How to Set Up SIM on a FIPS-Enabled NetScaler Appliance

Article ID: CTX118684

Description

On a NetScaler appliance, the SIM is used to manage FIPS keys between two FIPS-enabled NetScaler appliances in a high availability pair, or between the Hardware Security Module (HSM) and external private keys. In a high availability setup, FIPS key commands are not propagated to the secondary appliance: you must create the FIPS key on the primary appliance and then copy it to the secondary appliance.

The SIM transfers FIPS keys securely using a public-private key pair that is present on both appliances. To prepare a high availability pair for the SIM, you first initialize and then enable it on both appliances. The procedure in this article applies to all models of FIPS-enabled appliances and to the currently supported version of the operating system.

The following diagram displays a graphical overview of the procedure:

[Diagram: graphical overview of the SIM setup procedure (image not reproduced)]


Instructions

To set up SIM on a FIPS-enabled NetScaler appliance, complete the following procedures:

  1. Initializing the SIM
  2. Enabling the SIM

Initializing the SIM

To initialize the SIM, complete the following procedure:

  1. On the primary NetScaler appliance, run the following command to initialize the SIM:
    Primary> init fipsSIMsource /nsconfig/ssl/source.cert

  2. Run the following command to copy the source.cert file to the /nsconfig/ssl directory of the secondary appliance:
    scp /nsconfig/ssl/source.cert nsroot@<IP_Address_of_Secondary_Appliance>:/nsconfig/ssl/

  3. On the secondary appliance, run the following command to initialize the SIM:
    Secondary> init fipsSIMtarget /nsconfig/ssl/source.cert /nsconfig/ssl/target.key /nsconfig/ssl/target.secret

  4. Run the following command to copy the target.secret file to the /nsconfig/ssl directory of the primary appliance:
    scp /nsconfig/ssl/target.secret nsroot@<IP_Address_of_Primary_Appliance>:/nsconfig/ssl/

Enabling the SIM

To enable the SIM, complete the following procedure:

  1. On the primary appliance, run the following command to enable the SIM:
    Primary> enable fipsSIMsource /nsconfig/ssl/target.secret /nsconfig/ssl/source.secret

  2. Run the following command to copy the source.secret file to the /nsconfig/ssl directory of the secondary appliance:
    scp /nsconfig/ssl/source.secret nsroot@<IP_Address_of_Secondary_Appliance>:/nsconfig/ssl/

  3. On the secondary appliance, run the following command to enable the SIM:
    Secondary> enable fipsSIMtarget /nsconfig/ssl/target.key /nsconfig/ssl/source.secret

After completing the preceding procedures, you can import and export the FIPS keys between the primary and secondary appliances.
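The two procedures above as one checked sequence driven from an administrator's workstation, added here as an example and not Citrix's own tooling. It assumes both NSIPs accept key-based SSH as nsroot, that the NetScaler CLI executes a command passed on the ssh command line and that `shell ls` runs from the CLI; the helper names `ns_cmd`, `ns_copy`, `ns_has`, `require` and `sim_setup` are hypothetical.

```shell
#!/bin/sh
# Added example, not Citrix tooling: drives the article's SIM init/enable
# sequence from an admin host over SSH and checks that each step produced or
# delivered its file before the next one runs. Assumed: both NSIPs accept
# key-based SSH as nsroot and the NetScaler CLI runs a command passed to ssh.
set -eu

SSL_DIR=/nsconfig/ssl

# ns_cmd HOST CMD: run one NetScaler CLI command on an appliance.
ns_cmd() { ssh "nsroot@$1" "$2"; }

# ns_copy SRC_HOST DST_HOST FILE: appliance-to-appliance scp of one artifact,
# the same copy the article's scp steps perform by hand.
ns_copy() { ssh "nsroot@$1" "scp $SSL_DIR/$3 nsroot@$2:$SSL_DIR/"; }

# ns_has HOST FILE: succeed only if the artifact exists on that appliance
# (assumes 'shell <cmd>' runs a BSD shell command from the NetScaler CLI).
ns_has() { ssh "nsroot@$1" "shell ls $SSL_DIR/$2" >/dev/null 2>&1; }

# require HOST FILE STEP: fail loudly if a step did not leave FILE on HOST.
require() {
    ns_has "$1" "$2" || { echo "step $3: $2 missing on $1" >&2; return 1; }
}

# sim_setup PRIMARY SECONDARY: the article's seven steps in order, each one
# gated on the artifact the previous step must have produced or copied.
sim_setup() {
    p=$1; s=$2
    ns_cmd "$p" "init fipsSIMsource $SSL_DIR/source.cert" &&
    require "$p" source.cert 1 &&
    ns_copy "$p" "$s" source.cert &&
    require "$s" source.cert 2 &&
    ns_cmd "$s" "init fipsSIMtarget $SSL_DIR/source.cert $SSL_DIR/target.key $SSL_DIR/target.secret" &&
    require "$s" target.key 3 && require "$s" target.secret 3 &&
    ns_copy "$s" "$p" target.secret &&
    require "$p" target.secret 4 &&
    ns_cmd "$p" "enable fipsSIMsource $SSL_DIR/target.secret $SSL_DIR/source.secret" &&
    require "$p" source.secret 5 &&
    ns_copy "$p" "$s" source.secret &&
    require "$s" source.secret 6 &&
    ns_cmd "$s" "enable fipsSIMtarget $SSL_DIR/target.key $SSL_DIR/source.secret" &&
    echo "SIM initialized and enabled between $p and $s"
}

# Usage: sh this_script.sh <primary NSIP> <secondary NSIP>
if [ "$#" -eq 2 ]; then sim_setup "$1" "$2"; fi
```

Because every step is gated on the file it should have left behind, a failed `init` or a copy that landed in the wrong directory stops the sequence at that step instead of leaving the pair half-enabled.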

Issue/Introduction

This article contains information about setting up the Secure Information Management (SIM) on a Federal Information Processing System (FIPS) enabled NetScaler appliance.