Cisco Web Security Appliance S170 User Guide
Cisco IronPort AsyncOS 7.5.7 for Web User Guide
Chapter 5 FIPS Management
Understanding How FIPS Management Works
• Web interface. This applies to HTTPS sessions to the Web Security appliance management interface for administering the appliance using the web interface. You can upload a certificate and key pair using the fipsconfig > certconfig CLI command.
Note
To connect to the web interface for managing the appliance, you must use HTTPS. HTTP access to the web interface is not supported.
• HTTPS Proxy. This applies to HTTPS transactions clients make to HTTPS web servers when the HTTPS Proxy decrypts the transaction to act as the “man in the middle.” You can upload or generate a certificate and key pair in the web interface. If you have multiple FIPS-compliant Web Security appliances that will decrypt HTTPS transactions, you might want to clone the master key on the HSM card of each appliance. For more information, see .
• Secure authentication. This applies to HTTPS transactions between the Web Proxy and clients used for transmitting client authentication credentials. For example, this occurs when you enable credential encryption. You can upload a certificate and key pair in the web interface.
Note
The only SSL version that AsyncOS for Web supports is TLS version 1.
Someone within your organization should be designated as the FIPS Officer. The FIPS Officer is responsible for managing the certificate and keys on the HSM card. For more information, see
AsyncOS for Web provides a FIPS management console where the FIPS Officer manages all certificates and keys on the HSM card. Access the FIPS management console from the FIPS Mode > FIPS Management page. For more information, see
Because all certificate and key pairs are managed in the FIPS management console, you cannot upload or generate certificate and key pairs elsewhere in the web interface. For example, to enable the HTTPS Proxy, you must first upload or generate a certificate and key pair in the FIPS management console and then go to the Security Services > HTTPS Proxy page to enable the HTTPS Proxy. You cannot upload or generate a certificate and key pair on the Security Services > HTTPS Proxy page.
Note
Enabling FIPS mode limits the cipher suites the Web Security appliance uses when connecting to destination web servers. This may prevent connectivity to web servers which do not implement ciphers required by FIPS.
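The note above is the one that bites in practice: after FIPS mode is enabled, some destination web servers stop negotiating with the appliance. The following script is an added example, not part of this guide or of AsyncOS; it is a pre-deployment check an administrator can run from a workstation to see which destination servers still accept a FIPS-style restricted cipher list. It assumes Python's `ssl` module on an OpenSSL-backed build; the cipher string `FIPS_LIKE_CIPHER_STRING` and the marker list are an approximation of the FIPS restriction (the guide does not list the exact suites the appliance uses), and the function names (`fips_like_context`, `restricted_cipher_names`, `is_fips_like`, `probe_server`) are hypothetical.

```python
"""Estimate which destination web servers remain reachable once the appliance's
cipher suites are restricted by FIPS mode (added example, not Cisco code)."""
import socket
import ssl
import sys

# Constructed approximation of a FIPS-restricted OpenSSL cipher string (assumption):
# AES-based suites only; anonymous, NULL, MD5 and RC4 suites excluded.
FIPS_LIKE_CIPHER_STRING = "AES:!aNULL:!eNULL:!MD5:!RC4"

# Substrings that mark a suite as outside the approximated FIPS set (assumption).
NON_APPROVED_MARKERS = ("RC4", "MD5", "DES", "NULL", "EXP", "ADH", "AECDH",
                        "CHACHA", "CAMELLIA", "SEED", "ARIA")


def is_fips_like(cipher_name: str) -> bool:
    """Classify an OpenSSL-style cipher suite name under the approximated FIPS rule."""
    upper = cipher_name.upper()
    return "AES" in upper and not any(m in upper for m in NON_APPROVED_MARKERS)


def fips_like_context(tls10_only: bool = False) -> ssl.SSLContext:
    """Build a client context restricted the way the appliance is after FIPS mode.

    tls10_only mirrors the guide's statement that the appliance only speaks TLS 1.0;
    modern OpenSSL builds may refuse TLS 1.0 at their default security level.
    """
    ctx = ssl.create_default_context()
    ctx.set_ciphers(FIPS_LIKE_CIPHER_STRING)
    if tls10_only:
        ctx.minimum_version = ssl.TLSVersion.TLSv1
        ctx.maximum_version = ssl.TLSVersion.TLSv1
    return ctx


def restricted_cipher_names(ctx: ssl.SSLContext = None) -> list:
    """List the suites the restricted context will offer.

    TLS 1.3 suites are not governed by set_ciphers(), so they are filtered here
    through is_fips_like() as well.
    """
    ctx = ctx or fips_like_context()
    return [c["name"] for c in ctx.get_ciphers() if is_fips_like(c["name"])]


def probe_server(host: str, port: int = 443, timeout: float = 5.0,
                 tls10_only: bool = False) -> dict:
    """Try a handshake with the restricted cipher list and report the outcome.

    A failed handshake here predicts the connectivity loss the guide warns about.
    """
    ctx = fips_like_context(tls10_only)
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                name, version, _bits = tls.cipher()
                return {"host": host, "ok": True, "cipher": name, "version": version}
    except (OSError, ssl.SSLError) as exc:
        return {"host": host, "ok": False, "error": str(exc)}


if __name__ == "__main__":
    # Usage: python fips_probe.py www.example.com intranet.example.net
    # With no hosts given, print the restricted suite list instead.
    hosts = sys.argv[1:]
    if not hosts:
        for name in restricted_cipher_names():
            print(name)
    for h in hosts:
        result = probe_server(h)
        status = "OK  " if result["ok"] else "FAIL"
        detail = result.get("cipher") or result.get("error")
        print(f"{status} {h}: {detail}")
```

Run it against the list of destination servers that matter to your users before enabling FIPS mode; every `FAIL` line is a server to exempt from decryption, upgrade, or raise with its owner. The probe uses the workstation's OpenSSL, not the appliance's HSM-backed stack, so treat a pass as a strong indication rather than proof.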
Initializing the HSM Card
If you need to erase the keys stored on the HSM card, you can initialize the HSM card. Initializing the HSM card performs the following functions:
• Resets the FIPS Officer password to the default value.
• Erases all existing keys stored on the HSM card and erases all corresponding certificates stored on the appliance hard drive.
• Disables the HTTPS Proxy and credential encryption.
• Sends an email alert to the Web Security appliance administrator users to report the initialization.