Product Documentation

Configuring FIPS Appliances in a High Availability Setup

Sep 01, 2016

You can configure two appliances in a high availability (HA) pair as FIPS appliances. For information about configuring an HA setup, see .

Note: Citrix recommends that you use the configuration utility (GUI) for this procedure. If you use the command line (CLI), make sure that you carefully follow the steps as listed in the procedure. Changing the order of steps or specifying an incorrect input file might cause inconsistency that requires that the appliance be restarted. In addition, if you use the CLI, the create ssl fipskey command is not propagated to the secondary node. When you execute the command with the same input values for modulus size and exponent on two different FIPS appliances, the keys generated are not identical. You have to create the FIPS key on one of the nodes and then transfer it to the other node. But if you use the configuration utility to configure FIPS appliances in an HA setup, the FIPS key that you create is automatically transferred to the secondary node. The process of managing and transferring the FIPS keys is known as secure information management (SIM).
Important: On the MPX 9700/10500/12500/15500 FIPS appliances, the HA setup should be completed within six minutes. If the process takes longer than six minutes, the internal timer of the FIPS card expires and the following error message appears:

ERROR: Operation timed out or repeated, please wait for 10 mins and redo the SIM/HA configuration steps.

If this message appears, restart the appliance or wait for 10 minutes, and then repeat the HA setup procedure.

In the following procedure, appliance A is the primary node and appliance B is the secondary node.

To configure FIPS appliances in a high availability setup by using the command line interface

  1. On appliance A, open an SSH connection to the appliance by using an SSH client, such as PuTTY.
  2. Log on to the appliance, using the administrator credentials.
  3. Initialize appliance A as the source appliance. At the command prompt, type:

    init ssl fipsSIMsource <certFile>

  4. Copy this <certFile> file to appliance B, in the /nconfig/ssl folder.
  5. On appliance B, open an SSH connection to the appliance by using an SSH client, such as PuTTY.
  6. Log on to the appliance, using the administrator credentials.
  7. Initialize appliance B as the target appliance. At the command prompt, type:

    init ssl fipsSIMtarget <certFile> <keyVector> <targetSecret>

  8. Copy this <targetSecret> file to appliance A.
  9. On appliance A, enable appliance A as the source appliance. At the command prompt, type:

    enable ssl fipsSIMSource <targetSecret> <sourceSecret>

  10. Copy this <sourceSecret> file to appliance B.
  11. On appliance B, enable appliance B as the target appliance. At the command prompt, type:

    enable ssl fipsSIMtarget <keyVector> <sourceSecret>

  12. On appliance A, create a FIPS key, as described in Creating a FIPS Key.
  13. Export the FIPS key to the appliance’s hard disk, as described in Exporting a FIPS Key.
  14. Copy the FIPS key to the hard disk of the secondary appliance by using a secure file transfer utility, such as SCP.
  15. On appliance B, import the FIPS key from the hard disk into the HSM of the appliance, as described in Importing an Existing FIPS Key.

To configure FIPS appliances in a high availability setup by using the configuration utility

  1. On the appliance to be configured as the source appliance, navigate to Traffic Management > SSL > FIPS.
  2. In the details pane, on the FIPS Info tab, click Enable SIM.
  3. In the Enable HA Pair for SIM dialog box, in the Certificate File Name text box, type the file name, with the path to the location at which the FIPS certificate should be stored on the source appliance.
  4. In the Key Vector File Name text box, type the file name, with the path to the location at which the FIPS key vector should be stored on the source appliance.
  5. In the Target Secret File Name text box, type the location for storing the secret data on the target appliance.
  6. In the Source Secret File Name text box, type the location for storing the secret data on the source appliance.
  7. Click OK. The FIPS appliances are now configured in HA mode.
  8. Create a FIPS key, as described in Creating a FIPS Key. The FIPS key is automatically transferred from the primary to the secondary.

Example

In the following example, source.cert is the certificate on the source appliance, stored in the default directory, /nsconfig/ssl. This certificate must be transferred to the same location (/nsconfig/ssl) on the target appliance. The file target.secret is created on the target appliance and copied to the source appliance. The file source.secret is created on the source appliance and copied to the target appliance.

On the source appliance
 
 init fipsSIMsource /nsconfig/ssl/source.cert 
On the target appliance
 
 init fipsSIMtarget /nsconfig/ssl/source.cert /nsconfig/ssl/target.key /nsconfig/ssl/target.secret 
On the source appliance
 
 enable fipsSIMsource /nsconfig/ssl/target.secret /nsconfig/ssl/source.secret 
On the target appliance
 
 enable fipsSIMtarget /nsconfig/ssl/target.key /nsconfig/ssl/source.secret 
On the source appliance
 
 create ssl fipskey fips1 -modulus 2048 -exponent f4 
 export fipskey fips1 -key /nsconfig/ssl/fips1.key 

Copy this key into the hard disk of the target appliance.

On the target appliance
 
 import fipskey fips1 -key /nsconfig/ssl/fips1.key 

The following diagram summarizes the transfer process.

Figure 1. Transferring the FIPS Key-Summary