30 Introducing the ASA 310-FIPS

The Concept of iKey Authentication

Access to sensitive data on an ASA 310-FIPS is protected by a combination of hardware tokens (called iKeys), passwords, and encryption procedures. The iKey is a cryptographic token that is used as part of the authentication process for certain operations involving the HSM cards. Whenever you perform an operation on the ASA 310-FIPS that calls for iKey authentication, the Command Line Interface prompts you to insert the requested iKey into the USB port on the appropriate HSM card. (When you are prompted for a particular iKey, a flashing LED always directs you to the correct HSM card.)

Types of iKeys

For each HSM card there are two unique iKeys used for identity-based authentication: the HSM-SO iKey and the HSM-USER iKey. Each of these iKeys defines one of the two available user roles: Security Officer and User. A password must be defined for each user role, and each password is directly associated with the corresponding iKey. The ASA 310-FIPS is equipped with two HSM cards, so for each single ASA 310-FIPS device you must maintain two pairs of HSM-SO and HSM-USER iKeys together with their associated passwords.

After an HSM card has been initialized, that card only accepts the HSM-SO and HSM-USER iKeys that were used when initializing that particular card. You cannot create backup copies of the associated HSM-SO iKey and HSM-USER iKey, and a lost HSM-SO or HSM-USER password cannot be retrieved. It is therefore extremely important that you establish routines for how the iKeys are handled.

Wrap Keys for ASA 310-FIPS Clusters

In addition to the HSM-SO and HSM-USER iKeys specific to each HSM card, one pair of iKeys (the black HSM-CODE iKeys) must also be maintained for each cluster of ASA 310-FIPS units.

Note: You are strongly recommended to label two of the black HSM-CODE iKeys "CODE-SO" and "CODE-USER" respectively; these iKeys are referred to by those names both in the documentation and in the Command Line Interface.

During the initialization of the first ASA 310-FIPS in a cluster, a wrap key is automatically generated. The wrap key is a secret shared among all ASA 310-FIPS units in the cluster. It encrypts and decrypts sensitive information that is sent over the PCI bus within an ASA 310-FIPS, and over the network among the ASA 310-FIPS devices in the cluster. By inserting the CODE-SO iKey and the CODE-USER iKey in turns when requested

Nortel VPN Gateway User Guide
NN46120-104 02.01 Standard
14 April 2008
Copyright © 2007-2008 Nortel Networks.