In NetScaler 12.0
In Citrix ADC
In All products
Product Documentation
In NetScaler 12.0
In Citrix ADC
In All products
NetScaler 12.0 NetScaler 11.1 NetScaler 11.0 NetScaler 10.5 NetScaler 10.1 NetScaler 10.0
View PDF

Update the firmware to version 2.2 on a FIPS card

October 31, 2018
Contributed by:  S

FIPS firmware version 2.2 supports TLS protocol versions 1.1 and 1.2. From the command line, you can update the firmware version of the FIPS card of a NetScaler MPX 9700/10500/12500/15500 FIPS appliance from version 1.1 to version 2.2.

For successful SIM key propagation from primary to secondary in a high availability (HA) pair, the Cavium firmware version on each appliance should be identical. Perform the firmware update on the secondary appliance first. If executed on the primary appliance first, the long-running update process causes a failover.

Limitations

  • Secure renegotiation is supported only on SSL virtual servers and front-end SSL services.
  • Creating a certificate signing request by using a key that was created on firmware version 1.1 and updated to firmware version 2.2 fails.
  • You cannot create a 1024-bit RSA key on firmware version 2.2. However, if you have imported or created a 1024-bit FIPS key on firmware version 1.1 and you then update to firmware version 2.2, you can use that FIPS key on firmware version 2.2.
  • 1024-bit RSA keys are not supported.
  • Secure renegotiation using SSLv3 protocol is not supported.
  • After you upgrade the firmware, TLSv1.1 and TLSv1.2 are disabled by default on the existing virtual server, internal, front end, and backend services. To use TLS 1.1/1.2, you must explicitly enable these protocols, on the SSL entities, after the upgrade.
  • FIPS keys that are created in firmware version 2.2 are not available if you downgrade the firmware to version 1.1.

Prerequisites

Download the following files from the download page on www.citrix.com. The files must be stored in the /var/nsinstall directory on the appliance.

  • FW 2.2 File: FW-2.2-130013
  • FW 2.2 Signature File: FW-2.2-130013.sign

FW-2.2-130013 is the recommended firmware version. It includes fixes to improve DRBG.

Update the FIPS firmware to version 2.2 on a standalone appliance

  1. Log on to the appliance by using the administrator credentials.

  2. At the prompt, type the following command to confirm that the FIPS card is initialized.

    show fips

FIPS HSM Info:
HSM Label       : NetScaler FIPS
Initialization      : FIPS-140-2 Level-2
HSM Serial Number   : 3.0G1235-ICM000264
HSM State       : 2
HSM Model       : NITROX XL CN1620-NFBE

Hardware Version    : 2.0-G
Firmware Version    : 1.1
Firmware Release Date   : Jun04,2010

Max FIPS Key Memory : 3996
Free FIPS Key Memory    : 3992
Total SRAM Memory   : 467348
Free SRAM Memory    : 62512
Total Crypto Cores  : 3
Enabled Crypto Cores    : 1
Done

  3. Save the configuration. At the prompt, type:

    save config

  4. Perform the update. At the prompt, type:

    update ssl fips -fipsFW <path to the extracted contents>/CN16XX-NFBE-FW-2.2-1300013

    Press Y when the following prompt appears:

    This command will update compatible version of the FIPS firmware.  You must save the current configuration (saveconfig) before executing this command. You must reboot the system after execution of this command, for the firmware update to take effect. Do you want to continue?(Y/N)Y

Done

Note: You only need to specify the firmware file, because the firmware signature file is placed in the same location.

The update takes up to ten seconds. The update command is blocking, which means that no other actions are executed until the command finishes. The command prompt reappears when execution of the command is completed.

  1. Restart the appliance. At the prompt, type:

    reboot

Are you sure you want to restart NetScaler (Y/N)? [N]:Y

  2. Verify that the update is successful. At the prompt, type:

    show fips

    The firmware version displayed in the output should be 2.2. For example:

    sh fips
    FIPS HSM Info:
        HSM Label       : NetScaler FIPS
        Initialization      : FIPS-140-2 Level-2
        HSM Serial Number   : 2.1G1207-IC002429
        HSM State       : 2
        HSM Model       : NITROX XL CN1620-NFBE

        Hardware Version    : 2.0-G
        Firmware Version    : 2.2
        Firmware Build         : NFBE-FW-2.2-130013
        Max FIPS Key Memory : 3996
        Free FIPS Key Memory    : 3982
        Total SRAM Memory   : 467348
        Free SRAM Memory    : 50472
        Total Crypto Cores  : 3
        Enabled Crypto Cores    : 1
 Done

Update the FIPS firmware to version 2.2 on appliances in a high availability pair

  1. Log on to the secondary node and perform the update as described in [“Update the FIPS firmware to version 2.2 on a standalone appliance”.

    Force the secondary node to become primary. At the prompt, type:

    force failover

    Press Y at the confirmation prompt.

  2. Log on to the new secondary node (old primary) and perform the update as described in “Update the FIPS firmware to version 2.2 on a standalone appliance”.

  3. Force the new secondary node to become primary again. At the prompt, type:

    force failover

    Press Y at the confirmation prompt.

Update the FIPS firmware to version 1.1 on a standalone appliance

  1. Download the nfb_firmware-r1235_100604 and nfb_firmware-r1235_100604.sign files, to the same directory on the appliance, from the download page on www.citrix.com.

  2. Log on to the appliance by using the administrator credentials.

  3. At the prompt, type:

    update ssl fips -fipsFW /<full path to the file>/nfb_firmware-r1235_100604

Update the firmware to version 2.2 on a FIPS card

October 31, 2018
Contributed by:  S

In this article

Edit this article