How to Set Up SIM on FIPS-Enabled NetScaler Appliances of Different Types

Article ID: CTX130199

Description

This article describes how to set up Secure Information Management (SIM) on FIPS (Federal Information Processing Standards) enabled NetScaler appliances of different types.

Background

SIM is used to manage FIPS keys between two FIPS-enabled appliances in a high availability setup, or between HSM devices. You use SIM to transfer FIPS keys securely. The transfer relies on public-private key pairs that are available on both appliances. You must set up SIM on both appliances of the high availability setup by first initializing SIM and then enabling it. Citrix recommends installing the same NetScaler software release on both appliances.

Note: Between two appliances that are not in a high availability setup, SIM can only be configured from the command line. On a FIPS-enabled NetScaler MPX appliance, the entire process takes no more than six minutes.

The following graphic depicts an overview of the entire process:

[Image: overview of the SIM setup process (not included in this copy)]

Instructions

WARNING: Before proceeding (or before restarting a SIM attempt), ensure that the following files are NOT present on either node (remove them if necessary):

/nsconfig/ssl/source.cert
/nsconfig/ssl/target.key
/nsconfig/ssl/target.secret
/nsconfig/ssl/source.secret


To set up SIM on FIPS-enabled NetScaler appliances of different types, complete the following procedure from the command line interface of the respective appliance:

  1. Run the following command to initialize SIM on the primary appliance:
    Primary> init fipsSIMsource /nsconfig/ssl/source.cert

  2. Run the following command to copy the source certificate to the secondary appliance:
    Primary> scp /nsconfig/ssl/source.cert nsroot@<Secondary_IP>:/nsconfig/ssl/

  3. Run the following command on the secondary appliance to initialize the SIM on it:
    Secondary> init fipsSIMtarget /nsconfig/ssl/source.cert /nsconfig/ssl/target.key /nsconfig/ssl/target.secret

  4. Run the following command to copy target.secret to the primary appliance:
    Secondary> scp /nsconfig/ssl/target.secret nsroot@<Primary_IP>:/nsconfig/ssl/

  5. Run the following command to enable SIM on the primary appliance:
    Primary> enable fipsSIMsource /nsconfig/ssl/target.secret /nsconfig/ssl/source.secret

  6. Run the following command to copy source.secret to the secondary appliance:
    Primary> scp /nsconfig/ssl/source.secret nsroot@<Secondary_IP>:/nsconfig/ssl/

  7. Run the following command to enable SIM on the secondary appliance:
    Secondary> enable fipsSIMtarget /nsconfig/ssl/target.secret /nsconfig/ssl/source.secret

Now you can import and export FIPS keys from one appliance to the other.
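As an added example (not part of this article or of NetScaler itself), a POSIX shell helper that performs the checks this procedure calls for: it confirms that none of the four SIM files are left over before a fresh attempt, and confirms that the input files a given step consumes have actually arrived on the node before that step is run. The function names are hypothetical and the directory argument is an assumption for illustration; on an appliance it would be /nsconfig/ssl.

```shell
#!/bin/sh
# Hypothetical helper, not from the article: check the state of the SIM
# files in a NetScaler ssl config directory before and between SIM steps.
# The directory defaults to /nsconfig/ssl; pass another path when testing.

SIM_FILES="source.cert target.key target.secret source.secret"

# sim_precheck DIR: return 0 if none of the four SIM files exist in DIR
# (safe to start a fresh attempt), 1 otherwise, naming each stale file.
sim_precheck() {
    dir=${1:-/nsconfig/ssl}
    rc=0
    for f in $SIM_FILES; do
        if [ -e "$dir/$f" ]; then
            echo "stale SIM file present: $dir/$f" >&2
            rc=1
        fi
    done
    return $rc
}

# sim_expect DIR STEP: confirm the input files a step consumes are present
# and non-empty on this node. Step numbers follow the procedure above:
# 3 = init fipsSIMtarget (secondary needs source.cert),
# 5 = enable fipsSIMsource (primary needs target.secret),
# 7 = enable fipsSIMtarget (secondary needs target.secret and source.secret).
sim_expect() {
    dir=${1:-/nsconfig/ssl}
    case $2 in
        3) need="source.cert" ;;
        5) need="target.secret" ;;
        7) need="target.secret source.secret" ;;
        *) echo "unknown step: $2" >&2; return 2 ;;
    esac
    for f in $need; do
        if [ ! -s "$dir/$f" ]; then
            echo "step $2: missing or empty $dir/$f" >&2
            return 1
        fi
    done
    return 0
}

# sim_cleanup DIR: remove leftover SIM files so a new attempt can start.
sim_cleanup() {
    dir=${1:-/nsconfig/ssl}
    for f in $SIM_FILES; do rm -f "$dir/$f"; done
}
```

Run `sim_precheck` on both nodes before step 1, and `sim_expect <dir> <step>` on the receiving node immediately before steps 3, 5 and 7; a non-zero exit means a copy step was skipped or a previous attempt's files are still in place.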

Issue/Introduction

This article describes how to set up Secure Information Management on FIPS (Federal Information Processing Standards) enabled NetScaler appliances of different types.

Additional Information

Refer to the NetScaler MPX-FIPS Administrator Guide for more information.