MPX 9700/10500/12500/15500 FIPS appliances
Note:
The MPX 9700/10500/12500/15500 FIPS platform has reached end of life.
The Federal Information Processing Standard (FIPS), issued by the US National Institute of Standards and Technologies, specifies the security requirements for a cryptographic module used in a security system. The Citrix ADC FIPS appliance complies with the second version of this standard, FIPS-140-2.
Note: Henceforth, all references to FIPS imply FIPS-140-2.
The FIPS appliance is equipped with a tamper-proof (tamper-evident) cryptographic module—and a Cavium CN1620-NFBE3-2.0-G on the MPX 9700/10500/12500/15500 FIPS appliances—designed to comply with the FIPS 140-2 Level-2 specifications. The Critical Security Parameters (CSPs), primarily the server’s private-key, are securely stored and generated inside the cryptographic module, also referred to as the Hardware Security Module (HSM). The CSPs are never accessed outside the boundaries of the HSM. Only the superuser (nsroot
) can perform operations on the keys stored inside the HSM.
The following table summarizes the differences between standard Citrix ADC and Citrix ADC FIPS appliances.
Setting | Citrix ADC appliance | Citrix ADC FIPS appliance |
---|---|---|
Key storage | On the hard disk | On the FIPS card |
Cipher support | All ciphers | FIPS approved ciphers |
Accessing keys | From the hard disk | Not accessible |
Configuring a FIPS appliance involves configuring the HSM immediately after completing the generic configuration process. You then create or import a FIPS key. After creating a FIPS key, export it for backup. You might also need to export a FIPS key so that you can import it to another appliance. For example, configuring FIPS appliances in a high availability (HA) setup requires transferring the FIPS key from the primary node to the secondary node immediately after completing the standard HA setup.
You can upgrade the firmware version on the FIPS card from version 4.6.0 to 4.6.1, and you can reset an HSM that has been locked to prevent unauthorized logon. Only FIPS approved ciphers are supported on a Citrix ADC FIPS appliance.
HSM configuration
Before you can configure the HSM of your Citrix ADC FIPS appliance, you must complete the initial hardware configuration. For more information about MPX appliances, see Initial Configuration. For information about SDX appliances, click here.
Configuring the HSM of your Citrix ADC FIPS appliance erases all existing data on the HSM. To configure the HSM, you must be logged on to the appliance as the superuser (nsroot
account). The HSM is preconfigured with default values for the Security Officer (SO) password and User password, which you use to configure the HSM or reset a locked HSM. The maximum length allowed for the password is 14 alphanumeric characters. Symbols are not allowed.
Important: Run the
set ssl fips
command only after resetting the FIPS card and restarting the MPX FIPS appliance.
Although the FIPS appliance can be used with the default password values, you must modify them before using it. The HSM can be configured only when you log on to the appliance as the superuser and specify the SO and User passwords.
Important: Due to security constraints, the appliance does not provide a means for retrieving the SO password. Store a copy of the password safely. If you need to reinitialize the HSM, you need to specify this password as the old SO password.
Before initializing the HSM, you can upgrade to the latest build of the software. To upgrade to the latest build, see Upgrading or Downgrading the System Software.
After upgrading, verify that the /nsconfig/fips directory has been successfully created on the appliance.
Configure the HSM on an MPX 9700/10500/12500/15500 FIPS appliance by using the CLI
After logging on to the appliance as the superuser and completing the initial configuration, at the command prompt, type:
show ssl fips
reset ssl fips
reboot
set ssl fips -initHSM Level-2 <newSOpassword> <oldSOpassword> <userPassword> [-hsmLabel <string>]
save ns config
reboot
show ssl fips
<!--NeedCopy-->
Example:
show fips
FIPS Card is not configured
Done
reset fips
reboot
Are you sure you want to restart NetScaler (Y/N)? [N]:y
set ssl fips -initHSM Level-2 sopin12345 so12345 user123 -hsmLabel cavium
This command will erase all data on the FIPS card. You must save the configuration
(saveconfig) after executing this command.
Do you want to continue?(Y/N)y
Done
save ns config
reboot
Are you sure you want to restart NetScaler (Y/N)? [N]:y
show fips
FIPS HSM Info:
HSM Label : Citrix ADC FIPS
Initialization : FIPS-140-2 Level-2
HSM Serial Number : 2.1G1008-IC000021
HSM State : 2
HSM Model : NITROX XL CN1620-NFBE
Firmware Version : 1.1
Firmware Release Date : Jun04,2010
Max FIPS Key Memory : 3996
Free FIPS Key Memory : 3994
Total SRAM Memory : 467348
Free SRAM Memory : 62564
Total Crypto Cores : 3
Enabled Crypto Cores : 1
Done
Note: If you upgrade the firmware to version 2.2, the firmware release date is replaced with the firmware build.
> show fips
FIPS HSM Info:
HSM Label : Citrix ADC FIPS
Initialization : FIPS-140-2 Level-2
HSM Serial Number : 3.0G1235-ICM000264
HSM State : 2
HSM Model : NITROX XL CN1620-NFBE
Hardware Version : 2.0-G
Firmware Version : 2.2
Firmware Build : NFBE-FW-2.2-130009
Max FIPS Key Memory : 3996
Free FIPS Key Memory : 3958
Total SRAM Memory : 467348
Free SRAM Memory : 50524
Total Crypto Cores : 3
Enabled Crypto Cores : 3
Done
<!--NeedCopy-->
Configure the HSM on an MPX 9700/10500/12500/15500 FIPS appliance by using the GUI
-
Navigate to Traffic Management > SSL > FIPS.
-
In the details pane, on the FIPS Infotab, click Reset FIPS.
-
In the navigation pane, click System.
-
In the details pane, click Reboot.
-
In the details pane, on the FIPS Info tab, click Initialize HSM.
-
In the Initialize HSM dialog box, specify values for the following parameters:
- Security Officer (SO) Password*—new SO password
- Old SO Password*—old SO password
- User Password*—user password
- Level—initHSM (Currently set to Level2 and cannot be changed)
- HSM Label—hsmLabel
*A required parameter
-
Click OK.
-
In the details pane, click Save.
-
In the navigation pane, click System.
-
In the details pane, click Reboot.
-
Under FIPS HSM Info, verify that the information displayed is correct for the FIPS HSM that you configured.
Create and transfer FIPS keys
After configuring the HSM of your FIPS appliance, you are ready to create a FIPS key. The FIPS key is created in the appliance’s HSM. You can then export the FIPS key to the appliance’s CompactFlash card as a secured backup. Exporting the key also enables you to transfer it by copying it to the /flash of another appliance and then importing it into the HSM of that appliance. Enable SIM between two standalone nodes before you export and transfer the keys. In an HA setup, if one of the nodes is replaced with a new appliance, enable SIM between this new appliance and the existing appliance of the HA setup before you export or import FIPS keys.
Instead of creating a FIPS key, you can import an existing FIPS key or import an external key as a FIPS key. If you are adding a certificate-key pair of 2048 bits on the MPX 9700/10500/12500/15500 FIPS appliances, make sure that you have the correct certificate and key pair.
Note: If you are planning an HA setup, make sure that the FIPS appliances are configured in an HA setup before creating a FIPS key.
Create FIPS keys
Before creating a FIPS key, make sure that the HSM is configured.
Specify the key type (RSA or ECDSA) and specify the curve for ECDSA keys.
Create a FIPS key by using the GUI
- Navigate to Traffic Management > SSL > FIPS.
- In the details pane, on the FIPS Keys tab, click Add.
-
In the Create FIPS Key dialog box, specify values for the following parameters:
- FIPS Key Name*—fipsKeyName
- Modulus*—modulus
- Exponent*—exponent
*A required parameter
- Click Create, and then click Close.
- On the FIPS Keys tab, verify that the settings displayed for the FIPS key that you created are correct.
Create a FIPS key by using the CLI
At the command prompt, type the following commands to create a FIPS key and verify the settings:
create ssl fipsKey <fipsKeyName> -modulus <positive_integer> [-exponent ( 3 | F4 )]
show ssl fipsKey [<fipsKeyName>]
<!--NeedCopy-->
Example:
create fipskey Key-FIPS-1 -keytype RSA -modulus 2048 -exponent 3
show ssl fipsKey Key-FIPS-1
FIPS Key Name: Key-FIPS-1 Key Type: RSA Modulus: 2048 Public Exponent: F4 (Hex: 0x10001)
<!--NeedCopy-->
Export FIPS keys
Citrix recommends that you create a backup of any key created in the FIPS HSM. If a key in the HSM is deleted, there is no way to create the same key again, and all the certificates associated with it are rendered useless.
In addition to exporting a key as a backup, you might need to export a key for transfer to another appliance.
The following procedure provides instructions on exporting a FIPS key to the /nsconfig/ssl folder on the appliance’s CompactFlash and securing the exported key by using a strong asymmetric key encryption method.
Export a FIPS key by using the CLI
At the command prompt, type:
export ssl fipsKey <fipsKeyName> -key <string>
<!--NeedCopy-->
Example:
export fipskey Key-FIPS-1 -key Key-FIPS-1.key
<!--NeedCopy-->
Export a FIPS key by using the GUI
-
Navigate to Traffic Management > SSL > FIPS.
-
In the details pane, on the FIPS Keys tab, click Export.
-
In the Export FIPS key to a file dialog box, specify values for the following parameters:
- FIPS Key Name*—fipsKeyName
- File Name*—key (To put the file in a location other than the default, you can either specify the complete path or click the Browse button and navigate to a location.)
*A required parameter
-
Click Export, and then click Close.
Import an existing FIPS key
To use an existing FIPS key with your FIPS appliance, you need to transfer the FIPS key from the hard disk of the appliance into its HSM.
Note: To avoid errors when importing a FIPS key, ensure that the imported key name is the same as the original key name when it was created.
Import a FIPS key on the MPX 9700/10500/12500/15500 FIPS appliances by using the CLI
At the command prompt, type the following commands to import a FIPS key and verify the settings:
- import ssl fipsKey <fipsKeyName> -key <string> -inform SIM -exponent (F4 | 3)
- show ssl fipskey <fipsKeyName>
<!--NeedCopy-->
Example:
import fipskey Key-FIPS-2 -key Key-FIPS-2.key -inform SIM -exponent F4
show ssl fipskey key-FIPS-2
FIPS Key Name: Key-FIPS-2 Modulus: 2048 Public Exponent: F4 (Hex value 0x10001)
<!--NeedCopy-->
Import a FIPS key by using the GUI
-
Navigate to Traffic Management > SSL > FIPS.
-
In the details pane, on the FIPS Keys tab, click Import.
-
In the Import as a FIPS Key dialog box, select the FIPS key file and set values for the following required parameters:
- FIPS Key Name
- Key File Name—To put the file in a location other than the default, you can either specify the complete path or click Browse and navigate to a location.
- Exponent
-
Click Import, and then click Close.
-
On the FIPS Keys tab, verify that the settings displayed for the FIPS key that you imported are correct.
Import an external key
In addition to transferring FIPS keys that are created within the Citrix ADC appliance’s HSM, you can transfer external private keys (such as keys created on a standard Citrix ADC, Apache, or IIS) to a FIPS Citrix ADC appliance. External keys are created outside the HSM, by using a tool such as OpenSSL. Before importing an external key into the HSM, copy it to the appliance’s flash drive under /nsconfig/ssl
.
On the MPX 9700/10500/12500/15500 FIPS appliances, the -exponent parameter in the import ssl fipskey
command is not required while importing an external key. The correct public exponent is detected automatically when the key is imported, and the value of the -exponent parameter is ignored.
The Citrix ADC FIPS appliance does not support external keys with a public exponent other than 3 or F4.
You do not need a wrap key on the MPX 9700/10500/12500/15500 FIPS appliances.
You cannot import an external, encrypted FIPS key directly to an MPX 9700/10500/12500/15500 FIPS appliance. To import the key you need to first decrypt the key, and then import it. To decrypt the key, at the shell prompt, type:
openssl rsa -in <EncryptedKey.key> > <DecryptedKey.out>
<!--NeedCopy-->
Note: If you import an RSA key as a FIPS key, Citrix recommends that you delete the RSA key from the appliance for security purposes.
Import an external key as a FIPS key to an MPX 9700/10500/12500/15500 FIPS appliance by using the CLI
- Copy the external key to the appliance’s flash drive.
-
If the key is in .pfx format, you must first convert it to PEM format. At the command prompt, type:
convert ssl pkcs12 <output file> -import -pkcs12File <input .pfx file name> -password <password> <!--NeedCopy-->
-
At the command prompt, type the following commands to import the external key as a FIPS key and verify the settings:
import ssl fipsKey <fipsKeyName> -key <string> -informPEM show ssl fipskey<fipsKeyName> <!--NeedCopy-->
Example:
convert ssl pkcs12 iis.pem -password 123456 -import -pkcs12File iis.pfx
import fipskey Key-FIPS-2 -key iis.pem -inform PEM
show ssl fipskey key-FIPS-2
FIPS Key Name: Key-FIPS-2 Modulus: 0 Public Exponent: F4 (Hex value 0x10001)
<!--NeedCopy-->
Import an external key as a FIPS key to an MPX 9700/10500/12500/15500 FIPS appliance by using the GUI
-
If the key is in .pfx format, you must first convert it to PEM format.
- Navigate to Traffic Management > SSL.
- In the details pane, under Tools, click Import PKCS#12.
- In the Import PKCS12 File dialog box, set the following parameters:
- Output File Name*
- PKCS12 File Name*—Specify the .pfx file name.
- Import Password*
- Encoding Format *A required parameter
-
Navigate to Traffic Management > SSL > FIPS.
-
In the details pane, on the FIPS Keys tab, click Import.
-
In the Import as a FIPS Key dialog box, select PEM file, and set values for the following parameters:
- FIPS Key Name*
- Key File Name*—To put the file in a location other than the default, you can either specify the complete path or click Browse and navigate to a location.
*A required parameter
-
Click Import, and then click Close.
-
On the FIPS Keys tab, verify that the settings displayed for the FIPS key that you imported are correct.