Citrix ADC VPX FIPS appliances

The Citrix ADC VPX FIPS appliance has been tested by a third-party laboratory against the security requirements of FIPS 140-2 Level 1 and is in the formal review process at NIST. More information about the FIPS 140-2 standard and the validation program is available on the National Institute of Standards and Technology (NIST) and Canadian Centre for Cyber Security (CCCS) Cryptographic Module Validation Program (CMVP) website at https://csrc.nist.gov/projects/cryptographic-module-validation-program.

Prerequisites

  • For on-prem hypervisors, download the dedicated VPX FIPS build from the Citrix website: the complete VPX FIPS package for the hypervisor you are deploying on.

  • VPX FIPS is supported only on platforms whose underlying Intel CPU supports the RDRAND and RDSEED instructions, because the FIPS DRBG is seeded from them. For the list of Intel CPUs that support RDRAND and RDSEED, see the Intel architecture documentation.

  • Citrix ADC VPX FIPS license.
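The RDRAND/RDSEED prerequisite is easy to verify on the hypervisor host before you upload the image, and it is also the first thing to re-check when the appliance later comes up in non-FIPS mode. The script below is an added example, not Citrix code: it assumes a Linux/KVM host that exposes CPU feature flags in /proc/cpuinfo (ESXi and Hyper-V hosts need their own tooling), and the two cpuinfo fragments it checks are constructed samples, not captured from a real host. Note that a hypervisor can mask these flags from a guest even when the physical CPU has them, so the flags must be visible at the level where the VPX FIPS VM runs.

```shell
#!/bin/sh
# Added example (not Citrix code): check that every CPU listed in a Linux
# cpuinfo file advertises both rdrand and rdseed before deploying VPX FIPS.
# Assumption: the host is Linux/KVM and exposes flags in /proc/cpuinfo.

# Returns 0 when every "flags" line in the given cpuinfo file lists both
# rdrand and rdseed, 1 otherwise (a flag missing, or no flags lines at all).
cpu_supports_fips_rng() {
    cpuinfo="${1:-/proc/cpuinfo}"
    # grep -c exits 1 on zero matches; "|| true" keeps set -e scripts alive.
    total=$(grep -c '^flags' "$cpuinfo" || true)
    ok=$(grep '^flags' "$cpuinfo" | grep -w 'rdrand' | grep -cw 'rdseed' || true)
    [ "$total" -gt 0 ] && [ "$total" -eq "$ok" ]
}

# Constructed sample cpuinfo fragments for an offline run: one host whose CPUs
# advertise both instructions, and one (older CPU, or flags masked by the
# hypervisor) that advertises neither.
write_sample() {
    case "$1" in
        good) printf 'processor\t: 0\nflags\t\t: fpu sse2 aes rdrand rdseed\nprocessor\t: 1\nflags\t\t: fpu sse2 aes rdrand rdseed\n' ;;
        bad)  printf 'processor\t: 0\nflags\t\t: fpu sse2 aes\n' ;;
    esac > "$2"
}

tmp=$(mktemp)
write_sample good "$tmp"
if cpu_supports_fips_rng "$tmp"; then
    echo "good sample: RDRAND and RDSEED present on every CPU"
fi
write_sample bad "$tmp"
if ! cpu_supports_fips_rng "$tmp"; then
    echo "bad sample: RDRAND/RDSEED missing, VPX FIPS will not enter FIPS mode here"
fi
rm -f "$tmp"
```

Run it on the host with no argument to read the live /proc/cpuinfo; pass a file path to check a saved copy from another machine.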

Configuration

The module is available as a software package that includes both the application software and the operating system. After purchasing the Citrix ADC VPX FIPS license, get the latest Citrix ADC VPX FIPS image from the Citrix website.

Perform the following steps:

  1. Upload the latest Citrix ADC VPX FIPS image to one of the following hypervisors: ESXi, XenServer, Hyper-V, or KVM.

  2. Apply the Citrix ADC VPX FIPS license and restart the appliance. A warm reboot does not bring the system up in FIPS mode, so a full restart is mandatory.

  3. After the appliance starts, run the following command at the CLI:

    > show system fipsStatus
    

    You should see the following output:

    FipsStatus: "System is operating in FIPS mode"
    Done
    >
    

    If you get the following output instead, see the Troubleshooting section for steps to resolve it:

    FipsStatus: "System is operating in non FIPS mode"
    Done
    >
    
  4. Follow the configuration guidelines in Secure Deployment Guide.

Ciphers supported on a VPX FIPS appliance

All ciphers supported on a Citrix ADC MPX/SDX 14000 FIPS appliance, except the 3DES cipher, are supported on a VPX FIPS appliance. For the complete list of ciphers supported on a Citrix ADC VPX FIPS appliance, see Cipher support on a VPX FIPS appliance.

Limitations

  • Clustering is not supported on a VPX FIPS appliance.

  • RADIUS and TACACS authentication are not supported on a VPX FIPS appliance.

  • VPX FIPS is a separate image. Upgrading from a non-FIPS VPX release to a VPX FIPS release is not supported, and a VPX FIPS release cannot be upgraded or downgraded to a non-FIPS release.

Troubleshooting

When you run the show system fipsStatus command and the output is as follows:

FipsStatus: "System is operating in non FIPS mode"
Done
>

The reason might be one of the following:

  1. License is expired or incorrect.

  2. Hardware is not supported.

  3. The system is unable to come up in FIPS mode because of a power-on self-test (POST) failure on the management core or on a packet engine.

To resolve:

  1. Check that the correct Citrix ADC VPX FIPS license is installed and that the license has not expired.

  2. Check that the underlying CPU supports the RDRAND and RDSEED instructions. Drop to the shell and run the following command:

    > shell
    # nsconmsg -g drbg -g ssl_err -g fips -d statswt0
    

    If the nsssl_err_fips_drbg_rdrand_not_supported counter increments, the underlying hardware does not support the RDRAND and RDSEED instructions (or the hypervisor is not exposing them to the VM).

  3. To check for a power-on self-test (POST) failure on the management core or on a packet engine, run the same command:

    > shell
    # nsconmsg -g drbg -g ssl_err -g fips -d statswt0
    

    The nsssl_err_fips_post_failed counter increments if POST fails during boot on a packet engine; that is a data-plane failure.

    If the counter does not increment, check the log file /var/log/FIPS-post.log for a failed algorithm test entry; that indicates a POST failure on the management core, a control-plane failure.

    In both cases, contact Citrix support.
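The checks in the Configuration section (step 3) and in this Troubleshooting section can be scripted so that the same triage runs every time an appliance comes up in non-FIPS mode. The script below is an added example, not Citrix code, and works on saved text captures of the three things the page tells you to look at: the output of show system fipsStatus, the output of nsconmsg -g drbg -g ssl_err -g fips -d statswt0, and /var/log/FIPS-post.log. Two things are assumptions not confirmed by the page: that nsconmsg -d statswt0 prints one counter per line with the layout "Index rtime totalcount-val delta rate/sec symbol-name", so the cumulative count is the third field, and that a failed algorithm test in FIPS-post.log contains the word FAIL. The sample captures in the block are constructed, not taken from a real appliance.

```shell
#!/bin/sh
# Added example (not Citrix code): decide why an appliance reports non-FIPS
# mode, in the order the Troubleshooting section lists the causes.
# Assumptions: nsconmsg -d statswt0 lines look like
#   "Index rtime totalcount-val delta rate/sec symbol-name" ($3 = total count);
# a failed algorithm test in FIPS-post.log contains the word FAIL.

# 0 if the saved "show system fipsStatus" output says FIPS mode, else 1.
# "operating in FIPS mode" does not match the "non FIPS mode" string.
in_fips_mode() {
    grep -q 'FipsStatus: "System is operating in FIPS mode"' "$1"
}

# 0 if the named nsconmsg counter has a nonzero cumulative count in $1.
counter_nonzero() {
    awk -v name="$2" '$NF == name && ($3 + 0) > 0 { found = 1 } END { exit !found }' "$1"
}

# Prints one line naming the most likely cause. The license case has no
# counter of its own, so it is what remains when no RNG or POST failure
# was recorded; verify it first anyway, as the page says.
fips_triage() {
    status="$1"; counters="$2"; postlog="$3"
    if in_fips_mode "$status"; then
        echo "ok: system is operating in FIPS mode"
    elif counter_nonzero "$counters" nsssl_err_fips_drbg_rdrand_not_supported; then
        echo "hardware: CPU does not expose RDRAND/RDSEED to the VM; move to a supported host"
    elif counter_nonzero "$counters" nsssl_err_fips_post_failed; then
        echo "post-pe: POST failed on a packet engine (data plane); contact Citrix support"
    elif grep -qi 'fail' "$postlog" 2>/dev/null; then
        echo "post-mgmt: algorithm self-test failed on the management core (control plane); contact Citrix support"
    else
        echo "license: no RNG or POST failure recorded; check that the VPX FIPS license is installed and not expired"
    fi
}

# Constructed sample captures for an offline run: non-FIPS status, a packet
# engine POST failure counter of 1, and an empty FIPS-post.log.
d=$(mktemp -d)
printf 'FipsStatus: "System is operating in non FIPS mode"\nDone\n' > "$d/status"
printf 'Index rtime totalcount-val delta rate/sec symbol-name&device-no\n' > "$d/counters"
printf '0 0 0 0 0 nsssl_err_fips_drbg_rdrand_not_supported\n' >> "$d/counters"
printf '0 0 1 1 0 nsssl_err_fips_post_failed\n' >> "$d/counters"
: > "$d/FIPS-post.log"
fips_triage "$d/status" "$d/counters" "$d/FIPS-post.log"
rm -rf "$d"
```

On a real appliance, capture the three inputs first (show system fipsStatus from the CLI, then nsconmsg from the shell, then copy /var/log/FIPS-post.log) and pass the saved files to fips_triage; the order of the checks matters because a POST failure is only meaningful once the RNG check has passed.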