User Guide for Cisco Email Security Appliance X1070

Cisco IronPort AsyncOS 7.3 for Email Advanced Configuration Guide
OL-23081-01
Chapter 1      FIPS Management
  • Destination controls. This applies to all outgoing TLS connections from the
    Email Security appliance for email delivery. You can upload or generate a
    certificate and key pair using the FIPS Management page in the web interface
    or the fipsconfig > certconfig CLI command.
  • LDAP. This applies to TLS transactions between the Email Security
    appliance and LDAP servers, including using an LDAP server for external
    authentication. You can upload or generate a certificate and key pair using the
    web interface or the fipsconfig > certconfig CLI command. Note that
    external authentication using a RADIUS server is not compliant with the
    FIPS 140-2 requirements.
  • DomainKeys and DKIM signing. This applies to the signing keys used for
    DomainKeys and DKIM signatures, which are used to verify the source of an
    email and that the contents were not altered during transit. To use
    DomainKeys or DKIM for signing outgoing messages, a public key stored in
    the public DNS and a private key stored on the HSM card are used to sign
    outgoing mail sent by the Email Security appliance. You can upload or
    generate a certificate and key pair using the web interface or the
    fipsconfig > domainkeysconfig CLI command.

Note: The only SSL version that AsyncOS 7.3 for Email supports is TLS version 1.

Someone within your organization should be designated as the FIPS Officer. The 
FIPS Officer is responsible for managing the certificate and keys on the HSM 
card. For more information, see .

AsyncOS for Email provides a FIPS Management console where the FIPS Officer 
manages all certificates and keys on the HSM card. Access the FIPS management 
console from the FIPS Mode > FIPS Management: Certificates and Keys page. 
For more information, see 

Because all certificate and key pairs and signing keys are managed in the FIPS 
Management console, you cannot upload or generate them elsewhere in the web 
interface. For example, to enable DKIM signing, you must first import or generate 
a signing key through the FIPS Management console and then go to the Mail 
Policies > Domain Profiles page to implement DKIM signing using the key. You 
cannot import or generate a signing key on the Mail Policies > Signing Keys page.