NITROX XL FIPS acceleration board

Installing and configuring

If a new NITROX XL FIPS Acceleration Board has been added to your NAM Probe (inserted into a free PCI slot), you need to install the appropriate software. See Upgrading the NAM Probe software for information about upgrading the NAM Probe.

In addition to ensuring that the driver software is installed on the NAM Probe, the accelerator card has to be initialized by creating superuser and user accounts, each with a password, as explained below.

The configuration is performed using the nitrox-setup command line utility.

Note
  • NITROX XL FIPS Acceleration Board is referred to as “Cavium NITROX XL CN1120-NFB Hardware Security Module” or just “HSM”, in the configuration utility user interface, as described below. All of these names refer to the same entity.
  • FIPS mode 140-2 Level 3 is referred to as “FIPS mode: on” in the configuration utility user interface.
  • FIPS mode 140-2 Level 2 is referred to as “FIPS mode: off” in the configuration utility user interface.

Supported security levels

The NITROX XL FIPS Acceleration Board, model CN1120-350-NFB-1.1-G, can be configured to operate in the following security modes:

  • FIPS 140-2 Level 3 high security mode,
    which requires the card to be connected to a PIN Entry Device (PED).
  • FIPS 140-2 Level 2 mode, also referred to as the non-FIPS mode,
    in which no PED is required and all operations on the card are performed solely through the hosting computer, that is, through your NAM Probe.

You can use either of these modes for NITROX XL FIPS Acceleration Boards installed in the NAM Probe. Decide which mode to use based on your specific security needs. For further information about security levels, refer to the Cavium Networks NITROX documentation.

Initializing the acceleration board

Before the card can be used, it has to be initialized. This includes defining the security level, specifying SO and USER passwords, or configuring and initializing the PED keys. It also involves deleting all of the keys currently stored on the card.

The actual operation of writing initialization information to the acceleration board or deletion of RSA key information is performed in the last step of the initialization dialog. It is therefore possible to abort the initialization process at any point before the final confirmation.

Initializing the hardware security module card deletes all currently stored key information. To abort initialization before the final confirmation, press [Ctrl-C] to exit the hardware security module management utility. To initialize the NITROX XL FIPS accelerator:

Select the initialization option from the menu.

To initialize the card, select the Initialize HSM option from the nitrox-setup menu.

Select the security level.

You are prompted whether the hardware security module is to be initialized in the FIPS high security mode (mode 140-2 Level 3), which requires the use of a PED. The selection depends on your particular security requirements. Answer “y” for Yes or “n” for No, as appropriate. If you select the FIPS high security mode, you are prompted to initialize the PED keys; refer to the Cavium Networks PED documentation for information about how to use the PED and PED keys. If you select the non-FIPS mode, FIPS mode 140-2 Level 2, you are prompted to type the new SO and USER passwords.

Provide a new acceleration board label.

You are prompted for a new acceleration board label. This is an identification string written to the acceleration board.

Log in as the security officer (user SO).

To proceed with further initialization steps, nitrox-setup attempts to log you onto the card as the security officer (user SO). Depending on the currently active security level (not the level you have just selected), you supply either the current SO password or the SO (blue) PED key with a PIN.

The factory default setting is non-FIPS, FIPS mode 140-2 Level 2. The default password can be found in the card manufacturer's documentation or in the /opt/nitrox_fips/doc/Utils_README.txt file, in the section entitled Initializing the board.

If the FIPS high security (140-2 Level 3) mode is used, all PED operations, including SO identification, are deferred until you confirm initialization (see the last step of this procedure).

Caution:

Three consecutive unsuccessful entries of the SO password cause a hardware security module reset.

Provide new SO and USER passwords.

As part of initialization, you are prompted to supply new security identification for user SO and user USER. If you are using the non-FIPS mode (FIPS mode 140-2 Level 2), enter the new passwords for each of these users. In the FIPS high security mode 140-2 Level 3, use a PED and the appropriate keys.

Confirm initialization.

Finally, you are prompted to confirm all of the above settings. Confirming initialization at this stage causes the hardware security module to be initialized as specified. If there were any PED operations pending, such as SO authorization or initialization of PED keys, they are performed now. Refer to the PED manufacturer's documentation for information about initializing and using PED keys.

Note that the security officer (SO) will be logged out automatically as part of the initialization step.

Caution:

The initialization process must not be aborted after the above (final) confirmation, or the hardware security module may be left in an undefined state, particularly if PED keys are being used.

To remedy this situation, the manufacturer of the card provides the Cfm1Util utility. Once the card has fallen into the indeterminate state, this tool can be used to reinitialize it. The Cfm1Util utility is provided with the card software, and its usage syntax is described in the card's documentation.

Figure 1. Initializing Hardware Security Module in non-FIPS mode (FIPS mode 140-2 Level 2)

Agentless Monitoring
    Configuration and management of Cavium NITROX XL FIPS Hardware Security Module (HSM)
    HSM label: testLabel1, HSM FIPS mode: off, USER logged in: no

        1 - Display HSM status
        2 - Initialize HSM
        3 - Login as USER
        4 - Logout USER
        5 - Add RSA private key
        6 - Remove RSA private key
        7 - List RSA private keys
        X - Exit
Select option and press [ENTER]: 2
Initializing HSM...
This step defines a new HSM label, security level and passwords and removes all RSA key information.
        Continue? (y or n): y
        Initialize HSM in FIPS mode (use of PIN Entry Device required)? (y or n): n
        Enter a new HSM label: testLabel1

*****************************************************************************
*** You need to enter the current HSM Security Officer (SO) password.     ***
*** WARNING: three consecutive unsuccessful entries will cause HSM reset! ***
*****************************************************************************
        Enter current HSM SO password:

        Enter a new HSM SO password (8 to 12 characters):
        Retype HSM SO password:

        Enter a new HSM USER password (8 to 12 characters, must be different from SO password):
        Retype HSM USER password:

*** WARNING: all key information will be deleted from HSM. ***
        Continue? (y or n): y

Starting HSM initialization...
Login successful.
Initialization successful.

Press [ENTER] to continue...

Logging into and out of the acceleration board

The user USER must remain logged in for the NAM Probe traffic monitoring software to be able to use the HSM card. Therefore, logging in is usually the first operation performed after the NAM Probe is restarted.

Use the HSM management utility, nitrox-setup, to log in to and out of the HSM card as USER.

HSM management operations, such as listing keys or adding or removing keys can only be performed if USER is logged in.

Note that USER remains logged in after the nitrox-setup management utility exits, so you can exit the menu without causing USER to be logged out.

To log in or out of the card, select Login as USER or Logout USER from the nitrox-setup menu.

Caution:

For security reasons, ten consecutive unsuccessful login attempts disable the USER account.

RSA key management on NITROX XL FIPS

RSA key operations, including adding, deleting and listing stored keys, are performed using the nitrox-setup utility.

Import the keys from unencrypted PEM files. Note that the NAM Probe with the hardware security module supports only 1024-bit and 2048-bit RSA keys, even though 4096-bit keys can be stored on the hardware security module. For this reason, it is good practice, before loading the keys, to check the size of each key using the command:

openssl rsa -in keyfile.pem -text

Once keys are stored on the hardware security module, they are identified by hexadecimal numbers.
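The following script is an added example, not part of the NAM Probe or nitrox-setup software. It automates the pre-import check described above: it refuses encrypted PEM files (nitrox-setup imports unencrypted PEM only), runs the openssl size check, and reports whether the modulus is one of the 1024-bit or 2048-bit sizes the NAM Probe uses. The function and variable names are the example's own; the header line it parses ("Private-Key: (2048 bit ...)") is what the openssl rsa -text command prints for a private key.

```sh
#!/bin/sh
# Pre-import check for RSA private keys destined for the NITROX XL FIPS board.
# Added example; not part of the NAM Probe or nitrox-setup software.
# nitrox-setup imports unencrypted PEM files, and the NAM Probe uses only
# 1024-bit and 2048-bit keys, so both conditions are verified before import.

# Key sizes the NAM Probe can use with the HSM (from the documentation).
SUPPORTED_BITS="1024 2048"

# parse_key_bits: read "openssl rsa -text" output on stdin and print the modulus
# size from its header line, e.g. "Private-Key: (2048 bit, 2 primes)" (OpenSSL 3)
# or "RSA Private-Key: (2048 bit, 2 primes)" (OpenSSL 1.1). Prints nothing if absent.
parse_key_bits() {
    sed -n 's/^.*Private-Key: (\([0-9][0-9]*\) bit.*$/\1/p' | head -n 1
}

# is_supported_bits: succeed if the size is one the NAM Probe can use.
is_supported_bits() {
    for b in $SUPPORTED_BITS; do
        [ "$1" = "$b" ] && return 0
    done
    return 1
}

# pem_is_encrypted: succeed if the PEM file carries an encryption marker
# (PKCS#1 "Proc-Type: 4,ENCRYPTED" or PKCS#8 "BEGIN ENCRYPTED PRIVATE KEY").
pem_is_encrypted() {
    grep -q 'ENCRYPTED' "$1"
}

# check_key_file: full pre-import check of one PEM file. Prints a verdict and
# returns 0 only when the key can be imported; other codes identify the problem.
check_key_file() {
    keyfile="$1"
    if [ ! -r "$keyfile" ]; then
        echo "ERROR: cannot read $keyfile"
        return 2
    fi
    if pem_is_encrypted "$keyfile"; then
        echo "ERROR: $keyfile is encrypted; nitrox-setup imports unencrypted PEM files only"
        return 3
    fi
    # -noout suppresses the re-encoded key; only the text dump is needed.
    bits=$(openssl rsa -in "$keyfile" -noout -text 2>/dev/null | parse_key_bits)
    if [ -z "$bits" ]; then
        echo "ERROR: $keyfile is not a readable RSA private key"
        return 4
    fi
    if is_supported_bits "$bits"; then
        echo "OK: $keyfile is a $bits-bit RSA key and can be imported"
        return 0
    fi
    echo "ERROR: $keyfile is a $bits-bit RSA key; the NAM Probe uses 1024- or 2048-bit keys only"
    return 5
}

# Usage: check each PEM file given on the command line. With no arguments,
# demonstrate on a throwaway 2048-bit key (constructed test data, discarded
# afterwards) when the openssl tool is available.
if [ $# -gt 0 ]; then
    for f in "$@"; do check_key_file "$f"; done
elif command -v openssl >/dev/null 2>&1; then
    demo=$(mktemp)
    openssl genrsa -out "$demo" 2048 2>/dev/null
    check_key_file "$demo"
    rm -f "$demo"
fi
```

Run it on the NAM Probe as check_hsm_key.sh /path/to/key1.pem before selecting Add RSA private key in nitrox-setup; a non-zero exit status means the file should not be imported as is.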

Importing a key to the acceleration board

To import a new RSA key, select the Add RSA private key option from the nitrox-setup menu. Provide the appropriate PEM file name when prompted. If the specified file exists and contains a valid key, the key is imported with the default label PRV_KEY_IMPORT and a new key identifier is generated and displayed.

Figure 1. Importing an RSA Private Key

Agentless Monitoring
    Configuration and management of Cavium NITROX XL FIPS Hardware Security Module (HSM)
    HSM label: testLabel1, HSM FIPS mode: off, USER logged in: yes

        1 - Display HSM status
        2 - Initialize HSM
        3 - Login as USER
        4 - Logout USER
        5 - Add RSA private key
        6 - Remove RSA private key
        7 - List RSA private keys
        X - Exit
Select option and press [ENTER]: 5
        Enter the name of the file containing the RSA private key in PEM format: /usr/testuser/ssl/key1.pem
Importing RSA private key from /user/testuser/ssl/key1.pem (key size 1024 bits)...
RSA key imported successfully, key ID = 0x8

Press [ENTER] to continue...

Listing keys currently stored on the board

To list the keys currently stored on the card, choose the List RSA private keys option from the menu. All currently stored private keys are listed. Each key is denoted by one line showing key identifier, label and size in bits.

Note that when quoting the identifiers in the NAM Probe configuration, you can use the identifier number with or without the leading 0x.

Figure 2. Listing All RSA Keys

Agentless Monitoring
    Configuration and management of Cavium NITROX XL FIPS Hardware Security Module (HSM)
    HSM label: testLabel1, HSM FIPS mode: off, USER logged in: yes

        1 - Display HSM status
        2 - Initialize HSM
        3 - Login as USER
        4 - Logout USER
        5 - Add RSA private key
        6 - Remove RSA private key
        7 - List RSA private keys
        X - Exit
Select option and press [ENTER]: 7
Installed keys:
        key: 0x8, label: PRV_KEY_IMPORT, size: 1024
Command completed successfully

Press [ENTER] to continue...
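The following script is an added example, not part of nitrox-setup or the NAM Probe software. It parses a captured copy of the List RSA private keys output shown above (one "key: ..., label: ..., size: ..." line per key) and normalizes key identifiers so that an identifier quoted in the NAM Probe configuration, with or without the leading 0x, can be matched against what the card reports. The sample listing is constructed for the example; the second key in it does not come from the page.

```sh
#!/bin/sh
# Parse the "List RSA private keys" output of nitrox-setup and normalize key
# identifiers. Added example; not part of nitrox-setup or the NAM Probe software.

# normalize_key_id: print the canonical form "0x<lowercase hex, no leading
# zeros>" of an identifier written with or without the 0x prefix, as the
# documentation allows. Returns 1 and prints nothing for anything that is not
# a hexadecimal number.
normalize_key_id() {
    id=$(printf '%s' "$1" | tr 'A-FX' 'a-fx' | sed 's/^0x//')
    case "$id" in
        ''|*[!0-9a-f]*) return 1 ;;
    esac
    id=$(printf '%s' "$id" | sed 's/^0*//')
    [ -n "$id" ] || id=0
    printf '0x%s\n' "$id"
}

# list_keys: read captured nitrox-setup listing text on stdin and print one
# "ID LABEL SIZE" line per stored key, with the ID in canonical form.
list_keys() {
    sed -n 's/^[[:space:]]*key: *\([^,]*\), *label: *\([^,]*\), *size: *\([0-9]*\).*$/\1 \2 \3/p' |
    while read -r kid label size; do
        printf '%s %s %s\n' "$(normalize_key_id "$kid")" "$label" "$size"
    done
}

# find_key: succeed if the identifier given as argument (as it would be quoted
# in the NAM Probe configuration) is present in the listing read on stdin.
find_key() {
    want=$(normalize_key_id "$1") || return 2
    list_keys | awk -v want="$want" '$1 == want { found = 1 } END { if (found) exit 0; exit 1 }'
}

# Constructed sample of the listing from Figure 2 above, with a second key added
# for the example; it is not output from a real card.
SAMPLE_LISTING='Installed keys:
        key: 0x8, label: PRV_KEY_IMPORT, size: 1024
        key: 0x1a, label: PRV_KEY_IMPORT, size: 2048
Command completed successfully'

# Demonstration: print the parsed listing, then check an identifier written
# without the 0x prefix and in upper case, as the documentation permits.
printf '%s\n' "$SAMPLE_LISTING" | list_keys
if printf '%s\n' "$SAMPLE_LISTING" | find_key 1A; then
    echo "key 1A is present on the card as $(normalize_key_id 1A)"
fi
```

Paste the output of menu option 7 into a file and pipe it into find_key to confirm that every key identifier referenced in the NAM Probe configuration is actually present on the card.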

Deleting a key from the acceleration board

To delete an RSA key from the hardware security module, select the Remove RSA private key option from the menu and enter the identifier of the key when prompted.

Figure 3. Deleting an RSA Private Key

Agentless Monitoring
    Configuration and management of Cavium NITROX XL FIPS Hardware Security Module (HSM)
    HSM label: testLabel1, HSM FIPS mode: off, USER logged in: yes

        1 - Display HSM status
        2 - Initialize HSM
        3 - Login as USER
        4 - Logout USER
        5 - Add RSA private key
        6 - Remove RSA private key
        7 - List RSA private keys
        X - Exit
Select option and press [ENTER]: 6
        Enter hexadecimal ID (with optional 0x prefix) of the key to remove: 8
Removing key 0x8.
Command completed successfully

Press [ENTER] to continue...

Invoking acceleration board management utility

The nitrox-setup utility, located in /opt/nitrox_fips/bin, is used to perform configuration and management operations on the hardware security module as well as to facilitate actual card operation.

In addition to this software management utility, a PIN Entry Device (PED) might also be required to configure and operate the hardware security module, depending on the selected security level.

To invoke the hardware security module management utility, log in to the NAM Probe and execute the command:

/opt/nitrox_fips/bin/nitrox-setup

On startup, the utility displays a menu and information about the current hardware security module label and security level.

Figure 1. NITROX Setup Menu and Configuration Information

Agentless Monitoring
    Configuration and management of Cavium NITROX XL FIPS Hardware Security Module (HSM)
    HSM label: testLabel1, HSM FIPS mode: off, USER logged in: no

        1 - Display HSM status
        2 - Initialize HSM
        3 - Login as USER
        4 - Logout USER
        5 - Add RSA private key
        6 - Remove RSA private key
        7 - List RSA private keys
        X - Exit
Select option and press [ENTER]:

The exact function of the menu items is as follows:

Display HSM Status

Displays current status information, including serial number, firmware version, memory size, capabilities, and policies.

Initialize HSM

Initializes the card.

This includes defining the security level, specifying SO and USER passwords or configuring and initializing PED keys. It also involves deleting all of the RSA keys currently stored on the card.

Login as USER

Logs into the card as USER.

Logout USER

Logs USER out of the card.

Add RSA private key

Imports an RSA private key to the hardware security module.

Remove RSA private key

Deletes an RSA private key from the hardware security module.

List RSA private keys

Lists RSA private keys stored on the hardware security module.

Exit

Exits the hardware security module management utility.

RoHS directive compliance

RoHS stands for “the restriction of the use of certain hazardous substances in electrical and electronic equipment”. The NITROX XL CN1120-350-NFB-1.1-G cards comply with the requirements of this directive, unlike the previous version of NITROX XL cards, marked with the symbol CN1120-NFB.