STIGQter: STIG Summary: IBM z/OS ACF2 Security Technical Implementation Guide Version: 8 Release: 2 Benchmark Date: 23 Apr 2021:

IBM z/OS must not use Expired Digital Certificates.

DISA Rule

SV-223420r533198_rule

Vulnerability Number

V-223420

Group Title

SRG-OS-000066-GPOS-00034

Rule Version

ACF2-CE-000020

Severity

CAT II

CCI(s)

CCI-000185 - The information system, for PKI-based authentication, validates certifications by constructing and verifying a certification path to an accepted trust anchor including checking certificate status information.

Weight

Fix Recommendation

If the certificate is a user or device certificate with a status of trust, follow procedures to obtain a new certificate or re-key certificate. If it is an expired CA certificate remove it.

Check Contents

Execute the CA-ACF2 SAFCRRPT using the following as SYSIN input
RECORDID(-) DETAIL FIELDS(ISSUER SUBJECT ACTIVE EXPIRE TRUST)

If no certificate information is found, this is not a finding.

NOTE: Certificates are only valid when their Status is TRUST. Therefore, you may ignore certificates with the NOTRUST status during the following checks.

If the digital certificate information indicates that the issuer's distinguished name leads to a DoD PKI Root Certificate Authority or External Certification Authority (ECA), this is not a finding.

Reference the DoD Cyber Exchange website for complete information as to which certificates are acceptable (https://cyber.mil/pki-pke/interoperability/).

Examples of an acceptable DoD CA are:
DoD PKI Class 3 Root CA
DoD PKI Med Root CA

IBM z/OS must not use Expired Digital Certificates.

DISA Rule

Vulnerability Number

Group Title

Rule Version

Severity

CCI(s)

Weight

Fix Recommendation

Check Contents

Vulnerability Number

Documentable

Rule Version

Severity Override Guidance

Check Content Reference

Target Key

Comments