Cisco Cisco Email Security Appliance C170 사용자 가이드
24-5
Cisco AsyncOS 8.0.2 for Email User Guide
Chapter 24 FIPS Management
Checking FIPS Mode Compliance
Checking FIPS Mode Compliance
Use the
fipsconfig
command to check if your appliance contains any non-FIPS-compliant objects.
Procedure
mail.example.com> fipsconfig
FIPS mode is currently disabled.
Choose the operation you want to perform:
- SETUP - Configure FIPS mode.
- FIPSCHECK - Check for FIPS mode compliance.
[]> fipscheck
All objects in the current configuration are FIPS compliant.
FIPS mode is currently disabled.
Managing Certificates and Keys
AsyncOS allows you to encrypt communications between the appliance and external machines by using
a certificate and private key pair. You can upload an existing certificate and key pair, generate a
self-signed certificate, or generate a Certificate Signing Request (CSR) to submit to a certificate
authority to obtain a public certificate. The certificate authority will return a trusted public certificate
signed by a private key that you can then upload onto the appliance.
a certificate and private key pair. You can upload an existing certificate and key pair, generate a
self-signed certificate, or generate a Certificate Signing Request (CSR) to submit to a certificate
authority to obtain a public certificate. The certificate authority will return a trusted public certificate
signed by a private key that you can then upload onto the appliance.
The appliance’s FIPS mode adds a number of restrictions to the certficates that the appliance uses in
order for the appliance to be FIPS compliant. Certificates must use one of the following signature
algorithms: SHA-1, SHA-224, SHA-256, SHA-384, and SHA-512.
order for the appliance to be FIPS compliant. Certificates must use one of the following signature
algorithms: SHA-1, SHA-224, SHA-256, SHA-384, and SHA-512.
The appliance will not import certificates that do not use one of these algorithms. It also cannot be
switched to FIPS mode if it has any non-compliant certificates in use on a listener. It will displays an
error message instead.
switched to FIPS mode if it has any non-compliant certificates in use on a listener. It will displays an
error message instead.
A
Non-FIPS
status for a certificate will be displayed in both the CLI and the GUI when the appliance is
in FIPS mode. When selecting a certificate to use for a feature, such as a listener or destination control,
the appliance does not display non-compliant certificates as an option.
the appliance does not display non-compliant certificates as an option.
See
for more information on using certficates on your appliance.
You can use FIPS-compliant certificates with any of the following services:
•
SMTP receiving and delivery. Use the Network > Listeners page (or the
listenerconfig -> edit
-> certificate
CLI command) to assign the certificate to any listeners that require encryption
using TLS. You may want to only enable TLS on listeners facing the Internet (that is, public
listeners), or you may want to enable encryption for all listeners, including internal systems (that is,
private listeners).
listeners), or you may want to enable encryption for all listeners, including internal systems (that is,
private listeners).
•
Destination controls. Use the Mail Policies > Destination Controls page (or the
destconfig
CLI
command) to assign the certificate as a global setting to for all outgoing TLS connections for email
delivery.
delivery.
•
Interfaces. Use the Network > IP Interfaces page (or the
interfaceconfig
CLI command) to
enable the certificate for HTTPS services on an interface, including the management interface.
•
LDAP. Use the System Administration > LDAP page to assign the certificate for all LDAP traffic
that requires TLS connections. The appliance can also use LDAP for external authentication of
users.
that requires TLS connections. The appliance can also use LDAP for external authentication of
users.