Nortel Networks NN46120-104 User Manual

Page 59

Installing an ASA 310-FIPS in a New Cluster

2

Follow the instructions for installing a VPN Gateway in a new cluster.

Read the sections starting with “Installing an NVG in a New Cluster” (page 42). When the basic setup is completed, new prompts for configuring an ASA 310-FIPS will automatically appear.

3

Choose the appropriate security mode for the ASA 310-FIPS
cluster.

Decide which security mode to use for the new ASA 310-FIPS
cluster—FIPS mode or Extended Security mode. The default
Extended Security mode should be used whenever your security
policy does not explicitly require conforming to the FIPS 140-1,
Level 3 standard.

For more information about the FIPS mode and the Extended Security mode, see “Introducing the ASA 310-FIPS” (page 27).

(new setup, continued)
Use FIPS or Extended Security Mode? (fips/extended) [extended]:
extended mode, or change the security mode to fips>

4

Initialize HSM card 0 by inserting the first pair of HSM-SO
and HSM-USER iKeys, and by defining passwords.

Step 4 and Step 5 are related to initializing the HSM cards that your ASA 310-FIPS is equipped with. The Setup utility will identify the first HSM card as card 0, and the second HSM card as card 1. Each HSM card is initialized by inserting the proper iKeys and defining a password for each user role. To successfully initialize both HSM cards, you need to have the following iKeys:

One pair of iKeys to be used for initializing HSM card 0.

— The purple HSM Security Officer iKey, embossed with "HSM-SO".

— The blue HSM User iKey, embossed with "HSM-USER".

Label these iKeys and HSM card 0 so that the
connection between them is obvious. After HSM card 0
has been initialized, this card will only accept the HSM-SO
and HSM-USER iKeys that were used when initializing this
particular HSM card. Even if you choose to use the same
HSM-SO and HSM-USER passwords when you initialize
card 1 as the passwords you defined when initializing card
0, the HSM-SO and HSM-USER iKeys for card 1 are not
interchangeable with the HSM-SO and HSM-USER iKeys for
card 0.

One pair of iKeys to be used for initializing HSM card 1.

Nortel VPN Gateway User Guide, NN46120-104, 02.01, Standard, 14 April 2008

Copyright © 2007-2008 Nortel Networks.