Installation guide

Additional Security Considerations & QoS
Acano solution: Single combined Acano server Deployment Guide R1.6 76-1054-01-H
Page 51
10 Additional Security Considerations & QoS
A number of security issues have already been discussed (e.g. certificates), but the Acano solution 1.6 offers a number of additional functions for securing your deployment, as described in this section.
10.1 Common Access Card (CAC) integration
The Common Access Card (CAC) is used as an authentication token to access computer
facilities. The CAC contains a private key which cannot be extracted but can be used by on-card
cryptographic hardware to prove the identity of the cardholder. The Acano solution 1.6 supports
administrative logins to the SSH and Web Admin Interface using CAC.
The MMP commands available are (also see the MMP Command Reference):
cac enable|disable [strict]: enables/disables CAC mode; the optional strict mode removes all password-based logins
cac issuer <ca cert-bundle>: identifies the trusted certificate bundle used to verify CAC certificates
cac ocsp certs <key-file> <crt-file>: identifies the certificate and private key used for TLS communications with the OCSP server, if used
cac ocsp responder <URL>: identifies the URL of the OCSP server
cac ocsp enable|disable: enables/disables CAC OCSP verification
10.2 Online Certificate Status Protocol
Online Certificate Status Protocol (OCSP) is a mechanism for checking the validity and revocation status of certificates. The MMP can use OCSP to determine whether the CAC used for a login is valid and, in particular, has not been revoked.
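The two checks described in 10.1 and 10.2 (chain validation against the trusted issuer bundle, then an OCSP revocation query) can be rehearsed locally with the openssl CLI before strict CAC mode removes password logins. This is an added example, not code from the Acano guide or the MMP; the CA, the cardholder certificate, the unrelated CA, the responder database and all file names are constructed here.

```shell
#!/bin/sh
# Added example, not from the Acano guide: rehearse with a throwaway CA and the
# openssl CLI the two checks the MMP applies to a CAC login certificate:
#   1. chain validation against the trusted issuer bundle ('cac issuer'),
#   2. revocation status from an OCSP responder ('cac ocsp responder').
# All certificates and the responder database are constructed locally.
set -eu
DEMO=$(mktemp -d); trap 'rm -rf "$DEMO"' EXIT; cd "$DEMO"
make_demo_pki() {
    # Throwaway issuing CA: stands in for the 'cac issuer' bundle.
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo CAC Issuing CA" \
        -keyout ca.key -out ca.crt 2>/dev/null
    # A cardholder certificate issued by that CA (hypothetical subject).
    openssl req -newkey rsa:2048 -nodes -subj "/CN=demo.cardholder" \
        -keyout holder.key -out holder.csr 2>/dev/null
    openssl x509 -req -in holder.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
        -days 1 -out holder.crt 2>/dev/null
    # A certificate from an unrelated CA, which the issuer bundle must reject.
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Unrelated CA" \
        -keyout other.key -out other.crt 2>/dev/null
}

# Check 1: does the presented certificate chain to the trusted issuer bundle?
chain_check() {  # $1 = cert, $2 = issuer bundle; prints OK or FAIL
    if openssl verify -CAfile "$2" "$1" >/dev/null 2>&1; then echo OK; else echo FAIL; fi
}

# Responder database in OpenSSL's index.txt format: V (valid) or R (revoked)
# for the holder certificate, keyed by its serial number.
write_index() {  # $1 = V|R, $2 = output file
    serial=$(openssl x509 -in holder.crt -noout -serial | cut -d= -f2)
    if [ "$1" = R ]; then rev=240101000000Z; else rev=""; fi
    printf '%s\t991231235959Z\t%s\t%s\tunknown\t/CN=demo.cardholder\n' "$1" "$rev" "$serial" > "$2"
}

# Check 2: build an OCSP request, answer it with a local file-based responder
# (signed by the CA key), then verify the response as the MMP client would.
ocsp_status() {  # $1 = cert, $2 = CA cert, $3 = index file; prints good/revoked/unverified
    openssl ocsp -issuer "$2" -cert "$1" -no_nonce -reqout req.der >/dev/null 2>&1
    openssl ocsp -index "$3" -CA "$2" -rsigner "$2" -rkey ca.key \
        -reqin req.der -respout resp.der >/dev/null 2>&1
    out=$(openssl ocsp -issuer "$2" -cert "$1" -no_nonce -CAfile "$2" -respin resp.der 2>&1 || true)
    case "$out" in *"Response verify OK"*) ;; *) echo unverified; return 0 ;; esac
    case "$out" in *"$1: good"*) echo good ;; *"$1: revoked"*) echo revoked ;; *) echo unknown ;; esac
}
make_demo_pki
echo "chain holder.crt: $(chain_check holder.crt ca.crt)  chain other.crt: $(chain_check other.crt ca.crt)"
write_index V index_v.txt; echo "ocsp, valid index:   $(ocsp_status holder.crt ca.crt index_v.txt)"
write_index R index_r.txt; echo "ocsp, revoked index: $(ocsp_status holder.crt ca.crt index_r.txt)"
```

The same two openssl commands (openssl verify with the real issuer bundle, and openssl ocsp -url against the responder configured with cac ocsp responder) exercise a production bundle and responder before cac enable strict is issued.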
10.3 FIPS
Once you enable the FIPS 140-2 Level 1 certified software cryptographic module, all cryptographic operations are performed by that module and are restricted to the FIPS-approved cryptographic algorithms.
The MMP commands are (also see the MMP Command Reference):
fips enable|disable: enables/disables FIPS 140-2 mode cryptography for all cryptographic operations on network traffic. After enabling or disabling FIPS mode, a reboot is required
fips: displays whether FIPS mode is enabled
fips test: runs the built-in FIPS test