FIPS: What goes in never comes out!
If you survived reading FIPS 140-2 and You! Then it may have left you with inevitable set of questions. I have my F5. It has a FIPs HSM (Hardware Security Module). Is there a button to turn it on? What happens if my system with the keys explodes? Why is the banana in a jar? All of these are very good questions, so let’s dive into answering them. First, what F5 platforms support a FIPs card? These F5 Platforms support FIPS as well as these Firepass platforms. Before we jump into the next steps, please read the following:
This process requires a service restart, it will affect traffic going across the system.
Initialization The HSM needs to be initialized prior to storing keys on it. To do that, log in to the command line of your system and enter in to the TMSH shell (use the command tmsh). First, confirm the system has the FIPS HSM, with the fips-util command:
run util fips-util info
Next, we initialize the card with: run util fips-util –f init
Are we reeeeaallllyy sure we want to do this? I’m all for it. Hitting enter gives us the ever popular message
Resetting the device
Once everything is initialized we are then presented with a prompt to enter a Security Officer Password as well as the security domain. These are two things that you DO NOT want to lose. Document and store them in a secure method. I recommend using some form of password vault.
For my environment, I created the security domain: monkeybusiness. Once it was all said and done, the identities created and device initialized, we are ready for the last step. To finish it all up we do:
restart sys service all
Ba daaa! Initialization is complete and we can move on to bigger and better things.
HSM Synchronization
As much as I love having all my eggs in one basket, I feel the need to have a little backup for my keys. There are a couple of different ways we can make sure to have some redundancy of our important bits.
1. Active/Standby Redundant Systems: This is just a good practice to have a HA Pair. When you add in the FIPS HSM, it becomes even more important.
2. Cold Storage Backup Unit: Configure a unit as if it was going to be HA pair. Then take the backup unit and store it away.
3. *NON-FIPS Compliant* Saving keys to another secure location.
For the first two options, you have to initialize the HSM on each unit. When you initialize them, you MUST use the same security domain (case sensitive). So for my units, the security domain on each unit must be set to monkeybusiness , if I want them to sync.
Once everything matches, run the fips sync to sync the security domains:
run util fips-card-sync <hostname or ip address>
Now you can sync your keys with the config sync process.
Now you can either leave them running as HA pair or take a unit down to be a cold box.
So, with those quick steps, you can get your FIPS HSM up and running. Stay tuned for the Tech Tip on Key Management!
|
- Dave_Gibbs_2016NimbostratusHi, please advise, your article states "a prompt to enter a Security Officer Password as well as the security domain. These are two things that you DO NOT want to lose." Then later it says "When you initialize them, you MUST use the same security domain (case sensitive)." It is my understanding that the SO password can be different on each HSM as long as the Security Domain is the same. I would have thought this would mean you could make a random sequence of numbers and letters up for the SO password and then do not store it anywhere? Have I misunderstood something?
To avoid confusion with the quote "a prompt to enter a Security Officer Password as well as the security domain. These are two things that you DO NOT want to lose."
Actually it's the domain name which matters. The password could be different. I learnt recently that Beginning in 10350, the SO passwords could be different. Earlier in 8900, it never worked from my experience.
If the above is wrong, please feel free to correct me.