does not support the RDRAND and RDSEED instruction sets.
- Check for a power-on self-test (POST) failure on the management core or on a packet engine. Run the following command:
> shell
# nsconmsg -g drbg -g ssl_err -g fips -d statswt0
The nsssl_err_fips_post_failed counter increments if POST fails during bootup on a packet engine, that is, a data plane failure. If the counter does not increment, check the log file /var/log/FIPS-post.log for a failed algorithm test entry, that is, a POST failure on the management core (control plane failure). In both cases, contact Citrix support.