ADC

MPX FIPS appliances

September 11, 2024

Contributed by:

The NetScaler MPX 8900 FIPS, MPX 9100 FIPS, and MPX 15000-50G FIPS appliances are in the process of being validated (currently in IUT https://csrc.nist.gov/projects/cryptographic-module-validation-program/modules-in-process/iut-list) by a third party laboratory for the security requirements of FIPS 140-3 Level 1. More information about the FIPS 140-3 standard and validation program is available on the National Institute of Standards and Technology (NIST) and the Canadian Center for Cyber Security (CCCS) Cryptographic Module Validation Program (CMVP) website at https://csrc.nist.gov/projects/cryptographic-module-validation-program.

Notes

The MPX 8900 FIPS, MPX 9100 FIPS, and the MPX 15000-50G FIPS appliances no longer use a third-party Hardware Security Module. The requirements to be FIPS validated are built into the system.

Only the firmware versions listed under “NetScaler Release 13.1-FIPS” in the NetScaler downloads page are supported on the MPX 8900 FIPS, MPX 9100 FIPS, MPX 15000-50G FIPS, and VPX FIPS platforms.

If you have configured classic policies on your NetScaler FIPS appliance running 12.1-FIPS software version, see https://support.citrix.com/article/CTX234821/citrix-adc-deprecated-classic-policy-based-features-and-functionalities-faqs before performing an upgrade to 13.1-FIPS.

TLS 1.3 on 13.1-FIPS can only be configured using enhanced SSL profiles. For more information on how to configure TLS 1.3 using profiles, see TLS 1.3 protocol support as defined in RFC 8446.

Prerequisites

FIPS platform license in addition to a bandwidth license.

Ciphers supported on MPX 8900 FIPS, MPX 9100 FIPS, and MPX 15000-50G FIPS appliances

All ciphers supported on a NetScaler MPX/SDX 14000 FIPS appliance, except the 3DES cipher, are supported on the MPX 8900, MPX 9100 FIPS, and MPX 15000-50G FIPS appliances. For the complete list of ciphers supported on these appliances, see Cipher support on NetScaler VPX FIPS and MPX FIPS appliances.

Upgrade an MPX FIPS appliance

Follow the steps in Upgrade a NetScaler standalone appliance to upgrade the MPX FIPS appliance.

Note:

When you upgrade to release 13.1 FIPS build 37.159 or later, adding a certificate-key pair using pfx files fails.

Workaround: Use FIPS-certified ciphers, such as AES256, to create a pfx file before the upgrade.

Example:
root@ns# cd /nsconfig/ssl/
root@ns# openssl pkcs12 -export -out example.name.pfx -inkey example.key -in example.pem -certpbe AES-256-CBC -keypbe AES-256-CBC

Limitation

TACACS authentication is not supported on the MPX FIPS appliance.

Configuration

After the appliance starts, run the following command at the CLI:
```
> show system fipsStatus

```

You must get the following output.

FipsStatus: "System is operating in FIPS mode"
Done
>
<!--NeedCopy-->

In case you get the following output, check the license.

FipsStatus: "System is operating in non FIPS mode"
Done
>
<!--NeedCopy-->

Perform the following steps to initialize the MPX appliance for the FIPS mode of operation.

Enforce strong passphrase requirements.
Replace the default TLS certificate.
Disable HTTP access to the web GUI.
After initial configuration, disable local authentication and configure remote authentication using LDAP.

Enforce strong passphrase requirements using the GUI

Passphrases are used to derive keys using PBKDF2. As an admin, enable strong passphrase requirements using the GUI.

Navigate to System > Settings.
In the Settings section, click Change Global System Settings.
In the Strong Password field, select Enable All.
In the Min Password Length field, type “8.”
Click OK.

Replace the default TLS certificate

By default, the MPX FIPS appliance includes a factory-provisioned RSA certificate for TLS connections (ns-server.cert and ns-server.key). This certificate is not intended for use in production deployments and must be replaced. Replace the default certificate with a new certificate after the initial installation.

To replace the default TLS certificate:

At the command prompt, type the following command to set the host name of the appliance.

set ns hostName <hostname>

Create a Certificate Signing Request (CSR) using the GUI

Navigate to Traffic Management > SSL > SSL Files.
In the CSR tab, click Create Certificate Signing Request (CSR).
Enter the values and click Create.

Note

The Common Name field contains the value of the host name set using the ADC CLI.
Submit the CSR file to a trusted certificate authority (CA). The CSR file is available in the /nsconfig/ssl directory.
After receiving the certificate from the CA, copy the file to the /nsconfig/ssl directory.
Navigate to Traffic Management > SSL > Certificates > Server Certificates.
Select ns-server-certificate.
Click Update.
Click Update the certificate and key.
In the Certificate File Name field, choose the certificate file that was received from the certificate authority (CA). Choose Local if the file is on your local computer. Otherwise, choose Appliance.
In the Key File Name field, specify the default private key file name (ns-server.key).
Select the No Domain Check option.
Click OK.

Disable HTTP access to the web GUI

To protect traffic to the administrative interface and web GUI, the appliance must be configured to use HTTPS. After adding new certificates, use the CLI to disable HTTP access to the GUI management interface.

At the command prompt, type:

set ns ip <NSIP> -gui SECUREONLY

Disable local authentication and configure remote authentication using LDAP

The superuser account is a default account with root CLI access privileges that is required for initial configuration. During initial configuration, disable local system authentication to block access to all local accounts (including the superuser account), and to ensure that superuser privileges are not assigned to any user account.

To disable local system authentication and enable external system authentication using the CLI:

At the command prompt, type:

set system parameter -localauth disabled

Follow the instructions in Configuring LDAP authentication to configure external system authentication to use LDAP.

Configure remote authentication using RADIUS

You can configure RADIUS authentication on FIPS environments.

Note:

The Test RADIUS Reachability option is not supported for RADIUS.

Configure RADIUS over TLS by using the CLI

At the command prompt type:

add authentication radiusAction <name> [-serverIP] [-serverPort ] [-transport <transport>] [-targetLBVserver <string>]
<!--NeedCopy-->

Example

add authentication radiusAction RadAction -serverIP 1.1.1.1 -radkey 123 -transport TLS -targetLBVserver rad-lb
<!--NeedCopy-->

Note:

For the TLS transport type, configure a target load balancing virtual server of type TCP and bind a service of type SSL_TCP to this virtual server.

Server name is not supported.

The IP address and the port number configured for RADIUS action must match the IP address and port number of the configured target load balancing virtual server.

Configure RADIUS over TLS by using the GUI

Navigate to Security > AAA - Application Traffic > Policies > Authentication > Advanced Policies > Actions > Servers.
Select an existing server or create a server.

For details about creating a server, see To configure a RADIUS server by using the GUI.
In Transport, select TLS.
In Target Load Balancing Virtual Server, select the virtual server. For details about creating a load balancing virtual server, see Creating a virtual server.
Note:
- For the TLS transport type, configure a target load balancing virtual server of type TCP and bind a service of type SSL_TCP to this virtual server.
- Server name is not supported.
- The IP address and the port number configured for RADIUS action must match the IP address and port number of the configured target load balancing virtual server.
Click Create.

The official version of this content is in English. Some of the Cloud Software Group documentation content is machine translated for your convenience only. Cloud Software Group has no control over machine-translated content, which may contain errors, inaccuracies or unsuitable language. No warranty of any kind, either expressed or implied, is made as to the accuracy, reliability, suitability, or correctness of any translations made from the English original into any other language, or that your Cloud Software Group product or service conforms to any machine translated content, and any warranty provided under the applicable end user license agreement or terms of service, or any other agreement with Cloud Software Group, that the product or service conforms with any documentation shall not apply to the extent that such documentation has been machine translated. Cloud Software Group will not be held responsible for any damage or issues that may arise from using machine-translated content.

Was this helpful

MPX FIPS appliances

September 11, 2024

Contributed by:

September 11, 2024

Contributed by:

MPX FIPS appliances

Prerequisites

Ciphers supported on MPX 8900 FIPS, MPX 9100 FIPS, and MPX 15000-50G FIPS appliances

Upgrade an MPX FIPS appliance

Limitation

Configuration

Enforce strong passphrase requirements using the GUI

Replace the default TLS certificate

Create a Certificate Signing Request (CSR) using the GUI

Disable HTTP access to the web GUI

Disable local authentication and configure remote authentication using LDAP

Configure remote authentication using RADIUS

Configure RADIUS over TLS by using the CLI

Configure RADIUS over TLS by using the GUI

In this article