Configure the HSM for an instance on an SDX 14030/14060/14080 FIPS appliance

October 22, 2021

Contributed by:

First check the state of your FIPS card to verify that the driver loaded correctly, and then initialize the card.

At the command prompt, type:

show fips FIPS Card is not configured Done

If the driver is not loaded correctly, the message “ERROR: Operation not permitted - no FIPS card present in the system” appears.

Initialize the FIPS card

Important:

Verify that the/nsconfig/fipsdirectory has successfully been created on the appliance.

Do not save the configuration before you restart the appliance for the third time.

Perform the following steps to initialize the FIPS card:

Reset the FIPS card (reset fips).
重新启动设备(reboot).
Set the security officer password for partitions 0 and 1, and the user password for partition (set fips -initHSM Level-2 -hsmLabel NSFIPS).
Note: The set or reset command takes more than 60 seconds to run.
Save the configuration (saveconfig).
Verify that the password encrypted key for the main partition (master_pek.key) has been created in the /nsconfig/fips/ directory.
重新启动设备(reboot).
Verify that the FIPS card is UP (show fips).

Initialize the FIPS card by using the CLI

At the command prompt, type the following commands:

reset fips reboot set fips -initHSM Level-2    -hsmLabel

Note: The following message appears when you run theset fipscommand:

             This command will erase all data on the FIPS card. You must save the configuration (saveconfig) after executing this command. [Note: On MPX/SDX 14xxx FIPS platform, the FIPS security is at Level-3 by default, and the -initHSM Level-2 option is internally converted to Level-3] Do you want to continue?(Y/N)y saveconfig reboot show fips 
            

Example:

             reset fips Done reboot set fips -initHSM Level-2 so12345 so12345 user123 -hsmLabel NSFIPS This command will erase all data on the FIPS card. You must save the configuration (saveconfig) after executing this command. [Note: On MPX/SDX 14xxx FIPS platform, the FIPS security is at Level-3 by default, and the -initHSM Level-2 option is internally converted to Level-3] Do you want to continue?(Y/N)y Done saveconfig Done reboot show fips FIPS HSM Info: HSM Label : NSFIPS Initialization : FIPS-140-2 Level-2 HSM Serial Number : 3.0G1532-ICM000228 HSM State : 2 HSM Model : NITROX-III CNN35XX-NFBE Hardware Version : 0.0-G Firmware Version : 1.0 Firmware Build : NFBE-FW-1.0-48 Max FIPS Key Memory : 1000 Free FIPS Key Memory : 1000 Total SRAM Memory : 557396 Free SRAM Memory : 238088 Total Crypto Cores : 4 Enabled Crypto Cores : 4 Done 
            

The official version of this content is in English. Some of the Citrix documentation content is machine translated for your convenience only. Citrix has no control over machine-translated content, which may contain errors, inaccuracies or unsuitable language. No warranty of any kind, either expressed or implied, is made as to the accuracy, reliability, suitability, or correctness of any translations made from the English original into any other language, or that your Citrix product or service conforms to any machine translated content, and any warranty provided under the applicable end user license agreement or terms of service, or any other agreement with Citrix, that the product or service conforms with any documentation shall not apply to the extent that such documentation has been machine translated. Citrix will not be held responsible for any damage or issues that may arise from using machine-translated content.

Configure the HSM for an instance on an SDX 14030/14060/14080 FIPS appliance

October 22, 2021

Contributed by:

October 22, 2021

Contributed by:

Configure the HSM for an instance on an SDX 14030/14060/14080 FIPS appliance

Initialize the FIPS card

Initialize the FIPS card by using the CLI

In this article