Chapter 1 FIPS Management
1-18
Cisco IronPort AsyncOS 7.3 for Email Advanced Configuration Guide
OL-23081-01
Note
Cisco recommends that you clone the master keys immediately after the HSM card is initialized.
To clone the master key between a source and a target HSM card, you need access to the following:
  • An SSH session to the source HSM card machine and another SSH session to the target HSM card machine. Each SSH session needs to remain open during the whole process. You can run the SSH sessions from the same local machine or from different local machines.
  • An FTP session to the source and target HSM card machines. You must run the FTP sessions from the same local machine so that you can copy files between the source and target machines.
To clone the master key between HSM cards:
Step 1
Open an SSH session to the source Email Security appliance and run the fipsconfig > clonesource CLI command. This command creates the Token Wrapping Certificate (TWC) file (twc.file). The CLI command then prompts you to enter the name of the part1.file file. Do not enter anything yet; keep the CLI session open.
Step 2
Use FTP to copy the TWC file from the source appliance to the target appliance. The TWC file is located in the FTP root directory.
Step 3
Open an SSH session to the target Email Security appliance and run the fipsconfig > clonetarget CLI command. Enter the name of the TWC file (twc.file by default) and press Enter. This command generates key.file and part1.file using the twc.file copied from the source appliance. The command then prompts you to enter the name of the part2.file file. Do not enter anything yet; keep the CLI session open.
Step 4
Use FTP to copy part1.file from the target appliance to the source appliance.
Step 5
Return to the CLI session on the source appliance, where the clonesource command is still waiting for input. Enter the name of the part1.file file you copied from the target appliance and press Enter. This generates the part2.file file.
Step 6
Use FTP to copy the part2.file file from the source appliance to the target appliance.
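Added example (not part of the Cisco guide): a POSIX shell helper that performs the file handoffs of steps 2, 4 and 6 in the direction the procedure prescribes, refuses to proceed when the expected file is missing or empty, and confirms that the copied file's SHA-256 matches on both sides. The appliances' FTP root directories are stood in for by local paths SRC_ROOT and TGT_ROOT and the FTP transfer by cp; both are assumptions, so substitute your FTP client in copy_file.

```shell
#!/bin/sh
# Added example, not from the Cisco guide: gate each handoff of the HSM
# master-key cloning procedure on the expected file being present and intact.
# SRC_ROOT / TGT_ROOT stand in for the FTP root directories of the source and
# target appliances (hypothetical local paths); cp stands in for the FTP copy.

# Print the SHA-256 of a file (falls back to shasum where sha256sum is absent).
digest() {
  if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1" | cut -d' ' -f1
  else shasum -a 256 "$1" | cut -d' ' -f1; fi
}

# copy_file FROM_ROOT TO_ROOT NAME: refuse to proceed on a missing or empty
# file, copy it, then confirm the digest matches on both sides.
copy_file() {
  from="$1/$3"; to="$2/$3"
  [ -s "$from" ] || { echo "handoff blocked: $from missing or empty" >&2; return 1; }
  cp "$from" "$to" || return 1
  [ "$(digest "$from")" = "$(digest "$to")" ] \
    || { echo "digest mismatch for $3 after copy" >&2; return 1; }
  echo "$3 copied, sha256=$(digest "$to")"
}

# handoff STEP SRC_ROOT TGT_ROOT: run the copy that the named step of the
# procedure requires, in the direction the procedure prescribes.
handoff() {
  case "$1" in
    2) copy_file "$2" "$3" twc.file ;;    # step 2: source -> target
    4) copy_file "$3" "$2" part1.file ;;  # step 4: target -> source
    6) copy_file "$2" "$3" part2.file ;;  # step 6: source -> target
    *) echo "no file handoff in step $1" >&2; return 2 ;;
  esac
}

# Usage: HSM_STEP=2 SRC_ROOT=/path/src TGT_ROOT=/path/tgt sh clone_handoff.sh
if [ -n "${HSM_STEP:-}" ]; then
  handoff "$HSM_STEP" "$SRC_ROOT" "$TGT_ROOT"
fi
```

Run the script once after each CLI step that produces a file, leaving both SSH sessions open as the procedure requires; a blocked handoff means the preceding CLI step has not yet written its file.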