For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

Chris_FP's avatar
Chris_FP
Icon for Cirrus rankCirrus
May 23, 2014

FIPS card - How to tell if it has been initialised

We have some 8900 LTM's that have a FIPS card installed. Long story short is that we need to re-use these boxes in a non-FIPS mode. The boxes have never been put live but they are installed and on t...
application delivery
deployment
LTM
TMSH
Cory_50405's avatar
Cory_50405
Icon for Noctilucent rankNoctilucent
May 23, 2014

I have some FIPS boxes and here's what I've found from testing. If you run 'fipsutil info' from bash shell, there can be two results:

Uninitialized FIPS card will present an error like this:

fipsutil error (line 1159): Library Initialization : 0x05 : Undefined Error Code

Initialized FIPS card will display something like this:

 

Label:             F5FIPS
HSM Serial Number: xxxxxxx
Hardware ID:       0x0
Firmware Version:  4.7.1
Total FLASH:       14286412
Free FLASH:        14239436
Total SRAM:        16984736
Free SRAM:         16979488

 

As Kevin states though, keys don't have to be stored in the HSM even though it's initialized. You can create keys without putting them in the HSM. You can also move them to the HSM at a later point if you so choose.

Chris_FP's avatar
Chris_FP
Icon for Cirrus rankCirrus
May 23, 2014
thanks Cory. It's not so much the "is it protected by FIPS", more the "which SSL 'engine' will be used to process SSL requests - The FIPS card or the F5 SSL card". It was my understanding that if the FIPS card is initialised then all SSL goes via the FIPS card and thus the SSL performance for an 8900 drops from 10,000 TPS to 4,000 TPS. This is the crucial bit as we're expecting around 6-7,000 TPS