Cisco Cisco Email Security Appliance C160 Mode D'Emploi
26-2
Cisco AsyncOS 8.5.6 for Email User Guide
Chapter 26 FIPS Management
Switching the Appliance to FIPS Mode
•
Web interface. HTTPS sessions to the Email Security appliance’s web interface use TLS version 1
and FIPS cipher suites. This also includes HTTPS sessions to the IronPort Spam Quarantine and
other IP interfaces. You cannot change these values using
and FIPS cipher suites. This also includes HTTPS sessions to the IronPort Spam Quarantine and
other IP interfaces. You cannot change these values using
sslconfig
when in FIPS mode.
•
Certificates. FIPS mode restricts the kinds of certificates used by the appliances. Certificates must
use one of the following signature algorithms: SHA-1, SHA-224, SHA-256, SHA-384, and
SHA-512. The appliance will not import certificates that do not use one of these algorithms. The
appliance cannot be switched to FIPS mode if it has any non-compliant certificates in use. It will
displays an error message instead. See
use one of the following signature algorithms: SHA-1, SHA-224, SHA-256, SHA-384, and
SHA-512. The appliance will not import certificates that do not use one of these algorithms. The
appliance cannot be switched to FIPS mode if it has any non-compliant certificates in use. It will
displays an error message instead. See
information.
•
DKIM signing and verification. RSA keys used for DKIM signatures and verification must be
1024, 1536, or 2048 bits in length. The appliance cannot be switched to FIPS mode if it has any
non-compliant RSA keys in use. It will displays an error message instead. When verifying a DKIM
signature, the appliance returns a permanent failure if the signature does not use a FIPS-compliant
key. See
1024, 1536, or 2048 bits in length. The appliance cannot be switched to FIPS mode if it has any
non-compliant RSA keys in use. It will displays an error message instead. When verifying a DKIM
signature, the appliance returns a permanent failure if the signature does not use a FIPS-compliant
key. See
•
LDAPS. TLS transactions between the Email Security appliance and LDAP servers, including using
an LDAP server for external authentication, use TLS version 1 and FIPS cipher suites. If the LDAP
server uses MD5 hashes to store passwords, the SMTP authentication query will fail because MD5
is not FIPS-compliant.
an LDAP server for external authentication, use TLS version 1 and FIPS cipher suites. If the LDAP
server uses MD5 hashes to store passwords, the SMTP authentication query will fail because MD5
is not FIPS-compliant.
•
Logs. SSH2 is the only allowed protocol for pushing logs via SCP. For error messages related to
FIPS management, read the FIPS Logs at the INFO level.
FIPS management, read the FIPS Logs at the INFO level.
•
Console serial port. If you are accessing an Email Security appliance via a serial connection, the
session times out 30 minutes after the connection to the Serial Console port is terminated.
session times out 30 minutes after the connection to the Serial Console port is terminated.
•
Centralized Management. For clustered appliances, FIPS mode can only be turned on at the cluster
level.
level.
Switching the Appliance to FIPS Mode
AsyncOS for Email includes the
fipsconfig
CLI command to switch the appliance over to FIPS mode.
You also use the
fipsconfig
CLI command to switch the appliance back to non-FIPS mode. Only
administrators can use this command.
The appliance displays a warning if there are any non-FIPS compliant certificates or DKIM keys in use.
You cannot switch the appliance to FIPS mode until you remove these keys and certificates.
You cannot switch the appliance to FIPS mode until you remove these keys and certificates.
A reboot is required after switching the appliance from non-FIPS mode to FIPS mode or from FIPS mode
to non-FIPS mode.
to non-FIPS mode.
AsyncOS restricts the sslconfig command to only printing tis configured settings when the appliance is
in FIPS mode.
in FIPS mode.
Managing Certificates and Keys
AsyncOS allows you to encrypt communications between the appliance and external machines by using
a certificate and private key pair. You can upload an existing certificate and key pair, generate a
self-signed certificate, or generate a Certificate Signing Request (CSR) to submit to a certificate
authority to obtain a public certificate. The certificate authority will return a trusted public certificate
signed by a private key that you can then upload onto the appliance.
a certificate and private key pair. You can upload an existing certificate and key pair, generate a
self-signed certificate, or generate a Certificate Signing Request (CSR) to submit to a certificate
authority to obtain a public certificate. The certificate authority will return a trusted public certificate
signed by a private key that you can then upload onto the appliance.
When the appliance is in FIPS mode, you can continue to