ADC

Configure FIPS appliances in a high availability setup

Note:

The MPX 9700/10500/12500/15500 FIPS platform has reached end of life.

You can configure two appliances in a high availability (HA) pair as FIPS appliances. For information about configuring an HA setup, see High availability.

Note: Citrix recommends that you use the configuration utility (GUI) for this procedure. If you use the command line (CLI), make sure that you carefully follow the steps as listed in the procedure. Changing the order of steps or specifying an incorrect input file might cause an inconsistency that requires that you restart the appliance. In addition, if you use the CLI, the create ssl fipskey command is not propagated to the secondary node. When you run the command with the same input values for modulus size and exponent on two different FIPS appliances, the keys generated are not identical. Create the FIPS key on one of the nodes and then transfer it to the other node. But if you use the configuration utility to configure FIPS appliances in an HA setup, the FIPS key that you create is automatically transferred to the secondary node. The process of managing and transferring the FIPS keys is known as secure information management (SIM).

Important: On the MPX 9700/10500/12500/15500 FIPS appliances, the HA setup must be completed within six minutes. If the process takes longer than six minutes, the internal timer of the FIPS card expires and the following error message appears:

ERROR: Operation timed out or repeated, please wait for 10 mins and redo the SIM/HA configuration steps.

If this message appears, restart the appliance or wait for 10 minutes, and then repeat the HA setup procedure.

In the following procedure, appliance A is the primary node and appliance B is the secondary node.

Configure FIPS appliances in a high availability setup by using the CLI

  1. On appliance A, open an SSH connection to the appliance by using an SSH client, such as PuTTY.

  2. Log on to the appliance, using the administrator credentials.

  3. Initialize appliance A as the source appliance. At the command prompt, type:

    init ssl fipsSIMsource <certFile>
    <!--NeedCopy-->
    

    Example:

    init fipsSIMsource /nsconfig/ssl/nodeA.cert

  4. Copy this <certFile> file to appliance B, in the /nconfig/ssl folder.

    Example:

    scp /nsconfig/ssl/nodeA.cert nsroot@198.51.100.10:/nsconfig/ssl

  5. On appliance B, open an SSH connection to the appliance by using an SSH client, such as PuTTY.

  6. Log on to the appliance, using the administrator credentials.

  7. Initialize appliance B as the target appliance. At the command prompt, type:

    init ssl fipsSIMtarget <certFile> <keyVector> <targetSecret>
    <!--NeedCopy-->
    

    Example:

    init fipsSIMtarget /nsconfig/ssl/nodeA.cert /nsconfig/ssl/nodeB.key /nsconfig/ssl/nodeB.secret

  8. Copy this <targetSecret> file to appliance A.

    Example:

    scp /nsconfig/ssl/fipslbdal0801b.secret nsroot@198.51.100.20:/nsconfig/ssl

  9. On appliance A, enable appliance A as the source appliance. At the command prompt, type:

    enable ssl fipsSIMSource <targetSecret> <sourceSecret>
    <!--NeedCopy-->
    

    Example:

    enable fipsSIMsource /nsconfig/ssl/nodeB.secret /nsconfig/ssl/nodeA.secret

  10. Copy this <sourceSecret> file to appliance B.

    Example: scp /nsconfig/ssl/fipslbdal0801b.secret nsroot@198.51.100.10:/nsconfig/ssl

  11. On appliance B, enable appliance B as the target appliance. At the command prompt, type:

    enable ssl fipsSIMtarget <keyVector> <sourceSecret>
    <!--NeedCopy-->
    

    Example:

    enable fipsSIMtarget /nsconfig/ssl/nodeB.key /nsconfig/ssl/nodeA.secret

  12. On appliance A, create a FIPS key, as described in Create a FIPS key.

  13. Export the FIPS key to the appliance’s hard disk, as described in Export a FIPS key.

  14. Copy the FIPS key to the hard disk of the secondary appliance by using a secure file transfer utility, such as SCP.

  15. On appliance B, import the FIPS key from the hard disk into the HSM of the appliance, as described in Import an existing FIPS key.

Configure FIPS appliances in a high availability setup by using the GUI

  1. On the appliance to be configured as the source appliance, navigate to Traffic Management > SSL > FIPS.
  2. In the details pane, on the FIPS Info tab, click Enable SIM.
  3. In the Enable HA Pair for SIM dialog box, go to the Certificate File Name text box. Type the file name, with the path to the location at which the FIPS certificate must be stored on the source appliance.
  4. In the Key Vector File Name text box, type the file name, with the path to the location at which the FIPS key vector must be stored on the source appliance.
  5. In the Target Secret File Name text box, type the location for storing the secret data on the target appliance.
  6. In the Source Secret File Name text box, type the location for storing the secret data on the source appliance.
  7. Click OK. The FIPS appliances are now configured in HA mode.
  8. Create a FIPS key, as described in Create a FIPS key. The FIPS key is automatically transferred from the primary to the secondary.

The following diagram summarizes the transfer process.

Figure 1. Transfer the FIPS key-summary

Sim process detail

Configure FIPS appliances in a high availability setup