How to Configure HSM Card on a FIPS-enabled NetScaler MPX Appliance

Article ID: CTX130198

Description

This article contains information about configuring a Hardware Security Module (HSM) card on the latest models of the Federal Information Processing Standards (FIPS) enabled NetScaler MPX appliance.

Background

Initializing the latest FIPS-enabled NetScaler MPX appliance differs from initializing the earlier models of FIPS-enabled NetScaler appliances. You can use the initialization procedure either to initialize an HSM card for the first time after it leaves the factory or to reinitialize it to the default values. Reinitializing the HSM card to the default values erases the existing FIPS keys on the appliance.


Instructions

Notes:

  • You must log on to the appliance by using the super user credentials.

  • The instructions in this article apply to the following models of the FIPS-enabled NetScaler MPX appliance:

  • 9700
  • 10500
  • 12500
  • 15500

To configure the HSM card on a FIPS-enabled NetScaler MPX appliance, complete the following procedure:

  1. Run the following command to verify that the HSM card is not configured:
    > show fips

  2. Run the following command to start the configuration process:
    > reset fips

  3. Restart the appliance.

  4. Run the following command. For the old values, specify the defaults:
    > set ssl fips -initHSM Level-2 <New_SO_Password> <Old_SO_Password> <User_Password> [-hsmLabel <String>]

    For example:
    > set ssl fips -initHSM Level-2 sopin12345 so12345 user123 -hsmLabel Cavium
    Note: By default, the HSM passwords are preconfigured. Here, <Old_SO_Password> = so12345, <User_Password> = user123, <New_SO_Password> = sopin12345, and Cavium is the <String> for -hsmLabel.

  5. Run the following command to save the configuration:
    > save config

  6. Restart the appliance.

  7. Run the following command to verify that the HSM card is configured:
    > show fips

    FIPS HSM Info:
    HSM Label: FIPS-140-2
    Initialization: FIPS-140-2 Level-2
    HSM Serial Number: 2.1G1008-IC000007
    HSM State: 2
    Firmware Version: 1.1
    Total Flash Memory: 1900428
    Free Flash Memory: 1899720
    Free SRAM Memory : 17201052
    Total Crypto Cores: 3
    Enabled Crypto Cores:

    Done
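
The verification in step 7 can be scripted when several appliances have to be checked. The following Python sketch is an added example, not Citrix code: it parses saved show fips output and reports whether the card shows the Level-2 initialization set in step 4. The function names, the findings it reports, and the UNINITIALIZED sample are assumptions made for illustration.

```python
# Output of `show fips` as printed under step 7 of this article.
CONFIGURED = """\
FIPS HSM Info:
HSM Label: FIPS-140-2
Initialization: FIPS-140-2 Level-2
HSM Serial Number: 2.1G1008-IC000007
HSM State: 2
Firmware Version: 1.1
Total Flash Memory: 1900428
Free Flash Memory: 1899720
Free SRAM Memory : 17201052
Total Crypto Cores: 3
Enabled Crypto Cores:

Done
"""
# Constructed sample (assumption, not real appliance output): no level reported.
UNINITIALIZED = "FIPS HSM Info:\nHSM Label:\nInitialization:\n\nDone\n"


def parse_show_fips(text):
    """Return the 'Field: value' lines of `show fips` output as a dict."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        key = key.strip()
        # Skip blanks, the "Done" trailer and the section header.
        if not sep or not key or key == "FIPS HSM Info":
            continue
        fields[key] = value.strip()  # tolerates "Free SRAM Memory : ..."
    return fields


def check_hsm(text, expected_level="Level-2", expected_label=None):
    """Return a list of findings; an empty list means every check passed."""
    fields = parse_show_fips(text)
    if not fields:
        return ["no FIPS HSM fields found in output"]
    findings = []
    init = fields.get("Initialization", "")
    if expected_level not in init.split():
        findings.append(f"Initialization is {init!r}, expected {expected_level}")
    if not fields.get("HSM Serial Number"):
        findings.append("HSM Serial Number is missing")
    if expected_label is not None and fields.get("HSM Label") != expected_label:
        findings.append(f"HSM Label is {fields.get('HSM Label')!r}")
    return findings
```

Pass expected_label only if you record the -hsmLabel value used in step 4; an empty list from check_hsm means the output matches what step 7 expects.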

Additional Information

Citrix Documentation - Configuring the HSM