Cisco Web Security Appliance S170 User Guide
Chapter 5: FIPS Management
Understanding How FIPS Management Works
FIPS-compliant versions of AsyncOS for Web only run on hardware models that include an
HSM card. The HSM card works by performing all cryptographic operations and storing and
protecting all cryptographic keys. The HSM card only stores keys, not the corresponding
certificates. Certificates are stored on the Web Security appliance hard drive.
The HSM card stores keys for the following components:
• SSH. This applies to SSH sessions to the Web Security appliance management interface
for administering the appliance using the CLI. The certificate and key pair is automatically
generated when you initialize the HSM card.
• Web interface. This applies to HTTPS sessions to the Web Security appliance
management interface for administering the appliance using the web interface. You can
upload a certificate and key pair using the fipsconfig > certconfig CLI command.
Note — To connect to the web interface for managing the appliance, you must use
HTTPS. HTTP access to the web interface is not supported.
• HTTPS Proxy. This applies to HTTPS transactions clients make to HTTPS web servers
when the HTTPS Proxy decrypts the transaction to act as the “man in the middle.” You can
upload or generate a certificate and key pair in the web interface. If you have multiple
FIPS-compliant Web Security appliances that will decrypt HTTPS transactions, you might
want to clone the master key on the HSM card of each appliance. For more information,
see “Working with Multiple HSM Cards” on page 83.
• Secure authentication. This applies to HTTPS transactions between the Web Proxy and
clients used for transmitting client authentication credentials. For example, this occurs
when you enable credential encryption. You can upload a certificate and key pair in the
web interface.
Note — The only SSL version that AsyncOS for Web 6.5 supports is TLS version 1.
Someone within your organization should be designated as the FIPS Officer. The FIPS Officer
is responsible for managing the certificate and keys on the HSM card. For more information,
see “Working with the FIPS Officer Password” on page 72.
AsyncOS for Web provides a FIPS management console where the FIPS Officer manages all
certificates and keys on the HSM card. Access the FIPS management console from the FIPS
Mode > FIPS Management page. For more information, see “Logging into the FIPS
Management Console” on page 71.
Because all certificate and key pairs are managed in the FIPS management console, you
cannot upload or generate certificate and key pairs elsewhere in the web interface. For
example, to enable the HTTPS Proxy, you must first upload or generate a certificate and key
pair in the FIPS management console and then go to the Security Services > HTTPS Proxy
page to enable the HTTPS Proxy. You cannot upload or generate a certificate and key pair on
the Security Services > HTTPS Proxy page.