Using Fortanix Data Security Manager with F5 BIG-IP Virtual Edition

Introduction

This article describes how to integrate Fortanix Data Security Manager (DSM) with F5 Networks BIG-IP Virtual Edition (VE) version 15.1.2.1 or later.

Prerequisites

F5 BIG-IP Local Traffic Manager (LTM) 15.1.2.1 or Later

Virtual Edition (VE) is used in this article. Both hardware and virtual edition platforms support network Hardware Security Module (HSM) integration. Additionally, you will need a license that covers the network HSM module.

Creating Inbound Traffic Rules if Using Azure Marketplace Platform

To access the BIG-IP Configuration utility, you must open port 8443. To connect to BIG-IP VE using SSH, open port 22. To connect to your application through BIG-IP VE, open port 443 (in this example).

  1. In the Azure portal, click All Services -> Network security groups.
  2. Filter the list to find your group and click it.
  3. In the left menu, under Settings, click Inbound security rules.
  4. Click Add.
    Set the following values:
    Field                     Value
    Source Port Ranges        An IP range on your network.
    Destination Port Ranges   22
    Protocol                  TCP
    Name                      A description, like SSH access.
  5. Click Add again.
  6. Repeat Steps 4 and 5, using 8443 as the Destination port range. This allows management traffic for the port 8443 to reach BIG-IP VE.
  7. Repeat Steps 4 and 5, using 443 as the Destination port range. This allows traffic for your application (in this example).

Setting Admin Password for BIG-IP VE

Give BIG-IP VE six to ten minutes to finish deploying before you attempt to connect.

The first time you boot BIG-IP VE, you must connect to the instance and create a strong admin password. You will use the admin account and password to access the BIG-IP Configuration utility.

This management interface may be accessible to the Internet, so ensure the password is secure.

  1. Connect to BIG-IP VE.
  2. To change to the tmsh prompt, type:
    tmsh
  3. Modify the admin password.
    modify auth password admin
    The terminal screen displays the message:
    changing password for admin
    new password:
  4. Type the new password and press Enter.
    The terminal screen displays the message:
    confirm password
  5. Re-type the new password, and then press Enter.
  6. Ensure that the system retains the password change and press Enter.
  7. Save the system configuration.
    save sys config
    Traffic goes through BIG-IP VE to a pool. Your application servers should be members of this pool.
  8. Now, open a web browser and go to the BIG-IP Configuration utility, for example: https://<external-ip-address>:8443

Integration with F5 BIG-IP VE

Creating Fortanix DSM Application

Create an application in Fortanix DSM. For more details refer to the Fortanix DSM Getting Started Guide. The application can access certificates, keys, and secrets that will be used by your application (delivered using the BIG-IP).

  1. Log in to the Fortanix DSM UI. Select the Apps icon from the left panel and then click the ‘+’ icon to open a new application form.
  2. Enter the name of the application and select API Key as the authentication method.
  3. Create a group and assign the application to the group. The group represents a collection of security objects (applications, keys, certificates, and so on) that are available to the members of the group.
  4. Click Save to create the application.
    Figure 1: Create an app

    With the application created, click COPY API KEY from the detailed view of the application or from the application table to capture the API key and store it for later use. The key will be used by the BIG-IP to authenticate calls to Fortanix DSM.
    Figure 2: Copy API Key
    Figure 3: Copy API Key

Installing Fortanix Plugin

In this step, use an SSH client to log in to the BIG-IP as root. From there, use the following commands to download and install the Fortanix plugin onto the BIG-IP. The plugin (RPM) is available for download from here.

cd /shared/
mkdir nethsm
cd nethsm

curl -O https://download.fortanix.com/clients/3.11.1281/fortanix-pkcs11-3.11.1281-0.x86_64.rpm
rpm -ivh ./fortanix-pkcs11-3.11.1281-0.x86_64.rpm

Configuring BIG-IP netHSM Integration

  1. Add the Fortanix HSM library to the BIG-IP.
    tmsh create sys crypto fips external-hsm vendor auto pkcs11-lib-path /opt/fortanix/pkcs11/fortanix_pkcs11.so
  2. Create the /config/fortanix.cfg file.
    vi /config/fortanix.cfg
    Add the following lines and save the file:
    ### sample fortanix config file
    # cat /config/fortanix.cfg
    api_endpoint="https://<fortanix_dsm_url>"
    api_key=""
    # specify if endpoint uses self-signed certificate
    ca_certs_file = ""
    [log]
    file = "/var/log/fortanix.log"
  3. Configure the netHSM partition.
    tmsh create sys crypto fips nethsm-partition auto password "file:///config/fortanix.cfg"
  4. Restart the pkcs11d service.
    bigstart restart pkcs11d tmm
  5. Test the connectivity: use the BIG-IP management GUI to test connectivity between the BIG-IP and Fortanix DSM. After logging in to the BIG-IP GUI, navigate to System --> Certificate Management --> HSM Management --> External HSM. Under the Partitions section, select the check box in the Partition List and click Test. The following is example output of a successful connectivity test.
    Figure 4: Test the connectivity
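The /config/fortanix.cfg file created in step 2 carries the DSM API key, so it is worth generating it from parameters and checking it before the restart in step 4. The POSIX shell functions below are an added example, not code from the Fortanix article or from F5; the file path, endpoint and key values are parameters, and the sample values in the trailing comment are constructed placeholders.

```shell
# Added example, not code from the Fortanix article or from F5: build
# /config/fortanix.cfg from parameters and sanity-check it before running
# "bigstart restart pkcs11d tmm". Paths are parameters so it also runs
# outside a BIG-IP; the endpoint/key values shown below are constructed.

# write_fortanix_cfg OUTFILE ENDPOINT API_KEY [CA_CERTS_FILE]
write_fortanix_cfg() {
    umask 077                       # api_key is a bearer secret: create as 0600
    cat > "$1" <<EOF
### fortanix config file (generated)
api_endpoint="$2"
api_key="$3"
# set only when the DSM endpoint presents a private or self-signed CA
ca_certs_file = "${4:-}"
[log]
file = "/var/log/fortanix.log"
EOF
}

# cfg_value FILE KEY: print the quoted value of KEY ("k=v" or "k = v" spacing)
cfg_value() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\"\([^\"]*\)\".*/\1/p" "$1" | head -n 1
}

# check_fortanix_cfg FILE: return 0 if the file is safe to hand to pkcs11d, else 1
check_fortanix_cfg() {
    rc=0
    ep=$(cfg_value "$1" api_endpoint)
    case "$ep" in
        https://*) ;;                # plain http would send the API key in clear
        *) echo "api_endpoint must be an https:// URL, got '$ep'"; rc=1 ;;
    esac
    [ -n "$(cfg_value "$1" api_key)" ] || { echo "api_key is empty"; rc=1; }
    ca=$(cfg_value "$1" ca_certs_file)
    if [ -n "$ca" ] && [ ! -r "$ca" ]; then
        echo "ca_certs_file '$ca' is not readable"; rc=1
    fi
    # the file carries a credential: group and other must have no access bits
    case "$(ls -l "$1" | cut -c5-10)" in
        ------) ;;
        *) echo "$1 must be mode 0600 (chmod 600 $1)"; rc=1 ;;
    esac
    return $rc
}
# On the BIG-IP, as root, the real call would be:
#   write_fortanix_cfg /config/fortanix.cfg "https://<fortanix_dsm_url>" "$DSM_API_KEY"
#   check_fortanix_cfg /config/fortanix.cfg && bigstart restart pkcs11d tmm
```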

Importing SSL Certificate/Key to BIG-IP and Fortanix DSM

  1. Import Private Key into Fortanix DSM: Now that the external HSM (Fortanix DSM at https://fortanix.aserracorp.com) is integrated with the BIG-IP, put it to use. To start, import a private key into Fortanix DSM.
    1. Log in to the Fortanix DSM UI and select the Security Objects icon from the left panel and then click the + button to create a new security object.
    2. Enter the name for the key and select the Import option to import a new key.
    3. Select RSA as the security object type.
    4. Select Base64 and upload the private key.
    5. Associate the key to a previously created group.
    6. Click Import to create the security object.
       
    BigIP_5.png
                                                                           Figure 5: Create security object

  2. Import SSL Certificate and netHSM Key Pointer into BIG-IP: With Fortanix DSM now hosting the private key, import the corresponding certificate into the BIG-IP. Additionally, create a key resource pointing to the Fortanix DSM-hosted key.
    1. Log in to the BIG-IP management GUI and navigate to System --> Certificate Management --> SSL Certificate List --> Import.
    2. Select Certificate as Import Type and enter a name.
    3. Browse and upload the certificate, click Import.
    4. Restart the pkcs11d service.
      bigstart restart pkcs11d tmm
    5. Next, navigate to System --> Certificate Management --> SSL Certificate List --> Import.
    6. Select Key as Import Type and enter a name. The name must match the security object name of the Fortanix DSM-stored key.
    7. Select Key Source as From NetHSM, and click Import.
       
    BigIP_6.png
                                                                       Figure 6: Import SSL certificate

  3. Create SSL Profile and Attach to Virtual Server: Finally, create a Client SSL profile and associate it with the virtual server.
      1. Log in to the BIG-IP management GUI and navigate to Local Traffic --> Profiles --> SSL --> CLIENT --> +.
      2. Enter a name and select the Custom option.
      3. In the Certificate Key Chain section click Add.
      4. Select the previously imported certificate and key from the drop-down menus.
      5. Click Finished to create the profile.
      6. Navigate to Local Traffic --> Virtual Servers and select the appropriate virtual server.
      7. Under the SSL Profile (Client) section, select the previously created SSL profile.
      8. Click Update to save the modified virtual server.
         
    BigIP_7.png
                                                                       Figure 7: Create SSL profile
  4. The application is now secured with the BIG-IP offloading the crypto workload to Fortanix DSM.

Updating PKCS#11 Version

When upgrading the F5 BIG-IP VE release, perform the following steps to update the PKCS#11 library version.

Perform the following steps on the F5 CLI (in bash mode):

  1. Run the following command to check the currently installed version of the PKCS#11 library:
    rpm -qa | grep fortanix-pkcs11
  2. Run the following command to remove the installed version of the PKCS#11 library:
    rpm -e fortanix-pkcs11-<version>
  3. Run the following command to install a different version of the PKCS#11 library (the RPM package file downloaded from Fortanix):
    rpm -ivh fortanix-pkcs11-<version>.rpm
