Cisco Email Security Appliance C160 Operating Instructions
Chapter 1 FIPS Management
1-4
Cisco IronPort AsyncOS 7.3 for Email Advanced Configuration Guide
OL-23081-01
Initializing the HSM Card
If you need to erase the keys stored on the HSM card, you can initialize the HSM card. Initializing the HSM card performs the following functions:
• Resets the FIPS Officer password.
• Erases all existing keys stored on the HSM card and erases all corresponding certificates stored on the appliance hard drive.
• Disables TLS in HAT policies for all listeners, including listener defaults.
• Disables DomainKeys and DKIM signing and verification in HAT policies.
• Disables TLS for destination controls.
• Disables HTTPS for web interface administration, IronPort Spam Quarantine, and other interfaces.
• Does not disable TLS for LDAP profiles.
• Sends an email alert to the Email Security appliance administrator users to report the initialization.
• Regenerates the SSH host key for the Email Security appliance. If you are using a Security Management appliance that does not have a FIPS-compliant HSM card for centralized services, or if the Email Security appliance is in a cluster, you will not be able to reconnect the Email Security appliance to the Security Management appliance or cluster without first deleting the old host key.
• Generates a new IronPort Appliance FIPS Demo Certificate and the corresponding private key for accessing the appliance using SSH. The certificate is stored on the appliance hard drive and the key is stored on the HSM card.
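Because initialization regenerates the appliance's SSH host key, any SSH client that pinned the old key will refuse to connect until that stale entry is removed, and an operator should confirm the new key's fingerprint out of band rather than accept it blindly. The following is an added example, not part of this guide or of Cisco's software; it assumes an OpenSSH-style known_hosts file on the client side (the guide does not say which client the Security Management appliance uses). It removes every entry for a given hostname, including hashed entries (the "|1|salt|hmac" form), and computes an OpenSSH-style SHA256 fingerprint for a key blob so the new key can be compared against the value reported by the appliance. The host names, salt and key blobs are constructed sample data.

```python
import base64
import hashlib
import hmac


def hashed_host_field(hostname: str, salt: bytes) -> str:
    """Build an OpenSSH hashed known_hosts host field: |1|b64(salt)|b64(HMAC-SHA1(salt, host))."""
    mac = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(), base64.b64encode(mac).decode())


def entry_matches(host_field: str, hostname: str) -> bool:
    """True if a known_hosts host field names `hostname` (plain comma list or hashed form).

    Wildcard patterns and [host]:port forms are not handled here; they are left in place.
    """
    if host_field.startswith("|1|"):
        parts = host_field.split("|")  # ["", "1", salt_b64, mac_b64]
        if len(parts) != 4:
            return False
        salt = base64.b64decode(parts[2])
        expected = base64.b64decode(parts[3])
        actual = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
        return hmac.compare_digest(actual, expected)
    return hostname in host_field.split(",")


def prune_known_hosts(text: str, hostname: str):
    """Return (new_text, removed_count) with every entry for `hostname` dropped.

    Comments and blank lines are preserved; '@cert-authority' / '@revoked' markers
    shift the host field to the second column and are handled.
    """
    kept, removed = [], 0
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            kept.append(line)
            continue
        fields = stripped.split()
        host_field = fields[1] if fields[0].startswith("@") else fields[0]
        if entry_matches(host_field, hostname):
            removed += 1
        else:
            kept.append(line)
    return "\n".join(kept) + ("\n" if kept else ""), removed


def sha256_fingerprint(key_b64: str) -> str:
    """OpenSSH-style fingerprint: 'SHA256:' + unpadded base64 of SHA-256 over the raw key blob."""
    digest = hashlib.sha256(base64.b64decode(key_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


# Constructed sample data (not from the appliance): a fixed salt keeps the hashed entry deterministic.
SALT = b"\x01" * 20
KEY1 = base64.b64encode(b"constructed-key-blob-1").decode()
KEY2 = base64.b64encode(b"constructed-key-blob-2").decode()
KEY3 = base64.b64encode(b"constructed-key-blob-3").decode()
SAMPLE_KNOWN_HOSTS = "\n".join([
    "# constructed sample known_hosts",
    "esa.example.com,192.0.2.10 ssh-rsa " + KEY1,
    hashed_host_field("esa.example.com", SALT) + " ssh-ed25519 " + KEY2,
    "sma.example.com ssh-rsa " + KEY3,
]) + "\n"


if __name__ == "__main__":
    new_text, n = prune_known_hosts(SAMPLE_KNOWN_HOSTS, "esa.example.com")
    print("removed %d stale entries for esa.example.com" % n)
    print(new_text)
    print("fingerprint of sample key 1:", sha256_fingerprint(KEY1))
```

After initialization, the operator would prune the appliance's hostname from the client's known_hosts, obtain the new host key's fingerprint from the appliance console, and only then allow the client to record the new key.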
To initialize the HSM card, run the fipsconfig > init CLI command.
The HSM card will be reset if you enter the incorrect FIPS Officer password three times. The FIPS Officer password will be changed to the default sopin123 value.
When you first receive the Email Security appliance, the HSM card is in an initialized state. This means the HSM card contains SSH keys to allow SSH transactions to the appliance. It also contains the “IronPort Appliance FIPS Demo Certificate” and corresponding private key that allows access to the web interface using HTTPS. All corresponding keys are stored on the HSM card.