Product Documentation

Configuring the HSM

May 07, 2015

Before you can configure the HSM of your NetScaler FIPS appliance, you must complete the initial hardware configuration. For more information, see .

Configuring the HSM of your NetScaler FIPS appliance erases all existing data on the HSM. To configure the HSM, you must be logged on to the appliance as the superuser (nsroot account). The HSM is preconfigured with default values for the Security Officer (SO) password and User password, which you use to configure the HSM or reset a locked HSM. The maximum length allowed for the password is 14 alphanumeric characters. Symbols are not allowed.

Important: Do not perform the set ssl fips command without first resetting the FIPS card and restarting the MPX FIPS appliance.

Although the FIPS appliance can be used with the default password values, you should modify them before using it. The HSM can be configured only when you log on to the appliance as the superuser and specify the SO and User passwords.

Important: Due to security constraints, the appliance does not provide a means for retrieving the SO password. Store a copy of the password safely. Should you need to reinitialize the HSM, you will need to specify this password as the old SO password.

Before initializing the HSM, you can upgrade to the latest build of the software. To upgrade to the latest build, see Upgrading or Downgrading the System Software.

After upgrading, verify that the /nsconfig/fips directory has been successfully created on the appliance.

To configure the HSM on an MPX 9700/10500/12500/15500 FIPS appliance by using the command line interface

After logging on to the appliance as the superuser and completing the initial configuration, at the command prompt, type the following commands to configure the HSM and verify the configuration:

  1. show ssl fips
  2. reset ssl fips
  3. reboot
  4. set ssl fips -initHSM Level-2 <newSOpassword> <oldSOpassword> <userPassword> [-hsmLabel <string>]
  5. save ns config
  6. reboot
  7. show ssl fips

Example

show fips
FIPS Card is not configured
Done
reset fips
reboot
Are you sure you want to restart NetScaler (Y/N)? [N]:y
set ssl fips -initHSM Level-2 sopin12345 so12345 user123 -hsmLabel cavium
This command will erase all data on the FIPS card. You must save the configuration
(saveconfig) after executing this command.

Do you want to continue?(Y/N)y
Done
save ns config
reboot
Are you sure you want to restart NetScaler (Y/N)? [N]:y
show fips
FIPS HSM Info:
HSM Label              : NetScaler FIPS
Initialization         : FIPS-140-2 Level-2
HSM Serial Number      : 2.1G1008-IC000021
HSM State              : 2
HSM Model              : NITROX XL CN1620-NFBE
Firmware Version       : 1.1
Firmware Release Date  : Jun04,2010

Max FIPS Key Memory    : 3996
Free FIPS Key Memory   : 3994
Total SRAM Memory      : 467348
Free SRAM Memory       : 62564
Total Crypto Cores     : 3
Enabled Crypto Cores   : 1
Done
Note: If you upgrade the firmware to version 2.2, the firmware release date is replaced with the firmware build.

> show fips
FIPS HSM Info:
HSM Label              : NetScaler FIPS
Initialization         : FIPS-140-2 Level-2
HSM Serial Number      : 3.0G1235-ICM000264
HSM State              : 2
HSM Model              : NITROX XL CN1620-NFBE
Hardware Version       : 2.0-G
Firmware Version       : 2.2
Firmware Build         : NFBE-FW-2.2-130009

Max FIPS Key Memory    : 3996
Free FIPS Key Memory   : 3958
Total SRAM Memory      : 467348
Free SRAM Memory       : 50524
Total Crypto Cores     : 3
Enabled Crypto Cores   : 3
Done
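The following Python helper is an added example, not part of this documentation or of the NetScaler software. It applies the password rule stated above (at most 14 alphanumeric characters, no symbols) before you type set ssl fips -initHSM, and parses a show ssl fips transcript to confirm that the HSM reports Level-2 initialization under the label you requested; the sample transcript is constructed, with placeholder serial and build values, and reuses the label cavium from the example.

```python
import re

# Constructed sample of `show ssl fips` output after initialisation, modelled
# on the transcript in this page; serial and build values are placeholders.
SAMPLE_SHOW_FIPS = """\
FIPS HSM Info:
HSM Label              : cavium
Initialization         : FIPS-140-2 Level-2
HSM Serial Number      : PLACEHOLDER-SERIAL
HSM State              : 2
HSM Model              : NITROX XL CN1620-NFBE
Firmware Version       : 2.2
Firmware Build         : PLACEHOLDER-BUILD
Max FIPS Key Memory    : 3996
Free FIPS Key Memory   : 3994
Total Crypto Cores     : 3
Enabled Crypto Cores   : 3
Done
"""

PASSWORD_MAX_LEN = 14  # page rule: at most 14 alphanumeric characters, no symbols


def valid_hsm_password(pw: str) -> bool:
    """Pre-flight check for the SO/User passwords passed to set ssl fips -initHSM."""
    return 1 <= len(pw) <= PASSWORD_MAX_LEN and pw.isascii() and pw.isalnum()


def parse_show_fips(text: str) -> dict:
    """Collect the 'Key : Value' lines of show ssl fips output into a dict."""
    info = {}
    for line in text.splitlines():
        m = re.match(r"^\s*([A-Za-z][A-Za-z ]*?)\s*:\s*(.*?)\s*$", line)
        if m:
            info[m.group(1)] = m.group(2)
    return info


def hsm_checks(text: str, expected_label: str) -> list:
    """Return findings for a show ssl fips transcript; an empty list means the
    HSM reports Level-2 initialisation under the label that was requested."""
    if "FIPS Card is not configured" in text:
        return ["HSM is not configured: run reset ssl fips, reboot, set ssl fips -initHSM"]
    info = parse_show_fips(text)
    findings = []
    if info.get("Initialization") != "FIPS-140-2 Level-2":
        findings.append(f"unexpected Initialization: {info.get('Initialization')!r}")
    if info.get("HSM Label") != expected_label:
        findings.append(f"HSM Label {info.get('HSM Label')!r} != {expected_label!r}")
    return findings
```

Paste the real show ssl fips output into hsm_checks() after the second reboot; an empty result corresponds to step 7 of the procedure succeeding.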

To configure the HSM on an MPX 9700/10500/12500/15500 FIPS appliance by using the configuration utility

  1. Navigate to Traffic Management > SSL > FIPS.
  2. In the details pane, on the FIPS Info tab, click Reset FIPS.
  3. In the navigation pane, click System.
  4. In the details pane, click Reboot.
  5. In the details pane, on the FIPS Info tab, click Initialize HSM.
  6. In the Initialize HSM dialog box, specify values for the following parameters:
    • Security Officer (SO) Password*—new SO password
    • Old SO Password*—old SO password
    • User Password*—user password
    • Level—initHSM (Currently set to Level2 and cannot be changed)
    • HSM Label—hsmLabel

    *A required parameter

  7. Click OK.
  8. In the details pane, click Save.
  9. In the navigation pane, click System.
  10. In the details pane, click Reboot.
  11. Under FIPS HSM Info, verify that the information displayed for the FIPS HSM that you just configured is correct.