How to Add New NetScaler FIPS Device to HA Setup Using CLI

Article ID: CTX207970

Description

This article provides step-by-step instructions for adding a new NetScaler FIPS device to an HA setup using the CLI, and defines the values to enter for each command parameter.


Instructions

Enabling FIPS Card

Use the following commands to enable the FIPS card on the NetScaler appliance:
  1. show ssl fips
  2. reset ssl fips
  3. reboot
  4. set ssl fips -initHSM Level-2 <newSOpassword> <oldSOpassword> <userPassword> [-hsmLabel <string>]
    Note: The default values for the old SO password and the user password are:
    Default SO password: so12345
    Default user password: user12345
  5. save ns config
  6. reboot
  7. show ssl fips

Once the HSM has been initialized on both NetScaler appliances, follow the steps below to establish secure communication between the appliances for HA.

Setting Up HA

  1. Log on to the primary appliance using the administrator credentials.
  2. Initialize appliance A as the source appliance. Run the following command:
    init ssl fipsSIMsource <certFile>

    <certFile>: any new file name that does not already exist on the appliance

  3. Copy the <certFile> file to appliance B, into the /nsconfig/ssl folder.
  4. Log on to the secondary appliance using the administrator credentials.
  5. Initialize appliance B as the target appliance. Run the following command:
    init ssl fipsSIMtarget <certFile> <keyVector> <targetSecret>

    <certFile>: the file transferred from the source appliance
    <keyVector>: any new file name that does not already exist on the appliance
    <targetSecret>: any new file name

  6. Copy the <targetSecret> file to appliance A.
  7. On appliance A, enable appliance A as the source appliance. At the command prompt, type:
    enable ssl fipsSIMSource <targetSecret> <sourceSecret>

    <targetSecret>: the file created on appliance B
    <sourceSecret>: any new file name

  8. Copy the <sourceSecret> file to appliance B.
  9. On appliance B, enable appliance B as the target appliance. At the command prompt, type:
    enable ssl fipsSIMtarget <keyVector> <sourceSecret>

    <keyVector>: the same name given to <keyVector> in the init ssl fipsSIMtarget command in step 5
    <sourceSecret>: the file created on appliance A

  10. Secure communication is now established.
  11. On appliance A, create a FIPS key, as described in Creating a FIPS Key.
  12. Export the FIPS key to the appliance’s hard disk, as described in Exporting a FIPS Key.
  13. Copy the FIPS key to the hard disk of the secondary appliance by using a secure file transfer utility, such as SCP.
  14. On appliance B, import the FIPS key from the hard disk into the HSM of the appliance, as described in Importing an Existing FIPS Key.
  15. Add the new node under High Availability.
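
As an added example, not part of the Citrix article, the following POSIX shell script sequences steps 2 through 9 over ssh and scp: it checks that the four file names are unique and not already present on either appliance, then exchanges the certFile, targetSecret and sourceSecret files in the required order. It assumes that nsroot has ssh/scp access to both appliances, that the nsroot login shell is the NetScaler CLI, and that the files are written to /nsconfig/ssl; the host names in the usage line are placeholders.

```shell
#!/bin/sh
# Added example (not from the Citrix article): drives the FIPS SIM pairing of
# steps 2 to 9 over ssh/scp so the three files are exchanged in the right order.
# Assumed: nsroot has ssh/scp access to both appliances, the nsroot login shell
# is the NetScaler CLI, and the files are written to /nsconfig/ssl.
set -eu
SSL_DIR=/nsconfig/ssl

# Emit the pairing as ordered "where<TAB>what" lines. A "copy" line means
# "copy file $3 from appliance $1 to appliance $2"; every other line is a CLI
# command to run on the named appliance.
fips_sim_plan() {  # A B certFile keyVector targetSecret sourceSecret
  printf '%s\t%s\n' \
    "$1" "init ssl fipsSIMsource $3" \
    copy "$1 $2 $3" \
    "$2" "init ssl fipsSIMtarget $3 $4 $5" \
    copy "$2 $1 $5" \
    "$1" "enable ssl fipsSIMSource $5 $6" \
    copy "$1 $2 $6" \
    "$2" "enable ssl fipsSIMtarget $4 $6"
}

# Each name must be new on the box, so at minimum they must differ from each other.
names_distinct() { [ -z "$(printf '%s\n' "$@" | sort | uniq -d)" ]; }

# The article requires names not already present; refuse to overwrite anything.
name_is_free() { ssh "nsroot@$1" "test ! -e $SSL_DIR/$2"; }               # host name
copy_file()    { scp -3 "nsroot@$1:$SSL_DIR/$3" "nsroot@$2:$SSL_DIR/$3"; }  # src dst file

run_plan() {  # same arguments as fips_sim_plan; executes the plan line by line
  names_distinct "$3" "$4" "$5" "$6" || { echo "file names must be unique" >&2; return 1; }
  for n in "$3" "$4" "$5" "$6"; do
    name_is_free "$1" "$n" && name_is_free "$2" "$n" \
      || { echo "$n already exists on an appliance" >&2; return 1; }
  done
  fips_sim_plan "$@" | while IFS="$(printf '\t')" read -r where what; do
    if [ "$where" = copy ]; then copy_file $what; else ssh "nsroot@$where" "$what"; fi
  done
}
# Usage (placeholder hosts): run_plan ns-a.example.com ns-b.example.com certA kvB tsB ssA
```

After run_plan completes, continue with steps 11 to 15 (FIPS key creation, export, import and adding the HA node), which this script does not cover.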

Additional Information

http://docs.citrix.com/en-us/netscaler/11/traffic-management/ssl/fips/configure-hsm.html?_ga=1.1856945.1632263450.1445879020

http://support.citrix.com/article/CTX200441

http://support.citrix.com/article/ctx129543