Professional Documents
Culture Documents
The following flowchart depicts the tasks that you need to perform to use Thales HSM with
a NetScaler ADC:
As shown in the above flowchart, you perform the following tasks:
You must specify the IP address of the RFS on the Thales HSM so that it accepts the
configuration that the RFS pushes to it. Use the nShield Connect front panel on the Thales
HSM to perform the following procedure.
1. Navigate to System Configuration > Config file options > Allow auto push.
2. Select ON, and specify the IP address of the computer (RFS) from which to accept
the configuration.
Configure the ADC to use the Thales HSM
NSIP address=10.217.2.43
RFS IP address=10.217.2.6
Alternately, use the RFS to add the ADC as a client to the HSM. To do this, you must add the
NSIP address in the HSM configuration on the RFS, and then push the configuration to the
HSM. Before you can do this, you must know the electronic serial number (ESN) of the HSM.
To get the ESN of your HSM, run the following command on the RFS:
Example
root@ns# /opt/nfast/bin/anonkneti 10.217.2.112
BD17-C807-58D9 5e30a698f7bab3b2068ca90a9488dc4e6c78d822
After you have the ESN number, use an editor, such as vi, to edit the HSM configuration file
on the RFS.
vi /opt/nfast/kmdata/hsm-BD17-C807-58D9/config/config
To push the configuration to the HSM, run the following command on the RFS:
Example
/opt/nfast/bin/cfg-pushnethsm --address=10.217.2.112 --force
/opt/nfast/kmdata/hsm-BD17-C807-
58D9/config/config
Configure Access Permission for the ADC on the RFS
To configure access permission for the ADC on the RFS, run the following command on the
RFS:
Example
[root@localhost bin]# /opt/nfast/bin/rfs-setup --force -g --
write-noauth 10.217.2.43
Adding read-only remote_file_system entries
Ensuring the directory /opt/nfast/kmdata/local exists
Adding new writable remote_file_system entries
Ensuring the directory /opt/nfast/kmdata/local/sync-store exists
Saving the new config file and configuring the hardserver
Done
Verify that the ADC can reach both the RFS and Thales HSM by using port 9004.
./hardserver &
To add HSM details into the ADC configuration, run the following command on the ADC:
Example
root@ns# ./nethsmenroll --force 10.217.2.112 $(anonkneti
10.217.2.112)
OK configuring hardserver's nethsm imports
This step adds the following entries after the line # ntoken_esn=ESN in
the nethsm_importssection of the /var/opt/nfast/kmdata/config/config file.
…
local_module=0
remote_ip=10.217.2.112
remote_port=9004
remote_esn=BD17-C807-58D9
keyhash=5e30a698f7bab3b2068ca90a9488dc4e6c78d822
timelimit=86400
datalimit=8388608
privileged=0
privileged_use_high_port=0
ntoken_esn=
Change directory to /var/opt/nfast/bin and run the following command on the ADC:
touch "thales_hsm_is_enrolled"
Note: To remove an HSM that is enrolled on the ADC, type: ./nethsmenroll –-remove
<NETHSM-IP>
Add RFS details on the ADC
To add RFS details, change directory to /var/opt/nfast/bin/ and then run the following
command:
Example
./rfs-sync --no-authenticate --setup 10.217.2.6
No current RFS synchronization configuration.
Configuration successfully written; new config details:
Using RFS at 10.217.2.6:9004: not authenticating.
This step adds the following entries after the # local_esn=ESN line in
the rfs_sync_clientsection of the /var/opt/nfast/kmdata/config/config file.
……
remote_ip=10.217.2.6
remote_port=9004
use_kneti=no
local_esn=
Note: To remove an RFS that is enrolled on the ADC, type: ./rfs_sync –remove
Example
./rfs-sync --no-authenticate --setup 10.217.2.6
No current RFS synchronization configuration.
Configuration successfully written; new config details:
Using RFS at 10.217.2.6:9004: not authenticating.
This step adds the following entries after the # local_esn=ESN line in
the rfs_sync_clientsection of the /var/opt/nfast/kmdata/config/config file.
……
remote_ip=10.217.2.6
remote_port=9004
use_kneti=no
local_esn=
Synchronize the ADC to the RFS
To synchronize all the files, change directory to /var/opt/nfast/bin and then run the
following command on the ADC:
./rfs-sync –-update
This command fetches all the World files, module files, and key files from the
/opt/nfast/kmdata/local directory on the RFS and puts them into the
/var/opt/nfast/kmdata/local directory on the ADC. Citrix recommends that you manually
copy the World files, the module_XXXX_XXXX_XXXX files, where XXXX_XXXX_XXXX is the
ESN of the enrolled HSM, and only the required RSA key and certificate files.
reboot
Updated: 2014-12-08
Create an RSA key, a self-signed certificate, and a Certificate Signing Request (CSR). Send
the CSR to a certificate authority to get a server certificate.
The following example uses Level-2 Security World. In the example, the commands are in
boldface type.
Example
[root@localhost bin]# ./generatekey embed
size: Key size? (bits, minimum 1024) [1024] > 2048
OPTIONAL: pubexp: Public exponent for RSA key (hex)? []
>
embedsavefile: Filename to write key to? []
> example
plainname: Key name? [] > example
x509country: Country code? [] > US
x509province: State or province? [] > CA
x509locality: City or locality? [] > Santa Clara
x509org: Organisation? [] > Citrix
x509orgunit: Organisation unit? [] > NS
x509dnscommon: Domain name? [] > www.citrix.com
x509email: Email address? [] > example@citrix.com
nvram: Blob in NVRAM (needs ACS)? (yes/no) [no] >
digest: Digest to sign cert req with? (md5, sha1, sha256,
sha384, sha512)
[default sha1] > sha512
key generation parameters:
operation Operation to perform generate
application Application embed
verify Verify security of key yes
type Key type RSA
size Key size 2048
pubexp Public exponent for RSA key (hex)
embedsavefile Filename to write key to example
plainname Key name example
x509country Country code US
x509province State or province CA
x509locality City or locality Santa Clara
x509org Organisation Citrix
x509orgunit Organisation unit NS
x509dnscommon Domain name
www.citrix.com
x509email Email address
example@citrix.com
nvram Blob in NVRAM (needs ACS) no
digest Digest to sign cert req with sha512
Key successfully generated.
Path to key:
/opt/nfast/kmdata/local/key_embed_2ed5428aaeae1e159bdbd63f25292c
7113ec2c78
You have new mail in /var/spool/mail/root
Result
Because the ADC supports keys in simple format only, you must convert the embed key to a
simple key.
To convert the embed key to a simple key, run the following command on the RFS:
[root@localhost bin]# ./generatekey -r simple
from-application: Source application? (embed, simple) [embed] >
embed
from-ident: Source key identifier?
(c6410ca00af7e394157518cb53b2db46ff18ce29,
2ed5428aaeae1e159bdbd63f25292c7113ec2c78)
[default c6410ca00af7e394157518cb53b2db46ff18ce29]
> 2ed5428aaeae1e159bdbd63f25292c7113ec2c78
ident: Key identifier? [] > examplersa2048key
plainname: Key name? [] > examplersa2048key
key generation parameters:
operation Operation to perform retarget
application Application simple
verify Verify security of key yes
from-application Source application embed
from-ident Source key identifier
2ed5428aaeae1e159bdbd63f25292c7113ec2c78
ident Key identifier examplersa2048key
plainname Key name examplersa2048key
Key successfully retargetted.
Path to key:
/opt/nfast/kmdata/local/key_simple_examplersa2048key
Important! When prompted for the source key identifier, enter
2ed5428aaeae1e159bdbd63f25292c7113ec2c78 as the embed key.
Result
Updated: 2014-12-08
Before the ADC can process traffic, you must do the following:
1. Enable features.
2. Add a subnet IP (SNIP) address.
3. Add the HSM key to the ADC.
4. Add a certificate-key pair by using the HSM key.
5. Add a virtual server.
6. Add a server object.
7. Add a service.
8. Bind the service to the virtual server.
9. Bind the certificate-key pair to the virtual server.
10. Verify the configuration.
Enable features on the ADC
Licenses must be present on the ADC before you can enable a feature.
Navigate to System > Settings and, in the Modes and Features group, select Configure basic
features, and then select SSL Offloading.
To add a SNIP address and verify the configuration by using the command line
To add a SNIP address and verify the configuration by using the configuration utility
Navigate to System > Network > IPs, add an IP address, and select the IP Type as Subnet IP.
Example
> add ssl hsmKey examplersa2048key –key
key_simple_examplersa2048key
Done
Navigate to Traffic Management > SSL > HSM, and add an HSM key.
Example
> add ssl certKey key22 -cert example_selfcert -hsmKey
examplersa2048key
Done
Example
> add lb vserver v1 SSL 192.168.17.252 443
Navigate to Traffic Management > Load Balancing > Virtual Servers, create a virtual server,
and specify the protocol as SSL.
Example
%python –m SimpleHTTPServer 80
Example
> add server s1 192.168.17.246
Navigate to Traffic Management > Load Balancing > Servers, and add a server.
Add a service
For more information, see Configuring Services.
Example
> add service sr1 s1 HTTP 80
Navigate to Traffic Management > Load Balancing > Services, and create a service.
Example
> bind lb vserver v1 sr1
Example
> bind ssl vserver v1 -certkeyName key22
Warning: Current certificate replaces the previous binding
Navigate to Traffic Management > Load Balancing > Virtual Servers, and double-click an
SSL virtual server to open it and view the configuration.