MPX 9700/10500/12500/15500 FIPS appliances

Important! The MPX 9700/10500/12500/15500 FIPS platform has reached end of life.

The Federal Information Processing Standard (FIPS), issued by the US National Institute of Standards and Technologies, specifies the security requirements for a cryptographic module used in a security system. The NetScaler FIPS appliance complies with the second version of this standard, FIPS-140-2.

Note: Henceforth, all references to FIPS imply FIPS-140-2.

The FIPS appliance is equipped with a tamper-proof (tamper-evident) cryptographic module—and a Cavium CN1620-NFBE3-2.0-G on the MPX 9700/10500/12500/15500 FIPS appliances—designed to comply with the FIPS 140-2 Level-2 specifications. The Critical Security Parameters (CSPs), primarily the server’s private-key, are securely stored and generated inside the cryptographic module, also referred to as the Hardware Security Module (HSM). The CSPs are never accessed outside the boundaries of the HSM. Only the superuser can perform operations on the keys stored inside the HSM.

The following table summarizes the differences between standard NetScaler and NetScaler FIPS appliances.

Setting NetScaler appliance NetScaler FIPS appliance
Key storage On the hard disk On the FIPS card
Cipher support All ciphers FIPS approved ciphers
Accessing keys From the hard disk Not accessible

Configuring a FIPS appliance involves configuring the HSM immediately after completing the generic configuration process. You then create or import a FIPS key. After creating a FIPS key, you must export it for backup. You might also need to export a FIPS key so that you can import it to another appliance. For example, configuring FIPS appliances in a high availability setup requires transferring the FIPS key from the primary node to the secondary node immediately after completing the standard high availability setup.

You can upgrade the firmware version on the FIPS card from version 4.6.0 to 4.6.1. You can also reset an HSM that has been locked to prevent unauthorized logon. Only FIPS approved ciphers are supported on a NetScaler FIPS appliance.

HSM configuration

Before you can configure the HSM of your NetScaler FIPS appliance, you must complete the initial hardware configuration. For more information about MPX appliances, see Initial Configuration. For information about SDX appliances, click here.

Configuring the HSM of your NetScaler FIPS appliance erases all existing data on the HSM. To configure the HSM, you must be logged on to the appliance as the superuser. The HSM is preconfigured with default values for the Security Officer (SO) password and User password, which you use to configure the HSM or reset a locked HSM. The maximum length allowed for the password is 14 alphanumeric characters. Symbols are not allowed.

Important: Run the set ssl fips command only after first resetting the FIPS card and restarting the MPX FIPS appliance.

Although the FIPS appliance can be used with the default password values, you must modify them before using it. The HSM can be configured only when you log on to the appliance as the superuser and specify the SO and User passwords.

Important: Due to security constraints, the appliance does not provide a means for retrieving the SO password. Store a copy of the password safely. If you need to reinitialize the HSM, you need to specify this password as the old SO password.

Before initializing the HSM, you can upgrade to the latest build of the software. To upgrade to the latest build, see Upgrading or Downgrading the System Software.

After upgrading, verify that the /nsconfig/fips directory has been successfully created on the appliance.

Configure the HSM on the MPX 9700/10500/12500/15500 FIPS platform by using the CLI

After logging on to the appliance as the superuser and completing the initial configuration, at the command prompt, type the following commands to configure the HSM and verify the configuration:

show ssl fips

reset ssl fips

reboot

set ssl fips -initHSM Level-2 <newSOpassword> <oldSOpassword> <userPassword> [-hsmLabel <string>]

save ns config

reboot

show ssl fips
<!--NeedCopy-->

Example:

show fips

    FIPS Card is not configured
    Done
    reset fips
    reboot
    Are you sure you want to restart NetScaler (Y/N)? [N]:y

    set ssl fips -initHSM Level-2 sopin12345 so12345 user123 -hsmLabel cavium

    This command will erase all data on the FIPS card. You must save the configuration

    (saveconfig) after executing this command.


    Do you want to continue?(Y/N)y
    Done

    save ns config

    reboot

    Are you sure you want to restart NetScaler (Y/N)? [N]:y

    show fips

            FIPS HSM Info:
    HSM Label              : NetScaler FIPS
    Initialization         : FIPS-140-2 Level-2
    HSM Serial Number      : 2.1G1008-IC000021
    HSM State              : 2
    HSM Model              : NITROX XL CN1620-NFBE
    Firmware Version       : 1.1
    Firmware Release Date  : Jun04,2010
    Max FIPS Key Memory    : 3996
    Free FIPS Key Memory   : 3994
    Total SRAM Memory      : 467348
    Free SRAM Memory       : 62564
    Total Crypto Cores      : 3
    Enabled Crypto Cores    : 1
    Done

    Note: If you upgrade the firmware to version 2.2, the firmware release date is replaced with the firmware build.



    > show fips

    FIPS HSM Info:

    HSM Label                : NetScaler FIPS
    Initialization              : FIPS-140-2 Level-2
    HSM Serial Number    : 3.0G1235-ICM000264
    HSM State                : 2
    HSM Model               : NITROX XL CN1620-NFBE
    Hardware Version       : 2.0-G
    Firmware Version        : 2.2
    Firmware Build           : NFBE-FW-2.2-130009
    Max FIPS Key Memory : 3996
    Free FIPS Key Memory : 3958
    Total SRAM Memory    : 467348
    Free SRAM Memory     : 50524
    Total Crypto Cores      : 3
    Enabled Crypto Cores  : 3
    Done
<!--NeedCopy-->

Configure the HSM on the MPX 9700/10500/12500/15500 FIPS platform by using the GUI

  1. Navigate to Traffic Management > SSL > FIPS.

  2. In the details pane, on the FIPS Infotab, click Reset FIPS.

  3. In the navigation pane, click System.

  4. In the details pane, click Reboot.

  5. In the details pane, on the FIPS Info tab, click Initialize HSM.

  6. In the Initialize HSM dialog box, specify values for the following parameters:

    • Security Officer (SO) Password*—new SO password
    • Old SO Password*—old SO password
    • User Password*—user password
    • Level—initHSM (Currently set to Level2 and cannot be changed)
    • HSM Label—hsmLabel

    *A required parameter

  7. Click OK.

  8. In the details pane, click Save.

  9. In the navigation pane, click System.

  10. In the details pane, click Reboot.

  11. Under FIPS HSM Info, verify that the information displayed is correct for the FIPS HSM that you configured.

Create and transfer FIPS keys

After configuring the HSM of your FIPS appliance, you are ready to create a FIPS key. The FIPS key is created in the appliance’s HSM. You can then export the FIPS key to the appliance’s CompactFlash card as a secured backup. Exporting the key also enables you to transfer it by copying it to the /flash of another appliance and then importing it into the HSM of that appliance. Enable SIM between two standalone nodes before you export and transfer the keys. In a high availability setup, if one of the nodes is replaced with a new one, you must perform the following steps:

  1. Enable SIM between this new appliance and the existing appliance of the high availability setup.
  2. Export or import FIPS keys.

Instead of creating a FIPS key, you can import an existing FIPS key or import an external key as a FIPS key. If you are adding a certificate-key pair of 2048 bits on the MPX 9700/10500/12500/15500 FIPS appliances, make sure that you have the correct certificate and key pair.

Note: If you are planning a high availability setup, make sure that the FIPS appliances are configured in a high availability setup before creating a FIPS key.

Create FIPS keys

Before creating a FIPS key, make sure that the HSM is configured.

Specify the key type (RSA or ECDSA) and specify the curve for ECDSA keys.

Create a FIPS key by using the GUI

  1. Navigate to Traffic Management > SSL > FIPS.
  2. In the details pane, on the FIPS Keys tab, click Add.
  3. In the Create FIPS Key dialog box, specify values for the following parameters:

    • FIPS Key Name*—fipsKeyName
    • Modulus*—modulus
    • Exponent*—exponent

    *A required parameter

  4. Click Create, and then click Close.
  5. On the FIPS Keys tab, verify that the settings displayed for the FIPS key that you created are correct.

Create a FIPS key by using the CLI

At the command prompt, type the following commands to create a FIPS key and verify the settings:

create ssl fipsKey <fipsKeyName> -modulus <positive_integer> [-exponent ( 3 | F4 )]

show ssl fipsKey [<fipsKeyName>]
<!--NeedCopy-->

Example:

    create fipskey Key-FIPS-1 -keytype RSA -modulus 2048 -exponent 3

    show ssl fipsKey Key-FIPS-1

                FIPS Key Name: Key-FIPS-1 Key Type: RSA Modulus: 2048   Public Exponent: F4 (Hex: 0x10001)
<!--NeedCopy-->

Export FIPS keys

Citrix recommends that you create a backup of any key created in the FIPS HSM. If a key in the HSM is deleted, there is no way to create the same key again, and all the certificates associated with it are rendered useless.

In addition to exporting a key as a backup, you might need to export a key for transfer to another appliance.

The following procedure provides instructions on exporting a FIPS key to the /nsconfig/ssl folder on the appliance’s CompactFlash and securing the exported key by using a strong asymmetric key encryption method.

Export a FIPS key by using the CLI

At the command prompt, type:

export ssl fipsKey <fipsKeyName> -key <string>
<!--NeedCopy-->

Example:

export fipskey Key-FIPS-1 -key Key-FIPS-1.key
<!--NeedCopy-->

Export a FIPS key by using the GUI

  1. Navigate to Traffic Management > SSL > FIPS.

  2. In the details pane, on the FIPS Keys tab, click Export.

  3. In the Export FIPS key to a file dialog box, specify values for the following parameters:

    • FIPS Key Name*—fipsKeyName
    • File Name*—key (To put the file in a location other than the default, you can either specify the complete path or click the Browse button and navigate to a location.)

    *A required parameter

  4. Click Export, and then click Close.

Import an existing FIPS key

To use an existing FIPS key with your FIPS appliance, you need to transfer the FIPS key from the hard disk of the appliance into its HSM.

Note: To avoid errors when importing a FIPS key, make sure that the name of the key imported is the same as the original key name when it was created.

Import a FIPS key on the MPX 9700/10500/12500/15500 FIPS appliances by using the CLI

At the command prompt, type the following commands to import a FIPS key and verify the settings:

-  import ssl fipsKey <fipsKeyName> -key <string> -inform SIM -exponent (F4 | 3)
-  show ssl fipskey <fipsKeyName>
<!--NeedCopy-->

Example:

import fipskey Key-FIPS-2 -key Key-FIPS-2.key -inform SIM -exponent F4
show ssl fipskey key-FIPS-2
FIPS Key Name: Key-FIPS-2 Modulus: 2048   Public Exponent: F4 (Hex value 0x10001)
<!--NeedCopy-->

Import a FIPS key by using the GUI

  1. Navigate to Traffic Management > SSL > FIPS.

  2. In the details pane, on the FIPS Keys tab, click Import.

  3. In the Import as a FIPS Key dialog box, select FIPS key file and set values for the following parameters:

    • FIPS Key Name*
    • Key File Name*—To put the file in a location other than the default, you can either specify the complete path or click Browse and navigate to a location.
    • Exponent*

    *A required parameter

  4. Click Import, and then click Close.

  5. On the FIPS Keys tab, verify that the settings displayed for the FIPS key that you imported are correct.

Import an external key

You can transfer FIPS keys that are created within the NetScaler appliance’s HSM. You can also transfer external private keys (such as keys created on a standard NetScaler, Apache, or IIS) to a NetScaler FIPS appliance. External keys are created outside the HSM, by using a tool such as OpenSSL. Before importing an external key into the HSM, copy it to the appliance’s flash drive under /nsconfig/ssl.

On the MPX 9700/10500/12500/15500 FIPS appliances, the -exponent parameter in the import ssl fipskey command is not required while importing an external key. The correct public exponent is detected automatically when the key is imported, and the value of the -exponent parameter is ignored.

The NetScaler FIPS appliance does not support external keys with a public exponent other than 3 or F4.

You do not need a wrap key on the MPX 9700/10500/12500/15500 FIPS appliances.

You cannot import an external, encrypted FIPS key directly to an MPX 9700/10500/12500/15500 FIPS appliance. To import the key you need to first decrypt the key, and then import it. To decrypt the key, at the shell prompt, type:

openssl rsa -in <EncryptedKey.key> > <DecryptedKey.out>
<!--NeedCopy-->

Note: If you import an RSA key as a FIPS key, Citrix recommends that you delete the RSA key from the appliance for security purposes.

Import an external key as a FIPS key to an MPX 9700/10500/12500/15500 FIPS appliance by using the CLI

  1. Copy the external key to the appliance’s flash drive.
  2. If the key is in .pfx format, you must first convert it to PEM format. At the command prompt, type:

    convert ssl pkcs12 <output file> -import -pkcs12File <input .pfx file name> -password <password>
    <!--NeedCopy-->
    
  3. At the command prompt, type the following commands to import the external key as a FIPS key and verify the settings:

    import ssl fipsKey <fipsKeyName> -key <string> -informPEM
    show ssl fipskey<fipsKeyName>
    <!--NeedCopy-->
    

Example:

convert ssl pkcs12 iis.pem -password 123456 -import -pkcs12File iis.pfx

import fipskey Key-FIPS-2 -key iis.pem -inform PEM

show ssl fipskey key-FIPS-2

FIPS Key Name: Key-FIPS-2 Modulus: 0   Public Exponent: F4 (Hex value 0x10001)
<!--NeedCopy-->

Import an external key as a FIPS key to an MPX 9700/10500/12500/15500 FIPS appliance by using the GUI

  1. If the key is in .pfx format, you must first convert it to PEM format.

    1. Navigate to Traffic Management > SSL.
    2. In the details pane, under Tools, click Import PKCS#12.
    3. In the Import PKCS12 File dialog box, set the following parameters:
      • Output File Name*
      • PKCS12 File Name*—Specify the .pfx file name.
      • Import Password*
      • Encoding Format *A required parameter
  2. Navigate to Traffic Management > SSL > FIPS.

  3. In the details pane, on the FIPS Keys tab, click Import.

  4. In the Import as a FIPS Key dialog box, select PEM file, and set values for the following parameters:

    • FIPS Key Name*
    • Key File Name*—To put the file in a location other than the default, you can either specify the complete path or click Browse and navigate to a location.

    *A required parameter

  5. Click Import, and then click Close.

  6. On the FIPS Keys tab, verify that the settings displayed for the FIPS key that you imported are correct.

MPX 9700/10500/12500/15500 FIPS appliances