
Support for a Hybrid FIPS Mode on the MPX/SDX 14000 FIPS Platform

May 18, 2017

Note

This feature is supported only on the new MPX/SDX 14000 FIPS platform containing one primary FIPS card and one or more secondary cards. It is not supported on a VPX platform or a platform containing only one type of hardware card.

On a FIPS platform, all encryption and decryption, asymmetric and symmetric, is performed on the FIPS card for security reasons. However, you can keep the asymmetric operations (which use the private key) on the FIPS card and offload the bulk symmetric encryption and decryption to another card without exposing your private keys.

The new MPX/SDX 14000 FIPS platform contains one primary card and one or more secondary cards. If you enable hybrid FIPS mode, pre-master secret decryption is performed on the primary card, because the private key is stored on that card, while the bulk symmetric encryption and decryption is offloaded to the secondary cards. This significantly increases bulk encryption throughput on an MPX/SDX 14000 FIPS platform compared with non-hybrid FIPS mode and with the existing MPX 9700/10500/12500/15000 FIPS platforms. Enabling hybrid FIPS mode also improves the SSL transactions per second on this platform.

Hybrid FIPS mode is disabled by default to meet strict certification requirements under which all cryptographic computation must be performed inside a FIPS-certified module. When hybrid mode is enabled, the symmetric operations and the session keys they use are handled on the secondary card, outside that module; only the private key and the asymmetric operations remain on the FIPS card. Enable hybrid mode only if your compliance requirement permits this, and you must enable it explicitly to offload the bulk encryption and decryption to the secondary card.

Note

On an SDX 14000 FIPS platform, you must first assign an SSL chip to the VPX instance before you enable the hybrid mode.

To enable hybrid FIPS mode by using the NetScaler CLI

At the command prompt, type:

set SSL parameter -hybridFIPSMode {ENABLED|DISABLED}

Arguments

hybridFIPSMode

When this mode is enabled, the system uses the additional (secondary) crypto hardware to accelerate symmetric crypto operations.

Possible values: ENABLED, DISABLED

Default value: DISABLED

Example

> set SSL parameter -hybridFIPSMode ENABLED
> show SSL parameter
Advanced SSL Parameters
-----------------------
. . . . . . . . . . . .
Hybrid FIPS Mode    : ENABLED
. . . . . . . . . . . .
Done
>

To enable hybrid FIPS mode by using the NetScaler GUI

  1. Navigate to Traffic Management > SSL.
  2. In the details pane, under Settings, click Change advanced SSL settings.
  3. In the Change Advanced SSL Settings dialog box, select Hybrid FIPS Mode.

Limitations

1. SSL renegotiation is not supported when hybrid FIPS mode is enabled.

2. On an SDX 14000 platform, the “stat ssl parameter” command does not display the correct utilization percentage for the secondary cards. It always shows 0.00% utilization, even while offload is in use, so this counter cannot be used to verify that hybrid mode is working on SDX. Sample output:

> stat ssl
SSL Summary

# SSL cards present                                1
# SSL cards UP                                     1
# Secondary SSL cards present                      4
# Secondary SSL cards UP                           4
SSL engine status                                  1
SSL sessions (Rate)                              963
Secondary card utilization (%)                   0.00
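The following is an added example, not code from this article or from Citrix. It shows how an auditor might check a fleet of appliances for hybrid FIPS mode by parsing the output of the "show ssl parameter" and "stat ssl" commands quoted above, covering both the enablement procedure and the SDX utilization limitation. The sample output it parses is constructed to match the transcripts on this page rather than captured from a real appliance, and the row format (a "Name : value" line for parameters, a label followed by a number for counters) is assumed from those transcripts. Collecting the output over SSH is left to the caller.

```python
import re

# Constructed sample output, modelled on the CLI transcripts in this article.
# It was not captured from a real appliance.
SHOW_SSL_PARAMETER_SAMPLE = """\
Advanced SSL Parameters
-----------------------
. . . . . . . . . . . .
Hybrid FIPS Mode    : ENABLED
. . . . . . . . . . . .
Done
"""

STAT_SSL_SAMPLE = """\
SSL Summary

# SSL cards present                                1
# SSL cards UP                                     1
# Secondary SSL cards present                      4
# Secondary SSL cards UP                           4
SSL engine status                                  1
SSL sessions (Rate)                            963
Secondary card utilization (%)                  0.00
"""

# Assumed row formats: "Name : value" for parameters, "label  <number>" for counters.
PARAM_ROW = re.compile(r"^\s*(.+?)\s*:\s*(\S.*?)\s*$")
STAT_ROW = re.compile(r"^\s*#?\s*(.+?)\s{2,}(-?\d+(?:\.\d+)?)\s*$")


def parse_show_ssl_parameter(text):
    """Return the 'Name : value' rows of 'show ssl parameter' as a dict."""
    params = {}
    for line in text.splitlines():
        m = PARAM_ROW.match(line)
        if m:
            params[m.group(1)] = m.group(2)
    return params


def parse_stat_ssl(text):
    """Return the counter rows of 'stat ssl' as a dict of numbers."""
    stats = {}
    for line in text.splitlines():
        m = STAT_ROW.match(line)
        if not m:
            continue
        label, value = m.group(1), m.group(2)
        stats[label] = float(value) if "." in value else int(value)
    return stats


def audit_hybrid_fips(params, stats, on_sdx, strict_fips):
    """Return a list of findings about hybrid FIPS mode.

    strict_fips: the deployment must keep all crypto inside the FIPS module,
                 so an ENABLED hybrid mode is itself a finding.
    on_sdx:      apply the SDX 14000 caveat that secondary utilization
                 always reads 0.00% and says nothing about real offload.
    """
    findings = []
    mode = params.get("Hybrid FIPS Mode", "DISABLED")
    if mode != "ENABLED":
        return findings
    if strict_fips:
        findings.append("hybrid FIPS mode is ENABLED: bulk symmetric crypto runs "
                        "on the secondary card, outside the FIPS module")
    present = stats.get("Secondary SSL cards present", 0)
    up = stats.get("Secondary SSL cards UP", 0)
    if present == 0:
        findings.append("hybrid FIPS mode needs at least one secondary card; none present")
    elif up < present:
        findings.append(f"{present - up} of {present} secondary cards are not UP")
    if on_sdx and stats.get("Secondary card utilization (%)") == 0.0:
        findings.append("secondary card utilization shows 0.00% on SDX 14000: "
                        "known display limitation, not proof that offload is idle")
    return findings


if __name__ == "__main__":
    p = parse_show_ssl_parameter(SHOW_SSL_PARAMETER_SAMPLE)
    s = parse_stat_ssl(STAT_SSL_SAMPLE)
    for f in audit_hybrid_fips(p, s, on_sdx=True, strict_fips=True):
        print("FINDING:", f)
```

The strict_fips flag encodes the policy decision from the text above: a site that needs every cryptographic operation inside the certified module should treat ENABLED as a violation, whereas a site that only needs the private key protected can run with hybrid mode and just confirm that its secondary cards are up.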