Cisco Web Security Appliance S170 User Guide
Chapter 5: FIPS Management
Working with Multiple HSM Cards
When client HTTPS traffic might be processed by any of several Web Security appliances, the
client applications need to be able to recognize the signing certificate used on each Web
Security appliance when it mimics HTTPS servers for decrypting traffic. Optionally, you can
ensure that each appliance uses the same signing certificate for decrypting HTTPS traffic by
uploading the same certificate and key to each appliance.
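A practical way to confirm that every appliance is presenting the same signing certificate is to export the HTTPS decryption certificate from each one and compare SHA-256 fingerprints. The following Python script is an added example, not Cisco code and not part of this guide; it uses only the standard library and computes the same fingerprint value that `openssl x509 -fingerprint -sha256` reports. The appliance names and PEM bodies are constructed placeholders (the PEM payloads are arbitrary bytes, not real X.509 certificates), so it runs offline; in use you would paste the certificate downloaded from each appliance.

```python
import base64
import hashlib
import re

# Matches one PEM certificate block; re.S lets the body span lines.
PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S
)


def pem_to_der(pem_text: str) -> bytes:
    """Return the DER bytes of the first CERTIFICATE block in a PEM string.
    Raises ValueError if the armor is missing or the body is not valid base64."""
    match = PEM_RE.search(pem_text)
    if not match:
        raise ValueError("no CERTIFICATE block found")
    body = "".join(match.group(1).split())  # drop line breaks inside the body
    return base64.b64decode(body, validate=True)


def fingerprint_sha256(pem_text: str) -> str:
    """Colon-separated, upper-case SHA-256 fingerprint of the DER encoding."""
    digest = hashlib.sha256(pem_to_der(pem_text)).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def check_signing_certs(exports: dict) -> dict:
    """Fingerprint each appliance's exported signing certificate and list the
    appliances whose certificate differs from the first appliance's."""
    fps = {name: fingerprint_sha256(pem) for name, pem in exports.items()}
    reference = next(iter(fps.values()))
    mismatched = sorted(name for name, fp in fps.items() if fp != reference)
    return {"fingerprints": fps, "reference": reference, "mismatched": mismatched}


def _constructed_pem(payload: bytes) -> str:
    """Build a PEM-armored block around constructed bytes (not a real cert)."""
    b64 = base64.b64encode(payload).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return ("-----BEGIN CERTIFICATE-----\n" + "\n".join(lines)
            + "\n-----END CERTIFICATE-----\n")


# Constructed sample: wsa-1 and wsa-2 were given the same certificate and key,
# wsa-3 still has its own. Appliance names are hypothetical.
SAME = _constructed_pem(b"constructed signing cert bytes shared by wsa-1 and wsa-2")
OTHER = _constructed_pem(b"constructed signing cert bytes unique to wsa-3")
SAMPLE_EXPORTS = {"wsa-1": SAME, "wsa-2": SAME, "wsa-3": OTHER}

if __name__ == "__main__":
    result = check_signing_certs(SAMPLE_EXPORTS)
    for name, fp in result["fingerprints"].items():
        print(f"{name}: {fp}")
    print("mismatched:", ", ".join(result["mismatched"]) or "none")
```

Any appliance listed under `mismatched` is still presenting a different signing certificate, which is exactly the case in which clients would need to trust more than one certificate.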
You can also choose to generate a certificate and key on the FIPS-compliant appliance to use
for HTTPS decryption. However, if you want to use that same certificate and key pair on a
different FIPS-compliant appliance, you must first clone the master key from one HSM card
(the source appliance) to another HSM card (the target appliance). You might want to clone
the master key between HSM cards if you want the client applications on the network to
recognize only one certificate used for decrypting HTTPS traffic when the certificate and key
are generated on a FIPS-compliant appliance.
Note — Cisco recommends you clone the master keys immediately after the HSM card is
initialized.
To clone the master key among a source and target HSM card, you need to have access to the
following:
• SSH session to the source HSM card machine and another SSH session to the target HSM
card machine. Each SSH session needs to remain open during the process. You can run
the SSH sessions from the same local machine or different local machines.
• FTP session to the source and target HSM card machines. You must run the FTP sessions
from the same local machine so you can copy files between the source and target
machines.
To clone the master key between HSM cards:
1. Open an SSH session to the source Web Security appliance and run the
fipsconfig > clonesource CLI command. This command creates the Token Wrapping
Certificate (TWC) file (twc.file). The CLI command prompts you to enter the name of the
part1.file file. Do not enter anything yet. Keep the CLI session open.
2. Use FTP to copy the TWC file from the source appliance in step 1 to the target appliance.
The TWC file is located in the FTP root directory.
3. Open an SSH session to the target Web Security appliance and run the
fipsconfig > clonetarget CLI command. Enter the name of the TWC file (twc.file by default)
and press Enter. This command generates the key.file and part1.file using the twc.file copied
from the source appliance in step 2. The CLI command prompts you to enter the name of
the part2.file file. Do not enter anything yet. Keep the CLI session open.
4. Use FTP to copy part1.file from the target appliance to the source appliance.