NetScaler secure deployment guide

NetScaler cryptographic recommendations

August 20, 2024

Contributed by:

This section details some key steps that must be followed to ensure that cryptographic material is correctly secured on the NetScaler. It also provides information on how to configure NetScaler to use this material to protect NetScaler, back-end servers, and end users.

Managing TLS certificates and keys

Configuring TLS cipher suites for FIPS and NDcPP deployments

The following TLS cipher suites are supported for FIPS and NDcPP deployments.

TLS1-AES-256-CBC-SHA
TLS1-AES-128-CBC-SHA
TLS1-ECDHE-RSA-AES256-SHA
TLS1-ECDHE-RSA-AES128-SHA
TLS1.2-ECDHE-RSA-AES-256-SHA384
TLS1.2-ECDHE-RSA-AES-128-SHA256
TLS1.2-AES256-GCM-SHA384
TLS1.2-AES128-GCM-SHA256
TLS1.2-ECDHE-RSA-AES256-GCM-SHA384
TLS1.2-ECDHE-RSA-AES128-GCM-SHA256
TLS1.2-AES-256-SHA256
TLS1.2-AES-128-SHA256
TLS1-ECDHE-ECDSA-AES256-SHA
TLS1-ECDHE-ECDSA-AES128-SHA
TLS1.2-ECDHE-ECDSA-AES256-SHA384
TLS1.2-ECDHE-ECDSA-AES128-SHA256
TLS1.2-ECDHE-ECDSA-AES256-GCM-SHA384
TLS1.2-ECDHE-ECDSA-AES128-GCM-SHA256
TLS1.3-AES256-GCM-SHA384
TLS1.3-AES128-GCM-SHA256

For the list of ciphers supported on MPX 14000 FIPS, see https://docs.netscaler.com/en-us/citrix-adc/downloads/cipher-support-on-netscaler-mpx-sdx-14000-fips.pdf.

To ensure that only the approved cipher suites are configured on NetScaler, complete the following configuration steps from the CLI:

Unbind all ciphers from the virtual server

unbind ssl vs v1 –cipherName FIPS
<!--NeedCopy-->

Bind only TLS1-AES-256-CBC-SHA and then TLS1-AES-128-CBC-SHA with the command:

bind ssl vs v1 –cipherName <cipher>

bind ssl vs v1 -cipherName TLS1-AES-256-CBC-SHA
<!--NeedCopy-->

Installing certificates and key pairs using a trusted CA:

To obtain a certificate from a public or enterprise certificate authority (CA) you must first generate a private key and certificate signing request (CSR). Perform the following steps:

Authenticate to the NetScaler CLI as a sysadmin or superuser.

Create an RSA private key.

create fipsKey m1 -keytype RSA -modulus 2048 -exponent F4
<!--NeedCopy-->

Create the certificate signing request (CSR):

create certreq csr_1 -fipsKeyName m1 -countryName IN -stateName BA -organizationName citrix
<!--NeedCopy-->

Submit the CSR to the Certificate Authority.

For most commercial and enterprise CAs, the CSR is sent in an email request. However, the method of submission can vary across enterprise CA environments. The CA returns a valid certificate by email, but this action too can vary among enterprise CAs. After you receive the certificate from the CA, securely copy it to the /nsconfig/ssl directory.

Log in as a superuser or sysadmin and run the following command from the CLI: > add ssl certKey ck_1 -cert cert1_1 -fipsKey m1

NetScaler -FIPS recommendations

Configuring NetScaler SDX in a FIPS-based deployment

If you are an existing FIPS customer and using NetScaler SDX for true multitenancy, use the FIPS certified NetScaler MPX for terminating TLS and forwarding traffic to the NetScaler SDX. Alternatively, it is possible to use a Thales external HSM. Change FIPS crypto card passwords when using a FIPS certified version of NetScaler with a Hardware Security Module (HSM), change the default Security officer (SO) and set a new user password as follows. If you don’t know the default SO password of a FIPS-enabled NetScaler, contact NetScaler Support. Note: Only a super user or sysadmin can carry out this task.

set ssl fips -initHSM Level-2 <soPassword> <oldSoPassword> <user-Password> [-hsmLabel <string>]

save configuration

initHSM
<!--NeedCopy-->

FIPS initialization level. NetScaler currently supports Level-2 (FIPS 140-2). This argument is mandatory. Possible values: Level-2

hsmLabel

Label to identify the Hardware Security Module (HSM).

Maximum Length: 31

Note: All data on the FIPS card is erased with the preceding command.

Store the HSM password in a secure location

The password to the HSM must be stored in a secure location in accordance with your company’s operating procedures.

Note: The HSM is locked after three unsuccessful login attempts. When locked, it becomes nonoperational and you cannot alter its configuration.

The official version of this content is in English. Some of the Cloud Software Group documentation content is machine translated for your convenience only. Cloud Software Group has no control over machine-translated content, which may contain errors, inaccuracies or unsuitable language. No warranty of any kind, either expressed or implied, is made as to the accuracy, reliability, suitability, or correctness of any translations made from the English original into any other language, or that your Cloud Software Group product or service conforms to any machine translated content, and any warranty provided under the applicable end user license agreement or terms of service, or any other agreement with Cloud Software Group, that the product or service conforms with any documentation shall not apply to the extent that such documentation has been machine translated. Cloud Software Group will not be held responsible for any damage or issues that may arise from using machine-translated content.

Was this helpful

NetScaler cryptographic recommendations

August 20, 2024

Contributed by:

August 20, 2024

Contributed by:

NetScaler cryptographic recommendations

Managing TLS certificates and keys

Configuring TLS cipher suites for FIPS and NDcPP deployments

NetScaler -FIPS recommendations

Configuring NetScaler SDX in a FIPS-based deployment

Store the HSM password in a secure location

In this article