Update the firmware to version 2.2 on a FIPS card

FIPS firmware version 2.2 supports TLS protocol versions 1.1 and 1.2. From the command line, you can update the firmware version of the FIPS card of a NetScaler MPX 9700/10500/12500/15500 FIPS appliance from version 1.1 to version 2.2.

For successful SIM key propagation from primary to secondary in a high availability (HA) pair, the Cavium firmware version on each appliance should be identical. Perform the firmware update on the secondary appliance first. If executed on the primary appliance first, the long-running update process causes a failover.

Limitations

  • Secure renegotiation is supported only on SSL virtual servers and front-end SSL services.
  • Creating a certificate signing request by using a key that was created on firmware version 1.1 and updated to firmware version 2.2 fails.
  • You cannot create a 1024-bit RSA key on firmware version 2.2. However, if you have imported or created a 1024-bit FIPS key on firmware version 1.1 and you then update to firmware version 2.2, you can use that FIPS key on firmware version 2.2.
  • 1024-bit RSA keys are not supported.
  • Secure renegotiation using SSLv3 protocol is not supported.
  • After you upgrade the firmware, TLSv1.1 and TLSv1.2 are disabled by default on existing SSL virtual servers and on internal, front-end, and back-end SSL services. To use TLS 1.1/1.2, you must explicitly enable these protocols on the SSL entities after the upgrade.
  • FIPS keys that are created in firmware version 2.2 are not available if you downgrade the firmware to version 1.1.

Prerequisites

Download the following files from the download page on www.citrix.com. The files must be stored in the /var/nsinstall directory on the appliance.

  • FW 2.2 File: FW-2.2-130013
  • FW 2.2 Signature File: FW-2.2-130013.sign

FW-2.2-130013 is the recommended firmware version. It includes fixes that improve the DRBG (deterministic random bit generator).

Update the FIPS firmware to version 2.2 on a standalone appliance

  1. Log on to the appliance by using the administrator credentials.

  2. At the prompt, type the following command to confirm that the FIPS card is initialized.

    show fips
    
    FIPS HSM Info:
    HSM Label       : NetScaler FIPS
    Initialization      : FIPS-140-2 Level-2
    HSM Serial Number   : 3.0G1235-ICM000264
    HSM State       : 2
    HSM Model       : NITROX XL CN1620-NFBE
    
    Hardware Version    : 2.0-G
    Firmware Version    : 1.1
    Firmware Release Date   : Jun04,2010
    
    Max FIPS Key Memory : 3996
    Free FIPS Key Memory    : 3992
    Total SRAM Memory   : 467348
    Free SRAM Memory    : 62512
    Total Crypto Cores  : 3
    Enabled Crypto Cores    : 1
    Done
    
  3. Save the configuration. At the prompt, type:

    save config
    
  4. Perform the update. At the prompt, type:

    update ssl fips -fipsFW <path to the extracted contents>/CN16XX-NFBE-FW-2.2-1300013
    

    Press Y when the following prompt appears:

    This command will update compatible version of the FIPS firmware.  You must save the current configuration (saveconfig) before executing this command. You must reboot the system after execution of this command, for the firmware update to take effect. Do you want to continue?(Y/N)Y
    
    Done
    

Note: You need to specify only the firmware file, because the firmware signature file is located in the same directory.

The update takes up to ten seconds. The update command is blocking: no other actions are executed until it finishes, and the command prompt reappears only when the command has completed.

  5. Restart the appliance. At the prompt, type:

    reboot
    
    Are you sure you want to restart NetScaler (Y/N)? [N]:Y
    
  6. Verify that the update is successful. At the prompt, type:

    show fips
    

    The firmware version displayed in the output should be 2.2. For example:

    sh fips
    FIPS HSM Info:
    HSM Label       : NetScaler FIPS
    Initialization      : FIPS-140-2 Level-2
    HSM Serial Number   : 2.1G1207-IC002429
    HSM State       : 2
    HSM Model       : NITROX XL CN1620-NFBE
    
    Hardware Version    : 2.0-G
    Firmware Version    : 2.2
    Firmware Build      : NFBE-FW-2.2-130013
    Max FIPS Key Memory : 3996
    Free FIPS Key Memory    : 3982
    Total SRAM Memory   : 467348
    Free SRAM Memory    : 50472
    Total Crypto Cores  : 3
    Enabled Crypto Cores    : 1
    Done
    
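The following shell script is an added example, not part of the Citrix documentation or the appliance software. It parses captured show fips output to confirm that the card is initialized and reports the expected firmware version and build after the verification step, compares two nodes' captured outputs for the HA prerequisite (identical Cavium firmware), and checks that the firmware file and its .sign file sit in the same directory. It assumes the show fips output has been captured to the host running the script; the sample outputs are constructed from this page.

```shell
#!/bin/sh
# Added example (not Citrix's code): post-update checks for the procedure above, run
# against captured "show fips" output. The sample outputs are constructed from the page.
EXPECTED_FW_VERSION="2.2"
EXPECTED_FW_BUILD="NFBE-FW-2.2-130013"   # recommended build, see Prerequisites

# fips_field NAME: print the value of the first "NAME : value" line read from stdin
fips_field() {
    sed -n "s/^[[:space:]]*$1[[:space:]]*:[[:space:]]*//p" | head -n 1
}

# fips_check: read "show fips" output from stdin; succeed only if the card is
# initialized and reports the expected firmware version and build.
fips_check() {
    out=$(cat)
    init=$(printf '%s\n' "$out" | fips_field "Initialization")
    ver=$(printf '%s\n' "$out" | fips_field "Firmware Version")
    build=$(printf '%s\n' "$out" | fips_field "Firmware Build")
    [ "$init" = "FIPS-140-2 Level-2" ] || { echo "FAIL: card not initialized"; return 1; }
    [ "$ver" = "$EXPECTED_FW_VERSION" ] || { echo "FAIL: firmware $ver, expected $EXPECTED_FW_VERSION"; return 1; }
    [ "$build" = "$EXPECTED_FW_BUILD" ] || { echo "FAIL: build '$build', expected $EXPECTED_FW_BUILD"; return 1; }
    echo "OK: firmware $ver ($build)"
}

# ha_versions_match FILE_A FILE_B: SIM key propagation in an HA pair needs identical
# Cavium firmware on both nodes, so compare the two captured outputs after both updates.
ha_versions_match() {
    a=$(fips_field "Firmware Version" < "$1")
    b=$(fips_field "Firmware Version" < "$2")
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# prereqs_present DIR: the firmware file and its .sign file must be in the same directory
prereqs_present() {
    [ -f "$1/FW-2.2-130013" ] && [ -f "$1/FW-2.2-130013.sign" ]
}

# Constructed samples: abbreviated "before" and "after" outputs from the page.
SAMPLE_BEFORE="FIPS HSM Info:
HSM Label       : NetScaler FIPS
Initialization      : FIPS-140-2 Level-2
Firmware Version    : 1.1
Done"
SAMPLE_AFTER="FIPS HSM Info:
    Initialization      : FIPS-140-2 Level-2
    Firmware Version    : 2.2
    Firmware Build         : NFBE-FW-2.2-130013
Done"
printf '%s\n' "$SAMPLE_BEFORE" | fips_check || true   # FAIL: firmware 1.1, expected 2.2
printf '%s\n' "$SAMPLE_AFTER" | fips_check            # OK: firmware 2.2 (NFBE-FW-2.2-130013)
```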

Update the FIPS firmware to version 2.2 on appliances in a high availability pair

  1. Log on to the secondary node and perform the update as described in “Update the FIPS firmware to version 2.2 on a standalone appliance”.

  2. Force the secondary node to become primary. At the prompt, type:

    force failover
    

    Press Y at the confirmation prompt.

  3. Log on to the new secondary node (old primary) and perform the update as described in “Update the FIPS firmware to version 2.2 on a standalone appliance”.

  4. Force the new secondary node to become primary again. At the prompt, type:

    force failover
    

    Press Y at the confirmation prompt.

Update the FIPS firmware to version 1.1 on a standalone appliance

  1. From the download page on www.citrix.com, download the nfb_firmware-r1235_100604 and nfb_firmware-r1235_100604.sign files to the same directory on the appliance.

  2. Log on to the appliance by using the administrator credentials.

  3. At the prompt, type:

    update ssl fips -fipsFW /<full path to the file>/nfb_firmware-r1235_100604