Regarding SSL-offload on 6900 box (FIPS-HSM enable)

Question

I have four 6900 boxes (FIPS-HSM enable) which are handling traffic coming from above ha pair (3900 boxs). Now if these four 6900boxes have to off-load traffic for https://abc.com, do have to generated CSR request for each box (which means four private key) for CN-abc.com? or i can generate one CSR and use the same key & certificate ?

cheer

mishpan

hooleylist · Answer

Hi mishpan, 
&nbsp;  
&nbsp; I think you should be able to join each of the 6900s into the same FIPS domain and then generate a single CSR on one unit.  You could check the manual, test and/or open a case with F5 Support to confirm. 
&nbsp;  
&nbsp; Manual Chapter: BIG-IP Platform FIPS 140 Options 
&nbsp; https://support.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/bigip-platform-fips-administration/1.html 
&nbsp;  
&nbsp; Aaron

mishpan_70054 · Answer

Thanks for reply,  
&nbsp;  
&nbsp; but the problem here is that, as per design i con not put these 6900 under same domain. And they have to work separately.

hooleylist · Answer

If you can't add the FIPS devices to the same domain then I think you'll need to generate separate CSRs on each.  You could confirm this with F5 Support. 
&nbsp;  
&nbsp; Aaron

eduardo_n__1674 · Answer

Is the FIPS external HSM's (ie a networked one like Thales) or the integrated FIPS module (these models usually end in F)?&nbsp;

Forum Discussion

Regarding SSL-offload on 6900 box (FIPS-HSM enable)

Recent Discussions

F5 looses the token for the first call

iRule - Url rewrite and header replace and pool selection not working

Switch ssl profile based on weak cipher detection via IRULE

full-proxy HTTP2

Decode ObjectSID from Base64-encode string

Related Content

SSL Offload with HTTP/2.0

SSL Offloading for specific IPs or range of IPs

FIPS HSM License Installation

Query Regarding extramb

F5 SSL Offload behind Nginx Reverse Proxy

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS