This article describes how to enable Hybrid FIPS Mode on NetScaler 14000 FIPS Series.
On a FIPS platform, all cryptographic operations (asymmetric and symmetric) are performed on the FIPS card for security and strict FIPS compliance reasons. In hybrid mode, part of the cryptographic work (the asymmetric operations) stays on the FIPS card, while the bulk encryption and decryption (symmetric operations) is offloaded to another card without compromising the security of your keys.
The new MPX 14000 FIPS platform contains one primary card (the FIPS card) and one or more secondary cards. If you enable the hybrid FIPS mode, any crypto operation that uses the private key stored inside the hardware security module (HSM) is done on the FIPS card (for example, premaster secret decryption), and the bulk encryption and decryption is offloaded to one or more secondary cards. If a secondary card nears maximum capacity, the system begins to use the FIPS card for bulk encryption and decryption as well. This significantly increases the bulk encryption throughput of the MPX 14000 FIPS platform compared to the non-hybrid FIPS mode on the existing MPX 9700/10500/12500/15000 FIPS platforms.
Enabling the hybrid FIPS mode also improves the SSL transaction per second (TPS) on this platform.
Note: The hybrid FIPS mode is disabled by default in order to satisfy stricter certification requirements, where all of the crypto-computation must be done on the FIPS certified module. You must enable the hybrid mode to offload the bulk encryption and decryption to the secondary card.
Complete the following steps to enable NetScaler Hybrid FIPS mode:
1. Navigate to Traffic Management > SSL.
2. In the details pane, under Settings, click Change advanced SSL settings.
3. In the Change Advanced SSL Settings dialog box, select Hybrid FIPS Mode.
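The same setting can be applied from the NetScaler command line, which is useful when the change must be scripted or recorded in a change ticket. This is an added example, not part of the original article: the parameter name -hybridFIPSMode is the CLI counterpart of the Hybrid FIPS Mode check box as documented in the NetScaler CLI reference, and the prompt and Done responses below are a constructed transcript, not output captured from a real appliance.

```text
> set ssl parameter -hybridFIPSMode ENABLED
 Done
> show ssl parameter
> save ns config
 Done
```

The first command enables hybrid mode (use DISABLED to revert to the default, where all crypto stays on the FIPS card). The show ssl parameter output lists the current SSL parameters and is the place to confirm that Hybrid FIPS Mode now reads ENABLED before saving the configuration, because the setting does not survive a reboot until the running config is saved.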