How Do I Only Use FIPS Approved Ciphers on NetScaler?

Article ID: CTX205252

Description

This article describes how to configure NetScaler to use only FIPS approved ciphers.
Note: According to RFC 6176 from the Internet Engineering Task Force (IETF), TLS servers must not support SSLv2. The NetScaler appliance does not support SSLv2 from release 12.1.

Introduction

Federal Information Processing Standards (FIPS) are publicly announced standards developed by the United States federal government for use in computer systems by non-military government agencies and government contractors.

FIPS provide a benchmark for implementing cryptographic software. They specify best practices for implementing crypto algorithms, handling key material and data buffers, and working with the operating system.

In cryptography, a cipher (or cypher) is an algorithm for performing encryption or decryption. When using a cipher the original information is known as plaintext, and the encrypted form as ciphertext. The ciphertext message contains all the information of the plaintext message, but is not in a format readable by a human or computer without the proper mechanism to decrypt it. The operation of a cipher usually depends on a piece of secondary information, called a key. The encrypting procedure is varied depending on the key, which changes the detailed operation of the algorithm.


Instructions

To use FIPS approved ciphers, follow the configuration steps below:

  1. While creating a Load Balancing Virtual Server for SSL traffic (Protocol: SSL), open Advanced Settings and go to SSL Ciphers.

  2. Select the Cipher Groups option and choose FIPS from the Cipher Groups list.

  3. Click OK and then Done to apply the configuration changes.

To configure FIPS approved ciphers for SSL Services and SSL Service Groups, perform steps 1 to 3 in the same way while creating the SSL Service or SSL Service Group.
Note: On NetScaler FIPS appliances, only FIPS approved ciphers are supported, and the FIPS cipher group is bound to the vservers by default.

To check the configuration, at the command prompt, type:
sh ssl cipher FIPS

The following is the list from NetScaler 11.0:

1)    Cipher Name: TLS1-EXP1024-RC4-SHA
Description: TLSv1 Kx=RSA(1024) Au=RSA Enc=RC4(56) Mac=SHA1 Export 
2)    Cipher Name: SSL3-EXP-RC4-MD5
Description: SSLv3 Kx=RSA(512) Au=RSA Enc=RC4(40) Mac=MD5 Export 
3)    Cipher Name: SSL3-EXP-DES-CBC-SHA
Description: SSLv3 Kx=RSA(512) Au=RSA Enc=DES(40) Mac=SHA1 Export 
4)    Cipher Name: SSL3-EXP-RC2-CBC-MD5
Description: SSLv3 Kx=RSA(512) Au=RSA Enc=RC2(40) Mac=MD5 Export 
5)    Cipher Name: SSL2-EXP-RC4-MD5
Description: SSLv2 Kx=RSA(512) Au=RSA Enc=RC4(40) Mac=MD5 Export 
6)    Cipher Name: TLS1-EXP1024-DHE-DSS-DES-CBC-SHA
Description: TLSv1 Kx=DH(1024) Au=DSS Enc=DES(56) Mac=SHA1 Export 
7)    Cipher Name: TLS1-EXP1024-DHE-DSS-RC4-SHA
Description: TLSv1 Kx=DH(1024) Au=DSS Enc=RC4(56) Mac=SHA1 Export 
8)    Cipher Name: SSL3-EXP-EDH-DSS-DES-CBC-SHA
Description: SSLv3 Kx=DH(512) Au=DSS Enc=DES(40) Mac=SHA1 Export 
9)    Cipher Name: SSL3-EXP-EDH-RSA-DES-CBC-SHA
Description: SSLv3 Kx=DH(512) Au=RSA Enc=DES(40) Mac=SHA1 Export 
10)    Cipher Name: TLS1-EXP1024-RC4-MD5
Description: TLSv1 Kx=RSA(1024) Au=RSA Enc=RC4(56) Mac=MD5 Export 
11)    Cipher Name: TLS1-EXP1024-RC2-CBC-MD5
Description: TLSv1 Kx=RSA(1024) Au=RSA Enc=RC2(56) Mac=MD5 Export 
12)    Cipher Name: SSL2-EXP-RC2-CBC-MD5
Description: SSLv2 Kx=RSA(512) Au=RSA Enc=RC2(40) Mac=MD5 Export 
13)    Cipher Name: SSL3-EXP-ADH-RC4-MD5
Description: SSLv3 Kx=DH(512) Au=None Enc=RC4(40) Mac=MD5 Export 
14)    Cipher Name: SSL3-EXP-ADH-DES-CBC-SHA
Description: SSLv3 Kx=DH(512) Au=None Enc=DES(40) Mac=SHA1 Export 
Done
> SH VERSION
NetScaler NS10.5: Build 57.7.nc, Date: May 14 2015, 08:01:05

Note: The list of ciphers might vary based on the NetScaler version. The list is provided only as a reference.
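A defender-side check on listings like the one above, added here as an example (not Citrix's code or part of the article): it parses the "Cipher Name" / "Description" pairs that sh ssl cipher prints and flags entries that fail a baseline assumed here (SSLv2/SSLv3, export grade, RC4/RC2/DES, MD5 MAC, key exchange below 2048 bits). The third sample entry and the baseline itself are assumptions, not the definition of the NetScaler FIPS group.

```python
import re
# Constructed sample in the layout "sh ssl cipher <group>" prints: entries 1-2 are
# copied from the listing above; entry 3 is assumed, to show a modern suite passing.
SAMPLE_OUTPUT = """\
1)    Cipher Name: TLS1-EXP1024-RC4-SHA
Description: TLSv1 Kx=RSA(1024) Au=RSA Enc=RC4(56) Mac=SHA1 Export
2)    Cipher Name: SSL2-EXP-RC4-MD5
Description: SSLv2 Kx=RSA(512) Au=RSA Enc=RC4(40) Mac=MD5 Export
3)    Cipher Name: TLS1.2-ECDHE-RSA-AES256-GCM-SHA384
Description: TLSv1.2 Kx=ECC-DHE Au=RSA Enc=AES-GCM(256) Mac=AEAD
"""
WEAK_ENC = re.compile(r"^(RC4|RC2|DES)\(")  # 3DES(...) deliberately not matched

def parse_cipher_listing(text):
    """Pair each 'Cipher Name:' line with its 'Description:' line."""
    entries, name = [], None
    for line in text.splitlines():
        line = line.strip()
        m = re.match(r"\d+\)\s*Cipher Name:\s*(\S+)", line)
        if m:
            name = m.group(1)
        elif line.startswith("Description:") and name:
            fields = line[len("Description:"):].split()
            entry = {"name": name, "protocol": fields[0], "export": "Export" in fields}
            for field in fields[1:]:  # Kx=..., Au=..., Enc=..., Mac=...
                if "=" in field:
                    key, value = field.split("=", 1)
                    entry[key] = value
            entries.append(entry)
            name = None
    return entries

def weak_reasons(entry):
    """Reasons an entry fails the baseline assumed here; empty list means it passes."""
    reasons = []
    if entry["protocol"] in ("SSLv2", "SSLv3"):
        reasons.append("protocol " + entry["protocol"])
    if entry["export"]:
        reasons.append("export grade")
    if WEAK_ENC.match(entry.get("Enc", "")):
        reasons.append("cipher " + entry["Enc"])
    if entry.get("Mac") == "MD5":
        reasons.append("MAC MD5")
    bits = re.search(r"\((\d+)\)", entry.get("Kx", ""))
    if bits and int(bits.group(1)) < 2048:  # RSA(512)/RSA(1024)/DH(512) key exchange
        reasons.append("key exchange " + entry["Kx"])
    return reasons

def audit(text):
    return {e["name"]: weak_reasons(e) for e in parse_cipher_listing(text)}
```

Feed it the captured output of sh ssl cipher <groupName> or the cipher section of sh ssl vserver <vServerName>; any name mapped to a non-empty list is a suite that should not be bound.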

To bind only FIPS approved cipher group to an SSL virtual server, service, or service group

At the command prompt, follow the steps below:

  1. Check whether any ciphers are already bound:
    sh ssl vserver <vServerName>
    sh ssl service <serviceName>
    sh ssl serviceGroup <serviceGroupName>

  2. If the output lists a Cipher Name, unbind the existing ciphers:
    unbind ssl vserver <vServerName> -cipherName ALL
    unbind ssl service <serviceName> -cipherName ALL
    unbind ssl serviceGroup <serviceGroupName> -cipherName ALL

  3. Bind only the FIPS cipher group:
    bind ssl vserver <vServerName> -cipherName FIPS
    bind ssl service <serviceName> -cipherName FIPS
    bind ssl serviceGroup <serviceGroupName> -cipherName FIPS

Additional Information

Citrix Documentation - Configuring User-Defined Cipher Groups on the NetScaler Appliance