Using Fortanix Data Security Manager with F5 BIG-IP Virtual Edition


1.0 Introduction

This article describes how to integrate Fortanix Data Security Manager (DSM) with F5 Networks BIG-IP Virtual Edition (VE) version 15.1.2.1 or later.

It also contains the information that a user requires to:

  • Set inbound traffic rules if using Azure Marketplace platform.

  • Set admin password for BIG-IP VE.

2.0 Prerequisites

Ensure the following:

  • The minimum supported BIG-IP version is 15.1.2.1.

  • The BIG-IP system is licensed for 'External Interface and Network HSM'.

2.1 F5 BIG-IP Local Traffic Manager (LTM) 15.1.2.1 or Later

This article uses the Virtual Edition (VE). Both hardware and virtual edition platforms support network Hardware Security Module (HSM) integration. Additionally, you will need a license covering the network HSM module.

2.2 Creating Inbound Traffic Rules if Using Azure Marketplace Platform

To access the BIG-IP Configuration utility, you must open port 8443. To connect to BIG-IP VE using SSH, open port 22. To reach your application through BIG-IP VE, open port 443 (in this example).

  1. In the Azure portal, click All Services → Network security groups.

  2. Filter the list to find your group and click it.

  3. In the left menu, under Settings, click Inbound security rules.

  4. Click Add and fill in the new rule as follows:

    Field                      Value
    Source Port Ranges         An IP range on your network.
    Destination Port Ranges    22
    Protocol                   TCP
    Name                       A description, such as SSH access.

  5. Click Add again.

  6. Repeat Steps 4 and 5, using 8443 as the Destination port range. This allows management traffic on port 8443 to reach BIG-IP VE.

  7. Repeat Steps 4 and 5, using 443 as the Destination port range. This allows traffic for your application (in this example).

2.3 Setting Admin Password for BIG-IP VE

Give BIG-IP VE six to ten minutes to finish deploying before you attempt to connect.

The first time you boot BIG-IP VE, you must connect to the instance and create a strong admin password. You will use the admin account and password to access the BIG-IP Configuration utility.

This management interface may be accessible to the Internet, so ensure the password is secure.

  1. Connect to BIG-IP VE.

  2. Run the following command to switch to the tmsh prompt:

    tmsh

  3. Run the following command to modify the admin password.

    modify auth password admin

    The terminal screen displays the message:

    changing password for admin
    new password:
  4. Type the new password and press Enter.
    The terminal screen displays the message:

    confirm password
  5. Re-type the new password, and then press Enter.

  6. Ensure that the system retains the password change and press Enter.

  7. Run the following command to save the system configuration.

    save sys config

    Traffic goes through BIG-IP VE to a pool. Your application servers should be members of this pool.

  8. Now, open a web browser and go to the BIG-IP Configuration utility. For example, https://<external-ip-address>:8443.

3.0 Generate an SSL Certificate and Private Key

Perform the following steps:

  1. Run the following OpenSSL command on BIG-IP to generate a certificate and private key:

    openssl req -newkey rsa:2048 -nodes -keyout dsm.key -x509 -days 365 -out dsm.crt

  2. Import the generated dsm.key into Fortanix DSM using the Import Key workflow as explained in Section 4.6: Creating a Security Object.

  3. Upload the certificate dsm.crt to BIG-IP and reference the imported Fortanix DSM key dsm.key as a key pointer, as described in Section 7.1: Importing SSL Certificate and Adding DSM Key Pointer in Big-IP.

4.0 Configure Fortanix DSM

A Fortanix DSM service must be configured, and the URL must be accessible. To create a Fortanix DSM account and group, refer to the following sections:

4.1 Signing Up

To get started with the Fortanix DSM cloud service, you must register an account at <Your_DSM_Service_URL>. For example, https://amer.smartkey.io. On-premises customers use the KMS URL, and SaaS customers can use the URLs listed here based on the application region.

For more information on how to set up the Fortanix DSM, refer to the User's Guide: Sign Up for Fortanix Data Security Manager SaaS.

4.2 Creating an Account

Access <Your_DSM_Service_URL> in a web browser and enter your credentials to log in to Fortanix DSM.

Figure 1: Logging in

For more information on how to set up an account in Fortanix DSM, refer to the User's Guide: Getting Started with Fortanix Data Security Manager - UI.

4.3 Creating a Group

Perform the following steps to create a group in the Fortanix DSM:

  1. In the DSM left navigation panel, click the Groups menu item, and then click ADD GROUP to create a new group.

    Figure 2: Add groups

  2. On the Adding new group page,

    1. Title: Enter a name for your group.

    2. Description (optional): Enter a short description of the group.

  3. Click SAVE to create the new group.

The new group is added to the Fortanix DSM successfully.

4.4 Creating an Application

Perform the following steps to create an application (app) in the Fortanix DSM:

  1. In the DSM left navigation panel, click the Apps menu item, and then click ADD APP to create a new app.

    Figure 3: Add application

  2. On the Adding new app page,

    1. App name: Enter the name for your application.

    2. ADD DESCRIPTION (optional): Enter a short description of the application.

    3. Authentication method: Select the default API Key as the authentication method from the drop-down menu. For more information on these authentication methods, refer to the User's Guide: Authentication.

    4. Assigning the new app to groups: Select the group created in Section 4.3: Creating a Group from the list.

  3. Click SAVE to add the new application.

The new application is added to the Fortanix DSM successfully.

4.5 Copying the API Key

Perform the following steps to copy the API key from the Fortanix DSM:

  1. In the DSM left navigation panel, click the Apps menu item, and then click the app created in Section 4.4: Creating an Application to go to the detailed view of the app.

  2. On the INFO tab, click VIEW API KEY DETAILS.

  3. From the API Key Details dialog box, copy the API Key of the app to use it later.

4.6 Creating a Security Object

Perform the following steps to import the RSA key generated in Section 3.0: Generate an SSL Certificate and Private Key in Fortanix DSM:

  1. In the DSM left navigation panel, click the Security Objects menu item, and then click ADD SECURITY OBJECT to create a new security object.

    Figure 5: Add Security Object

  2. On the Add new Security Object page,

    1. Security Object Name: Enter a name for your security object.

    2. Group: Select the group as created in Section 4.3: Creating a Group.

    3. Select the IMPORT radio button.

    4. In the Choose a type section, select an RSA key type.

    5. In the Place value here or import from file section, select the value format type as Base64 and click UPLOAD A FILE to upload the RSA private key generated in Section 3.0: Generate an SSL Certificate and Private Key.

    6. If the key file is already encrypted (wrapped) using a Fortanix DSM key, select the The key has been encrypted check box. For more information, refer to the User's Guide: Fortanix Data Security Manager Key Lifecycle Management.

    7. Key operations permitted: Select the required operations to define the actions that can be performed with the cryptographic keys, such as encryption, decryption, signing, and verifying.

  3. Click IMPORT to create the new security object.

The new security object is added to the Fortanix DSM successfully.

NOTE

Alternatively, you can generate an RSA key directly in Fortanix DSM using the Generate Key workflow. Use the PKCS#10 plugin to issue a certificate for the generated key, and then upload the certificate to BIG-IP, as described in Step 3 of Section 7.1: Importing SSL Certificate and Adding DSM Key Pointer in Big-IP.

5.0 Install the Fortanix PKCS#11 Library

This section describes how to install the Fortanix PKCS#11 library on the BIG-IP system. The PKCS#11 library enables BIG-IP to communicate with Fortanix DSM for cryptographic operations.

Use an SSH client to log in to the BIG-IP system as root and run the following commands to download and install the Fortanix PKCS#11 library.

The Fortanix PKCS#11 library RPM package can be downloaded from here.

cd /shared/
mkdir fortanix
cd fortanix

curl -O https://download.fortanix.com/clients/3.11.1281/fortanix-pkcs11-3.11.1281-0.x86_64.rpm
rpm -ivh ./fortanix-pkcs11-3.11.1281-0.x86_64.rpm

6.0 Configure BIG-IP HSM Integration

Perform the following steps:

  1. Run the following command to add the Fortanix HSM library to the BIG-IP:

    tmsh create sys crypto fips external-hsm vendor auto pkcs11-lib-path /opt/fortanix/pkcs11/fortanix_pkcs11.so
  2. Run the following command to create the /config/fortanix.cfg file:

    vi /config/fortanix.cfg

    Add the following lines and save the file:

    ### sample fortanix config file
    api_endpoint="https://<FORTANIX_DSM_URL>"
    api_key="<DSM_API_KEY>"
    # set only if the endpoint uses a self-signed certificate; otherwise leave empty
    ca_certs_file = "<CA_CERT_FILE_PATH>"
    [log]
    file = "/var/log/fortanix.log"

    Where,

    • api_endpoint refers to the URL of the Fortanix DSM instance that the BIG-IP connects to.

    • api_key refers to the Fortanix DSM app API key copied in Section 4.5: Copying the API Key; it is used for authentication.

    • ca_certs_file refers to the path to the CA certificate file if the Fortanix DSM endpoint uses a self-signed certificate. Leave it empty if not required. For more information, refer to Fortanix PKCS#11 Library.

    • file refers to the location where the Fortanix PKCS#11 library writes logs.

  3. Run the following command to configure the netHSM partition:

    tmsh create sys crypto fips nethsm-partition auto password "file:///config/fortanix.cfg"
  4. Run the following command to restart the pkcs11d service:

    bigstart restart pkcs11d tmm
  5. Test the connectivity: use the BIG-IP management UI to test the connectivity between the BIG-IP and Fortanix DSM. After logging in to the BIG-IP UI, navigate to System → Certificate Management → HSM Management → External HSM. Under the Partitions section, select the check box in the Partition List and click Test. The following is an example output of a successful connectivity test.

    Figure 4: Test the connectivity
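A pre-flight check for the /config/fortanix.cfg written in step 2, added here as an example in Python (it is not Fortanix or F5 code): it parses the template syntax shown above, flags placeholders left in place and a non-HTTPS endpoint before the nethsm-partition command consumes the file, and checks the file mode, because the file holds the DSM API key. The parsing rules and the checks are this example's own assumptions; the Fortanix PKCS#11 library's real parser may accept more.

```python
import re

# Constructed sample: the template from step 2 above with its placeholders left in.
SAMPLE_TEMPLATE = '''### sample fortanix config file
api_endpoint="https://<FORTANIX_DSM_URL>"
api_key="<DSM_API_KEY>"
# specify if endpoint uses self-signed certificate
ca_certs_file = "<CA_CERT_FILE_PATH>"
[log]
file = "/var/log/fortanix.log"
'''

# key = "value" with an optional trailing comment; a '#' inside the quotes is data.
_LINE = re.compile(r'^([A-Za-z_]\w*)\s*=\s*"([^"]*)"\s*(?:#.*)?$')
_SECTION = re.compile(r'^\[([A-Za-z_][\w.]*)\]$')


def parse_cfg(text):
    """Parse the minimal TOML-style syntax into {"": {...}, "log": {...}}."""
    sections, current = {"": {}}, ""
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank line or full-line comment
        sec = _SECTION.match(line)
        if sec:
            current = sec.group(1)
            sections.setdefault(current, {})
            continue
        kv = _LINE.match(line)
        if not kv:
            raise ValueError(f"line {lineno}: cannot parse {line!r}")
        sections[current][kv.group(1)] = kv.group(2)
    return sections

def check_cfg(text):
    """Return a list of findings; an empty list means the file looks usable."""
    top, findings = parse_cfg(text)[""], []
    endpoint = top.get("api_endpoint", "")
    if not endpoint.startswith("https://") or "<" in endpoint:
        findings.append("api_endpoint must be a concrete https:// URL")
    if not top.get("api_key") or top["api_key"].startswith("<"):
        findings.append("api_key is missing or still a placeholder")
    if top.get("ca_certs_file", "").startswith("<"):
        findings.append("ca_certs_file is a placeholder; set a path or leave it empty")
    return findings

def mode_is_private(st_mode):
    """The file holds the API key: group and others must have no access bits."""
    return not (st_mode & 0o077)
```

Run check_cfg on the file's contents and mode_is_private on os.stat("/config/fortanix.cfg").st_mode before step 3; anything reported means the partition test in step 5 will fail or the key is exposed to other local users.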

7.0 Configure BIG-IP with Fortanix DSM

7.1 Importing SSL Certificate and Adding DSM Key Pointer in Big-IP

With Fortanix DSM now hosting the private key, import the corresponding certificate into the BIG-IP. Additionally, create a key resource pointing to the Fortanix DSM-hosted key.

  1. Log in to the BIG-IP management UI and navigate to System → Certificate Management → SSL Certificate List → Import.

  2. Select Certificate as Import Type and enter a name.

  3. Browse to the certificate, upload it, and click Import.

  4. Run the following command to restart the pkcs11d service:

    bigstart restart pkcs11d tmm
  5. Navigate to System → Certificate Management → SSL Certificate List → Import.

  6. Select Key as Import Type and enter a name. The name must match the security object name created in Section 4.6: Creating a Security Object.

  7. Select Key Source as From NetHSM, and click Import.


    Figure 6: Import SSL certificate

7.2 Creating an SSL Profile and Attaching it to a Virtual Server

Finally, create a client SSL profile and associate it with the virtual server.

  1. Log in to the BIG-IP management UI and navigate to Local Traffic → Profiles → SSL → CLIENT → +.

  2. Enter a name and select the Custom check box.

  3. In the Certificate Key Chain section, click Add.

  4. Select the previously imported certificate and key from the drop-down menus.

  5. Click Finished to create the profile.

  6. Navigate to Local Traffic → Virtual Servers and select the appropriate virtual server.

  7. Under the SSL Profile (Client) section, select the previously created SSL profile.

  8. Click Update to save the modified virtual server.


Figure 7: Create SSL profile

The application is now secured with the BIG-IP offloading the crypto workload to Fortanix DSM.

8.0 Update the PKCS#11 Version

Perform the following steps on F5 CLI (in bash mode) to update the PKCS#11 version:

  1. Run the following command to check the currently installed version of the PKCS#11 library:

    rpm -qa | grep fortanix-pkcs11

  2. Run the following command to remove the installed version of the PKCS#11 library:

    rpm -e fortanix-pkcs11-<version>

  3. Run the following command to install a different version of the PKCS#11 library from its RPM package:

    rpm -ivh ./fortanix-pkcs11-<version>.rpm
