VPX FIPS appliances

The NetScaler VPX FIPS appliance is in the process of being validated for FIPS 140-3 Level 1 by the National Institute of Standards and Technology (NIST); it is currently on the Implementation Under Test (IUT) list at https://csrc.nist.gov/projects/cryptographic-module-validation-program/modules-in-process/iut-list. More information about the FIPS 140-3 standard and validation program is available on the NIST and Canadian Centre for Cyber Security (CCCS) Cryptographic Module Validation Program (CMVP) website at https://csrc.nist.gov/projects/cryptographic-module-validation-program.

Prerequisites

  • For on-prem hypervisors, download the special build from the Citrix website. Download the complete VPX FIPS package for the respective hypervisor.

  • A NetScaler VPX FIPS appliance requires a FIPS instance license and bandwidth pool to function as expected in the pooled licensing model. For non-pooled licenses, a single VPX FIPS license of the required bandwidth capacity is required.

Configuration

The module is available as a software package that includes both the application software and the operating system. After purchasing the NetScaler VPX FIPS license, get the latest NetScaler VPX FIPS image from the Citrix website.

Perform the following steps:

  1. Upload the latest NetScaler VPX FIPS image to one of the following hypervisors: ESXi, Citrix Hypervisor, Hyper-V, KVM, AWS, Azure, or GCP.

    Note

    VPX FIPS is planned to be qualified on ESXi 7.0.3.

  2. Apply the NetScaler VPX FIPS Platform license and NetScaler VPX Bandwidth license, and warm reboot the appliance.

  3. After the appliance starts, run the following command at the CLI:

    > show system fipsStatus

    You must get the following output.

    FipsStatus: System is operating in FIPS mode
    Done

    If you get the following output instead, see the Troubleshooting section for steps to resolve the problem.

    FipsStatus: "System is operating in non FIPS mode"
    Done
    >

  4. Follow the configuration guidelines in the Secure Deployment Guide.

For information about remote authentication using RADIUS see Configure remote authentication using RADIUS.

Ciphers supported on a VPX FIPS appliance

All ciphers supported on a NetScaler MPX/SDX 14000 FIPS appliance, except the 3DES cipher, are supported on a VPX FIPS appliance. For the complete list of ciphers supported on a NetScaler VPX FIPS appliance, see the following topic:

Upgrade a VPX FIPS appliance

Follow the steps in Upgrade a NetScaler standalone appliance to upgrade the VPX FIPS appliance.

Important: Replace the ./installns command with ./installns -F.

Note:

When you upgrade to release 13.1 FIPS build 37.159 or later, adding a certificate-key pair using pfx files fails.

Workaround: Use FIPS-certified ciphers, such as AES256, to create a pfx file before the upgrade.

Example:

root@ns# cd /nsconfig/ssl/
root@ns# openssl pkcs12 -export -out example.name.pfx -inkey example.key -in example.pem -certpbe AES-256-CBC -keypbe AES-256-CBC

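The following script is an added example, not part of the NetScaler documentation: it builds a PFX the way the workaround above does and then inspects the PBE algorithms recorded in the file, so a file protected with legacy 3DES (the default in OpenSSL releases before 3.0) can be caught before it is uploaded to a VPX FIPS appliance. It requires the openssl CLI; the self-signed test certificate, file names and password are constructed here.

```shell
#!/bin/sh
# Added example (not NetScaler code): create a PFX with AES-256-CBC protection
# as the workaround describes, and verify the PBE algorithms before uploading it.
# Requires the openssl CLI. Key, certificate, names and password are constructed.
set -u
WORK="$(mktemp -d)"
PASS="pass:constructed-example-password"

# Self-signed key and certificate standing in for example.key / example.pem.
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=example.name" \
  -keyout "$WORK/example.key" -out "$WORK/example.pem" >/dev/null 2>&1

# make_pfx <output> <pbe>: wrap key and cert in a PFX using one PBE for both the
# certificate bag and the shrouded key bag. AES-256-CBC is the documented
# workaround; PBE-SHA1-3DES stands in for a legacy 3DES-protected file.
make_pfx() {
  openssl pkcs12 -export -out "$1" -inkey "$WORK/example.key" \
    -in "$WORK/example.pem" -certpbe "$2" -keypbe "$2" -passout "$PASS"
}

# pfx_pbe <pfx>: print the encryption algorithms recorded in the PFX.
# "openssl pkcs12 -info" writes these lines to stderr, hence 2>&1.
pfx_pbe() {
  openssl pkcs12 -in "$1" -info -noout -passin "$PASS" 2>&1 \
    | grep -E 'Encrypted data|Shrouded Keybag'
}

# pfx_is_fips_friendly <pfx>: succeed only if every bag uses AES-256-CBC and
# no DES/3DES/RC2-based PBE appears anywhere in the file.
pfx_is_fips_friendly() {
  algs="$(pfx_pbe "$1")"
  [ -n "$algs" ] || return 1
  printf '%s\n' "$algs" | grep -qiE 'DES|RC2' && return 1
  ! printf '%s\n' "$algs" | grep -v 'AES-256-CBC' | grep -q .
}

make_pfx "$WORK/aes.pfx"  AES-256-CBC
make_pfx "$WORK/3des.pfx" PBE-SHA1-3DES

for f in aes 3des; do
  if pfx_is_fips_friendly "$WORK/$f.pfx"; then
    echo "$f.pfx: OK, AES-256-CBC only"
  else
    echo "$f.pfx: REJECT, recreate with -certpbe/-keypbe AES-256-CBC"
  fi
done
```
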
Limitations

  • TACACS authentication is not supported on the VPX FIPS appliance.

  • VPX FIPS is a separate image. Upgrading from a VPX software version to a VPX FIPS software version is not supported, and a VPX FIPS software version cannot be upgraded or downgraded to a VPX software version.

  • The VPX FIPS image is not supported on NetScaler SDX or NetScaler SDX FIPS appliances.

Troubleshooting

When you run the show system fipsStatus command and the output is as follows:

FipsStatus: "System is operating in non FIPS mode"
Done
>

The reason might be one of the following:

  1. License is expired or incorrect.

  2. The system is unable to come up in FIPS mode. This error might be due to a POST failure on the management core or on a packet engine.

To resolve:

  1. Check that the correct NetScaler VPX FIPS license is installed and that the license has not expired.

  2. Check for Power-on self-test (POST) failure on the management core or on a packet engine. Run the following command:

    > shell
    # nsconmsg -g drbg -g ssl_err -g fips -d statswt0


    The nsssl_err_fips_post_failed counter increments if POST fails during bootup on the packet engine. That is, there is a data plane failure.

    If the counter does not increment, check the log file (/var/log/FIPS-post.log) for a failed algorithm test entry. That is, check for POST failure on the management core (control plane failure).

    In both cases, contact NetScaler support.
