MPX FIPS appliances

The NetScaler MPX 8900 FIPS, MPX 9100 FIPS, and MPX 15000-50G FIPS appliances are in the process of being validated (currently in IUT https://csrc.nist.gov/projects/cryptographic-module-validation-program/modules-in-process/iut-list) by a third party laboratory for the security requirements of FIPS 140-3 Level 1. More information about the FIPS 140-3 standard and validation program is available on the National Institute of Standards and Technology (NIST) and the Canadian Center for Cyber Security (CCCS) Cryptographic Module Validation Program (CMVP) website at https://csrc.nist.gov/projects/cryptographic-module-validation-program.

Notes

• The MPX 8900 FIPS, MPX 9100 FIPS, and the MPX 15000-50G FIPS appliances no longer use a third-party Hardware Security Module. The requirements to be FIPS validated are built into the system.
• Only the firmware versions listed under “NetScaler Release 13.1-FIPS” in the NetScaler downloads page are supported on the MPX 8900 FIPS, MPX 9100 FIPS, MPX 15000-50G FIPS, and VPX FIPS platforms.
• If you have configured classic policies on your NetScaler FIPS appliance running 12.1-FIPS software version, see https://support.citrix.com/article/CTX234821/citrix-adc-deprecated-classic-policy-based-features-and-functionalities-faqs before performing an upgrade to 13.1-FIPS.
• TLS 1.3 on 13.1-FIPS can only be configured using enhanced SSL profiles. For more information on how to configure TLS 1.3 using profiles, see TLS 1.3 protocol support as defined in RFC 8446.

Prerequisites

• FIPS platform license in addition to a bandwidth license.

Ciphers supported on MPX 8900 FIPS, MPX 9100 FIPS, and MPX 15000-50G FIPS appliances

All ciphers supported on a NetScaler MPX/SDX 14000 FIPS appliance, except the 3DES cipher, are supported on the MPX 8900, MPX 9100 FIPS, and MPX 15000-50G FIPS appliances. For the complete list of ciphers supported on these appliances, see Cipher support on NetScaler VPX FIPS and MPX FIPS appliances.

Upgrade an MPX FIPS appliance

Follow the steps in Upgrade a NetScaler standalone appliance to upgrade the MPX FIPS appliance.

Note:

When you upgrade to release 13.1 FIPS build 37.159 or later, adding a certificate-key pair using pfx files fails.

Workaround: Use FIPS-certified ciphers, such as AES256, to create a pfx file before the upgrade.

Example:

root@ns# cd /nsconfig/ssl/
root@ns# openssl pkcs12 -export -out example.name.pfx -inkey example.key -in example.pem -certpbe AES-256-CBC -keypbe AES-256-CBC
<!--NeedCopy-->

Limitation

TACACS authentication is not supported on the MPX FIPS appliance.

Configuration

1. After the appliance starts, run the following command at the CLI:

   > show system fipsStatus
   <!--NeedCopy-->
   

2. You must get the following output.

   FipsStatus: "System is operating in FIPS mode"
   Done
   >
   <!--NeedCopy-->
   

3. In case you get the following output, check the license.

   FipsStatus: "System is operating in non FIPS mode"
   Done
   >
   <!--NeedCopy-->
   

Perform the following steps to initialize the MPX appliance for the FIPS mode of operation.

1. Enforce strong passphrase requirements.
2. Replace the default TLS certificate.
3. Disable HTTP access to the web GUI.
4. After initial configuration, disable local authentication and configure remote authentication using LDAP.

Enforce strong passphrase requirements using the GUI

Passphrases are used to derive keys using PBKDF2. As an admin, enable strong passphrase requirements using the GUI.

1. Navigate to System > Settings.
2. In the Settings section, click Change Global System Settings.
3. In the Strong Password field, select Enable All.
4. In the Min Password Length field, type “8.”
5. Click OK.

Replace the default TLS certificate

By default, the MPX FIPS appliance includes a factory-provisioned RSA certificate for TLS connections (ns-server.cert and ns-server.key). This certificate is not intended for use in production deployments and must be replaced. Replace the default certificate with a new certificate after the initial installation.

To replace the default TLS certificate:

1. At the command prompt, type the following command to set the host name of the appliance.

   set ns hostName <hostname>

Create a Certificate Signing Request (CSR) using the GUI

1. Navigate to Traffic Management > SSL > SSL Files.
2. In the CSR tab, click Create Certificate Signing Request (CSR).
3. Enter the values and click Create.

   Note

   The Common Name field contains the value of the host name set using the ADC CLI.

4. Submit the CSR file to a trusted certificate authority (CA). The CSR file is available in the /nsconfig/ssl directory.
5. After receiving the certificate from the CA, copy the file to the /nsconfig/ssl directory.
6. Navigate to Traffic Management > SSL > Certificates > Server Certificates.
7. Select ns-server-certificate.
8. Click Update.
9. Click Update the certificate and key.
10. In the Certificate File Name field, choose the certificate file that was received from the certificate authority (CA). Choose Local if the file is on your local computer. Otherwise, choose Appliance.
11. In the Key File Name field, specify the default private key file name (ns-server.key).
12. Select the No Domain Check option.
13. Click OK.

Disable HTTP access to the web GUI

To protect traffic to the administrative interface and web GUI, the appliance must be configured to use HTTPS. After adding new certificates, use the CLI to disable HTTP access to the GUI management interface.

At the command prompt, type:

set ns ip <NSIP> -gui SECUREONLY

Disable local authentication and configure remote authentication using LDAP

The superuser account is a default account with root CLI access privileges that is required for initial configuration. During initial configuration, disable local system authentication to block access to all local accounts (including the superuser account), and to ensure that superuser privileges are not assigned to any user account.

To disable local system authentication and enable external system authentication using the CLI:

At the command prompt, type:

set system parameter -localauth disabled

Follow the instructions in Configuring LDAP authentication to configure external system authentication to use LDAP.

Configure remote authentication using RADIUS

You can configure RADIUS authentication on FIPS environments.

Note:

The Test RADIUS Reachability option is not supported for RADIUS.

Configure RADIUS over TLS by using the CLI

At the command prompt type:

add authentication radiusAction <name> [-serverIP] [-serverPort ] [-transport <transport>] [-targetLBVserver <string>]
<!--NeedCopy-->

Example

add authentication radiusAction RadAction -serverIP 1.1.1.1 -radkey 123 -transport TLS -targetLBVserver rad-lb
<!--NeedCopy-->

Note:

• For the TLS transport type, configure a target load balancing virtual server of type TCP and bind a service of type SSL_TCP to this virtual server.
• Server name is not supported.
• The IP address and the port number configured for RADIUS action must match the IP address and port number of the configured target load balancing virtual server.

Configure RADIUS over TLS by using the GUI

1. Navigate to Security > AAA - Application Traffic > Policies > Authentication > Advanced Policies > Actions > Servers.

2. Select an existing server or create a server.

   For details about creating a server, see To configure a RADIUS server by using the GUI.

   

3. In Transport, select TLS.

4. In Target Load Balancing Virtual Server, select the virtual server. For details about creating a load balancing virtual server, see Creating a virtual server.

   Note:

   • For the TLS transport type, configure a target load balancing virtual server of type TCP and bind a service of type SSL_TCP to this virtual server.
   • Server name is not supported.
   • The IP address and the port number configured for RADIUS action must match the IP address and port number of the configured target load balancing virtual server.

5. Click Create.