Forum Discussion
Moving FIPS keys from 8900 to 10200
Hello,
According to DOC, it seems likely FIPS-2 keys sync is not possible between 8900 and 10200 due to FIPS hardware difference (no exact platform mention, but it's close enough): https://support.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/bigip-platform-fips-administration.pdf?sr=32944290
Important: Because of hardware differences, it is not possible to synchronize security domains between the newer platforms (10000/11000/11050 platforms) and older platforms (6900/8900 platforms).
- Q: Assuming identical software version and security world configuration - is there an alternate way to move FIPS keys from 8900 to 10200?
Regards,
1 Reply
- Leonardo_Souza
My understanding is that the limitation applies if you want to have the 2 devices in an HA pair and have them sync the FIPS keys automatically.
If you just want to migrate the keys to a new hardware:
1 - Initialize the FIPS card in the new device, with the same SO and Domain as the old one.
2 - Export the keys in the old device
3 - Import the keys in the new device
You will need to know the SO in the old device.
Let me know if you need the commands, as I have some notes I use every time I need to do some stuff with FIPS (and generally, it never works the first time).