Configuring and Maintaining a FIPS Security Domain


Release Date: 12/22/04

Updated: 04/19/05

Summary:

This technical note describes how to configure and use the FIPS solution added in BIG-IP version 9.0.3.

Contents:

- Understanding the BIG-IP FIPS implementation
- Installing the BIG-IP systems and connecting a serial console
- Creating the FIPS security domain
    - Initializing the first unit in a redundant system
    - Initializing the peer system
- Running the Configuration utility
- Running the fipscardsync utility
- Generating and managing FIPS keys
- Planning for system recovery
- Contacting F5 Networks

Understanding the BIG-IP FIPS implementation

The BIG-IP includes the option to install a FIPS hardware security module (HSM). With this release, the HSM and the BIG-IP key management software provide FIPS 140 Level 2 support. This level of support provides the following security benefits.

  • Keys are stored in the HSM where they are protected from physical and software attacks.
  • Keys can never be extracted in plain text format.

This document describes how to configure a redundant system from the factory with one FIPS HSM installed in each unit. To implement a FIPS solution in a BIG-IP redundant system, you must perform the following tasks. Some of these tasks are described in other documents; where that is the case, the corresponding section of this document points to the related documentation.

  • Install the BIG-IP systems and connect a serial console.
  • Create the FIPS security domain from the console.
  • Run the Configuration utility.
  • Run the fipscardsync utility to synchronize the FIPS HSMs from the console.
  • Create a traffic management configuration and synchronize the configurations (configsync).

Installing the BIG-IP systems and connecting a serial console

The tasks required to install the systems and connect a serial console are described in detail in two guides.

  • For details about installing the hardware, see the Platform Guide: 1500, 3400, and 6400, Chapter 2, Installing the IP Application Switch Platform.
  • For information on connecting a serial console, see Installation, Licensing, and Upgrades for BIG-IP Systems, Chapter 2, Installing a Management Workstation.

After the systems are set up, and you have configured a console, you can create the FIPS security domain.

Creating the FIPS security domain

The first step to creating a FIPS security domain is to initialize the FIPS HSM and create a security officer (SO) password. The SO password is required to re-initialize the HSM. If you are configuring a redundant system, you need to initialize the security domain on one unit, and then initialize the card on the peer unit using the same security domain name you used on the first unit.

To create a FIPS security domain, you must perform the following tasks.

  • Initialize the first unit in the redundant system.
  • Initialize the peer system.

NOTE:  You can initialize the FIPS HSM and create the security domain before you license the system and create a traffic management configuration.

Initializing the first unit in a redundant system

To initialize the first unit in a redundant system and create a security domain, you must use the fipsutil utility. To initialize the HSM and create an SO password, type the following command:

fipsutil -f init

After the utility starts, you are prompted to create a security officer password, and then to confirm the password. After you create and confirm the password, you are prompted for the security domain name. Remember the security domain name you use, because you need it when you initialize the HSM on the peer unit. Neither the software nor the hardware can display the domain name after you enter it.

After you complete the initialization process on the first unit, you can initialize the peer system.

Initializing the peer system

To initialize the peer unit in the redundant system and add it to the security domain of the first unit, you must use the fipsutil utility. Type the following command:

fipsutil -f init

After the utility starts, you are prompted to create a security officer (SO) password. You can use the SO password you created on the first unit; however, you are not required to use it.

When you are prompted for the security domain name, you must type the security domain name you created on the first unit.

After you initialize the HSMs in both units, you can log into each unit and run the Configuration utility.

Running the Configuration utility

After you complete the initialization of the HSMs and create a security domain on the redundant system, you can run the Configuration utility.

The Configuration utility provides the ability to license the system, configure the management interface, configure failover, and create a base network configuration. After you configure failover properly, and after you have run the fipscardsync utility, every time you synchronize the configuration of the redundant system, you are synchronizing card and key information for the security domain.

For details about running the Configuration utility and creating a base network configuration, see the BIG-IP Quick Start Instructions. These instructions are included in the BIG-IP Resource Kit shipped with each unit. You can also access these instructions at http://tech.f5.com.

Running the fipscardsync utility to synchronize the FIPS HSMs

After you set up the system with the Configuration utility, you can synchronize the FIPS HSMs with the fipscardsync utility. Synchronizing the HSMs allows the two units to exchange keys. To run the fipscardsync utility, type the following command at the console.

fipscardsync peer

After you synchronize the HSMs, you can create a traffic management configuration.

Generating and managing FIPS keys

The web-based Configuration utility provides a key management interface. You can use the Configuration utility to create FIPS keys, convert existing keys to FIPS keys, and import existing keys into the system.

NOTE:  Once a key is converted to FIPS, the process cannot be reversed.

To create FIPS keys using the Configuration utility

  1. On the Main tab, expand Local Traffic.
  2. Click SSL Certificates.
    This opens the SSL Certificates screen and lists all certificates installed on the LTM system.
  3. On the upper-right portion of the screen, click Create.
  4. In the Name box, type a unique name for the certificate.
  5. For the Issuer setting, select Self for a self-signed certificate. Select Certificate Authority to request a certificate from a CA.
  6. Configure the Common Name setting, and any other settings you want.
  7. In the Key Properties section, select the security type FIPS, and a key size.
  8. Click Finished.

To convert existing keys using the Configuration utility

  1. On the Main tab, expand Local Traffic.
  2. Click SSL Certificates.
    This opens the SSL Certificates screen and lists all certificates installed on the LTM system.
  3. Click a certificate name.
    This displays the properties of that certificate.
  4. If you want to see information about the key that is associated with that certificate, click Key on the menu bar.
    This displays the type and size of the key.
  5. To convert the key to a FIPS key, click the Convert to FIPS button.
    The key is converted. Once the key is converted, this process cannot be reversed.

To import existing keys using the Configuration utility

  1. On the Main tab, expand Local Traffic.
  2. Click SSL Certificates.
    This displays the list of existing certificates.
  3. In the upper right corner of the screen, click Import.
  4. For the import type, select Key.
  5. Select the import method (File or Text).
  6. In the Certificate box, type the name of the key.
    You can also click the Browse button, locate the key, and select it.
  7. Click Import.
    After you import the key, you can convert it to FIPS using the procedure To convert existing keys using the Configuration utility.

Planning for system recovery

There are several steps you can take to plan for a system recovery. You can maintain a redundant system; in the event of a failure, the standby unit becomes active and handles incoming traffic. Another option is to configure a third unit with the same configuration and store it in a safe place. A last option, which is not FIPS-approved, is to copy the keys to a disk and put the disk in a safe place. Each of these options is described in this section.

Configuring a redundant system
The first step is to maintain a redundant system. In the event of a failure, the standby unit becomes active and handles the incoming traffic. Creating a redundant system configuration is one of the steps described in this document as part of the initial configuration. After you configure failover properly, every time you synchronize the configuration of the redundant system you are synchronizing card and key information for the security domain.

Configuring an additional unit for recovery
For additional system backup, you can take a third unit, fully configure it, add it to the security domain, and synchronize the configurations. Remove the unit from the network and store it in a safe location. If the BIG-IP system in production is damaged or destroyed, you can take the backup unit from storage and reconstitute the security domain.

Saving keys on a disk
A further method of preserving the keys is available, but it is not FIPS-approved. With this option, you generate your keys in software. Copy the keys to a disk and put the disk in a secure place. Then you can import the keys into the FIPS HSM. If there is a catastrophic system failure, you can use these backup keys to recreate the security domain. This is not a FIPS-compliant method for backup.

Recovering FIPS information after a system failure

If one unit of a redundant system fails, the failover unit becomes active and maintains FIPS information. However, after you replace the failed unit in a redundant system, you need to restore FIPS information on the replacement unit.

To copy FIPS information from the currently active original system to a new replacement system

  1. Ensure that the current BIG-IP software is configured on the new replacement system, and install your saved UCS on it.
    See tech.f5.com for information on backup and recovery of a BIG-IP UCS file.
  2. Connect the currently active unit to the new replacement unit.
  3. On the new replacement unit, run the command fipsutil -f init. Ensure that you use the exact same security domain name that you specified when you initially set up the currently active unit.
  4. On the currently active unit, run the fipssync peer command.
    This copies the information in the FIPS module from the currently active unit to the new replacement unit.

Important: Ensure that you run the fipssync peer command from the currently active unit. If you run the fipssync peer command from the new replacement unit, you will lose the original FIPS information.

  5. On the currently active unit, run configsync to copy the full configuration to the replacement system.
    The new replacement system is now ready to function as the failover device in a redundant pair configuration.
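As an added example, not code from this F5 tech note, the following POSIX shell wrapper encodes the direction rule from the Important note above: the HSM sync is started only when the unit reports itself as active, so the original FIPS information cannot be overwritten by mistake. The function names (is_active_unit, guarded_fips_sync), the way the failover state is passed in, and the default command (the fipscardsync peer invocation used earlier in this note) are assumptions; on a real unit the state would come from the platform's own failover status.

```shell
#!/bin/sh
# Added example, not part of the F5 tech note. Enforces the rule that the
# HSM sync must be started on the currently active original unit, never on
# the replacement. The failover state is supplied by the caller (here a
# constructed string; on a real unit it would be read from the platform's
# failover status). The sync command defaults to "fipscardsync peer" and
# can be overridden, e.g. with a dry-run command.

# Normalise the reported state and answer whether this unit is the active one.
is_active_unit() {
    case "$(printf '%s' "$1" | tr 'A-Z' 'a-z')" in
        active) return 0 ;;
        *)      return 1 ;;
    esac
}

# Run the HSM sync only from the active unit. Return codes:
#   0     sync command ran and succeeded
#   2     refused because this unit is not active
#   other exit status of the sync command itself
guarded_fips_sync() {
    state="$1"
    sync_cmd="${2:-fipscardsync peer}"
    if ! is_active_unit "$state"; then
        echo "refusing '$sync_cmd': unit state is '$state', not active" >&2
        return 2
    fi
    echo "unit is active, running: $sync_cmd"
    $sync_cmd
}

# Stand-alone use: first argument is the failover state, optional second
# argument overrides the sync command, e.g.
#   sh guard.sh standby
#   sh guard.sh active "echo dry-run"
if [ -n "$1" ]; then
    guarded_fips_sync "$1" "$2"
fi
```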

Copyright 1996-2005, F5 Networks, Inc., Seattle, Washington.  All rights reserved. 