Citrix ADC

Citrix ADC VPX FIPS certified appliances

October 23, 2020

Contributed by:

S S C

The Citrix ADC VPX FIPS appliance is validated for FIPS 140-2 Level 1 (Certificate #3732: https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/3732) by the National Institute of Standards and Technology (NIST). More information about the FIPS 140-2 standard and validation program is available on the NIST and the Canadian Center for Cyber Security (CCCS) Cryptographic Module Validation Program (CMVP) website at https://csrc.nist.gov/projects/cryptographic-module-validation-program.

Prerequisites

For on-prem hypervisors download the special build from the Citrix website. Download the complete VPX FIPS package for the respective hypervisor.
VPX FIPS is supported only on platforms on which the underlying Intel CPU supports RDRAND and RDSEED instruction sets. For more information about Intel CPU supporting RDRAND and RDSEED instruction sets, check the Intel architecture document.
Citrix ADC VPX FIPS license.

Configuration

The module is available as a software package that includes both the application software and the operating system. After purchasing the Citrix ADC VPX FIPS license, get the latest Citrix ADC VPX FIPS image from the Citrix website.

Perform the following steps:

Upload the latest Citrix ADC VPX FIPS image to one of the following hypervisors: ESXi, Citrix Hypervisor, Hyper-V, KVM, AWS, Azure, or GCP (from build 12.1-55.190).
Apply the Citrix ADC VPX FIPS license and restart the appliance. Warm reboot does not bring the system in FIPS mode and hence restart is mandatory.
After the appliance starts, run the following command at the CLI:
```
> show system fipsStatus
```
You must get the following output.
```
FipsStatus: "System is operating in FIPS mode"
Done
>
```
In case you get the following output, see the troubleshooting section for steps to resolve.
```
FipsStatus: "System is operating in non FIPS mode"
Done
>
```
Follow the configuration guidelines in Secure Deployment Guide.

Ciphers supported on a VPX FIPS appliance

All ciphers supported on a Citrix ADC MPX/SDX 14000 FIPS appliance, except the 3DES cipher, are supported on a VPX FIPS appliance. For the complete list of ciphers supported on a Citrix ADC VPX FIPS appliance, see Cipher support on Citrix ADC VPX FIPS and MPX FIPS certified appliances.

Upgrade a Citrix ADC VPX FIPS certified appliance

Follow the steps in Upgrade a Citrix ADC standalone appliance to upgrade the VPX FIPS certified appliance.

Important: Replace the ./installns command with ./installns -F.

Limitations

RADIUS & TACACS authentication are not supported on the VPX FIPS appliance.
VPX FIPS is a separate image. Software version upgrade from VPX version to VPX FIPS version is not supported. Also, the VPX FIPS software version cannot be downgraded or upgraded to the VPX software version.
VPX FIPS image is not supported on a Citrix ADC SDX and Citrix ADC SDX FIPS appliance.
Citrix ADC VPX FIPS on GCP currently supports standalone deployment only. HA deployment is not supported.

Troubleshooting

When you run the show system fipsStatus command and the output is as follows:

FipsStatus: "System is operating in non FIPS mode"
Done
>

The reason might be one of the following;

License is expired or incorrect.
Hardware is not supported.
The system is unable to come up in FIPS mode due to POST failure on the management core or packet engine.

To resolve:

Check that the correct Citrix ADC VPX FIPS license is installed and that the license has not expired.
Check that the underlying CPU supports RDRAND and RDSEED instruction sets. Run the following command:
```
>shell
#nsconmsg -g drbg -g ssl_err -g fips -d statswt0
```
If the nsssl_err_fips_drbg_rdrand_not_supported counter increments, the underlying hardware does not support the RDRAND and RDSEED instruction set.
To check for Power-on self-test (POST) failure on the management core or on a packet engine, run the following command:
```
>shell
#nsconmsg -g drbg -g ssl_err -g fips -d statswt0
```
The nsssl_err_fips_post_failed counter increments if POST fails during bootup on the packet engine. That is, there is a data plane failure.

If the counter does not increment, check the log file (/var/log/FIPS-post.log) for a failed algorithm test entry. That is, check for POST failure on the management core (control plane failure).

In both cases, contact Citrix support.

The official version of this content is in English. Some of the Citrix documentation content is machine translated for your convenience only. Citrix has no control over machine-translated content, which may contain errors, inaccuracies or unsuitable language. No warranty of any kind, either expressed or implied, is made as to the accuracy, reliability, suitability, or correctness of any translations made from the English original into any other language, or that your Citrix product or service conforms to any machine translated content, and any warranty provided under the applicable end user license agreement or terms of service, or any other agreement with Citrix, that the product or service conforms with any documentation shall not apply to the extent that such documentation has been machine translated. Citrix will not be held responsible for any damage or issues that may arise from using machine-translated content.

Citrix ADC VPX FIPS certified appliances

October 23, 2020

Contributed by:

S S C

October 23, 2020

Contributed by:

S S C

Citrix ADC VPX FIPS certified appliances

Prerequisites

Configuration

Ciphers supported on a VPX FIPS appliance

Upgrade a Citrix ADC VPX FIPS certified appliance

Limitations

Troubleshooting

Citrix ADC VPX FIPS certified appliances

In this article