Cisco Web Security Appliance S160 User Guide

AsyncOS 8.5 for Cisco Web Security Appliances User Guide
 
Chapter 21  Perform System Administration Tasks
FIPS Compliance
FIPS Certificate Requirements
FIPS mode requires that all enabled encryption services on the Web Security appliance use a FIPS-compliant certificate. This applies to the following encryption services:
- HTTPS Proxy
- Authentication
- Identity Provider for SaaS
- Appliance Management HTTPS Service

Note: The Appliance Management HTTPS Service must be enabled before FIPS mode can be enabled. The other encryption services need not be enabled.
A FIPS-compliant certificate must meet these requirements:

Certificate | Algorithm | Bit Key Size | Signature Algorithm | Notes
X509 | RSA | 1024, 2048, 3072, or 4096 | sha1WithRSAEncryption | Cisco recommends a bit key size of 1024 for best decryption performance and sufficient security. A larger bit size will increase security, but impact decryption performance.
 | DSA | 1024 | dsaWithSHA1 |

Enabling or Disabling FIPS Mode

Before You Begin
Ensure the certificates to be used in FIPS mode use FIPS 140-2 approved public key algorithms (see ).

Note: Changing the FIPS mode initiates a reboot of the appliance.

Step 1  Choose System Administration > FIPS Mode.
Step 2  Click Edit Settings.
Step 3  Check or uncheck the Enable FIPS Level 1 Compliance check box.
Step 4  Click Submit.
Step 5  Click Continue to allow the appliance to reboot.
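
One way to carry out the Before You Begin check against the certificate requirements table above, as an added example that is not part of the Cisco guide. The names fips_cert_check and sample_dump and the sample dumps are constructed for illustration, and the function assumes the layout of `openssl x509 -noout -text` output, including a `Public-Key: (N bit)` line.

```shell
#!/bin/sh
# Usage (cert.pem is a placeholder): openssl x509 -in cert.pem -noout -text | fips_cert_check
# Prints "OK: ..." and returns 0, or prints "FAIL: ..." and returns 1.
fips_cert_check() {
    dump=$(cat)
    # Public key algorithm, e.g. rsaEncryption or dsaEncryption
    alg=$(printf '%s\n' "$dump" | sed -n 's/^ *Public Key Algorithm: *//p' | head -n 1)
    # Key size from "Public-Key: (2048 bit)"; some builds print "RSA Public-Key:"
    bits=$(printf '%s\n' "$dump" | sed -n 's/^.*Public-Key: (\([0-9][0-9]*\) bit).*$/\1/p' | head -n 1)
    # Certificate signature algorithm (first occurrence in the dump)
    sig=$(printf '%s\n' "$dump" | sed -n 's/^ *Signature Algorithm: *//p' | head -n 1)
    case "$alg" in
        rsaEncryption)
            want_sig=sha1WithRSAEncryption
            case "$bits" in
                1024|2048|3072|4096) ;;
                *) echo "FAIL: RSA key size '$bits' is not 1024, 2048, 3072 or 4096"; return 1 ;;
            esac ;;
        dsaEncryption)
            want_sig=dsaWithSHA1
            [ "$bits" = 1024 ] || { echo "FAIL: DSA key size '$bits' is not 1024"; return 1; } ;;
        *)
            echo "FAIL: public key algorithm '$alg' is not RSA or DSA"; return 1 ;;
    esac
    [ "$sig" = "$want_sig" ] || { echo "FAIL: signature algorithm '$sig', table lists $want_sig"; return 1; }
    echo "OK: $alg $bits bit, $sig"
}

# Constructed sample input: trimmed text dumps of hypothetical certificates.
sample_dump() {   # $1 = signature algorithm, $2 = key algorithm, $3 = key bits
    cat <<EOF
Certificate:
    Data:
        Signature Algorithm: $1
        Subject Public Key Info:
            Public Key Algorithm: $2
                Public-Key: ($3 bit)
EOF
}

sample_dump sha1WithRSAEncryption rsaEncryption 2048 | fips_cert_check
sample_dump sha256WithRSAEncryption rsaEncryption 2048 | fips_cert_check || true
```

Because changing the FIPS mode reboots the appliance, running this against each certificate used by an enabled encryption service catches a mismatch with the table before Step 1.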