Cisco Web Security Appliance S170 User Guide
Cisco IronPort AsyncOS 7.5.7 for Web User Guide
Chapter 5 FIPS Management
Understanding How FIPS Management Works
• Generates a new certificate and key pair for accessing the appliance using SSH and HTTPS. The certificate is stored on the appliance hard drive and the key is stored on the HSM card.
To initialize the HSM card, run the fipsconfig > init CLI command. Three failed login attempts in a row also initialize the HSM card, with the same effect: a new certificate and key pair are generated.
When you first receive a FIPS-compliant Web Security appliance, the HSM card is in an initialized state. This means the HSM card contains a certificate and key pair for SSH access to the appliance. It also contains the “Cisco IronPort Web Security Appliance Demo Certificate” and its corresponding private key, which allow HTTPS access to the web interface and secure transmission of authentication credentials to clients using credential encryption. It does not contain a certificate and key pair for HTTPS decryption. All corresponding private keys are stored on the HSM card. However, client applications are not programmed to recognize (trust) these certificates, so you can upload a digital certificate to the appliance that your applications recognize automatically.
When the HSM card is initialized and depending on the organization’s needs, the FIPS Officer may upload different certificates and keys by performing any of the following steps:
• Log into the appliance using the CLI and upload a different certificate and key pair to allow HTTPS access to the web interface. Do this using the fipsconfig > certconfig CLI command. For more information, see .
• Log into the web interface using HTTPS and upload or generate certificate and key pairs for HTTPS Proxy and secure authentication. Do this on the FIPS Mode > FIPS Management page. For more information, see .
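Both upload paths above take a certificate and key pair that your client applications already trust. The script below is an added example, not Cisco's code and not part of this guide: it prepares such a pair off-box with OpenSSL, signing the appliance certificate with an internal CA, putting the appliance hostname in the subjectAltName, and checking that key, certificate and CA fit together before you upload them with fipsconfig > certconfig. The hostname wsa.example.com, the CA name, the file layout and the use of PEM files are assumptions; the guide does not state which file format certconfig expects.

```shell
#!/bin/sh
# Added example (not Cisco's code): build a CA-signed HTTPS certificate for
# the appliance web interface and verify the pair before uploading it with
# `fipsconfig > certconfig`. Assumptions: an internal CA that your clients
# already trust, PEM files, and the hostname wsa.example.com.
set -e

# make_appliance_cert DIR HOSTNAME
# Produces DIR/ca.pem (internal CA), DIR/wsa.key and DIR/wsa.pem (leaf).
make_appliance_cert() {
    dir=$1; host=$2
    mkdir -p "$dir"

    # Minimal req config with explicit CA extensions, so the CA is accepted
    # as a trust anchor by any OpenSSL version. In a real deployment, use
    # the CA your browsers already trust instead of creating one here.
    printf '%s\n' '[req]' 'distinguished_name = dn' 'x509_extensions = ca_ext' \
        '[dn]' '[ca_ext]' 'basicConstraints = critical, CA:TRUE' \
        'keyUsage = critical, keyCertSign, cRLSign' > "$dir/req.cnf"
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -config "$dir/req.cnf" -subj "/CN=Example Internal CA" \
        -keyout "$dir/ca.key" -out "$dir/ca.pem" 2>/dev/null

    # Appliance private key and CSR, generated off-box because certconfig
    # takes an uploaded key pair (assumption: PEM, unencrypted key).
    openssl req -newkey rsa:2048 -nodes -sha256 -config "$dir/req.cnf" \
        -subj "/CN=$host" -keyout "$dir/wsa.key" -out "$dir/wsa.csr" 2>/dev/null

    # Leaf extensions: browsers match the SAN, not the CN.
    printf 'subjectAltName = DNS:%s\nextendedKeyUsage = serverAuth\n' "$host" \
        > "$dir/wsa.ext"
    openssl x509 -req -sha256 -days 825 -in "$dir/wsa.csr" \
        -CA "$dir/ca.pem" -CAkey "$dir/ca.key" -CAcreateserial \
        -extfile "$dir/wsa.ext" -out "$dir/wsa.pem" 2>/dev/null
}

# verify_pair CERT KEY CAFILE HOSTNAME
# Returns 0 only if the private key matches the certificate, the certificate
# chains to CAFILE, and HOSTNAME appears in the subjectAltName. Run this
# before uploading: a mismatched pair or a missing SAN is what makes
# clients reject the appliance after the upload.
verify_pair() {
    cert=$1; key=$2; cafile=$3; host=$4
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ] || return 1
    openssl verify -CAfile "$cafile" "$cert" >/dev/null 2>&1 || return 1
    openssl x509 -in "$cert" -noout -text 2>/dev/null | grep -qF "DNS:$host" || return 1
}

# Usage: WSA_CERT_DEMO=1 sh make_wsa_cert.sh
if [ "${WSA_CERT_DEMO:-}" = 1 ]; then
    out=$(mktemp -d)
    make_appliance_cert "$out" wsa.example.com
    verify_pair "$out/wsa.pem" "$out/wsa.key" "$out/ca.pem" wsa.example.com \
        && echo "upload $out/wsa.pem and $out/wsa.key with fipsconfig > certconfig"
fi
```

The public-key comparison is the check that matters most: certconfig takes the certificate and the key as separate inputs, so a wrong key file is easy to upload and only shows up as failed HTTPS connections afterwards.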
Note
Some SSH clients and web browsers drop the SSH or HTTPS connection when the HSM card initializes or when the wrong password is entered three times in a row. In this case, the administrator must manually reboot the appliance by powering it off and on.
Logging into the FIPS Management Console
After you log into the Web Security appliance as an administrator user, you can log into the FIPS management console to manage the HSM card. You can log into and out of the FIPS management console separately while remaining logged into the rest of the appliance web interface.
Access the FIPS management console from the FIPS Mode menu in the upper right corner of the web interface.
Figure 5-1 shows the FIPS Mode menu.
Figure 5-1 FIPS Mode Menu
Logging out of the FIPS management console does not affect the session logged into the appliance as the administrator user. However, if you log out of the web interface without manually logging out of the FIPS management console, AsyncOS for Web automatically logs you out of the FIPS management console.
The default FIPS Officer password is sopin123.