STIGQter: STIG Summary: Oracle HTTP Server 12.1.3 Security Technical Implementation Guide Version: 1 Release: 7 Benchmark Date: 24 Jul 2020:

A private OHS list of CAs in a trust hierarchy must lead to an authorized DoD PKI Root CA.

DISA Rule

SV-79169r1_rule

Vulnerability Number

V-64679

Group Title

SRG-APP-000516-WSR-000174

Rule Version

OH12-1X-000221

Severity

CAT II

CCI(s)

CCI-000366 - The organization implements the security configuration settings.

Weight

Fix Recommendation

1. Go to the location of the OHS keystores (e.g., cd $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/keystores).

2. For each wallet directory located there, do the following:

a) Issue the command "$ORACLE_HOME/oracle_common/bin/orapki wallet display -wallet <wallet_directory>".
b) Remove the Identity Certificate if it was not issued by a DoD Certificate authority.
c) Remove each Trusted Certificate from the wallet that is not an appropriate DoD Certificate Authority with the command "$ORACLE_HOME/oracle_common/bin/orapki wallet remove -wallet <wallet_directory> -dn <dn_of_the_trusted_certificate> -trusted_cert".

Check Contents

1. Go to the location of the OHS keystores (e.g., cd $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/keystores).

2. For each wallet directory located there, do the following:

a) Issue the command "$ORACLE_HOME/oracle_common/bin/orapki wallet display -wallet <wallet_directory>".
b) Confirm that only the appropriate DoD Certificate Authorities are listed as Trusted Certificates and that the Identity Certificate has been issued by a DoD Certificate authority.

3. If any of the Trusted Certificates are not appropriate DoD Certificate Authorities or the Identity Certificate has not been issued by a DoD Certificate authority, this is a finding.

Vulnerability Number

V-64679

Documentable

False

Rule Version

OH12-1X-000221

Severity Override Guidance

1. Go to the location of the OHS keystores (e.g., cd $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/keystores).

2. For each wallet directory located there, do the following:

a) Issue the command "$ORACLE_HOME/oracle_common/bin/orapki wallet display -wallet <wallet_directory>".
b) Confirm that only the appropriate DoD Certificate Authorities are listed as Trusted Certificates and that the Identity Certificate has been issued by a DoD Certificate authority.

3. If any of the Trusted Certificates are not appropriate DoD Certificate Authorities or the Identity Certificate has not been issued by a DoD Certificate authority, this is a finding.

Check Content Reference

Target Key

2753

A private OHS list of CAs in a trust hierarchy must lead to an authorized DoD PKI Root CA.

DISA Rule

Vulnerability Number

Group Title

Rule Version

Severity

CCI(s)

Weight

Fix Recommendation

Check Contents

Vulnerability Number

Documentable

Rule Version

Severity Override Guidance

Check Content Reference

Target Key

Comments