Initializing the TPM on SNS firewalls

This section explains how to initialize the TPM on an SNS firewall or TPMs in an SNS firewall high availability cluster.

From the web administration interface

The initialization process varies according to the version installed on the SNS firewall.

SNS in 4.8.7 and higher versions

  1. Go to Configuration > Objects > Certificates and PKI.

  2. Click on Init. TPM.

  3. If Secure Boot has not been enabled, a warning will appear. You are advised to enable Secure Boot before initializing the TPM, but this can be done later. For more information on enabling Secure Boot, refer to the technical note Managing Secure Boot in SNS firewalls' UEFI.

    IMPORTANT
    The TPM protection is incomplete as long as the Secure Boot feature is not enabled.

  4. In the Set password window, set the administration password of the TPM following the recommendations in the section TPM administration password, then click on Continue.

  5. Select the features whose certificates will have their private keys protected by the TPM. Features that do not use certificates in their configuration cannot be selected. You can also leave all checkboxes unchecked and protect the private keys of SNS firewall certificates later.

  6. Click on Finish.

    The TPM is initialized. On these versions the symmetric key is always generated with the key derivation mechanism, whether or not the SNS firewall belongs to a high availability cluster. If it does, the TPM on the passive firewall is initialized automatically.

SNS in 4.3 LTSB versions

  1. Go to Configuration > Objects > Certificates and PKI.

  2. In the TPM initialization window that appears, set the administration password of the TPM following the recommendations in the section TPM administration password. If the window does not appear automatically, check whether the TPM has already been initialized, or initialize it from the CLI console.

  3. Click on Apply.

    The TPM is initialized. If the SNS firewall is part of a high availability cluster, the TPM on the passive firewall is initialized as well, and the symmetric key is generated with the key derivation mechanism.

You then need to protect the private keys of certificates on the SNS firewall. To do so, go to the section Protecting private keys in SNS firewall certificates.

From the CLI console

  1. Run this command:

    SYSTEM TPM INIT tpmpassword=<password> derivekey=<on|off>

    • Replace <password> with the TPM password, chosen according to the recommendations in the section TPM administration password.
    • derivekey=on selects the symmetric key derivation mechanism. It is required when the firewall is part of a high availability cluster, since the passive firewall's TPM is initialized from that derived key.

  2. If the SNS firewall is part of a high availability cluster, run this command to initialize the TPM on the passive firewall:

    HA TPMSYNC tpmpassword=<password>

You then need to protect the private keys of certificates on the SNS firewall. To do so, go to the section Protecting private keys in SNS firewall certificates.

When a high availability firewall cluster has not yet been created

The TPM has not yet been initialized on either firewall in the cluster

  1. Configure the cluster (create the cluster and integrate the second SNS firewall).
  2. Refer to the procedures above on initializing the TPM on SNS firewalls.

The TPM is already initialized on the future active firewall in the cluster

SNS in 4.8.7 and higher versions

  1. Configure the cluster (create the cluster and integrate the second SNS firewall).
  2. Log out of the SNS firewall's web administration interface and log back in.
  3. A window will automatically appear, asking you to initialize the TPM on the passive firewall. Enter the TPM password in the relevant field.
  4. Click on OK.

SNS in 4.3 LTSB versions

  1. Run this command on the active firewall to renew the symmetric key and make sure it is produced by the key derivation mechanism:

    SYSTEM TPM RENEW tpmpassword=<password> derivekey=on

    • Replace <password> with the TPM password.
    • Since the firewall is part of a high availability cluster, set derivekey=on.

    All TPM-protected private keys of certificates will be decrypted, then encrypted again with the new symmetric key derived from the TPM password.

  2. Run this command to initialize the TPM on the passive firewall:

    HA TPMSYNC tpmpassword=<password>
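The CLI and high availability procedures above branch on three things: the SNS branch (4.3 LTSB or 4.8.7 and higher), whether the firewall is in a cluster, and whether the TPM is already initialized on the active member. The following Python planner is an added example written for this page, not Stormshield code: it emits the exact command strings documented here (SYSTEM TPM INIT, SYSTEM TPM RENEW, HA TPMSYNC) for each documented case, refuses versions this page does not cover instead of guessing, and redacts tpmpassword before anything is logged. The FirewallState class, the version mapping, the whitespace check on the password and the injected send callback are assumptions made for the example; send stands in for whatever you use to reach the CLI console (an SSH session or the Stormshield Python API), and is replaced by a recording stub below so the example runs offline.

```python
"""Plan the TPM initialization commands documented on this page (added example)."""
import re
from dataclasses import dataclass
from typing import Callable, List, Optional

# Assumption: SNS versions look like "4.3.24" or "4.8.7"; extra suffixes are ignored.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?")


def parse_version(version: str) -> tuple:
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised SNS version string: {version!r}")
    return tuple(int(x or 0) for x in m.groups())


def branch_for(version: str) -> str:
    """Map a version to the two branches this page documents; anything else is an error."""
    v = parse_version(version)
    if v >= (4, 8, 7):
        return "4.8.7+"
    if v[:2] == (4, 3):
        return "4.3 LTSB"
    raise ValueError(f"SNS {version}: not covered by this procedure")


def is_covered(version: str) -> bool:
    try:
        branch_for(version)
        return True
    except ValueError:
        return False


@dataclass
class FirewallState:  # hypothetical structure for this example
    version: str
    in_cluster: bool
    tpm_initialized_on_active: bool = False


def check_password(password: str) -> None:
    """Assumption: the CLI is whitespace-delimited, so a password containing
    whitespace would split the tpmpassword= token. The page's own password
    recommendations (section TPM administration password) still apply."""
    if not password or re.search(r"\s", password):
        raise ValueError("TPM password must be non-empty and contain no whitespace")


def plan_tpm_init(state: FirewallState, password: str,
                  derivekey: Optional[str] = None) -> List[str]:
    """Return the CLI commands, in order, for the situation described by `state`."""
    check_password(password)
    branch = branch_for(state.version)
    if not state.tpm_initialized_on_active:
        # Fresh initialization (standalone, or cluster already formed).
        # A cluster always uses the derived key; standalone defaults to "on"
        # (same behaviour as the 4.8.7+ web interface), unless overridden.
        dk = "on" if state.in_cluster else (derivekey or "on")
        cmds = [f"SYSTEM TPM INIT tpmpassword={password} derivekey={dk}"]
        if state.in_cluster:
            cmds.append(f"HA TPMSYNC tpmpassword={password}")
        return cmds
    if not state.in_cluster:
        return []  # already initialized and standalone: nothing to do
    if branch == "4.3 LTSB":
        # Re-derive the symmetric key from the password, then initialize the passive TPM.
        return [f"SYSTEM TPM RENEW tpmpassword={password} derivekey=on",
                f"HA TPMSYNC tpmpassword={password}"]
    # 4.8.7+: the page documents a web interface prompt after logging back in,
    # not a CLI sequence, so do not guess one.
    raise NotImplementedError("4.8.7+: initialize the passive TPM from the web "
                              "administration interface prompt")


def redact(cmd: str) -> str:
    """Strip the TPM password before a command is logged or displayed."""
    return re.sub(r"(tpmpassword=)\S+", r"\1<redacted>", cmd)


def run_plan(state: FirewallState, password: str,
             send: Callable[[str], object], log: Optional[list] = None) -> list:
    """Send each planned command through `send`; only redacted commands reach `log`."""
    results = []
    for cmd in plan_tpm_init(state, password):
        if log is not None:
            log.append(redact(cmd))
        results.append(send(cmd))
    return results


if __name__ == "__main__":
    sent, log = [], []
    state = FirewallState("4.3.24", in_cluster=True, tpm_initialized_on_active=True)
    run_plan(state, "S3cret!", sent.append, log)  # sent.append is the offline stub
    print("\n".join(log))
```

Swap the recording stub for a real transport only once the redacted log looks right; the unredacted command strings contain the TPM password and should never be written to a shell history file, ticket or log aggregator.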