Updating the Firmware to Version 2.2 on a FIPS Card

Feb 01, 2016

FIPS firmware version 2.2 supports TLS protocol versions 1.1 and 1.2. From the command line, you can update the firmware version of the FIPS card of a NetScaler MPX 9700/10500/12500/15500 FIPS appliance from version 1.1 to version 2.2.

For successful SIM key propagation from primary to secondary in a high availability (HA) pair, the Cavium firmware version on each appliance should be identical. Perform the firmware update on the secondary appliance first. If executed on the primary appliance first, the long-running update process causes a failover.

Limitations

  • Secure renegotiation is supported only on SSL virtual servers and front-end SSL services.
  • Creating a certificate signing request by using a key that was created on firmware version 1.1 and updated to firmware version 2.2 fails.
  • You cannot create a 1024-bit RSA key on firmware version 2.2. However, if you have imported or created a 1024-bit FIPS key on firmware version 1.1 and you then update to firmware version 2.2, you can use that FIPS key on firmware version 2.2.
  • 1024-bit RSA keys are not supported.
  • Secure renegotiation using SSLv3 protocol is not supported.
  • After you upgrade the firmware, TLSv1.1 and TLSv1.2 are disabled by default on the existing virtual servers and on the internal, front-end, and back-end services. To use TLS 1.1/1.2, you must explicitly enable these protocols on the SSL entities after the upgrade.
  • FIPS keys that are created in firmware version 2.2 are not available if you downgrade the firmware to version 1.1.

Prerequisites

  1. Download the CN16XX-FW-2.2.tar tarball from the download page on www.citrix.com.
  2. Extract the contents. For example: tar -xvf CN16XX-FW-2.2.tar
    After extraction, a folder CN16XX-FW-2.2 is created containing the following two files:
    • FW 2.2 File: CN16XX-NFBE-FW-2.2-130009
    • FW 2.2 Signature File: CN16XX-NFBE-FW-2.2-130009.sign
    Note: To verify that the files are extracted correctly, run md5 on both files and make sure that the output matches the following:
    • $ md5 CN16XX-NFBE-FW-2.2-130009
      MD5 (CN16XX-NFBE-FW-2.2-130009) = 0a773c3709c9fd280349c0a38dde445c
    • $ md5 CN16XX-NFBE-FW-2.2-130009.sign
      MD5 (CN16XX-NFBE-FW-2.2-130009.sign) = 131388e39a347490db532da3b12cafa8

To update the FIPS firmware to version 2.2 on a standalone appliance

  1. Log on to the appliance by using the administrator credentials.
  2. At the prompt, type the following command to confirm that the FIPS card is initialized.

    show fips

    FIPS HSM Info: 
    		HSM Label		: NetScaler FIPS 
    		Initialization		: FIPS-140-2 Level-2 
    		HSM Serial Number	: 3.0G1235-ICM000264 
    		HSM State		: 2 
    		HSM Model		: NITROX XL CN1620-NFBE 
     
    		Hardware Version	: 2.0-G 
    		Firmware Version	: 1.1 
    		Firmware Release Date	: Jun04,2010 
     
    		Max FIPS Key Memory	: 3996 
    		Free FIPS Key Memory	: 3992 
    		Total SRAM Memory	: 467348 
    		Free SRAM Memory	: 62512 
    		Total Crypto Cores	: 3 
    		Enabled Crypto Cores	: 1 
     	Done
  3. Save the configuration. At the prompt, type:

    save config

  4. Perform the update. At the prompt, type:

    update ssl fips -fipsFW <path to the extracted contents>/CN16XX-NFBE-FW-2.2-130009

    and press Y when the following prompt appears:
    This command will update compatible version of the FIPS firmware.  You must save the current configuration (saveconfig) before executing this command. You must reboot the system after execution of this command, for the firmware update to take effect. Do you want to continue?(Y/N)Y 
    Done 
    
    Note: You only need to specify the firmware file, because the firmware signature file is placed in the same location.

    The update takes up to ten seconds. The update command is blocking, which means that no other actions are executed until the command finishes. The command prompt reappears when execution of the command is completed.

  5. Restart the appliance. At the prompt, type:

    reboot

    Are you sure you want to restart NetScaler (Y/N)? [N]:Y
  6. Verify that the update is successful. At the prompt, type:

    show fips

    The firmware version displayed in the output should be 2.2. For example:
    > sh fips 
    	FIPS HSM Info: 
    		HSM Label		: NetScaler FIPS 
    		Initialization		: FIPS-140-2 Level-2 
    		HSM Serial Number	: 2.1G1207-IC002429 
    		HSM State		: 2 
    		HSM Model		: NITROX XL CN1620-NFBE 
     
    		Hardware Version	: 2.0-G 
    		Firmware Version	: 2.2 
    		Firmware Build 	: NFBE-FW-2.2-130009 
    		Max FIPS Key Memory	: 3996 
    		Free FIPS Key Memory	: 3982 
    		Total SRAM Memory	: 467348 
    		Free SRAM Memory	: 50472 
    		Total Crypto Cores	: 3 
    		Enabled Crypto Cores	: 1 
     Done
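The following shell helper is an added example and is not part of the Citrix documentation or the appliance software. It scripts the two checks the procedure above relies on: comparing the extracted firmware files against the MD5 values listed under Prerequisites, and reading the Firmware Version field out of saved `show fips` output before and after the update. It assumes md5sum (Linux) or md5 (FreeBSD, as on the appliance shell) is on PATH; the MD5 comparison only detects an incomplete or corrupted extraction, it is not an authenticity check.

```shell
#!/bin/sh
# Added example (not Citrix code): pre-flight and post-update checks for the
# FIPS firmware 2.2 update. Assumes md5sum or md5 is available on PATH.

# Expected digests, as listed in the Prerequisites section of the document.
EXPECTED_FW_MD5="0a773c3709c9fd280349c0a38dde445c"
EXPECTED_SIGN_MD5="131388e39a347490db532da3b12cafa8"

# Print the MD5 digest of a file with whichever tool the host provides.
md5_of() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | awk '{print $1}'
    else
        md5 -q "$1"
    fi
}

# verify_md5 FILE EXPECTED: exit status 0 only if the file exists and matches.
verify_md5() {
    [ -f "$1" ] || { echo "missing: $1" >&2; return 1; }
    actual=$(md5_of "$1")
    if [ "$actual" = "$2" ]; then
        echo "ok: $1"
    else
        echo "MISMATCH: $1 (got $actual, expected $2)" >&2
        return 1
    fi
}

# verify_firmware_dir DIR: check both files of the extracted CN16XX-FW-2.2 tarball.
verify_firmware_dir() {
    verify_md5 "$1/CN16XX-NFBE-FW-2.2-130009" "$EXPECTED_FW_MD5" &&
    verify_md5 "$1/CN16XX-NFBE-FW-2.2-130009.sign" "$EXPECTED_SIGN_MD5"
}

# fips_fw_version: read `show fips` output on stdin, print the Firmware Version
# value with the surrounding tabs and spaces stripped (e.g. "1.1" or "2.2").
fips_fw_version() {
    awk -F':' '/Firmware Version/ { v=$2; gsub(/^[ \t]+|[ \t\r]+$/, "", v); print v }'
}

# check_fw_version EXPECTED: exit status 0 if the saved `show fips` output on
# stdin reports EXPECTED, so a script can refuse to continue on a mismatch.
check_fw_version() {
    v=$(fips_fw_version)
    [ "$v" = "$1" ]
}

# Typical use, with the tarball extracted under /var/tmp (path is an assumption):
#   verify_firmware_dir /var/tmp/CN16XX-FW-2.2 || exit 1
#   check_fw_version 2.2 < show_fips_after_reboot.txt || echo "update not applied" >&2
```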

To update the FIPS firmware to version 2.2 on appliances in a high availability pair

  1. Log on to the secondary node and perform the update as described in To update the FIPS firmware to version 2.2 on a standalone appliance.

    Force the secondary node to become primary. At the prompt, type:

    force failover

    and press Y at the confirmation prompt.

  2. Log on to the new secondary node (the old primary) and perform the update as described in To update the FIPS firmware to version 2.2 on a standalone appliance.
  3. Force the new secondary node to become primary again. At the prompt, type:

    force failover

    and press Y at the confirmation prompt.

To update the FIPS firmware to version 1.1 on a standalone appliance

  1. Download the nfb_firmware-r1235_100604 and nfb_firmware-r1235_100604.sign files from the download page on www.citrix.com to the same directory on the appliance.

  2. Log on to the appliance by using the administrator credentials.

  3. At the prompt, type:

    update ssl fips -fipsFW /<full path to the file>/nfb_firmware-r1235_100604