All modules
CMVP Validated Module · FIPS 140-3 Security Policy

NetScaler Virtual Appliance

Certificate#5111StandardFIPS 140-3Level1TypeSoftwareEmbodimentMulti-Chip Stand AloneStatusActiveVendorCloud Software Group
High review priority  ·  no TCB surface named  ·  last validated 7 months ago. How this is derived →

Certificate

StandardFIPS 140-3
Overall level1
Module typeSoftware
EmbodimentMulti-Chip Stand Alone
StatusActive
Sunset date12/15/2030
CaveatWhen installed, initialized and configured as specified in Section 11.1.4 of the Security Policy.
VendorCloud Software Group

Approved Algorithms (37)

AlgorithmACVP Cert
AES-CBCA3942
AES-CFB128A3942
AES-CTRA3942
AES-GCMA3942
Counter DRBGA3942
ECDSA KeyGen (FIPS186-4)A3942
ECDSA KeyVer (FIPS186-4)A3942
ECDSA SigGen (FIPS186-4)A3942
ECDSA SigVer (FIPS186-4)A3942
HMAC-SHA-1A3942
HMAC-SHA2-256A3942
HMAC-SHA2-384A3942
HMAC-SHA2-512A3942
KAS-ECC-SSC Sp800-56Ar3A3942
KAS-FFC-SSC Sp800-56Ar3A3942
KDF IKEv1 (CVL)A3942
KDF IKEv2 (CVL)A3942
KDF SNMP (CVL)A3942
KDF SSH (CVL)A3942
KDF TLS (CVL)A3942
KTS-IFCA3942
PBKDFA3942
RSA KeyGen (FIPS186-4)A3942
RSA SigGen (FIPS186-4)A3942
RSA SigVer (FIPS186-4)A3942
SHA-1A3942
SHA2-256A3942
SHA2-384A3942
SHA2-512A3942
TLS v1.2 KDF RFC7627 (CVL)A3942
Hash DRBGA3943
HMAC-SHA2-224A3943
KDF SP800-108A3943
RSA SigVer (FIPS186-2)A3943
SHA2-224A3943
TLS v1.3 KDF (CVL)A3943
SHA3-256A3513

Security Levels (Table 1)

Requirement areaLevel
Cryptographic Module Specification2
Cryptographic Module Interfaces3
Roles, Services, and Authentication4
Software/Firmware Security5
Operational Environment6
Self-Tests1

Derived Review-Risk Graph (review prompts, not findings)

flowchart LR
  %% Deterministic review-risk graph for NetScaler Virtual Appliance
  %% Review prompts and evidence gaps, NOT vulnerability findings.
  subgraph CMVP["CMVP-disclosed clues"]
    C2["[high] Firmware update / recovery<br/>/ rollback services<br/><i>Exchange routing information<br/>Software load</i>"]
    C3["[high] Unauthenticated /<br/>self-test / status service<br/>surface<br/><i>AES for Disk Encryption<br/>AES for AES Key<br/>AES for TLS Ticket</i>"]
    C5["[low] Protocol / secure-channel<br/>references (may be KDF<br/>names, not a live channel)<br/><i>TLS<br/>SSH<br/>IKEV</i>"]
    C6["[low] Operating system / runtime<br/>referenced (boundary<br/>membership not asserted)<br/><i>operating system<br/>application</i>"]
  end
  subgraph Inference["Derived inference"]
    I2["Trusted code is reachable<br/>through update and<br/>recovery paths."]
    I3["Some services may process<br/>input before, or without,<br/>operator authentication."]
    I5["Possible only, a protocol<br/>is referenced, but whether<br/>it is a live channel or<br/>only a KDF/algorithm name<br/>is unconfirmed."]
    I6["Possible only, a<br/>runtime/OS is referenced,<br/>but its membership in the<br/>cryptographic boundary is<br/>not established."]
  end
  subgraph Risk["Reviewer question"]
    R2["Are update images<br/>authenticated before<br/>parsing, and are<br/>downgrade/rollback paths<br/>constrained?"]
    R3["Can unauthenticated<br/>services leak state,<br/>consume resources, or<br/>transition security state?"]
    R5["If a live TLS/SSH/IKE<br/>channel exists, could<br/>library CVEs apply, or is<br/>this only a<br/>KDF/documentation name?"]
    R6["If the OS/runtime is<br/>in-boundary, could its<br/>CVEs be hidden by<br/>firmware-only versioning?"]
  end
  subgraph Evidence["Evidence needed to close"]
    E2["update image format ·<br/>signature-before-parse<br/>proof · anti-rollback /<br/>downgrade policy"]
    E3["pre-auth reachability<br/>matrix · rate limits and<br/>output redaction ·<br/>abuse-case tests"]
    E5["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>library identity and<br/>version ·<br/>certificate-validation<br/>behaviour · protocol-CVE<br/>disposition"]
    E6["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>runtime identity and<br/>config · kernel/runtime<br/>hardening profile ·<br/>patch/backport manifest"]
  end
  C2 --> I2 --> R2 --> E2
  C3 --> I3 --> R3 --> E3
  C5 --> I5 --> R5 --> E5
  C6 --> I6 --> R6 --> E6
  classDef clue fill:#eef3f9,stroke:#6f7f91,color:#1f3a5f;
  classDef infer fill:#fff7e6,stroke:#b98500,color:#6b4e00;
  classDef risk fill:#fbe9e9,stroke:#b02a2a,color:#7a1f1f;
  classDef evidence fill:#e6f4ea,stroke:#1e7d34,color:#14532d;
  class C2,C3,C5,C6 clue;
  class I2,I3,I5,I6 infer;
  class R2,R3,R5,R6 risk;
  class E2,E3,E5,E6 evidence;
Underlying clues
flowchart LR
  %% Deterministic clue tier for NetScaler Virtual Appliance
  %% confidence: high = structured record field; medium = structured but soft; low (dashed) = bare keyword hit, context unverified
  subgraph CMVP["CMVP-disclosed clues (deterministic)"]
    C2["[high] Firmware update / recovery / rollback services<br/><i>Exchange routing information<br/>Software load</i><br/>src: securityPolicy.services"]
    C3["[high] Unauthenticated / self-test / status service surface<br/><i>AES for Disk Encryption<br/>AES for AES Key<br/>AES for TLS Ticket</i><br/>src: securityPolicy.services"]
    C5["[low] Protocol / secure-channel references (may be KDF names, not a live channel)<br/><i>TLS<br/>SSH<br/>IKEV</i><br/>src: text:keyword"]
    C6["[low] Operating system / runtime referenced (boundary membership not asserted)<br/><i>operating system<br/>application</i><br/>src: text:keyword"]
  end
  classDef clueHigh fill:#eef3f9,stroke:#2f6fb0,stroke-width:2px,color:#1f3a5f;
  classDef clueMedium fill:#eef3f9,stroke:#6f7f91,color:#1f3a5f;
  classDef clueLow fill:#f7f7f7,stroke:#999,stroke-dasharray:4 4,color:#444;
  class C2,C3 clueHigh;
  class C5,C6 clueLow;

Security Policy, page by page

Page 1

Cloud Software Group NetScaler Virtual Appliance Software Version: 13.1.FIPS FIPS Security Level: 1 Document Version: 0.5 Prepared for: Prepared by: Cloud Software Group

851 Cypress Creek Road

Fort Lauderdale, FL 33309 United States of America Corsec Security, Inc.

12600 Fair Lakes Circle, Suite 210

Fairfax, VA 22033 United States of America Phone: +1 954 267 3000 www.cloud.com Phone: +1 703 267 6050 www.corsec.com

Page 2

November 25, 2025 Abstract This is a non-proprietary Cryptographic Module Security Policy for the NetScaler Virtual Appliance (version: 13.1.FIPS) from Cloud Software Group (Cloud Software Group). This Security Policy describes how the NetScaler Virtual Appliance meets the security requirements of Federal Information Processing Standards (FIPS) Publication 140-3, which details the U.S. and Canadian government requirements for cryptographic modules. More information about the FIPS 140-3 standard and validation program is available on the National Institute of Standards and Technology (NIST) and the Canadian Centre for Cyber Security (CCCS) Cryptographic Module Validation Program (CMVP) website at http://csrc.nist.gov/groups/STM/cmvp. This document also describes how to run the module in a secure FIPS-Approved mode of operation. This policy was prepared as part of the Level 1 FIPS 140-3 validation of the module. The NetScaler Virtual Appliance is referred to in this document as NetScaler VA or the module. References This document deals only with operations and capabilities of the module in the technical terms of a FIPS 140-3 cryptographic module security policy. More information is available on the module from the following sources:

Page 3

November 25, 2025 Table of Contents 1. 1.1 1.2 2. 2.1 2.2 2.3 2.4 2.5 2.6 2.7 2.8 2.9 3. 3.1 4. 4.1 4.2 4.3 4.4 4.5 5. 5.1 5.2 6. 6.1 6.2 7. 8. 9. 9.1 9.2 9.3 9.4 NetScaler Virtual Appliance 13.1.FIPS ©2025 Cloud Software Group

Page 4

10.3 10.4 November 25, 2025 NetScaler Virtual Appliance 13.1.FIPS ©2025 Cloud Software Group

Page 5

November 25, 2025 List of Tables List of Figures NetScaler Virtual Appliance 13.1.FIPS ©2025 Cloud Software Group

Page 6

1. General 1.1 Overview November 25, 2025 NetScaler Virtual Appliance is a virtual application delivery controller (ADC) that accelerates application performance, enhances application availability with advanced L4-L7 1 load balancing, provides an integrated application firewall, and lowers server expenses by offloading computationally intensive tasks. All these capabilities are combined into a single, integrated virtual appliance. NetScaler Virtual Appliance is provides the web-based GUI2, REST3ful Nitro API4, and CLI5 interfaces for configuring and managing the appliance. The GUI includes a configuration utility for configuring the appliance as well as a statistical utility called Dashboard. NetScaler appliances are installed in a data center on-premises or in a public cloud (such as Amazon Web Services (AWS), Microsoft Azure, and Google Cloud Platform (GCP)) between the clients and the servers, so that client requests and server responses pass through it. In a typical installation, virtual servers configured on the appliance provide connection points that clients use to access the applications behind the appliance. In this case, the appliance owns public IP6 addresses that are associated with its virtual servers, while the real servers are isolated in a private network. Administrators enable appliance features and apply configured policies to incoming and outgoing traffic. The NetScaler Virtual Appliance is feature set can be broadly categorized as consisting of switching features, security and protection features, and server-farm optimization features:

1 L4-L7 – Layer 4 through Layer 7
2 GUI – Graphical User Interface
3 REST – Representational State Transfer

API

5 CLI – Command Line Interface
6 IP – Internet Protocol
7 HTTP – Hypertext Transfer Protocol
8 TCP – Transmission Control Protocol

URL

10 SQL – Structured Query Language

NetScaler Virtual Appliance 13.1.FIPS ©2025 Cloud Software Group

Page 7
Security level
NameISO SectionRequirementLevel
11General1
22Cryptographic module specification1
33Cryptographic module interfaces1
44Roles, services, and authentication3
55Software/Firmware security1
66Operational environment1
77Physical securityN/A
88Non-invasive securityN/A
99Sensitive security parameter management1
1010Self-tests1
1111Life-cycle assurance1
1212Mitigation of other attacksN/A
Overall LevelOverall Level1

November 25, 2025 more. In addition, the firewall provides identity theft protection by securing confidential corporate information and sensitive customer data.

11 SSL – Secure Sockets Layer

NetScaler Virtual Appliance 13.1.FIPS ©2025 Cloud Software Group

Page 8

November 25, 2025 2. Cryptographic Module Specification 2.1 Description

2.1.1 Purpose and Use

NetScaler Virtual Appliance is a virtual application delivery controller (ADC) that accelerates application performance, enhances application availability with advanced L4-L7 12 load balancing, provides an integrated application firewall, and lowers server expenses by offloading computationally intensive tasks. All these capabilities are combined into a single, integrated virtual appliance. NetScaler Virtual Appliance is provides the web-based GUI 13 , REST 14 ful Nitro API 15 , and CLI 16 interfaces for configuring and managing the appliance. The GUI includes a configuration utility for configuring the appliance as well as a statistical utility called Dashboard.

2.1.2 Module Type

The NetScaler Virtual Appliance 13.1.FIPS is a Software module.

2.1.3 Module Embodiment

The NetScaler Virtual Appliance has a MultiChipStand embodiment.

2.1.4 Module Characteristics

The module does not have any additional characteristics.

2.1.5 Cryptographic Boundary

The logical cryptographic boundary of the module (shown by the red dotted line in Figure 1) consists of the VPX virtual appliance software and FreeBSD operating system acting as the guest OS.

12 L4-L7 – Layer 4 through Layer 7
13 GUI – Graphical User Interface
14 REST – Representational State Transfer

API

16 CLI – Command Line Interface

NetScaler Virtual Appliance 13.1.FIPS ©2025 Cloud Software Group

Page 9

KEY: November 25, 2025 Virtual Machine Virtual Machine Virtual Machine VA Software Other Application Other Application FreeBSD Guest OS Guest OS Logical Cryptographic Boundary Physical Cryptographic Boundary Data Input Data Output Control Output Control Input Status Output System Calls Hypervisor Platform Figure 1. NetScaler Virtual Appliance Cryptographic Boundary

2.1.6 Tested Operational Environment’s Physical Perimeter

(TOEPP) As a virtual appliance, the software module has no physical characteristics; however, the module makes use of the physical interfaces of the server hosting the virtual environment upon which the module is installed. The hypervisor controls and directs all interactions between the module and the operator and is responsible for mapping the module’s virtual interfaces to the host server’s physical interfaces. The physical boundary of the cryptographic module is defined by the hard enclosure around the host server on which it runs. For this validation, the module will be tested on the platforms listed in Section 2.2, and each platform consists of a motherboard, a multi-core Intel Xeon CPU, random access memory (RAM), a hardware case, a power supply, and interface ports. Figure 2 displays the hardware components of the server used for testing (the dashed line surrounding the hardware components represents the module’s physical cryptographic boundary, which is the outer case of the server), and identifies the hardware with which the processors interface. NetScaler Virtual Appliance 13.1.FIPS ©2025 Cloud Software Group

Page 10

Hardware Management November 25, 2025 DVD Network Interface RAM HDD Clock Generator SCSI/SATA Controller LEDs/LCD Serial CPU I/O Hub Audio Cache Power Interface PCI/PCIe Slots USB BIOS Graphics Controller PCI/PCIe Slots External Power Supply KEY: Plaintext Data Encrypted Data Control Input Status Output Physical Perimeter BIOS

2.2.1 Tested Module Identification – Hardware

This section does not apply to this module. N/A for this module.

2.2.2 Tested Module Identification – Software, Firmware, Hybrid

(Executable Code Sets) The table below lists the executable code sets of the module. NetScaler Virtual Appliance 13.1.FIPS ©2025 Cloud Software Group

Page 11
Module configuration
NameOperating SystemHardware PlatformFirmware VersionSoftware VersionProcessorPaa PaiHypervisorFeaturesPackageIntegrity Test
ns-13.1-37.241.gz13.1.FIPSContains FreeBSD OS and Netscaler Virtual Appliance software in an image.ns-13.1-37.241.gz2048-bit RSA with SHA2-512
FreeBSD 11.4FreeBSD 11.4Dell PowerEdge R63013.1.FIPSIntel Xeon E5-2680YesVMWare ESXi 7.0U3
FreeBSD 11.4FreeBSD 11.4Dell PowerEdge R63013.1.FIPSIntel Xeon E5-2680NoVMWare ESXi 7.0U3
Module configuration
NameOperating SystemHardware PlatformFirmware VersionSoftware VersionProcessorPaa PaiHypervisorFeaturesPackageIntegrity Test
ns-13.1-37.241.gz13.1.FIPSContains FreeBSD OS and Netscaler Virtual Appliance software in an image.ns-13.1-37.241.gz2048-bit RSA with SHA2-512
FreeBSD 11.4FreeBSD 11.4Dell PowerEdge R63013.1.FIPSIntel Xeon E5-2680YesVMWare ESXi 7.0U3
FreeBSD 11.4FreeBSD 11.4Dell PowerEdge R63013.1.FIPSIntel Xeon E5-2680NoVMWare ESXi 7.0U3

November 25, 2025 Table 2: Tested Module Identification

2.2.3 Tested Module Identification – Hybrid Disjoint Hardware

The module does not have any hybrid disjoint hardware. N/A for this module.

2.2.4 Tested Operational Environments – Software, Firmware,

Hybrid The module was tested and found to be compliant with FIPS 140-3 requirements on the environments listed in the table below. Table 3: Tested Operational Environments - Software, Firmware, Hybrid

2.2.5 Vendor-Affirmed Operational Environments – Software,

Firmware, Hybrid There are no vendor-affirmed operational environments claimed. N/A for this module. 2.3 Excluded Components The module does not exclude any components from the requirements. 2.4 Modes of Operation

2.4.1 Modes List and Description

When installed, configured, and operated according to this Security Policy, the module supports the Approved mode of operation only; non-Approved operations are not supported. ©2025 Cloud Software Group

Page 12
Approved algorithm
NameCAVP CertReference
AES-CBCA3942SP 800-38A
AES-CFB128A3942SP 800-38A
AES-CTRA3942SP 800-38A
AES-GCMA3942SP 800-38D
Counter DRBGA3942SP 800-90A Rev. 1
ECDSA KeyGen (FIPS186-4)A3942FIPS 186-4
ECDSA KeyVer (FIPS186-4)A3942FIPS 186-4
ECDSA SigGen (FIPS186-4)A3942FIPS 186-4
ECDSA SigVer (FIPS186-4)A3942FIPS 186-4
HMAC-SHA-1A3942FIPS 198-1
HMAC-SHA2-256A3942FIPS 198-1
HMAC-SHA2-384A3942FIPS 198-1
HMAC-SHA2-512A3942FIPS 198-1
KAS-ECC-SSC Sp800-56Ar3A3942SP 800-56A Rev. 3
KAS-FFC-SSC Sp800-56Ar3A3942SP 800-56A Rev. 3
KDF IKEv1 (CVL)A3942SP 800-135 Rev. 1
KDF IKEv2 (CVL)A3942SP 800-135 Rev. 1
KDF SNMP (CVL)A3942SP 800-135 Rev. 1
KDF SSH (CVL)A3942SP 800-135 Rev. 1
KDF TLS (CVL)A3942SP 800-135 Rev. 1
KTS-IFCA3942SP 800-56B Rev. 2
PBKDFA3942SP 800-132
RSA KeyGen (FIPS186-4)A3942FIPS 186-4
RSA SigGen (FIPS186-4)A3942FIPS 186-4
RSA SigVer (FIPS186-4)A3942FIPS 186-4
Safe Primes Key GenerationA3942SP 800-56A Rev. 3
Safe Primes Key VerificationA3942SP 800-56A Rev. 3
SHA-1A3942FIPS 180-4
SHA2-256A3942FIPS 180-4
SHA2-384A3942FIPS 180-4
SHA2-512A3942FIPS 180-4
TLS v1.2 KDF RFC7627 (CVL)A3942SP 800-135 Rev. 1
AES-CBCA3943SP 800-38A
AES-GCMA3943SP 800-38D
ECDSA KeyGen (FIPS186-4)A3943FIPS 186-4
ECDSA KeyVer (FIPS186-4)A3943FIPS 186-4
ECDSA SigGen (FIPS186-4)A3943FIPS 186-4
ECDSA SigVer (FIPS186-4)A3943FIPS 186-4
Hash DRBGA3943SP 800-90A Rev. 1
HMAC-SHA-1A3943FIPS 198-1
HMAC-SHA2-224A3943FIPS 198-1
HMAC-SHA2-256A3943FIPS 198-1
HMAC-SHA2-384A3943FIPS 198-1
HMAC-SHA2-512A3943FIPS 198-1
KAS-ECC-SSC Sp800-56Ar3A3943SP 800-56A Rev. 3
KDF SP800-108A3943SP 800-108 Rev. 1
KDF TLS (CVL)A3943SP 800-135 Rev. 1
KTS-IFCA3943SP 800-56B Rev. 2
RSA SigGen (FIPS186-4)A3943FIPS 186-4
RSA SigVer (FIPS186-2)A3943FIPS 186-4
RSA SigVer (FIPS186-4)A3943FIPS 186-4
SHA-1A3943FIPS 180-4
SHA2-224A3943FIPS 180-4
SHA2-256A3943FIPS 180-4
SHA2-384A3943FIPS 180-4
SHA2-512A3943FIPS 180-4
TLS v1.2 KDF RFC7627 (CVL)A3943SP 800-135 Rev. 1
TLS v1.3 KDF (CVL)A3943SP 800-135 Rev. 1
SHA3-256A3513FIPS 202

November 25, 2025 Table 4: Modes List and Description 2.5 Algorithms

2.5.1 Approved Algorithms

The module includes the following cryptographic libraries that provide basic cryptographic functionalities and support secure networking protocols:

Page 13
Service
NameProperties
CKG (Control Plane - VA)CKG:SymmetricNetScaler Control Plane Cryptographic LibraryNIST SP 800-133rev2, Section 4
CKG (Data Plane - VA)CKG:SymmetricNetScaler Data Plane Cryptographic LibraryNIST SP 800-133rev2, Section 4
CKG (KEK - VA)CKG:Combining keys and other dataNetScaler Control Plane Cryptographic LibraryNIST SP 800-133rev2, Section 6.3

November 25, 2025 Table 6: Approved Algorithms - Data Plane CPU Jitter Entropy Source Table 7: Approved Algorithms - CPU Jitter Entropy Source

2.5.2 Vendor Affirmed Algorithms

The vendor affirms the following cryptographic security methods: 6.3 Table 8: Vendor-Affirmed Algorithms

2.5.3 Non-Approved, Allowed Algorithms

The module does not implement any non-approved algorithms allowed in the Approved mode of operation. NetScaler Virtual Appliance 13.1.FIPS ©2025 Cloud Software Group

Page 14
Service
NameDescriptionApproved FunctionsTypeProperties
MD5Message digest in TLS 1.0/1.1N/A
AES for Disk EncryptionAES for KEK, which is used for encrypting/decrypting passwords and passphrasesAES-CBC: (A3942) Key Length: 256 Counter DRBG: (A3942)BC-UnAuthPublication:NIST SP 800- 38A
AES for AES KeyAES for the AES Key, which is used for encryption/decryptionAES-CBC: (A3943) Hash DRBG: (A3943) SHA2-256: (A3943)BC-UnAuthPublication:NIST SP 800- 38A
Key Derivation for TLS Extended Master SecretKey derivation for the TLS Extended Master Secret, which are used to derive the ticket encryption key and the ticket authentication keyKDF TLS: (A3942, A3943) TLS v1.2 KDF RFC7627: (A3942, A3943) TLS v1.3 KDF: (A3943) SHA2-256: (A3942, A3943) SHA2-384: (A3942, A3943)KAS-135KDFPublication:NIST SP 800- 135rev1
AES for TLS TicketAES for the TLS Ticket Encryption Key, which is used for the encryption/decryption of TLS session ticketsAES-CBC: (A3943) Key Length: 128 Hash DRBG: (A3943)BC-UnAuthPublication:NIST SP 800- 38A
HMAC for TLS TicketHMAC for the TLS Ticket Authentication Key, which is used for the authentication of TLS session ticketsHMAC-SHA2-256: (A3942, A3943) SHA2-256: (A3942, A3943)MACPublication:FIPS 198-1
Service
NameDescriptionApproved FunctionsTypeProperties
MD5Message digest in TLS 1.0/1.1N/A
AES for Disk EncryptionAES for KEK, which is used for encrypting/decrypting passwords and passphrasesAES-CBC: (A3942) Key Length: 256 Counter DRBG: (A3942)BC-UnAuthPublication:NIST SP 800- 38A
AES for AES KeyAES for the AES Key, which is used for encryption/decryptionAES-CBC: (A3943) Hash DRBG: (A3943) SHA2-256: (A3943)BC-UnAuthPublication:NIST SP 800- 38A
Key Derivation for TLS Extended Master SecretKey derivation for the TLS Extended Master Secret, which are used to derive the ticket encryption key and the ticket authentication keyKDF TLS: (A3942, A3943) TLS v1.2 KDF RFC7627: (A3942, A3943) TLS v1.3 KDF: (A3943) SHA2-256: (A3942, A3943) SHA2-384: (A3942, A3943)KAS-135KDFPublication:NIST SP 800- 135rev1
AES for TLS TicketAES for the TLS Ticket Encryption Key, which is used for the encryption/decryption of TLS session ticketsAES-CBC: (A3943) Key Length: 128 Hash DRBG: (A3943)BC-UnAuthPublication:NIST SP 800- 38A
HMAC for TLS TicketHMAC for the TLS Ticket Authentication Key, which is used for the authentication of TLS session ticketsHMAC-SHA2-256: (A3942, A3943) SHA2-256: (A3942, A3943)MACPublication:FIPS 198-1
Key Generation for SSHAsymmetric key generation (RSA or ECDSA) for the SSH private and public keysECDSA KeyGen (FIPS186-4): (A3942) RSA KeyGen (FIPS186- 4): (A3942) Counter DRBG: (A3942) CKG (Control Plane - VA): () CKG: SymmetricAsymKeyPair-KeyGenPublication:FIPS 186-4, FIPS 186-5
Key Agreement for SSH (DH)Key agreement for SSH using DHKDF SSH: (A3942) KAS-FFC-SSC Sp800- 56Ar3: (A3942) Domain parameter generation methods: MODP-2048, MODP- 4096, ffdhe2048, ffdhe4096 Counter DRBG: (A3942) Safe Primes Key Generation: (A3942) Safe prime groups: MODP-2048, MODP- 4096, ffdhe2048, ffdhe4096 Safe Primes Key Verification: (A3942) Safe prime groups: MODP-2048, MODP- 4096, ffdhe2048, ffdhe4096 SHA-1: (A3942) SHA2-256: (A3942) SHA2-384: (A3942) SHA2-512: (A3942) ECDSA SigGen (FIPS186- 4): (A3942) ECDSA SigVer (FIPS186- 4): (A3942) RSA SigGen (FIPS186-4): (A3942) RSA SigVer (FIPS186-4): (A3942)KAS-135KDFPublication:NIST SP 800- 135rev1, NIST SP 800- 56Arev3 Key Strength:Key establishment methodology provides between 112 and 176 bits of encryption strength Caveat:No part of the SSH protocol, other than the KDF, has been tested by the CAVP and CMVP
Key Agreement for SSH (ECDH)Key agreement for SSH utilizing ECDHKDF SSH: (A3942) KAS-ECC-SSC Sp800- 56Ar3: (A3942, A3943) Counter DRBG: (A3942) ECDSA KeyGen (FIPS186-4): (A3942) ECDSA KeyVer (FIPS186- 4): (A3942) SHA-1: (A3942) SHA2-256: (A3942) SHA2-384: (A3942) SHA2-512: (A3942) RSA SigGen (FIPS186-4): (A3942) RSA SigVer (FIPS186-4): (A3942) ECDSA SigGen (FIPS186- 4): (A3943) ECDSA SigVer (FIPS186- 4): (A3942) AES-CBC: (A3942) AES-CTR: (A3942)KAS-135KDFPublication:NIST SP 800- 135rev1, NIST SP 800- 56Arev3 Key Strength:Key establishment methodology provides between 112 and 256 bits of encryption strength Caveat:No part of the SSH protocol, other than the KDF, has been tested by the CAVP and CMVP
AES for SSHAES (CTR or CBC modes) for the SSH Session Key, which is used for the encryption/decryption of SSH session packetsAES-CBC: (A3942) AES-CTR: (A3942) Counter DRBG: (A3942)BC-UnAuthPublication:NIST SP 800- 38A
HMAC for SSHHMAC for the SSH Authentication Key, which is used for the authentication of SSH session packetsHMAC-SHA-1: (A3942) SHA-1: (A3942) HMAC-SHA2-256: (A3942) SHA2-256: (A3942) HMAC-SHA2-384: (A3942) SHA2-384: (A3942) HMAC-SHA2-512: (A3942) SHA2-512: (A3942)MACPublication:FIPS 198-1 Caveat:The module supports the truncation of HMAC SHA-1 to 96 bits according to NIST SP 800-107 Rev.1
Key Agreement for IKE/IPsec (DH)Key Agreement for IKE/IPsec using DHKDF IKEv1: (A3942) KDF IKEv2: (A3942) KAS-FFC-SSC Sp800- 56Ar3: (A3942) Domain parameter generation methods: MODP-2048, MODP- 3072, MODP-6144 Counter DRBG: (A3942) Safe Primes Key Generation: (A3942) Safe prime groups: MODP-2048, MODP- 3072, MODP-6144 Safe Primes Key Verification: (A3942) Safe prime groups: MODP-2048, MODP- 3072, MODP-6144 SHA-1: (A3942) SHA2-256: (A3942) SHA2-384: (A3942) SHA2-512: (A3942)KAS-135KDFPublication:NIST SP 800- 135rev1, NIST SP 800- 56Arev3 Key Strength:Key establishment methodology provides between 112 and 176 bits of encryption strength Caveat:No part of the IKE protocol, other than the KDF, has been tested by the CAVP and CMVP
AES for IKE/IPsecAES for the IKE/IPsecSession Key, which is used for the encryption/decryption of IKE/IPsec packetsAES-CBC: (A3942)BC-UnAuthPublication:NIST SP 800- 38A
HMAC for IKE/IPsecHMAC for the IKE/IPsec Authentication Key, which is used for the authentication of IKE/IPsec session packetsHMAC-SHA-1: (A3943) SHA-1: (A3943) HMAC-SHA2-224: (A3943) SHA2-224: (A3943) HMAC-SHA2-256: (A3943) SHA2-256: (A3943) HMAC-SHA2-384: (A3943) SHA2-384: (A3943) HMAC-SHA2-512: (A3943) SHA2-512: (A3943)MACPublication:FIPS 198-1 Caveat:The module supports the truncation of HMAC SHA-1 to 96 bits according to NIST SP 800-107 Rev1
HMAC for HMAC keyHMAC for HMAC key used in message authenticationHMAC-SHA-1: (A3943) SHA-1: (A3943) HMAC-SHA2-224: (A3943) SHA2-224: (A3943) HMAC-SHA2-256: (A3943) SHA2-256: (A3943) HMAC-SHA2-384: (A3943) SHA2-384: (A3943) HMAC-SHA2-512: (A3943) SHA2-512: (A3943)MACPublication:FIPS 198-1 Caveat:The module supports the truncation of HMAC SHA-1 to 96 bits according to NIST SP 800-107 Rev1
Key Agreement for TLS (DH)Key Agreement for TLS using DHKDF TLS: (A3942) TLS v1.2 KDF RFC7627: (A3942) KAS-FFC-SSC Sp800- 56Ar3: (A3942) Domain parameter generation methods: fdhe2048, ffdhe3072, ffdhe4096, ffdhe6144 Counter DRBG: (A3942) Safe Primes Key Generation: (A3942) Safe prime groups: ffdhe2048, ffdhe3072, ffdhe4096, ffdhe6144 Safe Primes Key Verification: (A3942) Safe prime groups: ffdhe2048, ffdhe3072, ffdhe4096, ffdhe6144 SHA2-256: (A3942) SHA2-384: (A3942) ECDSA SigGen (FIPS186- 4): (A3943) ECDSA SigVer (FIPS186- 4): (A3943) RSA SigGen (FIPS186-4): (A3942) RSA SigVer (FIPS186-4): (A3942)KAS-135KDFPublication:RFC 7627, NIST SP 800-135rev1, NIST SP 800-56Arev3 Key Strength:Key establishment methodology provides between 112 and 176 bits of encryption strength Caveats:No part of the TLS protocol, other than the KDF, has been tested by the CAVP and CMVP
Key agreement for TLS (ECDH)Key agreement for TLS using ECDHKDF TLS: (A3942, A3943) TLS v1.2 KDF RFC7627: (A3942, A3943) KAS-ECC-SSC Sp800- 56Ar3: (A3942, A3943) Counter DRBG: (A3942) ECDSA KeyGen (FIPS186-4): (A3942, A3943) ECDSA KeyVer (FIPS186- 4): (A3942, A3943) SHA2-256: (A3942, A3943) SHA2-384: (A3942, A3943) ECDSA SigGen (FIPS186- 4): (A3942, A3943) ECDSA SigVer (FIPS186- 4): (A3942, A3943) RSA SigGen (FIPS186-4): (A3942, A3943) RSA SigVer (FIPS186-4): (A3942) RSA SigVer (FIPS186-2): (A3943) Hash DRBG: (A3943)KAS-135KDFPublication:RFC 7627, NIST SP 800-135rev1, NIST SP 800-56Arev3 Key strength:Key establishment methodology provides between 112 and 256 bits of encryption strength Caveat:No part of the TLS protocol, other than the KDF, has been tested by the CAVP and CMVP
Key Transport for TLSRSA key transport for TLSKTS-IFC: (A3942, A3943) Counter DRBG: (A3942) Hash DRBG: (A3943) SHA-1: (A3942, A3943) RSA KeyGen (FIPS186- 4): (A3942) Modulus: 2048 RSA SigVer (FIPS186-4): (A3942) RSA SigVer (FIPS186-2): (A3943)KTS-EncapPublication:FIPS 186-4, FIPS 186-5, NIST SP 800- 56Brev2 Key Strength:Key establishment methodology provides 112 bits of encryption strength
Key Generation for TLSKey pair generation for TLSRSA KeyGen (FIPS186- 4): (A3942) ECDSA KeyGen (FIPS186-4): (A3942, A3943) Counter DRBG: (A3942) Hash DRBG: (A3943)AsymKeyPair-KeyGenPublication:FIPS 186-4, FIPS 186-5
AES for TLS sessionAES for the TLS Session Key, which is used for the encryption/decryption of TLS session packetsAES-CBC: (A3942, A3943) Key Length: 128, 256 Counter DRBG: (A3942) Hash DRBG: (A3943)BC-UnAuthPublication:NIST SP 800- 38A
HMAC for TLS SessionHMAC for the TLS Authentication Key, which is used for the authentication of TLS session packetsHMAC-SHA-1: (A3942, A3943) SHA-1: (A3942, A3943) HMAC-SHA2-256: (A3942, A3943) SHA2-256: (A3942, A3943) HMAC-SHA2-384: (A3942, A3943) SHA2-384: (A3942, A3943) HMAC-SHA2-224: (A3943) SHA2-224: (A3943)MACPublication:FIPS 198-1 Caveat:The module supports the truncation of HMAC SHA-1 to 96 bits according to NIST SP 800-107 Rev1
AES GCM for TLS SessionAES GCM for the TLS session key, which is used for the encryption/decryption of TLS session packetsAES-GCM: (A3942, A3943) Key Length: 128, 256 Counter DRBG: (A3942) Hash DRBG: (A3943)BC-AuthPublication:NIST SP 800- 38D IG:C.H
RSA SigGen for DNSsecRSA digital signature generation for DNSsecRSA SigGen (FIPS186-4): (A3942) Counter DRBG: (A3942) SHA-1: (A3942)DigSig-SigGenPublication:FIPS 186-4, FIPS 186-5
RSA SigVer for DNSsecRSA digital signature verification for DNSSecRSA SigVer (FIPS186-4): (A3942) Counter DRBG: (A3942)DigSig-SigVerPublication:FIPS 186-4, FIPS 186-5
AES (PEM Key) for Encrypting TLS Private KeyAES for the PEM Key, which is used to encrypt the TLS Private KeyAES-CBC: (A3942) Key Length: 256 HMAC-SHA-1: (A3942) SHA-1: (A3942)BC-UnAuthPublication:NIST SP 800- 38A
PBKDFPassword-based key derivation for PEM Key used for the encryption and decryption of asymmetric private keysPBKDF: (A3942) SHA-1: (A3942)PBKDFPublication:NIST SP 800- 132
AES for RDP SessionAES-GCM for the RDP Session Key, which is used for the encryption /decryption of RDP user and target informationAES-GCM: (A3942) Key Length: 256 Counter DRBG: (A3942) KDF SP800-108: (A3943) HMAC-SHA2-224: (A3943) SHA2-256: (A3943)BC-AuthPublication:NIST SP 800- 38D
KBKDF for DFA Shared SecretKey-based key derivation for DFA Shared SecretKDF SP800-108: (A3943) HMAC-SHA2-256: (A3943) SHA2-256: (A3943)KBKDFPubication:NIST SP 800- 108rev1
AES for DFA Session KeyAES for the DFA Session Key, which is used for DFA authentication to the moduleAES-CBC: (A3943) Key Length: 256 KDF SP800-108: (A3943) HMAC-SHA2-256: (A3943) SHA2-256: (A3943)BC-UnAuthPublication:NIST SP 800- 38A
AES for SNMPv3AES (SNMPv3 Privacy Key) for the encryption and decryption of SNMPv3 packetsAES-CFB128: (A3942) Key Length: 128 KDF SNMP: (A3942) Counter DRBG: (A3942)BC-UnAuthPublication:NIST SP 800- 38A
HMAC for SNMPv3HMAC (SNMPv3 Authentication Key) for the authentication of SNMPv3 packetsHMAC-SHA-1: (A3942) KDF SNMP: (A3942) SHA-1: (A3942)MACPublication:FIPS 198-1 Caveat:The module supports the truncation of HMAC SHA-1 to 96 bits according to NIST SP 800-107 Rev1
RSA SigVer for Software Load IntegrityRSA SigVer used to verify the new software loadRSA SigVer (FIPS186-2): (A3943) Signature Type: pkcs1v1.5 Modulus: 2048 SHA2-512: (A3943)DigSig-SigVerPublication:FIPS 186-4, FIPS 186-5
RSA SigVer for Web GUIRSA SigVer for authentication via the Web GUIRSA SigVer (FIPS186-4): (A3943) SHA2-256: (A3943) SHA2-384: (A3943) SHA2-512: (A3943)DigSig-SigVerPublication:FIPS 186-4, FIPS 186-5
Entropy SourceCPU Jitter Entropy Source with SHA3 conditioning componentSHA3-256: (A3513)ENT-CondPublication:NIST SP 800- 90B

November 25, 2025 N/A for this module.

2.5.4 Non-Approved, Allowed Algorithms with No Security Claimed

The table below lists the non-Approved algorithms implemented by the module that are allowed for use in the Approved mode of operation with no security claimed. N/A Table 9: Non-Approved, Allowed Algorithms with No Security Claimed

2.5.5 Non-Approved, Not Allowed Algorithms

The module does not include any non-Approved algorithms not allowed in the Approved mode of operation. N/A for this module. 2.6 Security Function Implementations The table below lists the security function implementations for this module. NetScaler Virtual Appliance 13.1.FIPS ©2025 Cloud Software Group

Page 15

November 25, 2025 NetScaler Virtual Appliance 13.1.FIPS ©2025 Cloud Software Group

Page 16

November 25, 2025 NetScaler Virtual Appliance 13.1.FIPS ©2025 Cloud Software Group

Page 17

November 25, 2025 NetScaler Virtual Appliance 13.1.FIPS ©2025 Cloud Software Group

Page 18

November 25, 2025 NetScaler Virtual Appliance 13.1.FIPS ©2025 Cloud Software Group

Page 19

November 25, 2025 NetScaler Virtual Appliance 13.1.FIPS ©2025 Cloud Software Group

Page 20

November 25, 2025 Table 10: Security Function Implementations 2.7 Algorithm Specific Information

Page 21
Sensitive security parameter
NameTypeStrengthOperational EnvironmentConditioning Component
NetScaler CPU Jitter Entropy SourceNon- Physical256 bitsFreeBSD 11.4 on VMware ESXi 7 on Intel® Xeon® E5 v4 (Broadwell) Family without PAAFull entropySHA3-256 (A3513)
CertVendor Name
Number
E52Cloud Software Group
Page 22

2.9 November 25, 2025 Key Generation When generating symmetric keys, the module uses the direct output of its approved DRBG to generate random numbers and seeding material, per the guidance in NIST SP 800-133 Rev. 2, Section 4. When generating the Key Encryption Key (KEK), the module follows the method “Symmetric Keys Produced by Combining (Multiple) Keys and Other Data” described in NIST SP 800-133 Rev. 2, Section 6.3. 2.10 Key Establishment

2.10.1 Key Agreement Information

The module implements the following approved key agreement methods: KAS-ECC-SSC

2.10.2 Key Transport Information

The module implements the following key transport method: KTS-IFC

Page 23
Ports and interfaces
NamePhysical PortLogical InterfaceData That Passes
N/AN/AData InputData to be encrypted, decrypted, signed, verified, or hashed; Keys to be used in cryptographic services; Random seed material for the module's DRBG; Keying material to be used as input to key establishment services
N/AN/AData OutputData that has been encrypted, decrypted, or verified; Digital signatures; Hashes; Random values generated by the module's DRBG; Keys established using module's key establishment methods
N/AN/AControl InputAPI commands invoking cryptographic services; Modes, key sizes, etc. used with cryptographic services
N/AN/AControl OutputControl information is sent to remote machines supporting LDAP and RADIUS in order for the module to communicate with these machines.
N/AN/AStatus OutputIncludes status information regarding the module and status information regarding the invoked service/operation.

November 25, 2025 3. 3.1 Ports and Interfaces The module supports the following logical interfaces:

Page 24
Sensitive security parameter
NameDescriptionStrengthSecurity Mechanism
PasswordPassword complexity policies must be configured by the Crypto Officer to include the following: a minimum of eight total characters, at least one lowercase letter, at least one uppercase letter, at least one digit, at least one special character (~, `, !, @, #, $, %, ^, &, *, -, _, =, +, {, }, [, ], |, \, :, <, >, /, ., ,, " ").1/11451713827320Username / Password1/4591650
CertificateThe module supports RSA digital certificate authentication of users during Web GUI/HTTPS (TLS) access.1 per 2^122, 1 per 5.19 * 10^33Placeholder for SFI entry1/77 * 10^26

November 25, 2025 4. Roles, Services, and Authentication 4.1 Authentication Methods The module supports identity-based authentication; operators explicitly assume their role based on the authentication credentials used. Each role determines the functionality available to the operator within the Operators authenticate to the module using either:

Page 25
Service
NameDescriptionRole AccessCsps AccessedApproved FunctionsIndicatorTypeInputOutput
Crypto OfficerCOIdentityPassword Certificate
UserUserIdentityPassword Certificate
Show statusShow the system statusCrypto OfficerNoneN/ACommandStatus output
Perform self-tests on demandPerform pre-operational self-testsCrypto OfficerNoneLog fileCommandStatus output
Perform initial network configurationSet up initial network configuration and licensesCrypto Officer - KEK Fragment 1: R - KEK Fragment 2: RCKG (KEK)Success from CLICommand and parametersCommand response/status output
Show versioning informationShow module name and versionCrypto OfficerNoneConsole OutputCommandModule name, version
Service
NameDescriptionRole AccessCsps AccessedApproved FunctionsIndicatorTypeInputOutput
Crypto OfficerCOIdentityPassword Certificate
UserUserIdentityPassword Certificate
Show statusShow the system statusCrypto OfficerNoneN/ACommandStatus output
Perform self-tests on demandPerform pre-operational self-testsCrypto OfficerNoneLog fileCommandStatus output
Perform initial network configurationSet up initial network configuration and licensesCrypto Officer - KEK Fragment 1: R - KEK Fragment 2: RCKG (KEK)Success from CLICommand and parametersCommand response/status output
Show versioning informationShow module name and versionCrypto OfficerNoneConsole OutputCommandModule name, version
View system informationView system info and statistics; view/end system sessionsCrypto OfficerNoneConsole OutputCommandStatus output
Configure system settingsConfigure modes and features, system settings, and cloud parametersCrypto Officer - AES Key: W - KEK (AES Key): E - Hash DRBG Entropy: R,E - Hash DRBG Seed: R,W,E - Hash DRBG 'V' Value (Internal state value): R,W,E - Hash DRBG 'C' Value (Internal state value): R,W,EAES for Disk Encryption AES for AES KeyCommand Line InterfaceCommand and parametersCommand response/status output
Configure HAConfigure HA nodes, route monitors, failover interface setCrypto OfficerNoneCommand Line Interface and TrafficCommand and parametersStatus output/control output
Manage NTP serversAdd, edit, delete NTP servers; configure NTP parameters and synchronization stateCrypto OfficerNoneCommand Line InterfaceCommandStatus output / control output

4.2 November 25, 2025 Roles The module supports a Crypto Officer (CO) that authorized operators can assume. The CO role performs administrative services on the module, such as initialization, configuration, and monitoring of the module. The CO role includes the privileges listed under the read-only, operator, network, and sysadmin command policies. The module also supports the following role(s):

17 IPsec – Internet Protocol Security

NetScaler Virtual Appliance 13.1.FIPS ©2025 Cloud Software Group

Page 26

November 25, 2025 R,W,E R,W,E NetScaler Virtual Appliance 13.1.FIPS ©2025 Cloud Software Group

Page 27
ZeroizeProcedural Zeroization: Operator initiated reboot/power-cycle of Module/TOEPPN/ACommandStatus outputNoneCrypto Officer - PEM Passphrase (Alphanumeric string): Z - PEM Key (AES Key): Z - AES Key: Z - AES GCM Key: Z - AES GCM IV (96 and 128-bit IV): Z - DH Public Key: Z - DH Private Key: Z - ECDH Public Key : Z - ECDH Private Key : Z - HMAC Key: Z - RDP PSK (Shared secret): Z - RSA Public Key: Z - RSA Private Key : Z - SSH Shared Secret: Z - SSH Session Key: Z - SSH Authentication Key: Z - IKE/IPsec Shared Secret: Z - IKE/IPsec Session Key (AES key): Z - IKE/IPsec Authentication Key (HMAC key): Z - TLS Pre-Master Secret: Z - TLS Extended Master Secret: Z - TLS Session Key: Z - TLS Authentication Key (HMAC Key): Z - TLS Ticket Encryption Key (AES key): Z - TLS Ticket Authentication Key (HMAC key): Z - Hash DRBG Entropy: Z

N/A November 25, 2025 Z :Z Z :Z Z Z Z Z Z NetScaler Virtual Appliance 13.1.FIPS ©2025 Cloud Software Group

Page 28
Service
NameDescriptionCsps AccessedApproved FunctionsIndicatorInputOutput
Configure TLS profilesAdd, edit, delete system profilesCrypto Officer - TLS Extended Master Secret: R,W,E - TLS Ticket Encryption Key (AES key): R,W - TLS Ticket Authentication Key (HMAC key): R,W - CTR DRBG Entropy: R,E - CTR DRBG Seed: R,W,E - CTR DRBG 'V' Value: R,W,E - CTR DRBG 'Key' Value (AES key): R,W,E - KEK (AES Key): EAES for Disk Encryption Key Derivation for TLS Extended Master Secret AES for TLS TicketCommand Line InterfaceCommand and parametersCommand response / status output
Manage usersAdd, edit delete users, groups, and command policies; view user/group partition bindingsCrypto OfficerNoneCommand Line InterfaceCommandStatus output
Configure system auditingAdd, edit, delete syslog/nslog auditing policies and servers; bind classic/advanced global policiesCrypto OfficerNoneCommand Line InterfaceCommand and parametersCommand response / status output / control output
View audit logsView authentication, system, and event logsCrypto OfficerNoneN/A (Audit Logs)CommandStatus output
Configure network settingsConfigure network routing protocolsCrypto Officer - ZebOS Router Password (Alphanumeric string): R,W - KEK (AES Key): EAES for Disk EncryptionCommand Line InterfaceCommand Line InterfaceCommand response / status output
Exchange routing informationExchange routing update information using ZebOS, authenticate source of packetsCrypto Officer - ZebOS Router Password (Alphanumeric string): E - KEK (AES Key): EAES for Disk EncryptionShow Command O/P and TrafficCommandStatus output
Configure SSHConfigure SSH authentication settings; generate SSH keysCrypto Officer - SSH Private Key: W,E - SSH Public Key: W - CTR DRBG Entropy: R,E - CTR DRBG Seed: R,W,E - CTR DRBG 'V' Value: R,W,E - CTR DRBG 'Key' Value (AES key): R,W,EKey Generation for SSHCommand Line InterfaceCommand and parametersCommand response / status output
Establish SSH sessionsEstablish an SSH sessionCrypto Officer - SSH Public Key: R,E - DH Private Key: W,E - DH Public Key: R,E - ECDH Private Key : W,E - ECDH Public Key : R,E - SSH Shared Secret: W,E - SSH Session Key: W,E - SSH Authentication Key: W,E - CTR DRBG Entropy: R,E - CTR DRBG Seed: R,W,E - CTR DRBG 'V' Value: R,W,E - CTR DRBG 'Key' Value (AES key): R,W,EKey Agreement for SSH (DH) Key Agreement for SSH (ECDH) AES for SSH HMAC for SSH Entropy Source CKG (Control Plane) CKG (Data Plane)TrafficCommandStatus output
Configure IPsecConfigure IPsec profile; configure CloudBridge Connector settings, network bridges, and IP tunnels; view IP tunnel detailsCrypto Officer - IKE/IPsec Pre- shared key (PSK): R,W - KEK (AES Key): EAES for Disk EncryptionCommand Line InterfaceCommand and parametersCommand response / status output
Configure clusteringConfigure an appliance to either be the cluster coordinator or a node in the clusterCrypto Officer - Cluster Password (Alphanumeric string): R,WNoneCommand Line InterfaceCommand and parametersCommand response / status output / control output
Establish IPsec sessionEstablish an IPsec SessionCrypto Officer - DH Private Key: W,E - DH Public Key: R,E - IKE/IPsec Shared Secret: W,E - IKE/IPsec Pre- shared key (PSK): E - KEK (AES Key): E - IKE/IPsec Session Key (AES key): W,E - IKE/IPsec Authentication Key (HMAC key): W,E - CTR DRBG Entropy: R,E - CTR DRBG Seed: R,W,E - CTR DRBG 'V' Value: R,W,E - CTR DRBG 'Key' Value (AES key): R,W,EAES for Disk Encryption Key Agreement for IKE/IPsec (DH) AES for IKE/IPsec HMAC for IKE/IPsec Entropy Source CKG (Control Plane) CKG (Data Plane)TrafficCommandStatus output
Backup and restoreBackup/import system configuration files; download and delete backup files; restoreCrypto OfficerNoneN/ACommandStatus output / control output
Manage data policy encryption keysAdd, edit, delete encryption keysCrypto Officer - AES Key: R,W - KEK (AES Key): E - Hash DRBG Entropy: R,E - Hash DRBG Seed: R,W,E - Hash DRBG 'V' Value (Internal state value): R,W,E - Hash DRBG 'C' Value (Internal state value): R,W,EAES for Disk Encryption AES for AES KeyCommand Line InterfaceCommandStatus output
Manage data policy HMAC keysAdd, edit, delete HMAC keysCrypto Officer - AES Key: R,W - KEK (AES Key): E - Hash DRBG Entropy: R,E - Hash DRBG Seed: R,W,E - Hash DRBG 'V' Value (Internal state value): R,W,E - Hash DRBG 'C' Value (Internal state value): R,W,EAES for Disk Encryption HMAC for HMAC keyCommand Line InterfaceCommandStatus output
Configure traffic managementConfigure TLS; Configure load balancing, priority load balancing, content switchingCrypto Officer - CA Public Key: R,W,E - TLS Private Key: R,W,E - TLS Public Key: R,W - Private DNS KSK (RSA private key): R,W,E - Public DNS KSK (RSA public key): R,W - Private DNS ZSK (RSA private key): R,W,E - Public DNS ZSK (RSA public key): R,W - SSH Private Key: R,W,E - SSH Public Key: R,W,E - PEM Passphrase (Alphanumeric string): R,W,E - PEM Key (AES Key): W,E - CTR DRBG Entropy: R,E - CTR DRBG Seed: R,W,E - CTR DRBG 'V' Value: R,W,E - CTR DRBG 'Key' Value (AES key): R,W,E - Hash DRBG Entropy: R,E - Hash DRBG Seed: R,W,E - Hash DRBG 'V' Value (Internal state value): R,W,E - Hash DRBG 'C' Value (Internal state value): R,W,E - KEK (AES Key): EKey Transport for TLS Key Generation for TLS RSA SigGen for DNSsec RSA SigVer for DNSsec AES (PEM Key) for Encrypting TLS Private Key PBKDFCommand Line InterfaceCommand and parametersCommand response / status output

November 25, 2025 Z Z R,W,E R,W R,W,E R,W,E NetScaler Virtual Appliance 13.1.FIPS ©2025 Cloud Software Group

Page 29

November 25, 2025 W,E W R,W,E R,W,E R,E W,E R,E : R,E W,E R,W,E R,W,E NetScaler Virtual Appliance 13.1.FIPS ©2025 Cloud Software Group

Page 30

November 25, 2025 N/A R,W W,E R,E W,E E W,E R,W,E R,W,E NetScaler Virtual Appliance 13.1.FIPS ©2025 Cloud Software Group

Page 31

November 25, 2025 R,W,E R,W,E R,W,E R,W,E NetScaler Virtual Appliance 13.1.FIPS ©2025 Cloud Software Group

Page 32

November 25, 2025 R,W,E R,W,E R,W R,W,E R,W R,W,E R,W R,W,E R,W,E R,W,E R,W,E R,W,E R,W,E NetScaler Virtual Appliance 13.1.FIPS ©2025 Cloud Software Group

Page 33
Establish TLS sessionEstablish a web session using TLS protocolTrafficCommandStatus outputKey Agreement for TLS (DH) Key agreement for TLS (ECDH) AES for TLS session HMAC for TLS Session AES GCM for TLS Session AES (PEM Key) for Encrypting TLS Private Key Entropy Source CKG (Control Plane) CKG (Data Plane)Crypto Officer - TLS Public Key: R,E - DH Private Key: W,E - DH Public Key: R,E - ECDH Private Key : W,E - ECDH Public Key : R,E - RSA Private Key : W,E - RSA Public Key: R,E - TLS Pre-Master Secret: R,W,E - TLS Extended Master Secret: W,E - TLS Session Key: W,E - TLS Authentication Key (HMAC Key): W,E - AES GCM IV (96 and 128-bit IV): W,E - AES GCM Key: W,E - PEM Passphrase (Alphanumeric string): R,E - PEM Key (AES Key): W,E - KEK (AES Key): E - CTR DRBG Entropy: R,E - CTR DRBG Seed: R,W,E - CTR DRBG 'V' Value: R,W,E - CTR DRBG 'Key' Value (AES key): R,W,E - Hash DRBG Entropy: R,E - Hash DRBG Seed: R,W,E - Hash DRBG 'V' Value (Internal state value): R,W,E - Hash DRBG 'C' Value (Internal state value): R,W,E

November 25, 2025 R,E W,E R,E : R,E : W,E R,E W,E W,E W,E W,E W,E R,W,E R,W,E R,W,E R,W,E NetScaler Virtual Appliance 13.1.FIPS ©2025 Cloud Software Group

Page 34
Service
NameDescriptionCsps AccessedApproved FunctionsIndicatorInputOutput
Resume TLS sessionResume a web session using TLS protocolCrypto Officer - TLS Ticket Encryption Key (AES key): R,W,E - TLS Ticket Authentication Key (HMAC key): R,W,E - TLS Session Key: R,E - TLS Authentication Key (HMAC Key): R,E - AES GCM IV (96 and 128-bit IV): W,E - AES GCM Key: W,E - KEK (AES Key): E - Hash DRBG Entropy: R,E - Hash DRBG Seed: R,W,E - Hash DRBG 'V' Value (Internal state value): R,W,E - Hash DRBG 'C' Value (Internal state value): R,W,EAES for Disk Encryption AES for TLS Ticket HMAC for TLS Ticket AES for TLS session HMAC for TLS Session AES GCM for TLS SessionTrafficCommandStatus output
Apply data policiesApply data policies to user data in transit (according to configuration)Crypto Officer - AES Key: E - HMAC Key: E - KEK (AES Key): EAES for Disk Encryption AES for AES Key HMAC for HMAC keyTrafficCommandStatus output
Configure securityConfigure DNS security profiles, application firewall profiles and policies, reputation settings, protection features, and content inspection policiesCrypto OfficerNoneCommand Line InterfaceCommand and parametersCommand response / status output
Configure GatewayConfigure Gateway global settings, virtual servers, portal themes, AAA groups and users, policies, and resourcesCrypto Officer - RDP PSK (Shared secret): W - KEK (AES Key): EAES for Disk EncryptionCommand Line InterfaceCommand and parametersCommand response / status output
Establish Gateway connectionEstablish Gateway connection based on global settingsCrypto Officer - RDP PSK (Shared secret): R,E - RDP Session Key: R,E - KEK (AES Key): EAES for RDP SessionTrafficCommand and parametersCommand response / status output / control output
Configure external servers for system, AAA, and Gateway authenticationConfigure LDAP , Oauth, OpenID, DFA , and SAML servers to be used in system, AAA, or Gateway authenticationCrypto Officer - LDAP Admin Password (Alphanumeric string): R,W - Oauth Client Secret (Shared secret): R,W - DFA Shared Secret: R,W - KEK (AES Key): E - DFA Session Key: R,W,EKBKDF for DFA Shared Secret AES for DFA Session KeyCommand Line InterfaceCommand and parametersCommand response / status output

November 25, 2025 R,W,E R,E R,E W,E W,E R,W,E R,W,E NetScaler Virtual Appliance 13.1.FIPS ©2025 Cloud Software Group

Page 35

November 25, 2025 NetScaler Virtual Appliance 13.1.FIPS ©2025 Cloud Software Group

Page 36
RADIUS Over TLSEstablish a TLS session with radius serverTrafficCommandStatus outputKey Agreement for TLS (DH) Key agreement for TLS (ECDH) AES for TLS session HMAC for TLS Session AES GCM for TLS Session AES (PEM Key) for Encrypting TLS Private Key Entropy Source CKG (Control Plane) CKG (Data Plane)Crypto Officer - TLS Public Key: R,E - DH Private Key: W,E - DH Public Key: R,E - ECDH Private Key : W,E - ECDH Public Key : R,E - RSA Private Key : W,E - RSA Public Key: R,E - TLS Pre-Master Secret: R,W,E - TLS Extended Master Secret: W,E - TLS Session Key: W,E - TLS Authentication Key (HMAC Key): W,E - AES GCM IV (96 and 128-bit IV): W,E - AES GCM Key: W,E - PEM Passphrase (Alphanumeric string): R,E - PEM Key (AES Key): W,E - KEK (AES Key): E - CTR DRBG Entropy: R,E - CTR DRBG Seed: R,W,E - CTR DRBG 'V' Value: R,W,E - CTR DRBG 'Key' Value (AES key): R,W,E - Hash DRBG Entropy: R,E - Hash DRBG Seed: R,W,E - Hash DRBG 'V' Value (Internal state value): R,W,E - Hash DRBG 'C' Value (Internal state value): R,W,E

November 25, 2025 R,E W,E R,E : R,E : W,E R,E W,E W,E W,E W,E W,E R,W,E R,W,E R,W,E R,W,E NetScaler Virtual Appliance 13.1.FIPS ©2025 Cloud Software Group

Page 37
Service
NameDescriptionCsps AccessedApproved FunctionsIndicatorInputOutput
Configure SNMPv3Configure SNMP communities, traps, managers, views, groups, users, alarms, and engine ID ; view SNMP OIDsCrypto Officer - SNMPv3 Authentication Passphrase (Alphanumeric string): R,W - SNMPv3 Privacy Passphrase (Alphanumeric string): R,W - KEK (AES Key): EAES for Disk EncryptionCommand Line InterfaceCommand and parametersCommand response / status output
SNMPv3 trapsProvides system condition informationCrypto Officer - SNMPv3 Authentication Passphrase (Alphanumeric string): E - SNMPv3 Privacy Passphrase (Alphanumeric string): E - SNMPv3 Privacy Key (AES key): W,E - SNMPv3 Authentication Key (HMAC key): W,EAES for SNMPv3 HMAC for SNMPv3Log filesNoneStatus output / control output
Zeroize KEKZeroize KEKCrypto Officer - KEK (AES Key): WNoneAPI return valueCommandStatus output
Zeroize SSH private keysZeroize SSH private keysCrypto Officer - SSH Private Key: WNoneAPI return valueCommandStatus output
Authenticate operatorsUsed for operator logins to the moduleCrypto Officer - Operator Password (Alphanumeric string): E User - Operator Password (Alphanumeric string): ERSA SigVer for Web GUITrafficCommandStatus output
Software loadUpdate the module's software to a new versionCrypto Officer - Software Load Integrity Key (RSA public key): RRSA SigVer for Software Load IntegrityLog filesCommandStatus output

November 25, 2025 W,E W,E W W Table 16: Approved Services 4.4 Non-Approved Services The module does not provide any non-Approved services. NetScaler Virtual Appliance 13.1.FIPS ©2025 Cloud Software Group

Page 38

November 25, 2025 N/A for this module. 4.5 External Software/Firmware Loaded The module does not support the loading of external software or firmware. NetScaler Virtual Appliance 13.1.FIPS ©2025 Cloud Software Group

Page 39

5. Software/Firmware Security 5.1 Integrity Techniques November 25, 2025 All software within the cryptographic boundary is verified using an approved integrity technique implemented within the cryptographic module itself. The module implements a 2048-bit RSA digital signature verification with a SHA-512 hash to ensure the integrity of its software components. The module’s pre-operational integrity check is performed automatically at module power-up. 5.2 Initiate on Demand This integrity check can also be performed on demand by the module operator by performing a reboot. NetScaler Virtual Appliance 13.1.FIPS ©2025 Cloud Software Group

Page 40

6. Operational Environment 6.1 Operational Environment Type and Requirements November 25, 2025 The NetScaler Virtual Appliance comprises a software cryptographic library that executes in a Modifiable operational environment. 6.2 Configuration Settings and Restrictions NetScaler Virtual Appliance runs on the FreeBSD v11.4 OS, which acts as the guest OS son top of the virtualization layer. The virtualization layer is provided by VMware’s ESXi hypervisor v7.0. The VMware hypervisor runs directly on the server’s hardware, with no need for an underlying operating system. Only the module’s signed image can be executed, and all software upgrades are digitally signed. All services provided by the module are provided by the module’s software and external interfaces. The module’s processor executes the software on the tested configurations specified in section 2.2.4 of this document. NetScaler Virtual Appliance 13.1.FIPS ©2025 Cloud Software Group

Page 41

7. November 25, 2025 Physical Security The cryptographic module is a multi-chip standalone software module and does not include physical security mechanisms. Therefore, per section G.3 of the Implementation Guidance for FIPS PUB 140-3 and the CMVP, this section is not applicable. NetScaler Virtual Appliance 13.1.FIPS ©2025 Cloud Software Group

Page 42

8. November 25, 2025 Non-Invasive Security This section is not applicable. There are currently no approved non-invasive mitigation techniques references in Annex F of ISO/IEC 19790. NetScaler Virtual Appliance 13.1.FIPS ©2025 Cloud Software Group

Page 43
Sensitive security parameter
NameTypeDescription
On DiskStaticSSPs are stored on disk
Non-volatile MemoryStaticSSPs are stored in non-volatile memory
Volatile MemoryDynamicSSPs are stored in volatile memory
Service
NameApproved FunctionsTypeFromTo
Exported in encrypted form via part of config backup fileEncryptedOn DiskExternalAutomatedElectronic
Exported in plaintextPlaintextplaceholderplaceholderAutomatedElectronic
Imported in encrypted form via TLS or SSH sessionEncryptedExternalOn DiskAutomatedElectronic
Imported in plaintext via local consoleEncryptedExternalOn DiskAutomatedElectronic
Imported in encrypted form via RSA key transportKey Transport for TLSEncryptedExternalVolatile MemoryAutomatedElectronic
Zeroization MethodDescriptionRationaleOperator Initiation
CLI commandThe zeroization method is conducted via CLI commandThe CLI command overwrites the storage location keys with 0's, making them irretrievableCrypto Officer by command

November 25, 2025 9. Sensitive Security Parameters Management 9.1 Storage Areas The table below lists sensitive security parameters (SSPs) storage areas for this module. Section 9.4 below selects from the storage areas listed and specifies the appropriate storage area in the “Storage” column if applicable to a specific SSP. Table 17: Storage Areas 9.2 SSP Input-Output Methods The table below lists SSP input and output methods for this module. Section 9.4 below selects from the input and output methods listed and specifies the appropriate method in the “Inputs/Outputs” column if applicable to a specific SSP. Table 18: SSP Input-Output Methods 9.3 SSP Zeroization Methods The table below lists SSP zeroization methods for this module. Section 9.4 below selects from the zeroization methods listed and specifies the appropriate method in the “Zeroization” column if applicable to a specific SSP. NetScaler Virtual Appliance 13.1.FIPS ©2025 Cloud Software Group

Page 44
Sensitive security parameter
NameTypeDescriptionStrengthGenerationUse
KEK Fragment 1Keying material - NeitherHashed in combination with KEK Fragment 2 to derive KEKN/A - N/ACKG (Control Plane)AES for Disk Encryption
KEK Fragment 2Keying material - NeitherHashed in combination with KEK Fragment 1 to derive KEKN/A - N/ACKG (Control Plane)AES for Disk Encryption
KEK (AES Key)Symmetric Key - CSPEncryption and decryption of passwords and passphrases256 bits - 256 bitsCKG (KEK)AES for Disk Encryption
PEM Key (AES Key)Symmetric Key - CSPEncryption and decryption of asymmetric private keys256 bits - 256 bitsPBKDF
AES KeySymmetric Key - CSPEncryption and decryptionBetween 128 and 256 bits - Between 128 and 256 bitsCKG (Data Plane)AES for AES Key
AES GCM KeySymmetric Key - CSPEncryption and decryption256 bits - 256 bitsCKG (Data Plane)
HMAC KeyAuthentication - CSPMessage authentication with SHSBetween 160 and 512 bits - Between 128 and 256 bitsCKG (Data Plane)HMAC for HMAC key
Zeroization MethodDescriptionRationaleOperator Initiation
Completion of TLS Session Key and TLS Authentication Key derivationZeroization upon the completion of a TLS Session Key and TLS Authentication Key derivationKeys are automatically zeroized upon completion of TLS key derivation and are irretrievableCrypto Officer or User by TLS session termination
RebootZeroization when module is rebootedKeys are procedurally zeroized by rebooting the host platform, which is acceptable at Software level 1Crypto Officer by rebooting the host system
Remove powerZeroization when power is removed from the moduleKeys are procedurally zeroized by removing the power of the host platform, which is acceptable at Software level 1Crypto Officer by removing power
Session terminationZeroization when the session is terminatedKeys are automatically zeroized upon session termination and are irretrievableCrypto Officer or User by session termination
NetScaler VA DetectionSSPs are not zeroized. NetScaler VA detects any modification.NetScaler VA detects modification of Public Security Parameters for listed entry.N/A
Zeroisation of KEKThe KEK is zeroisedZeroization of the KEK renders SSP permanently unrecoverableCrypto Officer reboots or removes the power

November 25, 2025 N/A Table 19: SSP Zeroization Methods 9.4 The module supports the keys and other SSPs listed in the table below. Note that all SSP imports and exports are electronic and performed within the Tested OE’s Physical Parameter (TOEPP). N/A - N/A N/A - N/A NetScaler Virtual Appliance 13.1.FIPS ©2025 Cloud Software Group

Page 45
Sensitive security parameter
NameTypeDescriptionStrengthGenerationUse
CA Public KeyPublic/Private - PSPTLS certificate authenticationRSA: Between 2048 and 3072 bits, ECDSA: Between 224 and 512 bits - RSA: Between 112 and 128 bits, ECDSA: Between 112 and 256 bits
DH Private KeyPublic/Private - CSPGeneration of SSH, TLS, and IKE shared secretsSSH: Between 2048 and 6144 bits, TLS: Between 2048 and 4096 bits, IKE: 2048 bits - SSH: Between 112 and 176 bits, TLS: Between 112 and 150 bits, IKE: 112 bitsCKG (Data Plane)Key Agreement for SSH (DH) Key Agreement for IKE/IPsec (DH) Key Agreement for TLS (DH)
DH Public KeyPublic/Private - PSPGeneration of SSH, TLS, and IKE shared secretsSSH: Between 2048 and 6144 bits, TLS: Between 2048 and 4096 bits, IKE: 2048 bits - SSH: Between 112 and 176 bits, TLS: Between 112 and 150 bits, IKE: 112 bitsCKG (Data Plane)Key Agreement for SSH (DH) Key Agreement for IKE/IPsec (DH) Key Agreement for TLS (DH)
ECDH Private KeyPublic/Private - CSPGeneration of SSH and TLS shared secretsBetween 224 and 512 bits - Between 112 and 256 bitsCKG (Control Plane) CKG (Data Plane)Key Agreement for SSH (ECDH) Key agreement for TLS (ECDH)
ECDH Public KeyPublic/Private - PSPGeneration of SSH and TLS shared secretsBetween 224 and 512 bits - Between 112 and 256 bitsCKG (Control Plane) CKG (Data Plane)Key Agreement for SSH (ECDH) Key agreement for TLS (ECDH)
RSA Private KeyPublic/Private - CSPGeneration of TLS shared secrets2048 or 3072 bits - 112 or 128 bitsCKG (Control Plane)Key Agreement for TLS (DH) Key agreement for TLS (ECDH)
RSA Public KeyPublic/Private - PSPGeneration of TLS shared secrets2048 or 3072 bits - 112 or 128 bitsCKG (Control Plane)Key Agreement for TLS (DH) Key agreement for TLS (ECDH)
SSH Private KeyPublic/Private - CSPAuthentication during SSH session negotiation; RBA Authentication for LDAP; GSLB configuration syncRSA: 2048 or 3072, ECDSA: Between 224 and 512 bits - RSA: 112 or 128 bits, ECDSA: Between 112 and 256 bitsCKG (Control Plane)
SSH Public KeyPublic/Private - PSPAuthentication during SSH session negotiation; RBA Authentication for LDAP; GSLB configuration syncRSA: 2048 or 3072, ECDSA: Between 224 and 512 bits - RSA: 112 or 128 bits, ECDSA: Between 112 and 256 bitsCKG (Control Plane)
SSH Session KeySymmetric Key - CSPEncryption and decryption of SSH session packetsBetween 128 and 256 bits - Between 128 and 256 bitsAES for SSH
SSH Authentication KeyAuthentication - PSPAuthentication of SSH session packetsBetween 160 and 512 bits - Between 128 and 256 bitsHMAC for SSH
IKE/IPsec Pre- shared key (PSK)Authentication - CSPAuthentication during IKE/IPsec session negotiation; Derivation of the IKE/IPsec Session Keys and IKE/IPsec Authentication Keys for IKEv1Key Agreement for IKE/IPsec (DH)
IKE/IPsec Session Key (AES key)Symmetric Key - CSPEncryption and decryption of IKE/IPsec session packetsBetween 128 and 256 bits - Between 128 and 256 bitsAES for IKE/IPsec
IKE/IPsec Authentication Key (HMAC key)Authentication - CSPAuthentication of IKE/IPsec session packetsBetween 160 and 512 bits - Between 128 and 256 bitsHMAC for IKE/IPsec
RDP Session KeySymmetric Key - NeitherEncryption and decryption of RDP user and target information256 bits - 256 bitsAES for RDP Session
DFA Session KeySymmetric Key - NeitherDFA authentication to the module256 bits - 256 bitsAES for DFA Session Key
TLS Private KeyPublic/Private - CSPTLS authentication; SAML authentication (RSA only); OpenID authentication (RSA only)RSA: Between 2048 and 4096 bits, ECDA: between 224 and 512 bits - RSA: Between 112 and 150 bits, ECDA: between 112 and 256 bitsCKG (Control Plane)Key Agreement for TLS (DH) Key agreement for TLS (ECDH)

November 25, 2025 NetScaler Virtual Appliance 13.1.FIPS ©2025 Cloud Software Group

Page 46

November 25, 2025 --NetScaler Virtual Appliance 13.1.FIPS ©2025 Cloud Software Group

Page 47
Sensitive security parameter
NameTypeDescriptionStrengthUse
TLS Public KeyPublic/Private - PSPTLS authentication;RSA: Between 2048 and 4096 bits, ECDA: between 224 and 512 bits - RSA: Between 112 and 150 bits, ECDA: between 112 and 256 bitsKey Agreement for TLS (DH) Key agreement for TLS (ECDH)
TLS Session KeySymmetric Key - NeitherEncryption and decryption of TLS session packets128 or 256 bits - 128 or 256 bitsAES for TLS session AES GCM for TLS Session
TLS Authentication Key (HMAC Key)Authentication - CSPAuthentication of TLS session packetsBetween 160 and 384 bits - Between 128 and 256 bitsHMAC for TLS Session
TLS Ticket Encryption Key (AES key)Symmetric Key - CSPEncryption and decryption of TLS session tickets128 bits - 128 bitsAES for TLS sessionCKG (Data Plane)
TLS Ticket Authentication Key (HMAC key)Authentication - CSPComputes the digest of TLS session tickets256 bits - 256 bitsHMAC for TLS TicketCKG (Control Plane) CKG (Data Plane)
SNMPv3 Privacy Key (AES key)Symmetric Key - CSPEncryption and decryption of SNMPv3 packets128 bits - 128 bitsAES for SNMPv3
SNMPv3 Authentication Key (HMAC key)Authentication - CSPAuthentication of SNMPv3 packets160 bits - 128 bitsHMAC for SNMPv3
Public DNS KSK (RSA public key)Public/Private - PSPPublic DNS ZSK authenticationBetween 2048 and 4096 bits - Between 112 and 150 bits
Private DNS KSK (RSA private key)Public/Private - CSPPublic DNS ZSK authenticationBetween 2048 and 4096 bits - Between 112 and 150 bitsRSA SigGen for DNSsec
Public DNS ZSK (RSA public key)Public/Private - PSPDNS zone authenticationBetween 2048 and 4096 bits - Between 112 and 150 bitsRSA SigVer for DNSsec
Private DNS ZSK (RSA private key)Public/Private - CSPDNS zone signature generationBetween 2048 and 4096 bits - Between 112 and 150 bitsRSA SigGen for DNSsec
PEM Passphrase (Alphanumeric string)Alphanumeric String - CSPDerivation of PEM KeyAES (PEM Key) for Encrypting TLS Private Key
AES GCM IV (96 and 128-bit IV)Initialization Vector - CSPIV for AES GCM
SSH Shared SecretShared Secret - CSPDerivation of the SSH Session Key and SSH Authentication KeyKey Agreement for SSH (DH) Key Agreement for SSH (ECDH)
IKE/IPsec Shared SecretShared Secret - CSPDerivation of the IKE/IPsec Session Keys and IKE/IPsec Authentication KeysKey Agreement for IKE/IPsec (DH)
TLS Pre-Master SecretPre-Master Secret - CSPDerivation of the TLS Extended Master SecretKey Agreement for TLS (DH) Key agreement for TLS (ECDH)CKG (Control Plane) CKG (Data Plane)
TLS Extended Master SecretExtended Master Secret - CSPDerivation of the TLS Session Key and TLS Authentication KeyKey Agreement for TLS (DH) Key agreement for TLS (ECDH)
Hash DRBG EntropyEntropy - CSPEntropy input for Hash DRBG
Hash DRBG SeedDRBG Seed - CSPSeed material for Hash DRBG
Hash DRBG 'V' Value (Internal state value)Internal State Value - CSPInternal state value used with Hash DRBG
Hash DRBG 'C' Value (Internal state value)Internal State Value - CSPInternal state value used with Hash DRBG
CTR DRBG EntropyEntropy - CSPEntropy input for CTR DRBG
CTR DRBG SeedDRBG Seed - CSPSeed material for CTR DRBG
CTR DRBG 'V' ValueInternal State Value - CSPInternal state value used with CTR DRBG
CTR DRBG 'Key' Value (AES key)Internal State Value - CSPInternal state value used with CTR DRBG
SNMPv3 Privacy Passphrase (Alphanumeric string)Alphanumeric String - CSPDerivation of the SNMPv3 Privacy KeyAES for SNMPv3
SNMPv3 Authentication Passphrase (Alphanumeric string)Alphanumeric String - CSPDerivation of the SNMPv3 Authentication KeyHMAC for SNMPv3
LDAP Admin Password (Alphanumeric string)Alphanumeric String - CSPUsed to bind to the LDAP server
RDP PSK (Shared secret)Shared Secret - CSPUsed as input to derive RDP Session KeyAES for RDP Session
Oauth Client Secret (Shared secret)Shared Secret - CSPOauth and Oauth IDP authentication to the module
DFA Shared SecretShared Secret - CSPUsed as input to derive DFA Session KeyAES for DFA Session Key

November 25, 2025 ------NetScaler Virtual Appliance 13.1.FIPS ©2025 Cloud Software Group

Page 48

----------------------------------November 25, 2025 NetScaler Virtual Appliance 13.1.FIPS ©2025 Cloud Software Group

Page 49
Sensitive security parameter
NameTypeDescriptionStrengthStorageZeroizationUse
ZebOS Router Password (Alphanumeric string)Alphanumeric String - CSPRouter authentication
Cluster Password (Alphanumeric string)Alphanumeric String - CSPUsed to connect nodes to the cluster coordinator
Operator Password (Alphanumeric string)Alphanumeric String - CSPAuthenticate the operator to the module via an external authentication service
Software Load Integrity Key (RSA public key)Public/Private - Neither(Not an SSP), Used to verify the new software load2048 bits - 112 bitsRSA SigVer for Software Load Integrity
KEK Fragment 1Non-volatile Memory:PlaintextCLI commandKEK Fragment 2:Used With
KEK Fragment 2Non-volatile Memory:PlaintextCLI commandKEK Fragment 1:Used With
KEK (AES Key)Volatile Memory:PlaintextReboot Remove powerKEK Fragment 1:Derived From KEK Fragment 2:Derived From
PEM Key (AES Key)On Disk:EncryptedCLI commandKEK (AES Key):Derived From
AES KeyOn Disk:EncryptedReboot Remove powerKEK (AES Key):EncryptsExported in encrypted form via part of config backup file Imported in encrypted form via TLS or SSH session Imported in plaintext via local console
AES GCM KeyVolatile Memory:PlaintextReboot Remove powerUntil module reboot or power off
HMAC KeyOn Disk:EncryptedZeroisation of KEKKEK (AES Key):EncryptsExported in encrypted form via part of config backup file Imported in encrypted form via TLS or SSH session Imported in plaintext via local console
Sensitive security parameter
NameTypeDescriptionStrengthStorageZeroizationUse
ZebOS Router Password (Alphanumeric string)Alphanumeric String - CSPRouter authentication
Cluster Password (Alphanumeric string)Alphanumeric String - CSPUsed to connect nodes to the cluster coordinator
Operator Password (Alphanumeric string)Alphanumeric String - CSPAuthenticate the operator to the module via an external authentication service
Software Load Integrity Key (RSA public key)Public/Private - Neither(Not an SSP), Used to verify the new software load2048 bits - 112 bitsRSA SigVer for Software Load Integrity
KEK Fragment 1Non-volatile Memory:PlaintextCLI commandKEK Fragment 2:Used With
KEK Fragment 2Non-volatile Memory:PlaintextCLI commandKEK Fragment 1:Used With
KEK (AES Key)Volatile Memory:PlaintextReboot Remove powerKEK Fragment 1:Derived From KEK Fragment 2:Derived From
PEM Key (AES Key)On Disk:EncryptedCLI commandKEK (AES Key):Derived From
AES KeyOn Disk:EncryptedReboot Remove powerKEK (AES Key):EncryptsExported in encrypted form via part of config backup file Imported in encrypted form via TLS or SSH session Imported in plaintext via local console
AES GCM KeyVolatile Memory:PlaintextReboot Remove powerUntil module reboot or power off
HMAC KeyOn Disk:EncryptedZeroisation of KEKKEK (AES Key):EncryptsExported in encrypted form via part of config backup file Imported in encrypted form via TLS or SSH session Imported in plaintext via local console

November 25, 2025 ------Table 20: SSP Table 1 NetScaler Virtual Appliance 13.1.FIPS ©2025 Cloud Software Group

Page 50
Sensitive security parameter
NameStorageZeroizationInput
CA Public KeyOn Disk:PlaintextNetScaler VA DetectionExported in plaintext Imported in encrypted form via TLS or SSH session Imported in plaintext via local console
DH Private KeyVolatile Memory:PlaintextReboot Remove power Session terminationUntil module reboot, power off, or session terminationDH Public Key:Paired With
DH Public KeyVolatile Memory:PlaintextReboot Remove power Session terminationUntil module reboot, power off, or session terminationDH Private Key:Paired With
ECDH Private KeyVolatile Memory:PlaintextReboot Remove power Session terminationUntil module reboot, power off, or session terminationECDH Public Key :Paired With
ECDH Public KeyVolatile Memory:PlaintextReboot Remove power Session terminationExported in plaintext Imported in plaintext via local consoleUntil module reboot, power off, or session terminationECDH Private Key :Paired With
RSA Private KeyVolatile Memory:PlaintextZeroisation of KEKExported in plaintext Imported in plaintext via local consoleRSA Public Key:Paired With KEK (AES Key):Encrypts
RSA Public KeyVolatile Memory:PlaintextNetScaler VA DetectionExported in plaintext Imported in plaintext via local consoleRSA Private Key :Paired With
SSH Private KeyOn Disk:PlaintextCLI commandExported in encrypted form via part of config backup file
SSH Public KeyVolatile Memory:PlaintextNetScaler VA DetectionExported in encrypted form via part of config backup file
SSH Session KeyVolatile Memory:PlaintextReboot Remove power Session terminationUntil module reboot, power off, or session termination
SSH Authentication KeyVolatile Memory:PlaintextReboot Remove power Session terminationUntil module reboot, power off, or session termination
IKE/IPsec Pre-shared key (PSK)Volatile Memory:PlaintextReboot Remove power Session terminationExported in encrypted form via part of config backup file Imported in plaintext via local consoleUntil module reboot, power off, or session termination
IKE/IPsec Session Key (AES key)Volatile Memory:PlaintextReboot Remove power Session terminationUntil module reboot, power off, or session termination
IKE/IPsec Authentication Key (HMAC key)Volatile Memory:PlaintextReboot Remove power Session terminationUntil module reboot, power off, or session termination
RDP Session KeyVolatile Memory:PlaintextReboot Remove power Session terminationUntil module reboot, power off, or session termination
DFA Session KeyVolatile Memory:PlaintextReboot Remove power Session termination
TLS Private KeyOn Disk:EncryptedZeroisation of KEKExported in encrypted form via part of config backup file Imported in encrypted form via TLS or SSH session Imported in plaintext via local consoleTLS Public Key:Paired With
TLS Public KeyVolatile Memory:PlaintextNetScaler VA DetectionTLS Private Key:Paired With
TLS Session KeyVolatile Memory:PlaintextReboot Remove power Session terminationUntil module reboot, power off, or session termination
TLS Authentication Key (HMAC Key)Volatile Memory:PlaintextReboot Remove power Session terminationUntil module reboot, power off, or session termination
TLS Ticket Encryption Key (AES key)Volatile Memory:PlaintextReboot Remove power Session terminationImported in encrypted form via TLS or SSH sessionUntil module reboot, power off, or session termination
TLS Ticket Authentication Key (HMAC key)Volatile Memory:PlaintextReboot Remove power Session terminationImported in encrypted form via TLS or SSH sessionUntil module reboot, power off, or session termination
SNMPv3 Privacy Key (AES key)Volatile Memory:PlaintextReboot Remove power Session terminationUntil module reboot, power off, or session termination
SNMPv3 Authentication Key (HMAC key)Volatile Memory:PlaintextReboot Remove powerUntil module reboot or power off
Public DNS KSK (RSA public key)On Disk:PlaintextZeroisation of KEKExported in plaintext Imported in encrypted form via TLS or SSH sessionPrivate DNS KSK (RSA private key):Paired With
Private DNS KSK (RSA private key)On Disk:EncryptedNetScaler VA DetectionExported in encrypted form via part of config backup file Imported in encrypted form via TLS or SSH sessionPEM Key (AES Key):Encrypts Public DNS KSK (RSA public key):Paired With
Public DNS ZSK (RSA public key)On Disk:PlaintextNetScaler VA DetectionExported in plaintext Imported in encrypted form via TLS or SSH sessionPrivate DNS ZSK (RSA private key):Paired With
Private DNS ZSK (RSA private key)On Disk:EncryptedZeroisation of KEKExported in encrypted form via part of config backup file Imported in encrypted form via TLS or SSH sessionPublic DNS ZSK (RSA public key):Paired With
PEM Passphrase (Alphanumeric string)Non-volatile Memory:Plaintext On Disk:EncryptedReboot Remove powerExported in encrypted form via part of config backup file Imported in plaintext via local consoleUntil module reboot or power offKEK (AES Key):Encrypts
AES GCM IV (96 and 128-bit IV)Volatile Memory:PlaintextReboot Remove powerUntil module reboot or power off
SSH Shared SecretVolatile Memory:PlaintextReboot Remove power Session terminationUntil module reboot, power off, or session termination
IKE/IPsec Shared SecretVolatile Memory:PlaintextReboot Remove power Session terminationUntil module reboot, power off, or session termination
TLS Pre-Master SecretVolatile Memory:PlaintextReboot Remove power Session terminationImported in encrypted form via RSA key transportUntil module reboot, power off, or session termination
TLS Extended Master SecretVolatile Memory:PlaintextReboot Remove power Session terminationUntil module reboot, power off, or session terminationTLS Pre-Master Secret:Derived From
Hash DRBG EntropyVolatile Memory:PlaintextReboot Remove powerUntil module reboot or power off
Hash DRBG SeedVolatile Memory:PlaintextReboot Remove powerUntil module reboot or power off
Hash DRBG 'V' Value (Internal state value)Volatile Memory:PlaintextReboot Remove powerUntil module reboot or power off
Hash DRBG 'C' Value (Internal state value)Volatile Memory:PlaintextReboot Remove powerUntil module reboot or power off
CTR DRBG EntropyVolatile Memory:PlaintextReboot Remove powerUntil module reboot or power off
CTR DRBG SeedVolatile Memory:PlaintextReboot Remove powerUntil module reboot or power off
CTR DRBG 'V' ValueVolatile Memory:PlaintextReboot Remove powerUntil module reboot or power off
CTR DRBG 'Key' Value (AES key)Volatile Memory:PlaintextReboot Remove powerUntil module reboot or power off
SNMPv3 Privacy Passphrase (Alphanumeric string)On Disk:EncryptedZeroisation of KEKExported in encrypted form via part of config backup file Imported in encrypted form via TLS or SSH session Imported in plaintext via local consoleKEK (AES Key):Encrypts
SNMPv3 Authentication Passphrase (Alphanumeric string)On Disk:EncryptedZeroisation of KEKExported in encrypted form via part of config backup file Imported in encrypted form via TLS or SSH session Imported in plaintext via local consoleKEK (AES Key):Encrypts

November 25, 2025 NetScaler Virtual Appliance 13.1.FIPS ©2025 Cloud Software Group

Page 51

November 25, 2025 NetScaler Virtual Appliance 13.1.FIPS ©2025 Cloud Software Group

Page 52

November 25, 2025 NetScaler Virtual Appliance 13.1.FIPS ©2025 Cloud Software Group

Page 53

November 25, 2025 NetScaler Virtual Appliance 13.1.FIPS ©2025 Cloud Software Group

Page 54
Sensitive security parameter
NameStorageZeroizationInput
LDAP Admin Password (Alphanumeric string)On Disk:EncryptedZeroisation of KEKExported in encrypted form via part of config backup file Imported in encrypted form via TLS or SSH session Imported in plaintext via local consoleKEK (AES Key):Encrypts
RDP PSK (Shared secret)On Disk:EncryptedZeroisation of KEKExported in encrypted form via part of config backup file Imported in encrypted form via TLS or SSH session Imported in plaintext via local consoleKEK (AES Key):Encrypts
Oauth Client Secret (Shared secret)On Disk:EncryptedZeroisation of KEKExported in encrypted form via part of config backup file Imported in encrypted form via TLS or SSH session Imported in plaintext via local consoleKEK (AES Key):Encrypts
DFA Shared SecretOn Disk:EncryptedZeroisation of KEKExported in encrypted form via part of config backup file Imported in encrypted form via TLS or SSH session Imported in plaintext via local consoleKEK (AES Key):Encrypts
ZebOS Router Password (Alphanumeric string)On Disk:EncryptedZeroisation of KEKExported in encrypted form via part of config backup file Imported in encrypted form via TLS or SSH session Imported in plaintext via local consoleKEK (AES Key):Encrypts

November 25, 2025 NetScaler Virtual Appliance 13.1.FIPS ©2025 Cloud Software Group

Page 55
Sensitive security parameter
NameStorageZeroizationInput
Cluster Password (Alphanumeric string)On Disk:EncryptedZeroisation of KEKExported in encrypted form via part of config backup file Imported in encrypted form via TLS or SSH session Imported in plaintext via local consoleKEK (AES Key):Encrypts
Operator Password (Alphanumeric string)On Disk:EncryptedZeroisation of KEKExported in encrypted form via part of config backup file Imported in encrypted form via TLS or SSH session Imported in plaintext via local consoleKEK (AES Key):Encrypts
Software Load Integrity Key (RSA public key)Non-volatile Memory:PlaintextReboot Remove powerImported in plaintext via local consoleUntil module reboot or power off

November 25, 2025 Table 21: SSP Table 2 NetScaler Virtual Appliance 13.1.FIPS ©2025 Cloud Software Group

Page 56
Self test
NameAlgorithm Or TestTest MethodTest TypeDetailsTest PropertiesIndicatorConditions
RSA SigVer (FIPS186-4) (A3943)RSA SigVer (FIPS186-4) (A3943)Software IntegritySW/FW IntegrityRSA 2048 digital signature verification with SHA-5122048-bit, using SHA2-512"FIPS Post Failed" message in /var/log/ns.log
AES-CBC (A3942)AES-CBC (A3942)KATCASTEncrypt, Decrypt128-bit"POST FAILED" message in /var/log/FIPS- post.logAfter successful completion of software integrity test
AES-GCM (A3942)AES-GCM (A3942)KATCASTEncrypt, Decrypt256-bit"POST FAILED" message in /var/log/FIPS- post.logAfter successful completion of software integrity test.
Counter DRBG (A3942)Counter DRBG (A3942)KATCASTInstantiate/Generate/Reseed"POST FAILED" message in /var/log/FIPS- post.logAfter successful completion of software integrity test.
KAS-FFC-SSC Sp800-56Ar3 (A3942)KAS-FFC-SSC Sp800-56Ar3 (A3942)KATCASTPrimitive "Z" computation test"POST FAILED" message in /var/log/FIPS- post.logAfter successful completion of software integrity test.
KAS-ECC-SSC Sp800-56Ar3 (A3942)KAS-ECC-SSC Sp800-56Ar3 (A3942)KATCASTPrimitive "Z" computation test"POST FAILED" message in /var/log/FIPS- post.logAfter successful completion of software integrity test.
ECDSA SigGen (FIPS186-4) (A3942)ECDSA SigGen (FIPS186-4) (A3942)KATCASTSignP-256"POST FAILED" message in /var/log/FIPS- post.logAfter successful completion of software integrity test.
Self test
NameAlgorithm Or TestTest MethodTest TypePeriodPeriodic MethodDetailsTest PropertiesIndicatorConditions
RSA SigVer (FIPS186-4) (A3943)RSA SigVer (FIPS186-4) (A3943)Software IntegritySW/FW IntegrityRSA 2048 digital signature verification with SHA-5122048-bit, using SHA2-512"FIPS Post Failed" message in /var/log/ns.log
AES-CBC (A3942)AES-CBC (A3942)KATCASTEncrypt, Decrypt128-bit"POST FAILED" message in /var/log/FIPS- post.logAfter successful completion of software integrity test
AES-GCM (A3942)AES-GCM (A3942)KATCASTEncrypt, Decrypt256-bit"POST FAILED" message in /var/log/FIPS- post.logAfter successful completion of software integrity test.
Counter DRBG (A3942)Counter DRBG (A3942)KATCASTInstantiate/Generate/Reseed"POST FAILED" message in /var/log/FIPS- post.logAfter successful completion of software integrity test.
KAS-FFC-SSC Sp800-56Ar3 (A3942)KAS-FFC-SSC Sp800-56Ar3 (A3942)KATCASTPrimitive "Z" computation test"POST FAILED" message in /var/log/FIPS- post.logAfter successful completion of software integrity test.
KAS-ECC-SSC Sp800-56Ar3 (A3942)KAS-ECC-SSC Sp800-56Ar3 (A3942)KATCASTPrimitive "Z" computation test"POST FAILED" message in /var/log/FIPS- post.logAfter successful completion of software integrity test.
ECDSA SigGen (FIPS186-4) (A3942)ECDSA SigGen (FIPS186-4) (A3942)KATCASTSignP-256"POST FAILED" message in /var/log/FIPS- post.logAfter successful completion of software integrity test.
ECDSA SigVer (FIPS186-4) (A3942)ECDSA SigVer (FIPS186-4) (A3942)KATCASTVerifyP-256"POST FAILED" message in /var/log/FIPS- post.logAfter successful completion of software integrity test.
HMAC-SHA-1 (A3942)HMAC-SHA-1 (A3942)KATCASTN/ASHA-1"POST FAILED" message in /var/log/FIPS- post.logAfter successful completion of software integrity test.
HMAC-SHA2- 256 (A3942)HMAC-SHA2- 256 (A3942)KATCASTN/ASHA2-256"POST FAILED" message in /var/log/FIPS- post.logAfter successful completion of software integrity test.
HMAC-SHA2- 512 (A3942)HMAC-SHA2- 512 (A3942)KATCASTN/ASHA2-512"POST FAILED" message in /var/log/FIPS- post.logAfter successful completion of software integrity test.
PBKDF (A3942)PBKDF (A3942)KATCASTN/ASHA-1"POST FAILED" message in /var/log/FIPS- post.logAfter successful completion of software integrity test.
RSA SigGen (FIPS186-4) (A3942)RSA SigGen (FIPS186-4) (A3942)KATCASTSign2048-bit, SHA2- 256"POST FAILED" message in /var/log/FIPS- post.logBefore software integrity test
RSA SigVer (FIPS186-4) (A3942)RSA SigVer (FIPS186-4) (A3942)KATCASTVerify2048-bit, SHA2- 256"POST FAILED" message in /var/log/FIPS- post.logBefore software integrity test
SHA-1 (A3942)SHA-1 (A3942)KATCASTN/A"POST FAILED" message in /var/log/FIPS- post.logAfter successful completion of software integrity test.
SHA2-256 (A3942)SHA2-256 (A3942)KATCASTN/A"POST FAILED" message in /var/log/FIPS- post.logAfter successful completion of software integrity test.
SHA2-512 (A3942)SHA2-512 (A3942)KATCASTN/A"POST FAILED" message in /var/log/FIPS- post.logAfter successful completion of software integrity test.
KDF IKEv1 (A3942)KDF IKEv1 (A3942)KATCASTN/A"POST FAILED" message in /var/log/FIPS- post.logAfter successful completion of software integrity test.
KDF IKEv2 (A3942)KDF IKEv2 (A3942)KATCASTN/A"POST FAILED" message in /var/log/FIPS- post.logAfter successful completion of software integrity test.
KDF SSH (A3942)KDF SSH (A3942)KATCASTN/A"POST FAILED" message in /var/log/FIPS- post.logAfter successful completion of software integrity test.
KDF TLS (A3942)KDF TLS (A3942)KATCASTN/A"POST FAILED" message in /var/log/FIPS- post.logAfter successful completion of software integrity test.
TLS v1.2 KDF RFC7627 (A3942)TLS v1.2 KDF RFC7627 (A3942)KATCASTN/A"POST FAILED" message in /var/log/FIPS- post.logAfter successful completion of software integrity test.
AES-CBC (A3943)AES-CBC (A3943)KATCASTEncrypt, Decrypt128-bit"POST FAILED" message in /var/log/FIPS- post.logAfter successful completion of software integrity test.
AES-GCM (A3943)AES-GCM (A3943)KATCASTEncrypt, Decrypt256-bit"POST FAILED" message in /var/log/FIPS- post.logAfter successful completion of software integrity test.
KAS-ECC-SSC Sp800-56Ar3 (A3943)KAS-ECC-SSC Sp800-56Ar3 (A3943)KATCASTN/A"POST FAILED" message in /var/log/FIPS- post.logAfter successful completion of software integrity test.
ECDSA SigGen (FIPS186-4) (A3943)ECDSA SigGen (FIPS186-4) (A3943)KATCASTSignP-256"POST FAILED" message in /var/log/FIPS- post.logAfter successful completion of software integrity test.
ECDSA SigVer (FIPS186-4) (A3943)ECDSA SigVer (FIPS186-4) (A3943)KATCASTVerifyP-256"POST FAILED" message in /var/log/FIPS- post.logAfter successful completion of software integrity test.
Hash DRBG (A3943)Hash DRBG (A3943)KATCASTInstantiate/Generate/ReseedAES, 256-bit, with derivation function"POST FAILED" message in /var/log/FIPS- post.logAfter successful completion of software integrity test.
HMAC-SHA-1 (A3943)HMAC-SHA-1 (A3943)KATCASTN/A"POST FAILED" message in /var/log/FIPS- post.logAfter successful completion of software integrity test.
HMAC-SHA2- 256 (A3943)HMAC-SHA2- 256 (A3943)KATCASTN/A"POST FAILED" message in /var/log/FIPS- post.logAfter successful completion of software integrity test.
HMAC-SHA2- 512 (A3943)HMAC-SHA2- 512 (A3943)KATCASTN/A"POST FAILED" message in /var/log/FIPS- post.logAfter successful completion of software integrity test.
KDF SP800-108 (A3943)KDF SP800-108 (A3943)KATCASTN/A"POST FAILED" message in /var/log/FIPS- post.logAfter successful completion of software integrity test.
RSA SigGen (FIPS186-4) (A3943)RSA SigGen (FIPS186-4) (A3943)KATCASTN/A2048-bit, SHA2- 256"POST FAILED" message in /var/log/FIPS- post.logAfter successful completion of software integrity test.
RSA SigVer (FIPS186-4) (A3943)RSA SigVer (FIPS186-4) (A3943)KATCASTN/A2048-bit, SHA2- 256"POST FAILED" message in /var/log/FIPS- post.logAfter successful completion of software integrity test.
SHA-1 (A3943)SHA-1 (A3943)KATCASTN/A"POST FAILED" message in /var/log/FIPS- post.logAfter successful completion of software integrity test.
SHA2-256 (A3943)SHA2-256 (A3943)KATCASTN/A"POST FAILED" message in /var/log/FIPS- post.logAfter successful completion of software integrity test.
SHA2-512 (A3943)SHA2-512 (A3943)KATCASTN/A"POST FAILED" message in /var/log/FIPS- post.logAfter successful completion of software integrity test.
KDF TLS (A3943)KDF TLS (A3943)KATCASTN/A"POST FAILED" message in /var/log/FIPS- post.logAfter successful completion of software integrity test.
TLS v1.2 KDF RFC7627 (A3943)TLS v1.2 KDF RFC7627 (A3943)KATCASTN/A"POST FAILED" message in /var/log/FIPS- post.logAfter successful completion of software integrity test.
TLS v1.3 KDF (A3943)TLS v1.3 KDF (A3943)KATCASTN/A"POST FAILED" message in /var/log/FIPS- post.logAfter successful completion of software integrity test.
RSA SigVer (FIPS186-4) (A3943)RSA SigVer (FIPS186-4) (A3943)Software IntegritySW/FW IntegrityOn DemandManually
AES-CBC (A3942)AES-CBC (A3942)KATCASTOn DemandManually
AES-GCM (A3942)AES-GCM (A3942)KATCASTOn DemandManually
Counter DRBG (A3942)Counter DRBG (A3942)KATCASTOn DemandManually
KAS-FFC-SSC Sp800- 56Ar3 (A3942)KAS-FFC-SSC Sp800- 56Ar3 (A3942)KATCASTOn DemandManually
KAS-ECC-SSC Sp800- 56Ar3 (A3942)KAS-ECC-SSC Sp800- 56Ar3 (A3942)KATCASTOn DemandManually
ECDSA SigGen (FIPS186- 4) (A3942)ECDSA SigGen (FIPS186- 4) (A3942)KATCASTOn DemandManually
ECDSA SigVer (FIPS186- 4) (A3942)ECDSA SigVer (FIPS186- 4) (A3942)KATCASTOn DemandManually
HMAC-SHA-1 (A3942)HMAC-SHA-1 (A3942)KATCASTOn DemandManually
HMAC-SHA2-256 (A3942)HMAC-SHA2-256 (A3942)KATCASTOn DemandManually
HMAC-SHA2-512 (A3942)HMAC-SHA2-512 (A3942)KATCASTOn DemandManually
PBKDF (A3942)PBKDF (A3942)KATCASTOn DemandManually
RSA SigGen (FIPS186-4) (A3942)RSA SigGen (FIPS186-4) (A3942)KATCASTOn DemandManually

November 25, 2025 10. Self-Tests The module performs pre-operational self-tests and conditional self-tests. Pre-operational tests are performed between the time the cryptographic module is instantiated and before the module transitions to the operational state. Conditional self-tests are performed by the module during module operation when certain conditions exist. The following sections list the self-tests performed by the module, their expected error status, and the error resolutions. 10.1 Pre-Operational Self-Tests The module performs the following pre-operational self-test(s): Table 22: Pre-Operational Self-Tests 10.2 Conditional Self-Tests The module performs the following conditional self-tests: NetScaler Virtual Appliance 13.1.FIPS ©2025 Cloud Software Group

Page 57

November 25, 2025 N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A NetScaler Virtual Appliance 13.1.FIPS ©2025 Cloud Software Group

Page 58

November 25, 2025 N/A N/A N/A N/A N/A N/A N/A N/A N/A NetScaler Virtual Appliance 13.1.FIPS ©2025 Cloud Software Group

Page 59
Self test
NameAlgorithm Or TestTest MethodTest TypePeriodPeriodic MethodDetailsIndicatorConditions
SHA2-256 (A3943)SHA2-256 (A3943)KATCASTN/A"POST FAILED" message in /var/log/FIPS- post.logAfter successful completion of software integrity test.
SHA2-512 (A3943)SHA2-512 (A3943)KATCASTN/A"POST FAILED" message in /var/log/FIPS- post.logAfter successful completion of software integrity test.
KDF TLS (A3943)KDF TLS (A3943)KATCASTN/A"POST FAILED" message in /var/log/FIPS- post.logAfter successful completion of software integrity test.
TLS v1.2 KDF RFC7627 (A3943)TLS v1.2 KDF RFC7627 (A3943)KATCASTN/A"POST FAILED" message in /var/log/FIPS- post.logAfter successful completion of software integrity test.
TLS v1.3 KDF (A3943)TLS v1.3 KDF (A3943)KATCASTN/A"POST FAILED" message in /var/log/FIPS- post.logAfter successful completion of software integrity test.
RSA SigVer (FIPS186-4) (A3943)RSA SigVer (FIPS186-4) (A3943)Software IntegritySW/FW IntegrityOn DemandManually
AES-CBC (A3942)AES-CBC (A3942)KATCASTOn DemandManually
AES-GCM (A3942)AES-GCM (A3942)KATCASTOn DemandManually
Counter DRBG (A3942)Counter DRBG (A3942)KATCASTOn DemandManually
KAS-FFC-SSC Sp800- 56Ar3 (A3942)KAS-FFC-SSC Sp800- 56Ar3 (A3942)KATCASTOn DemandManually
KAS-ECC-SSC Sp800- 56Ar3 (A3942)KAS-ECC-SSC Sp800- 56Ar3 (A3942)KATCASTOn DemandManually
ECDSA SigGen (FIPS186- 4) (A3942)ECDSA SigGen (FIPS186- 4) (A3942)KATCASTOn DemandManually
ECDSA SigVer (FIPS186- 4) (A3942)ECDSA SigVer (FIPS186- 4) (A3942)KATCASTOn DemandManually
HMAC-SHA-1 (A3942)HMAC-SHA-1 (A3942)KATCASTOn DemandManually
HMAC-SHA2-256 (A3942)HMAC-SHA2-256 (A3942)KATCASTOn DemandManually
HMAC-SHA2-512 (A3942)HMAC-SHA2-512 (A3942)KATCASTOn DemandManually
PBKDF (A3942)PBKDF (A3942)KATCASTOn DemandManually
RSA SigGen (FIPS186-4) (A3942)RSA SigGen (FIPS186-4) (A3942)KATCASTOn DemandManually
RSA SigVer (FIPS186-4) (A3942)RSA SigVer (FIPS186-4) (A3942)KATCASTOn DemandManually
SHA-1 (A3942)SHA-1 (A3942)KATCASTOn DemandManually
SHA2-256 (A3942)SHA2-256 (A3942)KATCASTOn DemandManually
SHA2-512 (A3942)SHA2-512 (A3942)KATCASTOn DemandManually
KDF IKEv1 (A3942)KDF IKEv1 (A3942)KATCASTOn DemandManually
KDF IKEv2 (A3942)KDF IKEv2 (A3942)KATCASTOn DemandManually
KDF SSH (A3942)KDF SSH (A3942)KATCASTOn DemandManually
KDF TLS (A3942)KDF TLS (A3942)KATCASTOn DemandManually
TLS v1.2 KDF RFC7627 (A3942)TLS v1.2 KDF RFC7627 (A3942)KATCASTOn DemandManually
AES-CBC (A3943)AES-CBC (A3943)KATCASTOn DemandManually
AES-GCM (A3943)AES-GCM (A3943)KATCASTOn DemandManually
KAS-ECC-SSC Sp800- 56Ar3 (A3943)KAS-ECC-SSC Sp800- 56Ar3 (A3943)KATCASTOn DemandManually
ECDSA SigGen (FIPS186- 4) (A3943)ECDSA SigGen (FIPS186- 4) (A3943)KATCASTOn DemandManually
ECDSA SigVer (FIPS186- 4) (A3943)ECDSA SigVer (FIPS186- 4) (A3943)KATCASTOn DemandManually
Hash DRBG (A3943)Hash DRBG (A3943)KATCASTOn DemandManually
HMAC-SHA-1 (A3943)HMAC-SHA-1 (A3943)KATCASTOn DemandManually
HMAC-SHA2-256 (A3943)HMAC-SHA2-256 (A3943)KATCASTOn DemandManually
HMAC-SHA2-512 (A3943)HMAC-SHA2-512 (A3943)KATCASTOn DemandManually
KDF SP800-108 (A3943)KDF SP800-108 (A3943)KATCASTOn DemandManually
RSA SigGen (FIPS186-4) (A3943)RSA SigGen (FIPS186-4) (A3943)KATCASTOn DemandManually
RSA SigVer (FIPS186-4) (A3943)RSA SigVer (FIPS186-4) (A3943)KATCASTOn DemandManually
SHA-1 (A3943)SHA-1 (A3943)KATCASTOn DemandManually
SHA2-256 (A3943)SHA2-256 (A3943)KATCASTOn DemandManually
SHA2-512 (A3943)SHA2-512 (A3943)KATCASTOn DemandManually
KDF TLS (A3943)KDF TLS (A3943)KATCASTOn DemandManually
TLS v1.2 KDF RFC7627 (A3943)TLS v1.2 KDF RFC7627 (A3943)KATCASTOn DemandManually
TLS v1.3 KDF (A3943)TLS v1.3 KDF (A3943)KATCASTOn DemandManually

November 25, 2025 N/A N/A N/A N/A N/A Table 23: Conditional Self-Tests 10.3 Periodic Self-Test Information The module has conditions that may interrupt module operations during the time to repeat the periodic self-tests. The table below specifies the period and the policy for these conditions. Table 24: Pre-Operational Periodic Information NetScaler Virtual Appliance 13.1.FIPS ©2025 Cloud Software Group

Page 60

November 25, 2025 Table 25: Conditional Periodic Information 10.4 Error States If the module enters the critical error state due to a failure of the pre-operational integrity test, the module enters a critical error state and logs an error message. In this state, the boot sequence and entire system is halted. The only action available from this state is to reboot the module to trigger the re-execution of the integrity test. The error condition is considered to have been cleared if the module successfully passes the pre-operational integrity test. If the module continues to return to a halted state, the module is considered to be malfunctioning or compromised, and Cloud Software Group Customer Support must be contacted. If the module enters the critical error state due to a failure of any of the conditional CASTs, cryptographic operations are halted, and the module inhibits all data output from the module. The module logs an error message and automatically reboots to clear the error state. The CO must contact Cloud Software Group if this error occurs. NetScaler Virtual Appliance 13.1.FIPS ©2025 Cloud Software Group

Page 61
Service
NameDescriptionRole AccessIndicator
Critical Error (pre- operational self tests)The booth sequence and entire system is halted. The only action available from this state is to reboot the module to trigger the re-execution of the integrity test.Module fails pre- operational integrity test.Logs "POST Failed" error message in /var/log/FIPS- post.log for Netscaler Control Plane Cryptographic Library. Logs "FIPS Post Failed" in /var/log/ns.log for Netscaler Data Plane Cryptographic Library.The module successfully passes the pre-operational integrity test. If the module continues to return to a halted state, the module is considered to be malfunctioning or compromised, and Cloud Software Group Customer Support must be contacted.
Critical Error (Conditional CASTs)Cryptographic operations are halted, and the module inhibits all data output from the module.Module fails any conditional CASTs.Logs "POST Failed" error message in /var/log/FIPS- post.log for Netscaler Control Plane Cryptographic Library. Logs "FIPS Post Failed" in /var/log/ns.log for Netscaler Data Plane Cryptographic Library.The module automatically reboots after logging an error message to clear the error state. The CO must contact Cloud Software Group Support if this error occurs.
Soft ErrorError that may occur when invoking service that calls the conditional self-test.Module fails any of the remaining conditional self-tests.The following message is displayed: "Internal failure in SSL cert/key generation tool".The module returns to an operational state once the message is displayed, and the error is logged. The user may retry the service or move to other operations.

November 25, 2025 checking the log files.

Page 62

November 25, 2025 11. Life-Cycle Assurance The sections below describe how to ensure the module is operating in its validated configuration, including the following:

11.1.1 Installation

For detailed guidance regarding the installation of NetScaler VA, please see the Deploy a Citrix ADC VPX instance webpage on Citrix’s online product documentation portal and refer to the following document entries:

Page 63
11.1.2 Initialization

After the appliance has been setup, the CO is responsible for the general configuration of the module. The Web GUI or CLI can be used for the general configuration of the module. All general configuration must be complete before performing configuration necessary to place the module in a FIPS-Approved mode of operation. The general configuration requirements and instructions are described in the “Quick Start Installation and Configuration” section of the Citrix ADC Deployment Guide found on Citrix’s online product documentation portal.

11.1.3 General Configuration

After the NetScaler Virtual Appliance has been installed on a VMware ESXi 7.0 hypervisor, the CO is responsible for the general configuration of the module. The Web GUI (configuration utility) or CLI can be used for the general configuration of the module. All general configuration steps must be complete before performing configuration necessary to place the module in a FIPS-Approved mode of operation. The general configuration requirements and instructions are described in the “Quick Start Installation and Configuration” section of the Citrix NetScaler Deployment Guide found on Cloud Software Group’s online product documentation portal.

11.1.4 FIPS-Approved Mode Configuration and Status

The CO is responsible for the security-relevant configuration of the module. To initialize the module for the approved mode of operation, the CO must: • • • • • Configure the passphrase requirements Replace the default TLS certificate Disable HTTP access to the Web GUI Enable external authentication Disable local authentication To accomplish these tasks, the CO must follow the procedures detailed in the sections below (for more information, please see the “Configuration Guidelines” section of the document entry Citrix ADC Deployment Guide. Once the CO has completed all configuration steps, the CO shall review all saved settings to ensure they match the required settings as documented in the configuration guidance below. If properly set, the module is considered to be operating in the FIPS-Approved mode. 11.1.4.1 Configure the Passphrase Requirements Passphrases are used to derive keys using PBKDF. The CO must configure strong passphrase requirements. This is accomplished with the following steps from the Web GUI:

  1. In the Configuration navigation pane, go to System and click the Settings node.
  2. In the Settings section, click the Change Global System Settings link.
  3. In the Strong Password field, select Enable All. NetScaler Virtual Appliance 13.1.FIPS ©2025 Cloud Software Group
Page 64

November 25, 2025

  1. In the Min Password Length field, type “8”.
  2. Click OK. 11.1.4.2 Replace the Default TLS Certificate By default, the module includes a factory-provisioned RSA certificate for TLS connections (ns-server.cert and ns-server.key). This certificate is not intended for use in production deployments and must be replaced. The CO must replace the default certificate with a newly-generated certificate after the initial installation. To replace the default TLS certificate, the CO must follow these steps:
  3. Run the following CLI command to set the hostname of the module: set ns hostName [hostname]
  4. From the Web GUI, complete the following procedure to create a Certificate Signing Request (CSR): a. In the Configuration navigation pane, go to Traffic Management and click the SSL node. b. In the SSL Certificates section, click the Create Certificate Request link. c. Make sure to provide values for all the required fields marked with an “*” and then click Create. Note that the Common Name field will contain the value of hostname created in step 1 above.
  5. Submit the CSR file to a trusted CA. The CSR file is available in the /nsconfig/ssl directory.
  6. After receiving the certificate from the trusted CA, copy the file to the /nsconfig/ssl directory.
  7. From the Web GUI, navigate to Traffic Management > SSL and choose ns-server-certificate.
  8. Click Update.
  9. In the Certificate File Name field, choose the certificate file that was received from the CA. Use the Browse option to choose the file that you have received from CA after signing. Choose the Browse > Local option if the file is saved on your workstation/local drive.
  10. In the Private Key File Name field, specify the default private key file name (ns-server.key).
  11. Select the No Domain Check option.
  12. Click OK. For more information, please refer to the Citrix Support Knowledge Center article CTX122521) on Citrix’s online product documentation portal. 11.1.4.3 Disable HTTP Access to the Web GUI The CO protects traffic to the administrative interface and Web GUI, by configuring the module to use HTTPS18. Once the module has been configured to use new TLS and SSH certificates, disable HTTP access to the GUI management interface with the following CLI command: set ns ip <NSIP> -gui SECUREONLY 11.1.4.4 Enable External Authentication Once the module is configured in FIPS-Approved mode and the nsroot account is disabled, then external authentication must be configured. Follow the instructions on the Citrix ADC 13.1 – Configuring external user authentication webpage found on the Cloud Software Group online product documentation portal to configure external system authentication. The CO must ensure the following before enabling external authentication: • • A secure connection is established with the external authentication service. Shell access is disabled for all profiles on the external authentication service.
18 HTTPS – Hypertext Transfer Protocol Secure

NetScaler Virtual Appliance 13.1.FIPS ©2025 Cloud Software Group

Page 65

11.1.4.5 November 25, 2025 Disable Local Authentication The nsroot account is a default account with root CLI access (superuser) privileges that is required for initial configuration. During initial configuration, the CO shall disable local system authentication to block access to all local accounts (including the nsroot account), and the CO must ensure that superuser privileges are not assigned to any user account. To disable local system authentication and enable external system authentication, the CO must run the following CLI command: set system parameter -localauth disabled

11.1.5 Startup

No additional startup steps are required to be performed by end-users. 11.2 Administrator Guidance Once installed and configured, the Crypto Officer is responsible for maintaining and monitoring the status of the module to ensure that it is running in its FIPS-Approved mode. Please refer to this section for guidance that the Crypto Officer must follow to ensure that the module is operating in a FIPS-Approved manner.

11.2.1 On-Demand Self-Tests

Although pre-operational self-tests are performed automatically during module power up, they can also be manually launched on demand. Self-tests can be executed by:

11.2.2 Zeroization

There are many CSPs within the module’s cryptographic boundary including symmetric keys, private keys, public keys, and passphrases. CSPs reside in multiple storage media including the RAM and system memory of the host platform. All ephemeral keys are zeroized on module reboot, power removal, or session termination. KEK fragments 1 and 2 are stored as plaintext in non-volatile memory. Zeroizing the KEK fragments render all passphrases and passwords stored in the non-volatile memory unrecoverable, effectively zeroizing them. The KEK fragments are zeroized via the following CLI command: rm system csps -type KEK SSH private keys are stored as plaintext in non-volatile memory. SSH private keys are zeroized via the following CLI command: NetScaler Virtual Appliance 13.1.FIPS ©2025 Cloud Software Group

Page 66

November 25, 2025 rm system csps -type SSH_HOST_KEYS The output (indicator) of both zeroization commands above is successful return from the command line without any error showing on the console. If the commands fails, an error will show on the console before returning control to the user. After the module’s integrity test is complete the software clears out all values when the signature verification operation is complete (zeroizes temporary values used in the integrity test).

11.2.3 Status and Versioning Information

The CO shall be responsible for regularly monitoring the module’s status for the FIPS-Approved mode of operation. When configured according to the CO’s guidance, the module only operates in the FIPS-Approved mode. Thus, the current status of the module when operational is always in the FIPS-Approved mode. An operator can obtain the module’s operational status by reviewing the configuration settings. If set per the guidance documented in section 11.1.4 above, this indicates that the module is operating in the FIPS-Approved mode. An operator can view the versioning information by:

19 ID – Identifier

NetScaler Virtual Appliance 13.1.FIPS ©2025 Cloud Software Group

Page 67
11.2.4 Additional Administrator Policies and Guidance

This section notes additional policies below that must be followed by COs:

Page 68

11.3 November 25, 2025 Non-Administrator Guidance Operators with the User role do not have the ability to configure sensitive information on the module. They must be diligent to select strong passwords and must not reveal their password to anyone. Additionally, they must be careful to protect any secret or private keys in their possession. NetScaler Virtual Appliance 13.1.FIPS ©2025 Cloud Software Group

Page 69

November 25, 2025 12. Mitigation of Other Attacks The module does not claim to mitigate any attacks beyond the FIPS 140-3 Level 1 requirements for this validation. Therefore, per ISO/IEC 19790:2012 section 7.12, requirements for this section are not applicable. NetScaler Virtual Appliance 13.1.FIPS ©2025 Cloud Software Group

Page 70
Acronyms
NameTermDefinition
AESAESAdvanced Encryption Standard
APIAPIApplication Programming Interface
CBCCBCCipher Block Chaining
CCCSCCCSCanadian Centre for Cyber Security
CMVPCMVPCryptographic Module Validation Program
COCOCryptographic Officer
CPUCPUCentral Processing Unit
CTRCTRCounter
CVLCVLComponent Validation List
DEPDEPDefault Entry Point
DESDESData Encryption Standard
DHDHDiffie-Hellman
DRBGDRBGDeterministic Random Bit Generator
ECBECBElectronic Code Book
ECC CDHECC CDHElliptic Curve Cryptography Cofactor Diffie-Hellman
ECDHECDHElliptic Curve Diffie-Hellman
ECDSAECDSAElliptic Curve Digital Signature Algorithm
EMI/EMCEMI/EMCElectromagnetic Interference /Electromagnetic Compatibility
FIPSFIPSFederal Information Processing Standard
GCMGCMGalois/Counter Mode
GMACGMACGalois Message Authentication Code
GPCGPCGeneral-Purpose Computer
HMACHMAC(keyed-) Hash Message Authentication Code
KASKASKey Agreement Scheme
KATKATKnown Answer Test
KTSKTSKey Transport Scheme
KWKWKey Wrap
KWPKWPKey Wrap with Padding
NISTNISTNational Institute of Standards and Technology
OSOSOperating System
PCTPCTPairwise Consistency Test
PKCSPKCSPublic Key Cryptography Standard
PSSPSSProbabilistic Signature Scheme
RNGRNGRandom Number Generator
RSARSARivest, Shamir, and Adleman
SHASHASecure Hash Algorithm
SHSSHSSecure Hash Standard
SPSPSpecial Publication
TDESTDESTriple Data Encryption Standard

November 25, 2025 Appendix A. Acronyms and Abbreviations Table 27 provides definitions for the acronyms and abbreviations used in this document. Table 27. Acronyms and Abbreviations NetScaler Virtual Appliance 13.1.FIPS ©2025 Cloud Software Group

Page 71

November 25, 2025 NetScaler Virtual Appliance 13.1.FIPS ©2025 Cloud Software Group

Page 72

Prepared by: Corsec Security, Inc.

12600 Fair Lakes Circle, Suite 210

Fairfax, VA 22033 United States of America Phone: +1 703 267 6050 Email: info@corsec.com Web: www.corsec.com

Referenced URLs