FIPS card - How to tell if it has been initialised

We have some 8900 LTMs that have a FIPS card installed. Long story short is that we need to re-use these boxes in a non-FIPS mode. The boxes have never been put live but they are installed and on the network.

What we're not sure of is if a previous, now departed, staff member actually initialised the FIPS card or not. There does not appear to be an easy way to determine this (sho sys crypto fips key shows no keys in the FIPS card but that doesn't guarantee it hasn't been initialised).

Anybody know a way to check the initialisation state of a FIPS card (without activating it :) )?


Answers to this Question

USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER

I have some FIPS boxes and here's what I've found from testing. If you run 'fipsutil info' from the bash shell, there can be two results:

Uninitialized FIPS card will present an error like this:

fipsutil error (line 1159): Library Initialization : 0x05 : Undefined Error Code

Initialized FIPS card will display something like this:

Label:             F5FIPS
HSM Serial Number: xxxxxxx
Hardware ID:       0x0
Firmware Version:  4.7.1
Total FLASH:       14286412
Free FLASH:        14239436
Total SRAM:        16984736
Free SRAM:         16979488

As Kevin states though, keys don't have to be stored in the HSM even though it's initialized. You can create keys without putting them in the HSM. You can also move them to the HSM at a later point if you so choose.

Comments on this Answer
Comment made 23-May-2014 by Chris_FP 163
I ran the fipsutil info command on some other boxes and it didn't show the error code but the info. However, I know for a fact that the FIPS card wasn't initialised, as I put the boxes in and I specifically didn't initialise them - maybe they were done by F5 before shipping? My follow-up question is: does that mean that all SSL is being processed by the FIPS card, even though no cert/key is stored there, or is SSL still being processed by the dedicated [F5] SSL hardware?
Comment made 23-May-2014 by Cory 3580
I suppose it's possible as part of their testing before shipping the device that they initialized the FIPS HSM to ensure there were no hardware issues. Would make sense. We've had to RMA a couple of 6900s due to faulty FIPS HSMs. If you don't have the key stored in the FIPS HSM, then the key isn't protected according to NIST standards. You can still use FIPS approved encryption algorithms to build SSL connections without having the key stored in the HSM though.
Comment made 23-May-2014 by Chris_FP 163
Thanks Cory. It's not so much the "is it protected by FIPS", more the "which SSL 'engine' will be used to process SSL requests - the FIPS card or the F5 SSL card". It was my understanding that if the FIPS card is initialised then all SSL goes via the FIPS card and thus the SSL performance for an 8900 drops from 10,000 TPS to 4,000 TPS. This is the crucial bit as we're expecting around 6-7,000 TPS.
Comment made 23-May-2014 by Cory 3580
That's a good question Chris. I would expect that the HSM wouldn't be used unless the key is stored there. Perhaps someone in the community can confirm or deny.
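The accepted answer above reduces to one read-only check: run fipsutil info and look at which of the two outputs comes back. The script below is an added example, not code from the thread or from F5, that wraps that check so it can be run across a fleet of boxes from the bash shell. It only ever calls fipsutil info; it deliberately does not use fipsutil init or fipskey generate (the other two probes mentioned in this thread), because both of those change the card's state if it turns out to be uninitialized. The two sample outputs are constructed copies of the shapes shown in the answer, and the function names are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the thread): classify `fipsutil info` output as
# described in the accepted answer. Read-only on purpose: `fipsutil init`
# and `fipskey generate` both alter an uninitialized card, so they are
# never invoked here.

# Constructed sample outputs, copied in shape from the answer above.
UNINIT_SAMPLE='fipsutil error (line 1159): Library Initialization : 0x05 : Undefined Error Code'
INIT_SAMPLE='Label:             F5FIPS
HSM Serial Number: xxxxxxx
Hardware ID:       0x0
Firmware Version:  4.7.1
Total FLASH:       14286412
Free FLASH:        14239436
Total SRAM:        16984736
Free SRAM:         16979488'

# classify_fips_info: read `fipsutil info` output on stdin, print one word:
#   uninitialized - the "Library Initialization" error came back
#   initialized   - the info block with "HSM Serial Number:" came back
#   unknown       - anything else (e.g. v10, where `fipsutil info` itself
#                   fails, per a later answer in the thread)
classify_fips_info() {
    out=$(cat)
    case "$out" in
        *"Library Initialization"*) echo uninitialized ;;
        *"HSM Serial Number:"*)     echo initialized ;;
        *)                          echo unknown ;;
    esac
}

# check_fips_card: on a box that has the utility, run `fipsutil info`,
# merge stderr into stdout (the error line may go to either) and classify.
# On any other host, say so instead of guessing.
check_fips_card() {
    if command -v fipsutil >/dev/null 2>&1; then
        fipsutil info 2>&1 | classify_fips_info
    else
        echo "fipsutil not found on this host"
    fi
}

# Self-check against the constructed samples (no FIPS card required).
printf '%s\n' "$UNINIT_SAMPLE" | classify_fips_info   # uninitialized
printf '%s\n' "$INIT_SAMPLE"   | classify_fips_info   # initialized
```

As Chris_FP's comment shows, "initialized" here means only that the HSM has been initialized by someone (possibly F5 before shipping); it says nothing about whether any key is stored in it or whether it is in the SSL path, which is Cory's point about keys not needing to live in the HSM.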

I would expect that the HSM wouldn't be used unless the key is stored there.

Cory is correct (this is correct).

By the way, fipsutil init will report an error if the card is already initialized.

e.g.

# tmsh

root@(B6900-R69-S5)(cfg-sync Standalone)(Active)(/Common)(tmos)# run util fips-util init
fipsutil error (line 1302): HSM already initialized

# fipsutil

[root@B6900-R69-S5:Active:Standalone] config # fipsutil init
fipsutil error (line 1302): HSM already initialized


To check the FIPS card in v10, I think the easiest would be to try a FIPS key generation. The below output will be seen for an uninitialized FIPS card:

# fipskey generate test-fips 2048        
Key generation failed: error 18 - ERR_HSM_NOT_INITIALIZED

While for an initialized FIPS card, the key generation will be successful, like so:

# fipskey generate test-fips 2048
PUBLIC: <hex value>
PRIVATE: <hex value>

There are a few fips* utilities in the shell. I don't have a FIPS platform in front of me to test now, but try fipscheck and fipsutil.

I'd also note that you shouldn't have to use FIPS if it was enabled. You can selectively use or not use the FIPS HSM to store private keys.


The above command works on a v11 box; on v10 the info command fails. Any other way to check if the FIPS card is initialized on a v10.2.x box 'without actually initializing it'?

Comments on this Answer
Comment made 5 months ago by LoyalSoldier 106

You can go into bash and type "fipscheck". I'm running 12.1.2 and mine gave me:

usage: fipscheck <paths-to-files>
fips mode is off