Cisco Web Security Appliance S170 User Guide
5-15
Cisco IronPort AsyncOS 7.5.7 for Web User Guide
Chapter 5 FIPS Management
Working with Multiple HSM Cards
describes the fipsconfig subcommands.
Working with Multiple HSM Cards
When client HTTPS traffic might be processed by any of several Web Security appliances, the client applications need to be able to recognize the signing certificate used on each Web Security appliance when it mimics HTTPS servers for decrypting traffic. Optionally, you can ensure that each appliance uses the same signing certificate for decrypting HTTPS traffic by uploading the same certificate and key to each appliance.
You can also choose to generate a certificate and key on the FIPS-compliant appliance to use for HTTPS decryption. However, if you want to use that same certificate and key pair on a different FIPS-compliant appliance, you must first clone the master key from one HSM card (the source appliance) to another HSM card (the target appliance). You might want to clone the master key between HSM cards if you want the client applications on the network to recognize only one certificate used for decrypting HTTPS traffic when the certificate and key are generated on a FIPS-compliant appliance.
Note: Cisco recommends you clone the master keys immediately after the HSM card is initialized.
Table 5-1    fipsconfig Subcommands

Subcommand     Description

init           Initializes the card and reboots the Web Security appliance. For more information, see
               Note: Some SSH clients automatically lose the SSH connection when the HSM initializes or when the wrong password is entered 3 times. In this case, the administrator must manually reboot the appliance by powering off and on.

getinfo        Displays the HSM card status.

certconfig     Allows you to configure the security certificate and key to access the Web Security appliance web interface using HTTPS. This command works similarly to the certconfig CLI command. For more information on using certconfig, see . For more information about the requirements involved with uploading a certificate for web interface access, see
               Note: The key length must be 1024 or 2048 bits. Only RSA keys are supported. Also, the certificate and private key files must be in PEM format. DER format is not supported. The certificate must be a server certificate, not a root certificate.

clonetarget    Clones the HSM card as a target when copying the master key among multiple HSM cards. For more information, see

clonesource    Clones the HSM card as a source when copying the master key among multiple HSM cards. For more information, see
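The certconfig requirements in Table 5-1 (PEM rather than DER, RSA only, 1024 or 2048 bits, a server certificate rather than a root certificate) are easy to verify on the administrator's workstation before the upload is attempted. The following pre-check is an added example, not a Cisco tool or part of the appliance; it assumes the openssl command-line tool is installed, and the function name wsa_cert_precheck is hypothetical.

```shell
#!/bin/sh
# Hypothetical pre-upload check (not a Cisco tool): verify that a certificate/key pair
# meets the fipsconfig certconfig requirements before uploading it to the appliance:
# PEM format (DER rejected), RSA key of 1024 or 2048 bits, a server (non-CA) certificate,
# and a private key that actually belongs to the certificate.
wsa_cert_precheck() {
  cert=$1
  key=$2
  # DER is binary; a PEM file carries a text armor header that grep can find.
  grep -q -- '-----BEGIN CERTIFICATE-----' "$cert" 2>/dev/null \
    || { echo "FAIL: $cert is not a PEM certificate (DER is not supported)"; return 1; }
  grep -q -- '-----BEGIN .*PRIVATE KEY-----' "$key" 2>/dev/null \
    || { echo "FAIL: $key is not a PEM private key (DER is not supported)"; return 1; }
  # Only RSA keys are supported: openssl rsa refuses to load any other key type.
  kmod=$(openssl rsa -in "$key" -noout -modulus 2>/dev/null) \
    || { echo "FAIL: $key is not an RSA private key"; return 1; }
  kmod=${kmod#Modulus=}
  # The modulus is printed as hex with no leading zeros and its top bit set,
  # so the key length in bits is the number of hex digits times 4.
  bits=$(( ${#kmod} * 4 ))
  [ "$bits" -eq 1024 ] || [ "$bits" -eq 2048 ] \
    || { echo "FAIL: RSA key is $bits bits; only 1024 or 2048 bits are allowed"; return 1; }
  # The certificate's public modulus must equal the key's, otherwise the pair is mismatched.
  cmod=$(openssl x509 -in "$cert" -noout -modulus 2>/dev/null) \
    || { echo "FAIL: cannot read $cert as an RSA certificate"; return 1; }
  [ "${cmod#Modulus=}" = "$kmod" ] \
    || { echo "FAIL: certificate public key does not match $key"; return 1; }
  # A root (or intermediate) CA certificate carries basicConstraints CA:TRUE;
  # a server certificate must not.
  if openssl x509 -in "$cert" -noout -text 2>/dev/null | grep -q 'CA:TRUE'; then
    echo "FAIL: $cert is a CA (root) certificate, not a server certificate"
    return 1
  fi
  echo "OK: $cert / $key ($bits-bit RSA, PEM, server certificate)"
  return 0
}

# Stand-alone use: sh precheck.sh <cert.pem> <key.pem>
if [ "$#" -eq 2 ]; then
  wsa_cert_precheck "$1" "$2"
fi
```

The check reports only the first requirement that fails, which is the one to fix before re-running it.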