Cisco Email Security Appliance X1070 User Guide
User Guide for AsyncOS 9.8 for Cisco Email Security Appliances
Chapter 29 FIPS Management
Before You Begin
Make sure that the appliance does not have any objects that are not FIPS compliant, for example, a DKIM
verification profile with a key size of 512 bits. To enable FIPS mode, you must modify all the
non-FIPS-compliant objects to meet FIPS requirements. See
. For instructions to check if your appliance contains non-FIPS-compliant objects, see
Procedure
mail.example.com> fipsconfig
FIPS mode is currently disabled.
Choose the operation you want to perform:
- SETUP - Configure FIPS mode.
- FIPSCHECK - Check for FIPS mode compliance.
[]> setup
To finalize FIPS mode, the appliance will reboot immediately. No commit will be required.
Are you sure you want to enable FIPS mode and reboot now ? [N]> y
Do you want to enable encryption of sensitive data in configuration file when FIPS mode is
enabled? Changing the value will result in system reboot [N]> n
Enter the number of seconds to wait before forcibly closing connections.
[30]>
System rebooting. Please wait while the queue is being closed...
Closing CLI connection.
Rebooting the system...
Note
When you disable FIPS mode on your appliance, by default, the SSL configuration is set to TLS v1.0
and SSL v3. If you want to use a higher version of TLS, you must manually configure it using the System
Administration > SSL Configuration page or the sslconfig command in CLI.
Encrypting Sensitive Data in FIPS Mode
Use the fipsconfig command to encrypt sensitive data, such as passwords and keys, in your appliance.
If you enable this option,
• The following critical security parameters in your appliance are encrypted and stored:
  – Certificate private keys
  – RADIUS passwords
  – LDAP bind passwords
  – Local users' password hashes
  – SNMP password
  – DK/DKIM signing keys
  – Outgoing SMTP authentication passwords
  – PostX encryption keys
  – PostX encryption proxy password