Configuring the MPX 14000 FIPS Appliance

Dec 20, 2017

Important

Configuration steps for NetScaler MPX 14000 FIPS and NetScaler MPX 9700/10500/12500/15500 FIPS appliances are different. 

A FIPS appliance is equipped with a tamper-proof (tamper-evident) cryptographic module—a Cavium CNN3560-NFBE-G—designed to comply with the FIPS 140-2 Level 3 specifications (from release 12.0 build 56.x). The Critical Security Parameters (CSPs), primarily the server's private key, are generated and securely stored inside the cryptographic module, also referred to as the Hardware Security Module (HSM). The CSPs are never accessible outside the boundary of the HSM. Only the superuser (nsroot) can perform operations on the keys stored inside the HSM.

Before configuring a FIPS appliance, you must check the state of the FIPS card and then initialize the card. Create a FIPS key and server certificate, and add any additional SSL configuration. 

For information about the FIPS ciphers supported, see FIPS Approved Algorithms and Ciphers. The cipher/protocol matrix is available here.

For information about configuring FIPS appliances in a high availability setup, see Configuring FIPS Appliances in a High Availability Setup.

Limitations

  1. SSL renegotiation using the SSLv3 protocol is not supported on the back end of an MPX FIPS appliance.
  2. 1024-bit and 4096-bit keys, and a public exponent value of 3, are not supported.
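As an added pre-check (example code, not part of this document or of the NetScaler product), the following validates an RSA public key in PKCS#1 DER form against the two key limitations above before the key or its certificate is brought onto the appliance. The function names are mine; the DER encoder exists only to build the constructed sample inputs, and a PEM envelope would need to be base64-decoded first.

```python
def _der_len(n):
    """DER length: short form below 0x80, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b

def _der_int(v):
    """DER INTEGER, zero-padded when the top bit would read as a sign bit."""
    b = v.to_bytes(max(1, (v.bit_length() + 7) // 8), "big")
    if b[0] & 0x80:
        b = b"\x00" + b
    return b"\x02" + _der_len(len(b)) + b

def encode_rsa_public_key(n, e):
    """PKCS#1 RSAPublicKey ::= SEQUENCE { modulus, publicExponent }; builds the samples."""
    body = _der_int(n) + _der_int(e)
    return b"\x30" + _der_len(len(body)) + body

def _read_tlv(buf, pos):  # (tag, value, next_pos) of the DER element at pos
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length: low bits give the byte count
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length

def decode_rsa_public_key(der):  # parse PKCS#1 RSAPublicKey -> (modulus, exponent)
    tag, seq, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE (expected PKCS#1 RSAPublicKey)")
    tag_n, n_bytes, pos = _read_tlv(seq, 0)
    tag_e, e_bytes, _ = _read_tlv(seq, pos)
    if tag_n != 0x02 or tag_e != 0x02:
        raise ValueError("RSAPublicKey fields must be INTEGERs")
    return int.from_bytes(n_bytes, "big"), int.from_bytes(e_bytes, "big")

def check_fips_key(der):
    """Return (modulus_bits, exponent, problems) against the limitations listed above."""
    n, e = decode_rsa_public_key(der)
    bits, problems = n.bit_length(), []
    if bits in (1024, 4096):
        problems.append(f"{bits}-bit modulus is not supported on the MPX FIPS appliance")
    if e == 3:
        problems.append("public exponent 3 is not supported; use F4 (65537)")
    return bits, e, problems
# Constructed sample keys: arbitrary odd moduli, NOT real key material.
GOOD_KEY = encode_rsa_public_key((1 << 2047) | 1, 65537)  # 2048-bit, F4
BAD_KEY = encode_rsa_public_key((1 << 4095) | 1, 3)       # 4096-bit, exponent 3
```

`check_fips_key(GOOD_KEY)` returns an empty problem list, while `check_fips_key(BAD_KEY)` reports both the 4096-bit modulus and the exponent of 3.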