Cisco Email Security Appliance C160 User Guide
Chapter 1 FIPS Management
Cisco IronPort AsyncOS 7.3 for Email Advanced Configuration Guide
OL-23081-01
Note
Cisco recommends you clone the master keys immediately after the HSM card is
initialized.
To clone the master key between a source and target HSM card, you need to have
access to the following:
• SSH session to the source HSM card machine and another SSH session to the
  target HSM card machine. Each SSH session needs to remain open during the
  process. You can run the SSH sessions from the same local machine or
  different local machines.
• FTP session to the source and target HSM card machines. You must run the
  FTP sessions from the same local machine so you can copy files between the
  source and target machines.
To clone the master key between HSM cards:
Step 1
Open an SSH session to the source Email Security appliance and run the
fipsconfig > clonesource CLI command. This command creates the Token
Wrapping Certificate (TWC) file (twc.file). The CLI command prompts you to
enter the name of the part1.file file. Do not enter anything yet. Keep the CLI
session open.
Step 2
Use FTP to copy the TWC file from the source appliance in Step 1 to the target
appliance. The TWC file is located in the FTP root directory.
Step 3
Open an SSH session to the target Email Security appliance and run the
fipsconfig > clonetarget CLI command. Enter the name of the TWC file
(twc.file by default) and press Enter. This command generates the key.file and
part1.file using the twc.file copied from the source appliance in Step 2. The
command prompts you to enter the name of the part2.file file. Do not enter
anything yet. Keep the CLI session open.
Step 4
Use FTP to copy part1.file from the target appliance to the source appliance.
Step 5
Return to the CLI session for the source appliance that has the open CLI
command. Enter the name of the part1.file file you copied from the target
appliance and press Enter. This generates the part2.file file.
Step 6
Use FTP to copy the part2.file file from the source appliance to the target
appliance.
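One way to script the FTP copies in Steps 2, 4 and 6 from a single local machine, as an added example that is not part of the Cisco guide: each file is relayed in memory, read back from the destination and compared before you answer the waiting CLI prompt. The host names, the admin login and the assumption that part1.file and part2.file also sit in the FTP root directory are not from the guide.

```python
import getpass
import hashlib
import io
from ftplib import FTP

# Relay order from Steps 2, 4 and 6: step -> (file name, origin, destination).
TRANSFERS = {
    2: ("twc.file", "source", "target"),
    4: ("part1.file", "target", "source"),
    6: ("part2.file", "source", "target"),
}

def fetch(ftp, name):
    """Download one file from the FTP root directory into memory."""
    buf = io.BytesIO()
    ftp.retrbinary(f"RETR {name}", buf.write)
    return buf.getvalue()

def relay(src, dst, name):
    """Copy name from src to dst in binary mode, read it back, return its SHA-256.

    Raises ValueError if the file is empty or the copy on dst differs."""
    data = fetch(src, name)
    if not data:
        raise ValueError(f"{name} is empty on the origin appliance")
    dst.storbinary(f"STOR {name}", io.BytesIO(data))
    if fetch(dst, name) != data:
        raise ValueError(f"{name} on the destination differs from the original")
    return hashlib.sha256(data).hexdigest()

def relay_step(step, conns):
    """Run the copy for Step 2, 4 or 6; conns maps 'source'/'target' to FTP sessions."""
    name, origin, dest = TRANSFERS[step]
    return name, relay(conns[origin], conns[dest], name)

if __name__ == "__main__":
    # Hypothetical host names and user name; replace with your appliances.
    hosts = {"source": "esa-source.example.com", "target": "esa-target.example.com"}
    conns = {}
    for role, host in hosts.items():
        conns[role] = FTP(host)
        conns[role].login("admin", getpass.getpass(f"{role} FTP password: "))
    for step in (2, 4, 6):
        input(f"When the file for Step {step} exists, press Enter to copy it ")
        print("Step", step, *relay_step(step, conns))
```

Nothing is written to the local disk, so no copy of the cloning files is left on the machine that runs the script.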