MPX 9700/10500/12500/15500 FIPS appliances
The Federal Information Processing Standard (FIPS), issued by the US National Institute of Standards and Technologies, specifies the security requirements for a cryptographic module used in a security system. The NetScaler FIPS appliance complies with the second version of this standard, FIPS-140-2.
Note: Henceforth, all references to FIPS imply FIPS-140-2.
The FIPS appliance is equipped with a tamper-proof (tamper-evident) cryptographic module (a Cavium CN1620-NFBE3-2.0-G on the MPX 9700/10500/12500/15500 FIPS appliances) designed to comply with the FIPS 140-2 Level-2 specifications. The Critical Security Parameters (CSPs), primarily the server’s private key, are generated and securely stored inside the cryptographic module, also referred to as the Hardware Security Module (HSM). The CSPs are never accessed outside the boundary of the HSM. Only the superuser (nsroot) can perform operations on the keys stored inside the HSM.
The following table summarizes the differences between standard NetScaler and NetScaler FIPS appliances.
| Setting | NetScaler appliance | NetScaler FIPS appliance |
|---|---|---|
| Key storage | On the hard disk | On the FIPS card |
| Cipher support | All ciphers | FIPS approved ciphers |
| Accessing keys | From the hard disk | Not accessible |
Configuring a FIPS appliance involves configuring the HSM immediately after completing the generic configuration process. You then create or import a FIPS key. After creating a FIPS key, you should export it for backup. You might also need to export a FIPS key so that you can import it to another appliance. For example, configuring FIPS appliances in a high availability (HA) setup requires transferring the FIPS key from the primary node to the secondary node immediately after completing the standard HA setup.
You can upgrade the firmware version on the FIPS card from version 4.6.0 to 4.6.1, and you can reset an HSM that has been locked to prevent unauthorized logon. Only FIPS approved ciphers are supported on a NetScaler FIPS appliance.
HSM configuration
Before you can configure the HSM of your NetScaler FIPS appliance, you must complete the initial hardware configuration. For more information about MPX appliances, see Initial Configuration. For information about SDX appliances, see the SDX documentation.
Configuring the HSM of your NetScaler FIPS appliance erases all existing data on the HSM. To configure the HSM, you must be logged on to the appliance as the superuser (nsroot account). The HSM is preconfigured with default values for the Security Officer (SO) password and User password, which you use to configure the HSM or reset a locked HSM. The maximum length allowed for the password is 14 alphanumeric characters. Symbols are not allowed.
Important: Do not perform the set ssl fips command without first resetting the FIPS card and restarting the MPX FIPS appliance.
Although the FIPS appliance can be used with the default password values, you should modify them before using it. The HSM can be configured only when you log on to the appliance as the superuser and specify the SO and User passwords.
Important: Due to security constraints, the appliance does not provide a means for retrieving the SO password. Store a copy of the password safely. Should you need to reinitialize the HSM, you will need to specify this password as the old SO password.
Before initializing the HSM, you can upgrade to the latest build of the software. To upgrade to the latest build, see Upgrading or Downgrading the System Software.
After upgrading, verify that the /nsconfig/fips directory has been successfully created on the appliance.
Configure the HSM on MPX 9700/10500/12500/15500 FIPS appliances by using the CLI
After logging on to the appliance as the superuser and completing the initial configuration, at the command prompt, type the following commands to configure the HSM and verify the configuration:
show ssl fips
reset ssl fips
reboot
set ssl fips -initHSM Level-2 <newSOpassword> <oldSOpassword> <userPassword> [-hsmLabel <string>]
save ns config
reboot
show ssl fips
Example:
show fips
FIPS Card is not configured
Done
reset fips
reboot
Are you sure you want to restart NetScaler (Y/N)? [N]:y
set ssl fips -initHSM Level-2 sopin12345 so12345 user123 -hsmLabel cavium
This command will erase all data on the FIPS card. You must save the configuration
(saveconfig) after executing this command.
Do you want to continue?(Y/N)y
Done
save ns config
reboot
Are you sure you want to restart NetScaler (Y/N)? [N]:y
show fips
FIPS HSM Info:
HSM Label : NetScaler FIPS
Initialization : FIPS-140-2 Level-2
HSM Serial Number : 2.1G1008-IC000021
HSM State : 2
HSM Model : NITROX XL CN1620-NFBE
Firmware Version : 1.1
Firmware Release Date : Jun04,2010
Max FIPS Key Memory : 3996
Free FIPS Key Memory : 3994
Total SRAM Memory : 467348
Free SRAM Memory : 62564
Total Crypto Cores : 3
Enabled Crypto Cores : 1
Done
Note: If you upgrade the firmware to version 2.2, the firmware release date is replaced with the firmware build.
show fips
FIPS HSM Info:
HSM Label : NetScaler FIPS
Initialization : FIPS-140-2 Level-2
HSM Serial Number : 3.0G1235-ICM000264
HSM State : 2
HSM Model : NITROX XL CN1620-NFBE
Hardware Version : 2.0-G
Firmware Version : 2.2
Firmware Build : NFBE-FW-2.2-130009
Max FIPS Key Memory : 3996
Free FIPS Key Memory : 3958
Total SRAM Memory : 467348
Free SRAM Memory : 50524
Total Crypto Cores : 3
Enabled Crypto Cores : 3
Done
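As an added pre-flight check (example code written for this page, not Citrix's own tooling), the following Python parses the output of show ssl fips shown above, flags a card that is unconfigured or only partly enabled, and applies the page's SO/User password rule before you run set ssl fips -initHSM. The sample output is constructed from the page's firmware 2.2 example; treating HSM State 2 as the initialized state and the free-slot threshold are assumptions.

```python
import re

# Constructed sample input: same field layout as the 'show ssl fips' output above
# (values copied from the page's firmware 2.2 example, not captured from a live box).
SAMPLE_CONFIGURED = """\
FIPS HSM Info:
HSM Label : NetScaler FIPS
Initialization : FIPS-140-2 Level-2
HSM Serial Number : 3.0G1235-ICM000264
HSM State : 2
HSM Model : NITROX XL CN1620-NFBE
Firmware Version : 2.2
Max FIPS Key Memory : 3996
Free FIPS Key Memory : 3958
Total Crypto Cores : 3
Enabled Crypto Cores : 3
Done
"""
SAMPLE_UNCONFIGURED = "FIPS Card is not configured\nDone\n"

def parse_show_fips(output):
    """Turn 'Field : value' lines into a dict; an unconfigured card yields {}."""
    info = {}
    for line in output.splitlines():
        m = re.match(r"^\s*([A-Za-z][A-Za-z ]*?)\s*:\s*(\S.*?)\s*$", line)
        if m:
            info[m.group(1)] = m.group(2)
    return info

def valid_hsm_password(pw):
    """Page rule for SO/User passwords: at most 14 alphanumeric characters, no symbols."""
    return 1 <= len(pw) <= 14 and pw.isascii() and pw.isalnum()

def check_hsm(info, min_free_keys=10):
    """Return a list of problems; [] means the HSM is ready for FIPS key work.
    Assumptions: 'HSM State' 2 is the initialized state; min_free_keys is a local threshold."""
    if not info:
        return ["FIPS card is not configured: reset ssl fips, reboot, then set ssl fips -initHSM"]
    problems = []
    if info.get("Initialization") != "FIPS-140-2 Level-2":
        problems.append("HSM is not initialized at FIPS-140-2 Level-2")
    if info.get("HSM State") != "2":
        problems.append("unexpected HSM State %s" % info.get("HSM State"))
    total = int(info.get("Total Crypto Cores", "0"))
    enabled = int(info.get("Enabled Crypto Cores", "0"))
    if enabled < total:
        problems.append("only %d of %d crypto cores enabled" % (enabled, total))
    free = int(info.get("Free FIPS Key Memory", "0"))
    if free < min_free_keys:
        problems.append("FIPS key memory nearly exhausted: %d slots free" % free)
    return problems

def keys_in_use(info):
    """Key slots consumed in the HSM: Max minus Free FIPS Key Memory."""
    return int(info["Max FIPS Key Memory"]) - int(info["Free FIPS Key Memory"])
```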
Configure the HSM on MPX 9700/10500/12500/15500 FIPS appliances by using the GUI
- Navigate to Traffic Management > SSL > FIPS.
- In the details pane, on the FIPS Info tab, click Reset FIPS.
- In the navigation pane, click System.
- In the details pane, click Reboot.
- In the details pane, on the FIPS Info tab, click Initialize HSM.
- In the Initialize HSM dialog box, specify values for the following parameters:
  - Security Officer (SO) Password*—new SO password
  - Old SO Password*—old SO password
  - User Password*—user password
  - Level—initHSM (Currently set to Level2 and cannot be changed)
  - HSM Label—hsmLabel
  *A required parameter
- Click OK.
- In the details pane, click Save.
- In the navigation pane, click System.
- In the details pane, click Reboot.
- Under FIPS HSM Info, verify that the information displayed for the FIPS HSM that you just configured is correct.
Create and transfer FIPS keys
After configuring the HSM of your FIPS appliance, you are ready to create a FIPS key. The FIPS key is created in the appliance’s HSM. You can then export the FIPS key to the appliance’s CompactFlash card as a secured backup. Exporting the key also enables you to transfer it by copying it to the /flash of another appliance and then importing it into the HSM of that appliance. You must enable SIM between two standalone nodes before you export and transfer the keys. In an HA setup, if one of the nodes is replaced with a new appliance, you must enable SIM between this new appliance and the existing appliance of the HA setup before you export or import FIPS keys.
Instead of creating a FIPS key, you can import an existing FIPS key or import an external key as a FIPS key. If you are adding a certificate-key pair of 2048 bits on the MPX 9700/10500/12500/15500 FIPS appliances, make sure that you have the correct certificate and key pair.
Note: If you are planning an HA setup, make sure that the FIPS appliances are configured in an HA setup before creating a FIPS key.
Create FIPS keys
Before creating a FIPS key, make sure that the HSM is configured.
You must specify the key type (RSA or ECDSA) and specify the curve for ECDSA keys.
Create a FIPS key by using the GUI
- Navigate to Traffic Management > SSL > FIPS.
- In the details pane, on the FIPS Keys tab, click Add.
- In the Create FIPS Key dialog box, specify values for the following parameters:
  - FIPS Key Name*—fipsKeyName
  - Modulus*—modulus
  - Exponent*—exponent
  *A required parameter
- Click Create, and then click Close.
- On the FIPS Keys tab, verify that the settings displayed for the FIPS key that you just created are correct.
Create a FIPS key by using the CLI
At the command prompt, type the following commands to create a FIPS key and verify the settings:
create ssl fipsKey <fipsKeyName> -keytype ( RSA | ECDSA ) [-modulus <positive_integer>] [-exponent ( 3 | F4 )] [-curve ( P_256 | P_384 )]
show ssl fipsKey [<fipsKeyName>]
Example:
create fipskey Key-FIPS-1 -keytype RSA -modulus 2048 -exponent F4
show ssl fipsKey Key-FIPS-1
FIPS Key Name: Key-FIPS-1 Key Type: RSA Modulus: 2048 Public Exponent: F4 (Hex: 0x10001)
Export FIPS keys
Citrix recommends that you create a backup of any key created in the FIPS HSM. If a key in the HSM is deleted, there is no way to create the same key again, and all the certificates associated with it are rendered useless.
In addition to exporting a key as a backup, you might need to export a key for transfer to another appliance.
The following procedure provides instructions on exporting a FIPS key to the /nsconfig/ssl folder on the appliance’s CompactFlash and securing the exported key by using a strong asymmetric key encryption method.
Export a FIPS key by using the CLI
At the command prompt, type:
export ssl fipsKey <fipsKeyName> -key <string>
Example:
export fipskey Key-FIPS-1 -key Key-FIPS-1.key
Export a FIPS key by using the GUI
- Navigate to Traffic Management > SSL > FIPS.
- In the details pane, on the FIPS Keys tab, click Export.
- In the Export FIPS key to a file dialog box, specify values for the following parameters:
  - FIPS Key Name*—fipsKeyName
  - File Name*—key (To put the file in a location other than the default, you can either specify the complete path or click the Browse button and navigate to a location.)
  *A required parameter
- Click Export, and then click Close.
Import an existing FIPS key
To use an existing FIPS key with your FIPS appliance, you need to transfer the FIPS key from the hard disk of the appliance into its HSM.
Note: To avoid errors when importing a FIPS key, make sure that the name of the key imported is the same as the original key name when it was created.
Import a FIPS key on the MPX 9700/10500/12500/15500 FIPS appliances by using the CLI
At the command prompt, type the following commands to import a FIPS key and verify the settings:
- import ssl fipsKey <fipsKeyName> -key <string> -inform SIM -exponent (F4 | 3)
- show ssl fipskey <fipsKeyName>
Example:
import fipskey Key-FIPS-2 -key Key-FIPS-2.key -inform SIM -exponent F4
show ssl fipskey Key-FIPS-2
FIPS Key Name: Key-FIPS-2 Modulus: 2048 Public Exponent: F4 (Hex value 0x10001)
Import a FIPS key by using the GUI
- Navigate to Traffic Management > SSL > FIPS.
- In the details pane, on the FIPS Keys tab, click Import.
- In the Import as a FIPS Key dialog box, select FIPS key file and set values for the following parameters:
  - FIPS Key Name*
  - Key File Name*—To put the file in a location other than the default, you can either specify the complete path or click Browse and navigate to a location.
  - Exponent*
  *A required parameter
- Click Import, and then click Close.
- On the FIPS Keys tab, verify that the settings displayed for the FIPS key that you just imported are correct.
Import an external key
In addition to transferring FIPS keys that are created within the NetScaler appliance’s HSM, you can transfer external private keys (such as those created on a standard NetScaler, Apache, or IIS) to a FIPS NetScaler appliance. External keys are created outside the HSM, by using a tool such as OpenSSL. Before importing an external key into the HSM, copy it to the appliance’s flash drive under /nsconfig/ssl.
On the MPX 9700/10500/12500/15500 FIPS appliances, the -exponent parameter in the import ssl fipskey command is not required while importing an external key. The correct public exponent is detected automatically when the key is imported, and the value of the -exponent parameter is ignored.
The NetScaler FIPS appliance does not support external keys with a public exponent other than 3 or F4.
You do not need a wrap key on the MPX 9700/10500/12500/15500 FIPS appliances.
You cannot import an external, encrypted FIPS key directly to an MPX 9700/10500/12500/15500 FIPS appliance. To import the key you need to first decrypt the key, and then import it. To decrypt the key, at the shell prompt, type:
openssl rsa -in <EncryptedKey.key> > <DecryptedKey.out>
Import an external key as a FIPS key to an MPX 9700/10500/12500/15500 FIPS appliance by using the CLI
- Copy the external key to the appliance’s flash drive.
- If the key is in .pfx format, you must first convert it to PEM format. At the command prompt, type:
  convert ssl pkcs12 <output file> -import -pkcs12File <input .pfx file name> -password <password>
- At the command prompt, type the following commands to import the external key as a FIPS key and verify the settings:
  import ssl fipsKey <fipsKeyName> -key <string> -inform PEM
  show ssl fipskey <fipsKeyName>
Example:
convert ssl pkcs12 iis.pem -password 123456 -import -pkcs12File iis.pfx
import fipskey Key-FIPS-2 -key iis.pem -inform PEM
show ssl fipskey Key-FIPS-2
FIPS Key Name: Key-FIPS-2 Modulus: 0 Public Exponent: F4 (Hex value 0x10001)
Import an external key as a FIPS key to an MPX 9700/10500/12500/15500 FIPS appliance by using the GUI
- If the key is in .pfx format, you must first convert it to PEM format.
  - Navigate to Traffic Management > SSL.
  - In the details pane, under Tools, click Import PKCS#12.
  - In the Import PKCS12 File dialog box, set the following parameters:
    - Output File Name*
    - PKCS12 File Name*—Specify the .pfx file name.
    - Import Password*
    - Encoding Format
    *A required parameter
- Navigate to Traffic Management > SSL > FIPS.
- In the details pane, on the FIPS Keys tab, click Import.
- In the Import as a FIPS Key dialog box, select PEM file, and set values for the following parameters:
  - FIPS Key Name*
  - Key File Name*—To put the file in a location other than the default, you can either specify the complete path or click Browse and navigate to a location.
  *A required parameter
- Click Import, and then click Close.
- On the FIPS Keys tab, verify that the settings displayed for the FIPS key that you just imported are correct.