NetScaler cryptographic recommendations

This section details some key steps that must be followed to ensure that cryptographic material is correctly secured on the NetScaler. It also provides information on how to configure NetScaler to use this material to protect NetScaler, back-end servers, and end users.

Managing TLS certificates and keys

Configuring TLS cipher suites for FIPS and NDcPP deployments

The following TLS cipher suites are supported for FIPS and NDcPP deployments.

  • TLS1-AES-256-CBC-SHA
  • TLS1-AES-128-CBC-SHA
  • TLS1-ECDHE-RSA-AES256-SHA
  • TLS1-ECDHE-RSA-AES128-SHA
  • TLS1.2-ECDHE-RSA-AES-256-SHA384
  • TLS1.2-ECDHE-RSA-AES-128-SHA256
  • TLS1.2-AES256-GCM-SHA384
  • TLS1.2-AES128-GCM-SHA256
  • TLS1.2-ECDHE-RSA-AES256-GCM-SHA384
  • TLS1.2-ECDHE-RSA-AES128-GCM-SHA256
  • TLS1.2-AES-256-SHA256
  • TLS1.2-AES-128-SHA256
  • TLS1-ECDHE-ECDSA-AES256-SHA
  • TLS1-ECDHE-ECDSA-AES128-SHA
  • TLS1.2-ECDHE-ECDSA-AES256-SHA384
  • TLS1.2-ECDHE-ECDSA-AES128-SHA256
  • TLS1.2-ECDHE-ECDSA-AES256-GCM-SHA384
  • TLS1.2-ECDHE-ECDSA-AES128-GCM-SHA256
  • TLS1.3-AES256-GCM-SHA384
  • TLS1.3-AES128-GCM-SHA256

    For the list of ciphers supported on MPX 14000 FIPS, see https://docs.netscaler.com/en-us/citrix-adc/downloads/cipher-support-on-netscaler-mpx-sdx-14000-fips.pdf.

To ensure that only the approved cipher suites are configured on NetScaler, complete the following configuration steps from the CLI:

  1. Unbind all ciphers from the virtual server:

    unbind ssl vs v1 -cipherName FIPS

  2. Bind only TLS1-AES-256-CBC-SHA and then TLS1-AES-128-CBC-SHA with the command:

    bind ssl vs v1 -cipherName <cipher>

    bind ssl vs v1 -cipherName TLS1-AES-256-CBC-SHA
    bind ssl vs v1 -cipherName TLS1-AES-128-CBC-SHA
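As an added check (example code written for this page, not from the NetScaler documentation or product): a small Python audit that reads bind lines in the form shown above and reports every cipher bound to a virtual server that is not on the approved list, so a configuration can be verified after the steps are run. The acceptance of `vserver` as well as `vs` in the bind syntax, and the sample configuration, are assumptions.

```python
import re

# Approved suites for FIPS / NDcPP deployments, copied from the list above.
FIPS_NDCPP_CIPHERS = frozenset({
    "TLS1-AES-256-CBC-SHA", "TLS1-AES-128-CBC-SHA",
    "TLS1-ECDHE-RSA-AES256-SHA", "TLS1-ECDHE-RSA-AES128-SHA",
    "TLS1.2-ECDHE-RSA-AES-256-SHA384", "TLS1.2-ECDHE-RSA-AES-128-SHA256",
    "TLS1.2-AES256-GCM-SHA384", "TLS1.2-AES128-GCM-SHA256",
    "TLS1.2-ECDHE-RSA-AES256-GCM-SHA384", "TLS1.2-ECDHE-RSA-AES128-GCM-SHA256",
    "TLS1.2-AES-256-SHA256", "TLS1.2-AES-128-SHA256",
    "TLS1-ECDHE-ECDSA-AES256-SHA", "TLS1-ECDHE-ECDSA-AES128-SHA",
    "TLS1.2-ECDHE-ECDSA-AES256-SHA384", "TLS1.2-ECDHE-ECDSA-AES128-SHA256",
    "TLS1.2-ECDHE-ECDSA-AES256-GCM-SHA384", "TLS1.2-ECDHE-ECDSA-AES128-GCM-SHA256",
    "TLS1.3-AES256-GCM-SHA384", "TLS1.3-AES128-GCM-SHA256",
})

# Matches the bind form used on this page; accepting "vserver" as well as
# "vs" is an assumption. Cipher names are compared exactly as written.
BIND_RE = re.compile(
    r"^\s*bind\s+ssl\s+(?:vs|vserver)\s+(\S+)\s+-cipherName\s+(\S+)", re.I)

def audit_cipher_bindings(config_lines):
    """Return {vserver: [bound names not on the approved list]} for every
    virtual server that has at least one such binding. Group aliases such
    as DEFAULT are flagged too: the approved list names individual suites,
    so any group binding needs manual review."""
    findings = {}
    for line in config_lines:
        m = BIND_RE.match(line)
        if not m:
            continue
        vserver, cipher = m.group(1), m.group(2)
        if cipher not in FIPS_NDCPP_CIPHERS:
            findings.setdefault(vserver, []).append(cipher)
    return findings

# Constructed sample in the page's bind syntax (not a real configuration);
# the non-approved names are illustrative only.
SAMPLE_CONFIG = """
bind ssl vs v1 -cipherName TLS1-AES-256-CBC-SHA
bind ssl vs v1 -cipherName TLS1-AES-128-CBC-SHA
bind ssl vserver v2 -cipherName DEFAULT
bind ssl vserver v2 -cipherName TLS1.2-ECDHE-RSA-AES128-GCM-SHA256
bind ssl vserver v2 -cipherName SSL3-DES-CBC3-SHA
""".strip().splitlines()

if __name__ == "__main__":
    for vs, bad in audit_cipher_bindings(SAMPLE_CONFIG).items():
        print(f"{vs}: non-approved bindings {bad}")
```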

Installing certificates and key pairs using a trusted CA

To obtain a certificate from a public or enterprise certificate authority (CA) you must first generate a private key and certificate signing request (CSR). Perform the following steps:

  1. Authenticate to the NetScaler CLI as a sysadmin or superuser.

  2. Create an RSA private key:

    create fipsKey m1 -keytype RSA -modulus 2048 -exponent F4

  3. Create the certificate signing request (CSR):

    create certreq csr_1 -fipsKeyName m1 -countryName IN -stateName BA -organizationName citrix

  4. Submit the CSR to the Certificate Authority.

For most commercial and enterprise CAs, the CSR is sent in an email request. However, the method of submission can vary across enterprise CA environments. The CA returns a valid certificate by email, but this action too can vary among enterprise CAs. After you receive the certificate from the CA, securely copy it to the /nsconfig/ssl directory.

Log in as a superuser or sysadmin and run the following command from the CLI:

    add ssl certKey ck_1 -cert cert1_1 -fipsKey m1

NetScaler FIPS recommendations

Configuring NetScaler SDX in a FIPS-based deployment

If you are an existing FIPS customer using NetScaler SDX for true multitenancy, use the FIPS certified NetScaler MPX to terminate TLS and forward traffic to the NetScaler SDX. Alternatively, a Thales external HSM can be used.

Change FIPS crypto card passwords

When using a FIPS certified version of NetScaler with a Hardware Security Module (HSM), change the default Security Officer (SO) password and set a new user password as follows. If you don't know the default SO password of a FIPS-enabled NetScaler, contact NetScaler Support.

Note: Only a super user or sysadmin can carry out this task.

    set ssl fips -initHSM Level-2 <soPassword> <oldSoPassword> <userPassword> [-hsmLabel <string>]

    save configuration

Parameters:

  • initHSM: FIPS initialization level. NetScaler currently supports Level-2 (FIPS 140-2). This argument is mandatory. Possible values: Level-2
  • hsmLabel: Label to identify the Hardware Security Module (HSM). Maximum length: 31

Note: All data on the FIPS card is erased with the preceding command.

Store the HSM password in a secure location

The password to the HSM must be stored in a secure location in accordance with your company’s operating procedures.

Note: The HSM is locked after three unsuccessful login attempts. When locked, it becomes nonoperational and you cannot alter its configuration.
