Cisco Email Security Appliance X1070 User Guide
Cisco IronPort AsyncOS 7.3 for Email Advanced Configuration Guide
OL-23081-01
Chapter 1 FIPS Management
AsyncOS restricts the following CLI commands when the Email Security appliance is in FIPS compliance mode:
• certconfig. The certificate subcommand only prints the certificates assigned to services. The certauthority subcommand has no restrictions.
• domainkeysconfig. The key subcommand is restricted to the publickey, print, and list operations. The profiles subcommand does not allow the generation of keys interactively.
• sslconfig. This command only prints the configured settings.
• loadconfig. AsyncOS ignores any certificate and key pairs or signing keys found in an uploaded XML file.
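A pre-flight check for the loadconfig restriction above, as an added example that is not part of the Cisco guide: it reports where a configuration XML file carries certificates or private keys, the kind of material the guide says is ignored on upload in FIPS mode. It assumes key material is stored as PEM blocks in element text; the element names in the sample are invented for the example and are not the AsyncOS schema.

```python
import re
import xml.etree.ElementTree as ET

# PEM armor: "-----BEGIN <label>-----" ... "-----END <label>-----" (same label).
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----.*?-----END \1-----", re.DOTALL)

def classify(label):
    """Map a PEM label to the kind of material it carries."""
    if "PRIVATE KEY" in label:
        return "private-key"
    if label in ("CERTIFICATE", "X509 CERTIFICATE", "TRUSTED CERTIFICATE"):
        return "certificate"
    return "other"

def find_key_material(xml_text):
    """Return (element path, kind) for every PEM block in the document.

    Only the location and kind are reported; key bytes are never echoed.
    """
    findings = []

    def walk(elem, path):
        here = f"{path}/{elem.tag}"
        for m in PEM_BLOCK.finditer(elem.text or ""):
            findings.append((here, classify(m.group(1))))
        for child in elem:
            walk(child, here)

    walk(ET.fromstring(xml_text), "")
    return findings

# Constructed sample: element names and PEM bodies are placeholders (assumption).
SAMPLE_CONFIG = """<config>
  <hostname>esa01.example.test</hostname>
  <tls_profile>
    <cert>-----BEGIN CERTIFICATE-----
PLACEHOLDER
-----END CERTIFICATE-----</cert>
    <key>-----BEGIN RSA PRIVATE KEY-----
PLACEHOLDER
-----END RSA PRIVATE KEY-----</key>
  </tls_profile>
  <signing_key>-----BEGIN PRIVATE KEY-----
PLACEHOLDER
-----END PRIVATE KEY-----</signing_key>
</config>"""

if __name__ == "__main__":
    for path, kind in find_key_material(SAMPLE_CONFIG):
        print(f"{kind:12} {path}")
```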
Working with Multiple Email Security Appliances with HSM Cards
When you initialize an HSM card, the card generates a new master key. If you want to transfer certificates or signing keys from one Email Security appliance to another, you must first clone the master key from one HSM card (the source appliance) to another HSM card (the target appliance). Certificates and keys generated on one Email Security appliance will not work on another appliance if the HSM cards have different master keys. Cloning the master key allows appliances to share certificates and keys.
If you are clustering appliances, you might want to clone the master key between HSM cards if you want the clustered appliances to use the same certificates for TLS and HTTPS connections.
Table 1-1 fipsconfig Subcommands (Continued)

fipsconfig Subcommand    Description
restore                  Restores certificates and keys from an XML file to the HSM card. For more information, see .
passwd                   Changes the FIPS Officer password.