Cisco Email Security Appliance C680 User Guide

Chapter 1      FIPS Management
1-2
Cisco IronPort AsyncOS 7.3 for Email Advanced Configuration Guide
OL-23081-01
The HSM card is a type of secure cryptoprocessor designed to manage digital keys for server applications. It is responsible for storing and protecting the cryptographic keys. The Email Security appliance offloads cryptographic operations to the HSM card in a FIPS-compliant manner.

The Cisco IronPort Email Security appliance’s HSM card is the CAVIUM Nitrox XL CN15xx-NFBE Cryptographic Module. According to FIPS certificate no. 1360, the module has been validated to FIPS 140-2 Level 2.
Note
While you can use a Security Management appliance that does not have a FIPS-compliant HSM card to provide centralized services for the Email Security appliance, doing so may bring the HSM card out of FIPS compliance.
Understanding How FIPS Management Works
The HSM card performs all cryptographic operations and stores and protects all cryptographic keys. The HSM card only stores keys, not the corresponding certificates. Certificates are stored on the Email Security appliance hard drive.

The HSM card stores keys for the following components:

  • SSH. This applies to SSH sessions to the Email Security appliance management interface for administering the appliance using the CLI. The SSH keys are automatically generated when you initialize the HSM.

  • Web interface. This applies to HTTPS sessions to the Email Security appliance management interface for administering the appliance using the web interface, as well as HTTPS sessions to the IronPort Spam Quarantine and other IP interfaces. You can upload or generate a certificate and key pair using the fipsconfig > certconfig CLI command or the FIPS Management page in the web interface.

  • SMTP receiving and delivery. This applies to incoming and outgoing SMTP conversations over TLS between a public listener on the Email Security appliance and a remote host. You assign a certificate to a listener and enable TLS in a listener’s HAT for inbound (receiving) or outbound (sending) email. You can upload or generate a certificate and key pair using the FIPS Management page in the web interface or the fipsconfig > certconfig CLI command.
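Because the HSM holds only the private keys while the certificates you upload or generate live on the appliance disk, a practical check after initializing the HSM and assigning certificates is to confirm, from a management host, that each interface actually presents the expected certificate and that the regenerated SSH host key has been recorded. The script below is an added example, not part of the Cisco guide; it assumes the openssl command-line tool (and ssh-keyscan/ssh-keygen for the SSH check) on the management host, and the hostnames, ports and file names in the usage comments are placeholders for your own appliance.

```shell
#!/bin/sh
# Added example (not from the Cisco guide). Verifies that the web interface and
# an SMTP listener present the certificate you assigned to them, and records the
# SSH host key fingerprint after HSM initialization. Assumes the openssl CLI;
# ssh-keyscan/ssh-keygen are only needed for ssh_hostkey_fingerprint.
# Hostnames, ports and file names in the usage notes are placeholders.

# SHA-256 fingerprint (colon-separated hex) of the first certificate in a PEM file.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 2>/dev/null | sed 's/^[^=]*=//'
}

# Fetch the leaf certificate an interface presents and write it as PEM to stdout.
#   $1 = host:port      $2 = optional STARTTLS protocol ("smtp" for a listener)
fetch_presented_cert() {
    if [ -n "$2" ]; then
        openssl s_client -connect "$1" -starttls "$2" </dev/null 2>/dev/null
    else
        openssl s_client -connect "$1" </dev/null 2>/dev/null
    fi | openssl x509 -outform PEM
}

# Compare the certificate you uploaded/generated ($1, PEM) with the certificate
# actually presented ($2, PEM). Returns 0 on match; non-zero on mismatch or when
# either file cannot be parsed as a certificate.
fingerprints_match() {
    expected=$(cert_fingerprint "$1")
    presented=$(cert_fingerprint "$2")
    [ -n "$expected" ] && [ "$expected" = "$presented" ]
}

# The guide notes that the SSH keys are generated when the HSM is initialized,
# so administrators' known_hosts entries change: capture the new fingerprint.
ssh_hostkey_fingerprint() {
    ssh-keyscan "$1" 2>/dev/null | ssh-keygen -lf -
}

# Usage (placeholder hostname and file names):
#   fetch_presented_cert esa.example.test:443 > presented-web.pem
#   fingerprints_match web-cert.pem presented-web.pem && echo "web interface OK"
#   fetch_presented_cert esa.example.test:25 smtp > presented-smtp.pem
#   fingerprints_match listener-cert.pem presented-smtp.pem && echo "listener OK"
#   ssh_hostkey_fingerprint esa.example.test
```

Run the web and listener checks against each IP interface that has a certificate assigned; a mismatch after a certificate change usually means the new pair was uploaded but not yet assigned to that interface or listener.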