Cisco IronPort AsyncOS 7.3 for Email Advanced Configuration Guide
OL-23081-01
Chapter 24 FIPS Management
• LDAPS. TLS transactions between the Email Security appliance and LDAP servers, including using an LDAP server for external authentication, use TLS version 1 and FIPS cipher suites. If the LDAP server uses MD5 hashes to store passwords, the SMTP authentication query will fail because MD5 is not FIPS-compliant.
• Logs. SSH2 is the only allowed protocol for pushing logs via SCP. For error messages related to FIPS management, read the FIPS Logs at the INFO level.
• Console serial port. If you are accessing an Email Security appliance via a serial connection, the session times out 30 minutes after the connection to the Serial Console port is terminated.
• Centralized Management. For clustered appliances, FIPS mode can only be turned on at the cluster level.
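The LDAPS item above says the SMTP authentication query fails when the LDAP server stores passwords as MD5 hashes. Before turning on FIPS mode it is therefore worth auditing an LDIF export of the directory (for example from slapcat or ldapsearch) for userPassword values that use an MD5-based scheme. The following is an added example written for this page, not Cisco code and not an AsyncOS feature: it parses LDIF, including base64 ("::") values and folded continuation lines, and reports every entry whose password scheme is MD5-based. The sample LDIF is constructed, the hash bodies are placeholders, and treating the salted {SMD5} variant the same as {MD5} is an assumption (the guide names only MD5).

```python
"""FIPS pre-flight check for the LDAP side of SMTP authentication.

Added example, not Cisco code.  Scans an LDIF export for userPassword
values stored with an MD5-based scheme, which the guide says AsyncOS in
FIPS mode cannot verify.  The sample export below is constructed.
"""
import base64
import re

# RFC 2307 style scheme prefixes.  The guide names only MD5; treating the
# salted {SMD5} variant the same way is an assumption (it is still MD5).
NON_FIPS_SCHEMES = {"MD5", "SMD5"}

_SCHEME_RE = re.compile(r"^\{([A-Za-z0-9-]+)\}")


def parse_ldif(text):
    """Return a list of (dn, {attr: [values]}) records from an LDIF string.

    Handles base64 values ('attr:: ...'), folded continuation lines (a line
    starting with one space continues the previous line) and '#' comments.
    Attribute names are lower-cased; a leading 'version:' line is ignored.
    """
    unfolded = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]
        else:
            unfolded.append(raw)

    records, current = [], {}
    for line in unfolded + [""]:          # sentinel blank line flushes the last record
        if not line.strip():
            if current:
                dn = current.pop("dn", [""])[0]
                records.append((dn, current))
                current = {}
            continue
        if line.startswith("#") or line.lower().startswith("version:"):
            continue
        name, sep, value = line.partition(":")
        if not sep:
            continue                      # malformed line, skip it
        if value.startswith(":"):         # 'attr:: <base64>'
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        else:
            value = value.strip()
        current.setdefault(name.strip().lower(), []).append(value)
    return records


def password_scheme(value):
    """'{SSHA}abc' -> 'SSHA'; a value without a scheme prefix -> None."""
    m = _SCHEME_RE.match(value)
    return m.group(1).upper() if m else None


def audit_ldif(text):
    """Return [(dn, scheme)] for every userPassword whose scheme is MD5-based."""
    findings = []
    for dn, attrs in parse_ldif(text):
        for pw in attrs.get("userpassword", []):
            scheme = password_scheme(pw)
            if scheme in NON_FIPS_SCHEMES:
                findings.append((dn, scheme))
    return findings


def _b64(s):
    return base64.b64encode(s.encode()).decode()


# Constructed sample export (hash bodies are placeholder text, not real digests).
SAMPLE_LDIF = "\n".join([
    "version: 1",
    "dn: uid=alice,ou=people,dc=example,dc=com",
    "objectClass: inetOrgPerson",
    "uid: alice",
    "userPassword:: " + _b64("{SSHA}c2FsdGVkLXNoYTEtcGxhY2Vob2xkZXI="),
    "",
    "dn: uid=bob,ou=people,dc=example,dc=com",
    "uid: bob",
    "userPassword:: " + _b64("{MD5}bWQ1LXBsYWNlaG9sZGVy"),
    "",
    "dn: uid=carol,ou=people,dc=example,dc=com",
    "uid: carol",
    "# the next value is folded across two lines",
    "userPassword: {SMD5}c2FsdGVkLW1kNS1w",
    " bGFjZWhvbGRlcg==",
    "",
    "dn: uid=svc-esa,ou=people,dc=example,dc=com",
    "uid: svc-esa",
    "userPassword: plaintext-no-scheme",
    "",
])

if __name__ == "__main__":
    for dn, scheme in audit_ldif(SAMPLE_LDIF):
        print(f"{dn}: userPassword uses {{{scheme}}}, SMTP auth will fail in FIPS mode")
```

Run it against a real export with `audit_ldif(open("export.ldif").read())`. Entries it reports need their passwords re-hashed with a scheme the LDAP server supports and that is not MD5-based before the appliance is switched with fipsconfig; entries with no scheme prefix are not flagged because the guide says nothing about them.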
Switching the Appliance to FIPS Mode
AsyncOS for Email includes the fipsconfig CLI command to switch the appliance over to FIPS mode. You also use the fipsconfig CLI command to switch the appliance back to non-FIPS mode. Only administrators can use this command.
The appliance displays a warning if there are any non-FIPS compliant certificates or DKIM keys in use. You cannot switch the appliance to FIPS mode until you remove these keys and certificates.
A reboot is required after switching the appliance from non-FIPS mode to FIPS mode or from FIPS mode to non-FIPS mode.
When the appliance is in FIPS mode, AsyncOS restricts the sslconfig command to printing its configured settings; the SSL/TLS settings cannot be changed with it while FIPS mode is on.
Managing Certificates and Keys
AsyncOS allows you to encrypt communications between the appliance and external machines by using a certificate and private key pair. You can upload an existing certificate and key pair, generate a self-signed certificate, or generate a