1.0 Introduction
This article describes how to integrate Fortanix-Data-Security-Manager (DSM) with F5 Networks Big IP Virtual Edition (VE) version 15.1.2.1 or later.
It also contains the information that a user requires to:
Set inbound traffic rules if using the Azure Marketplace platform
Set the admin password for BIG-IP VE
2.0 Prerequisites
NOTE
The minimum supported BIG IP Version is 15.1.2.1.
2.1 F5 BIG-IP Local Traffic Manager (LTM) 15.1.2.1 or Later
Virtual Edition (VE) is utilized for this article. Both hardware and virtual edition platforms support network Hardware Security Module (HSM) integration. Additionally, you will need to provide a license covering the network HSM module.
2.2 Creating Inbound Traffic Rules if Using Azure Marketplace Platform
To access the BIG-IP Configuration utility, you must open port 8443. To connect to BIG-IP VE using SSH, use the open port 22. To connect to your application through BIG-IP VE, use the open port 443 (in this example).
1. In the Azure portal, click All Services → Network security groups.
2. Filter the list to find your group and click it.
3. In the left menu, under Settings, click Inbound security rules.
4. Click Add.
5. Enter the following values:
Source Port Ranges: An IP range on your network.
Destination Port Ranges: 22
Protocol: TCP
Name: A description, like SSH access.
6. Click Add again.
7. Repeat Steps 4 and 5, using 8443 as the Destination port range. This allows management traffic for port 8443 to reach BIG-IP VE.
8. Repeat Steps 4 and 5, using 443 as the Destination port range. This allows traffic for your application (in this example).
2.3 Setting Admin Password for BIG-IP VE
Give BIG-IP VE six to ten minutes to finish deploying before you attempt to connect.
The first time you boot BIG-IP VE, you must connect to the instance and create a strong admin password. You will use the admin account and password to access the BIG-IP Configuration utility.
This management interface may be accessible to the Internet, so ensure the password is secure.
1. Connect to BIG-IP VE.
2. To change to the tmsh prompt, type:
tmsh
3. Modify the admin password:
modify auth password admin
The terminal screen displays the message:
changing password for admin new password:
4. Type the new password and press Enter. The terminal screen displays the message:
confirm password
5. Re-type the new password, and then press Enter.
6. Ensure that the system retains the password change and press Enter.
7. Save the system configuration:
save sys config
Traffic goes through BIG-IP VE to a pool. Your application servers should be members of this pool.
Now, open a web browser and go to the BIG-IP Configuration utility, for example: https://<external-ip-address>:8443.
3.0 Configure Fortanix DSM
A Fortanix DSM service must be configured, and the URL must be accessible. To create a Fortanix DSM account and group, refer to the following sections:
3.1 Signing Up
To get started with the Fortanix Data Security Manager (DSM) cloud service, you must register an account at <Your_DSM_Service_URL>. For example, https://eu.smartkey.io.
For detailed steps on how to set up the Fortanix DSM, refer to the User's Guide: Sign Up for Fortanix Data Security Manager SaaS documentation.
3.2 Creating an Account
Access the <Your_DSM_Service_URL> on the web browser and enter your credentials to log in to the Fortanix DSM.

Figure 1: Logging In
3.3 Creating a Group
Perform the following steps to create a group in the Fortanix DSM:
Click the Groups menu item in the DSM left navigation bar and click the + button on the Groups page to add a new group.
Figure 2: Add Groups
On the Adding new group page, enter the following details:
Title: Enter a title for your group.
Description (optional): Enter a short description for the group.
Click the SAVE button to create the new group.
The new group has been added to the Fortanix DSM successfully.
3.4 Creating an Application
Perform the following steps to create an application (app) in the Fortanix DSM:
Click the Apps menu item in the DSM left navigation bar and click the + button on the Apps page to add a new app.
Figure 3: Add Application
On the Adding new app page, enter the following details:
App name: Enter the name of your application.
Interface (optional): Keep the default value.
ADD DESCRIPTION (optional): Enter a short description for the application.
Authentication method: Select the default API Key as the method of authentication from the drop-down menu. For more information on these authentication methods, refer to User's Guide: Authentication documentation.
Assigning the new app to groups: Select the group created in Section 3.3: Creating a Group from the list.
Click the SAVE button to add the new application.
The new application has been added to the Fortanix DSM successfully.
3.5 Copying the API Key
Perform the following steps to copy the API key from the Fortanix DSM:
Click the Apps menu item in the DSM left navigation bar and click the app created in Section 3.4: Creating an Application to go to the detailed view of the app.
On the INFO tab, click the VIEW API KEY DETAILS button.
From the API Key Details dialog box, copy the API Key of the app to be used later.
4.0 Install the Fortanix Plugin
In this step, use an SSH client to log in to the BIG-IP as root. From there, use the following commands to download and install the Fortanix plugin onto the BIG-IP. The plugin (an RPM package) is available for download from here.
cd /shared/
mkdir nethsm
cd nethsm
curl -O https://download.fortanix.com/clients/3.11.1281/fortanix-pkcs11-3.11.1281-0.x86_64.rpm
rpm -ivh ./fortanix-pkcs11-3.11.1281-0.x86_64.rpm
5.0 Configure BIG-IP netHSM Integration
Add the Fortanix HSM library to the BIG-IP.
tmsh create sys crypto fips external-hsm vendor auto pkcs11-lib-path /opt/fortanix/pkcs11/fortanix_pkcs11.so
Create the /config/fortanix.cfg file:
vi /config/fortanix.cfg
Add the following lines, setting api_key to the API key copied in Section 3.5: Copying the API Key, and save the file:
##### sample fortanix config file
# cat /config/fortanix.cfg
api_endpoint="https://<fortanix_dsm_url>"
api_key=""
# specify if endpoint uses self-signed certificate
ca_certs_file = ""
[log]
file = "/var/log/fortanix.log"
Configure the netHSM partition.
tmsh create sys crypto fips nethsm-partition auto password "file:///config/fortanix.cfg"
Restart the pkcs11d service.
bigstart restart pkcs11d tmm
Test the connectivity: use the BIG-IP management GUI to test the connectivity between the BIG-IP and Fortanix DSM. After logging in to the BIG-IP GUI, navigate to System → Certificate Management → HSM Management → External HSM. Under the Partitions section, select the checkbox in the Partition List and click Test. The following is an example output of a successful connectivity test.
Figure 4: Test the connectivity
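The /config/fortanix.cfg file holds the DSM API key in clear text, and the netHSM partition reads it on every pkcs11d restart, so it is worth linting the file before the restart step above. The following shell script is an added example for this article; it is not part of the original text or of the Fortanix or F5 tooling. It assumes the three settings shown above (api_endpoint, api_key, ca_certs_file) and uses a constructed sample endpoint, dsm.example.invalid, which is not a real DSM.

```shell
#!/bin/sh
# Added example (not from the article or Fortanix): lint a fortanix.cfg file
# before restarting pkcs11d. Besides checking the values, it checks that only
# root can read the file, since api_key is a bearer credential for the DSM app.
# Usage: check_fortanix_cfg /config/fortanix.cfg

# cfg_value FILE KEY -> prints the double-quoted value of KEY, empty if absent
cfg_value() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\"\([^\"]*\)\".*/\1/p" "$1" | head -n 1
}

# check_fortanix_cfg FILE -> returns 0 when every check passes, 1 otherwise
check_fortanix_cfg() {
    cfg="$1"
    rc=0
    if [ ! -f "$cfg" ]; then
        echo "FAIL: $cfg not found"
        return 1
    fi

    # 1. Permissions: the file must not be readable by other local users.
    mode=$(stat -c '%a' "$cfg" 2>/dev/null || stat -f '%Lp' "$cfg")
    case "$mode" in
        600|400) echo "ok:   mode $mode" ;;
        *)       echo "FAIL: mode $mode too permissive, expected 600"; rc=1 ;;
    esac

    # 2. api_endpoint: the <fortanix_dsm_url> placeholder must be replaced, over HTTPS.
    endpoint=$(cfg_value "$cfg" api_endpoint)
    case "$endpoint" in
        "")        echo "FAIL: api_endpoint missing"; rc=1 ;;
        *'<'*)     echo "FAIL: api_endpoint still contains a placeholder"; rc=1 ;;
        https://*) echo "ok:   api_endpoint $endpoint" ;;
        *)         echo "FAIL: api_endpoint must use https://"; rc=1 ;;
    esac

    # 3. api_key: the sample file ships it empty; it must be the key from Section 3.5.
    key=$(cfg_value "$cfg" api_key)
    if [ -z "$key" ]; then
        echo "FAIL: api_key is empty"; rc=1
    else
        echo "ok:   api_key present (${#key} characters)"
    fi

    # 4. ca_certs_file: optional, but if set the bundle must exist and be readable.
    ca=$(cfg_value "$cfg" ca_certs_file)
    if [ -n "$ca" ] && [ ! -r "$ca" ]; then
        echo "FAIL: ca_certs_file $ca is not readable"; rc=1
    fi
    return $rc
}

# write_sample_cfg FILE MODE APIKEY: constructed sample in the article's layout
write_sample_cfg() {
    cat > "$1" <<EOF
##### constructed sample; dsm.example.invalid is not a real DSM endpoint
api_endpoint="https://dsm.example.invalid"
api_key="$3"
# specify if endpoint uses self-signed certificate
ca_certs_file = ""
[log]
file = "/var/log/fortanix.log"
EOF
    chmod "$2" "$1"
}

# Demonstration on constructed files: one correct, one world-readable with no key.
tmp=$(mktemp -d)
write_sample_cfg "$tmp/good.cfg" 600 "constructed-api-key-not-real"
check_fortanix_cfg "$tmp/good.cfg" && echo "good.cfg: PASS"
write_sample_cfg "$tmp/bad.cfg" 644 ""
check_fortanix_cfg "$tmp/bad.cfg" || echo "bad.cfg: rejected (world-readable, empty api_key)"
```

Run it as root on the BIG-IP against /config/fortanix.cfg; a non-zero exit means at least one FAIL line was printed and the partition should not yet be created or restarted with that file.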
6.0 Configuring BIG-IP and Fortanix DSM
6.1 Import Private Key into Fortanix DSM
Now that the external HSM (Fortanix DSM, at https://fortanix.aserracorp.com in this example) is integrated with the BIG-IP, let us put it to use.
Perform the following steps to import an RSA key in the Fortanix DSM:
Click the Security Objects menu item in the DSM left navigation bar and click the + button on the Security Objects page to add a security object.
Figure 5: Add Security Object
On the Add New Security Object page, enter the following details:
Security Object name: Enter the name of your security object.
NOTE
Note this name, as the netHSM key pointer you import into BIG-IP in Section 6.2 must use exactly the same name.
Group: Select the group as created in Section 3.3: Creating a Group.
Select the IMPORT radio button.
Choose a type: Select the RSA key type.
Key Size: Indicates the size of the key in bits.
In the Place value here or import from file section, select the value format type as Base64 and click the UPLOAD A FILE button to upload the key file.
Key operations permitted: Select the required operations to define the actions that can be performed with the cryptographic keys, such as encryption, decryption, signing, and verifying.
Click the IMPORT button to create the new security object.
The new security object is added to the Fortanix DSM successfully.
6.2 Import SSL Certificate and netHSM Key Pointer into BIG-IP
With Fortanix DSM now hosting the private key, import the corresponding certificate into the BIG-IP. Additionally, create a key resource pointing to the Fortanix DSM-hosted key.
Log in to the BIG-IP management GUI and navigate to System → Certificate Management → SSL Certificate List → Import.
Select Certificate as Import Type and enter a name.
Browse and upload the certificate, click Import.
Restart the pkcs11d service.
bigstart restart pkcs11d tmm
Next, navigate to System → Certificate Management → SSL Certificate List → Import.
Select Key as Import Type and enter a name. The name must match the security object name of the Fortanix DSM-stored key.
Select Key Source as From NetHSM, and click Import.

Figure 6: Import SSL certificate
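The key imported into Fortanix DSM in Section 6.1 and the certificate imported into BIG-IP in Section 6.2 are uploaded separately and are only linked by name, so a mismatched pair is not detected until a TLS handshake fails. The following shell script is an added example for both sections; it is not part of the original article or of the F5 or Fortanix tooling. It assumes the openssl command-line tool is available and generates a constructed throwaway key pair and self-signed certificate (CN app.example.invalid) to demonstrate the check.

```shell
#!/bin/sh
# Added example (not from the article, F5 or Fortanix): before importing a
# certificate into BIG-IP (Section 6.2), confirm it belongs to the private key
# imported into Fortanix DSM (Section 6.1). Both sides are compared through the
# SHA-256 of their DER-encoded public key (SubjectPublicKeyInfo).

# spki_of_key KEY.pem -> hex SHA-256 of the public key derived from a private key
spki_of_key() {
    openssl pkey -in "$1" -pubout -outform DER 2>/dev/null \
        | openssl dgst -sha256 | awk '{print $NF}'
}

# spki_of_cert CERT.pem -> hex SHA-256 of the public key carried by a certificate
spki_of_cert() {
    openssl x509 -in "$1" -pubkey -noout 2>/dev/null \
        | openssl pkey -pubin -outform DER 2>/dev/null \
        | openssl dgst -sha256 | awk '{print $NF}'
}

# key_matches_cert KEY.pem CERT.pem -> 0 when they pair, 1 otherwise.
# An unreadable or unparseable input yields the digest of empty input, which
# would otherwise compare equal on both sides, so that value is rejected.
key_matches_cert() {
    k=$(spki_of_key "$1")
    c=$(spki_of_cert "$2")
    empty=$(printf '' | openssl dgst -sha256 | awk '{print $NF}')
    [ -n "$k" ] && [ "$k" != "$empty" ] && [ "$k" = "$c" ]
}

# make_sample_pair DIR: constructed test material, a throwaway 2048-bit RSA key
# with a self-signed certificate, plus a second unrelated key for the negative case.
make_sample_pair() {
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$1/key.pem" -out "$1/cert.pem" \
        -subj '/CN=app.example.invalid' -days 1 >/dev/null 2>&1
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$1/other.pem" >/dev/null 2>&1
}

# Demonstration on the constructed pair.
d=$(mktemp -d)
make_sample_pair "$d"
if key_matches_cert "$d/key.pem" "$d/cert.pem"; then
    echo "key.pem matches cert.pem: safe to import this certificate for that DSM key"
fi
if ! key_matches_cert "$d/other.pem" "$d/cert.pem"; then
    echo "other.pem does not match cert.pem: do not pair these"
fi
```

In practice, run key_matches_cert against the key file you are about to upload to DSM and the certificate you are about to import into BIG-IP, before either upload; the private key never needs to leave the workstation where the check runs.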
6.3 Create SSL Profile and Attach to Virtual Server
Finally, create a Client SSL profile and associate it with the virtual server.
Log in to the BIG-IP management GUI and navigate to Local Traffic → Profiles → SSL → CLIENT → +.
Enter a name and select the Custom checkbox.
In the Certificate Key Chain section, click Add.
Select the previously imported certificate and key from the drop-down menus.
Click Finished to create the profile.
Navigate to Local Traffic → Virtual Servers and select the appropriate virtual server.
Under the SSL Profile (Client) section, select the previously created SSL profile.
Click Update to save the modified virtual server.

Figure 7: Create SSL profile
The application is now secured with the BIG-IP offloading the crypto workload to Fortanix DSM.
7.0 Update the PKCS#11 Version
When you upgrade the F5 BIG-IP VE release, perform the following steps to update the PKCS#11 library version.
Perform the following steps on the F5 CLI (in bash mode):
Run the following command to check the currently installed version of the PKCS#11 library:
rpm -qa | grep fortanix-pkcs11
Run the following command to delete the installed version of the PKCS#11 library:
rpm -e fortanix-pkcs11-<version>
Run the following command to install a different version of the PKCS#11 library:
rpm -ivh fortanix-pkcs11-<version>