An ASA 310-FIPS cluster must be reconstructed onto – Nortel Networks NN46120-104 User Manual
Page 158
Troubleshooting the NVG
An ASA 310-FIPS Cluster Must be Reconstructed onto New Devices
If your cluster of ASA 310-FIPS devices has been damaged beyond repair
(by fire, for example), you can reconstruct the complete cluster, including
certificates, private keys, and wrap keys. However, this requires that you
have access to the following:
• A new set of ASA 310-FIPS devices, replacing the cluster of damaged devices.
• A backup configuration file, saved to an FTP/TFTP/SCP/SFTP server as a precautionary measure by using the /cfg/ptcfg command in the former cluster. For more information about the ptcfg command, see the "Configuration Menu" chapter in the Command Reference.
• The black CODE-SO and CODE-USER iKeys that were used when the now damaged cluster of ASA 310-FIPS devices was first created. The black CODE iKeys are needed to transfer the wrap key used in the former cluster onto the HSM cards in the new ASA 310-FIPS devices, as well as for decrypting private key information in the backup configuration file.
• The secret passphrase that was defined in the former cluster when first initialized (provided your former cluster was running in FIPS mode).
To reconstruct the cluster configuration, certificates, private keys, and wrap
keys used in the former cluster onto a new set of ASA 310-FIPS devices,
follow these steps:
Step Action
1 Install the first ASA 310-FIPS in a new cluster by following the instructions on “Installing an ASA 310-FIPS” (page 58) up to and including
Note: When asked to use FIPS or Extended Security Mode, select the same mode that was used in the former cluster.
2 When both HSM cards have been initialized, you will be asked if you want to use new or existing HSM-CODE iKeys. Type existing and press ENTER.
Nortel VPN Gateway User Guide, NN46120-104, 02.01, Standard, 14 April 2008
Copyright © 2007-2008 Nortel Networks