Cisco Email Security Appliance C680
Release Notes for Cisco IronPort AsyncOS 7.3.1 for Email
OL-23626-02
Software Notes
FIPS Officer Password
To manage certificate/key pairs and signing keys on the Email Security
appliance’s HSM card, you must log into the Email Security appliance as an
administrator and then provide the FIPS Officer password. You need the FIPS
Officer password to access the FIPS Management console or to use the
fipsconfig CLI command.
Warning
AsyncOS for Email keeps track of the total number of failed login attempts to the
HSM card using the FIPS Officer password. On the third subsequent login
failure, the HSM card is initialized, which clears its contents. There is no
timeout between failed login attempts. Because the HSM card gets initialized,
it loses the certificate and key for accessing the appliance web interface. If the
HSM card initializes after the third unsuccessful login attempt, the browser
displays a generic error message that it cannot display the web page.
There is no way to retrieve the FIPS Officer password once it is set. If you forget
the FIPS Officer password, the only way to access the HSM card is to initialize it,
which wipes all certificates and keys it manages.
Configuration Files
When you save the appliance configuration to a file using AsyncOS 7.3, the
certificate and keys that the HSM card manages are not included in the
configuration file. Also, if you restore the appliance configuration from a file that
erroneously includes certificate and key information, AsyncOS 7.3 ignores the
certificate and key information in the file.
To back up the certificates and keys the HSM card manages:
Step 1  From the FIPS Mode menu, choose FIPS Backup/Restore.
        The Backup and Restore page is displayed.
Step 2  Under the Backup Certificates and Keys section, choose the file name to use for
        the XML file that will contain the encrypted certificate and key pairs. You can
        define your own file name or AsyncOS can choose one for you.
Step 3  Click Backup.