Citrix ADC MPX FIPS certified appliances
The Citrix ADC MPX 8900 FIPS and MPX 15000-50G FIPS certified appliances have been tested by a third party laboratory for the security requirements of FIPS 140-2 Level-2. Formal review by NIST is in progress. More information about the FIPS 140-2 standard and validation program is available on the National Institute of Standards and Technology (NIST) and the Canadian Center for Cyber Security (CCCS) Cryptographic Module Validation Program (CMVP) website at https://csrc.nist.gov/projects/cryptographic-module-validation-program.
The MPX 8900 FIPS and the MPX 15000-50G FIPS appliances no longer use a third-party Hardware Security Module. The requirements to be FIPS validated are build into the system.
- FIPS license
- Platform license
Ciphers supported on MPX 8900 FIPS and MPX 15000-50G FIPS certified appliances
All ciphers supported on a Citrix ADC MPX/SDX 14000 FIPS appliance, except the 3DES cipher, are supported on the MPX 8900 and MPX 15000-50G FIPS certified appliances. For the complete list of ciphers supported on these appliances, see Cipher support on Citrix ADC VPX FIPS and MPX FIPS certified appliances.
RADIUS and TACACS authentication is not supported on the MPX FIPS certified appliance.
After the appliance starts, run the following command at the CLI:
> show system fipsStatus <!--NeedCopy-->
You must get the following output.
FipsStatus: "System is operating in FIPS mode" Done > <!--NeedCopy-->
In case you get the following output, check the license.
FipsStatus: "System is operating in non FIPS mode" Done > <!--NeedCopy-->
Perform the following steps to initialize the MPX appliance for the FIPS mode of operation.
- Enforce strong passphrase requirements.
- Replace the default TLS certificate.
- Disable HTTP access to the web GUI.
- Create the KEK
- After initial configuration, disable local authentication and configure remote authentication using LDAP.
Enforce strong passphrase requirements using the GUI
Passphrases are used to derive keys using PBKDF2. As an admin, enable strong passphrase requirements using the GUI.
- Navigate to System > Settings.
- In the Settings section, click Change Global System Settings.
- In the Strong Password field, select Enable All.
- In the Min Password Length field, type “8.”
- Click OK.
Replace the default TLS certificate
By default, the MPX FIPS certified appliance includes a factory-provisioned RSA certificate for TLS connections (
ns-server.key). This certificate is not intended for use in production deployments and must be replaced. Replace the default certificate with a new certificate after the initial installation.
To replace the default TLS certificate:
At the command prompt, type the following command to set the host name of the appliance.
set ns hostName <hostname>
Create a Certificate Signing Request (CSR) using the GUI
- Navigate to Traffic Management > SSL > SSL Files.
- In the CSR tab, click Create Certificate Signing Request (CSR).
- Enter the values and click Create. Note: The Common Name field contains the value of the host name set using the ADC CLI.
- Submit the CSR file to a trusted certificate authority (CA). The CSR file is available in the
- After receiving the certificate from the CA, copy the file to the
- Navigate to Traffic Management > SSL > Certificates > Server Certificates.
- Select ns-server-certificate.
- Click Update.
- Click Update the certificate and key.
- In the Certificate File Name field, choose the certificate file that was received from the certificate authority (CA). Choose Local if the file is on your local computer. Otherwise, choose Appliance.
- In the Key File Name field, specify the default private key file name (
- Select the No Domain Check option.
- Click OK.
Disable HTTP access to the web GUI
To protect traffic to the administrative interface and web GUI, the appliance must be configured to use HTTPS. After adding new certificates, use the CLI to disable HTTP access to the GUI management interface.
At the command prompt, type:
set ns ip <NSIP> -gui SECUREONLY
Create the KEK key
master key is used to encrypt passphrases and other sensitive information. To prevent the default KEK from being used, use the CLI to create a KEK.
To create the KEK, at the command prompt, type:
create system kek
When prompted, enter a strong passphrase. The KEK is derived from this passphrase.
Disable local authentication and configure remote authentication using LDAP
The superuser account is a default account with root CLI access privileges that is required for initial configuration. During initial configuration, disable local system authentication to block access to all local accounts (including the superuser account), and to ensure that superuser privileges are not assigned to any user account.
To disable local system authentication and enable external system authentication using the CLI
At the command prompt, type:
set system parameter -localauth disabled
Follow the instructions in Configuring LDAP authentication to configure external system authentication to use LDAP.