Considerations for high availability with FIPS

When Trust Protection Platform provisions a private key to a FIPS-enabled NetScaler appliance, the private key is stored in the appliance's local hardware security module (HSM). Although NetScaler synchronizes most of its configuration between the nodes of a high availability pair, it does not synchronize the FIPS key material held in the HSM. After a sync, the secondary node therefore holds references to the private keys but not the key material itself.

In order to copy FIPS keys between high availability nodes, you must configure Secure Information Management (SIM).

The only configuration required on Trust Protection Platform is to set Use FIPS to Yes when you configure the Venafi NetScaler driver. For more information, see Use FIPS in the topic Creating a Citrix NetScaler application object.

Setting up SIM on a FIPS-enabled NetScaler device

IMPORTANT  Because FIPS is not supported for ACMEv2, you cannot have FIPS enabled on any server that is used for ACMEv2.

To set up SIM on your FIPS-enabled NetScaler device, you must initialize and then enable SIM. If SIM is not configured, provisioning fails because the secondary node receives a reference to a key that does not exist in its HSM.

To set up SIM, refer to your Citrix documentation: https://support.citrix.com/article/CTX118684.
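The following script is an added example, not Venafi's or Citrix's code, showing what the SIM setup and the subsequent check look like when driven from an admin host. It walks both nodes through the initialize and enable steps, then compares the FIPS key lists on the primary and secondary so the failure mode described above (a key referenced on the secondary but absent from its HSM) is caught before Trust Protection Platform provisions to the pair. The node addresses, the ssh user, the file names under /nsconfig/ssl/, and the "FIPS Key Name:" label assumed in the `show ssl fipsKey` output are all assumptions; the CLI argument order follows the Citrix article linked above, so confirm it against your firmware version.

```shell
#!/bin/sh
# Added example; not Venafi's or Citrix's code. Drives the SIM setup on a
# FIPS NetScaler HA pair from an admin host, then checks that the secondary
# lists every FIPS key the primary holds, which is the state TPP provisioning
# to the pair depends on.
#
# Assumptions (not stated on the page): ssh key authentication as $NSUSER
# works against both nodes, the primary is the SIM source and the secondary
# the SIM target, the file names under /nsconfig/ssl are illustrative, and
# the CLI argument order matches the Citrix article the page links.

PRIMARY="${PRIMARY:-10.0.0.11}"      # assumed NSIP of the HA primary (SIM source)
SECONDARY="${SECONDARY:-10.0.0.12}"  # assumed NSIP of the HA secondary (SIM target)
NSUSER="${NSUSER:-nsroot}"
DRY_RUN="${DRY_RUN:-0}"              # 1 = print the commands instead of running them
SSL_DIR=/nsconfig/ssl

# run_ns HOST 'CLI COMMAND': run one NetScaler CLI command over ssh.
run_ns() {
  if [ "$DRY_RUN" = "1" ]; then
    printf '%s: %s\n' "$1" "$2"
  else
    ssh "$NSUSER@$1" "$2"
  fi
}

# copy_between SRC_HOST SRC_PATH DST_HOST DST_PATH: move a SIM artifact
# between the nodes, relaying through the admin host (scp -3).
copy_between() {
  if [ "$DRY_RUN" = "1" ]; then
    printf 'copy %s:%s -> %s:%s\n' "$1" "$2" "$3" "$4"
  else
    scp -3 "$NSUSER@$1:$2" "$NSUSER@$3:$4"
  fi
}

# The SIM handshake: initialize and enable source and target, exchanging the
# certificate, target secret and source secret that each step produces.
setup_sim() {
  run_ns "$PRIMARY"   "init ssl fipsSIMsource $SSL_DIR/sim_source.cert"
  copy_between "$PRIMARY" "$SSL_DIR/sim_source.cert" "$SECONDARY" "$SSL_DIR/sim_source.cert"
  run_ns "$SECONDARY" "init ssl fipsSIMtarget $SSL_DIR/sim_source.cert $SSL_DIR/sim_key.vector $SSL_DIR/sim_target.secret"
  copy_between "$SECONDARY" "$SSL_DIR/sim_target.secret" "$PRIMARY" "$SSL_DIR/sim_target.secret"
  run_ns "$PRIMARY"   "enable ssl fipsSIMsource $SSL_DIR/sim_target.secret $SSL_DIR/sim_source.secret"
  copy_between "$PRIMARY" "$SSL_DIR/sim_source.secret" "$SECONDARY" "$SSL_DIR/sim_source.secret"
  run_ns "$SECONDARY" "enable ssl fipsSIMtarget $SSL_DIR/sim_key.vector $SSL_DIR/sim_source.secret"
}

# fips_key_names: pull the key names out of `show ssl fipsKey` output on
# stdin. The "FIPS Key Name:" label is an assumption about the output
# format; adjust the pattern to what your firmware prints.
fips_key_names() {
  sed -n 's/.*FIPS Key Name:[[:space:]]*//p' | sed 's/[[:space:]]*$//' | sort
}

# keys_missing_on_target SRC_LIST TGT_LIST: names in the first sorted list
# that are absent from the second.
keys_missing_on_target() {
  comm -23 "$1" "$2"
}

# verify_keys: fail if the secondary's HSM lacks a key the primary holds,
# which is exactly the state in which provisioning to the pair fails.
verify_keys() {
  src=$(mktemp); tgt=$(mktemp)
  run_ns "$PRIMARY"   "show ssl fipsKey" | fips_key_names > "$src"
  run_ns "$SECONDARY" "show ssl fipsKey" | fips_key_names > "$tgt"
  missing=$(keys_missing_on_target "$src" "$tgt")
  rm -f "$src" "$tgt"
  if [ -n "$missing" ]; then
    printf 'FIPS keys on %s missing from the HSM on %s:\n%s\n' "$PRIMARY" "$SECONDARY" "$missing"
    return 1
  fi
  echo "FIPS key sets match on both nodes"
}

case "${1:-}" in
  setup)  setup_sim ;;
  verify) verify_keys ;;
esac
```

Run `DRY_RUN=1 sh sim_ha.sh setup` first to review the exact command sequence and file exchanges, then run it for real and follow with `sh sim_ha.sh verify`; a non-zero exit from the verify step means the secondary is still missing key material and provisioning to the pair should not be attempted yet.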

DID YOU KNOW?  To better understand what the Venafi NetScaler driver needs to do to function in this scenario, refer to the following Citrix documentation, which outlines the tasks required to create and transfer FIPS keys: https://docs.citrix.com/en-us/netscaler/10-1/ns-tmg-wrapper-10-con/ns-ssl-wrapper-con-10/ns-tmg-fips-wrapper-con-10/ns-tmg-fips-create-transfer-fipskeys-con.html
