STIGQter: STIG Summary: IBM DataPower ALG Security Technical Implementation Guide Version: 1 Release: 1 Benchmark Date: 25 Jan 2016:

The DataPower Gateway that provides intermediary services for TLS must validate certificates used for TLS functions by performing RFC 5280-compliant certification path validation.

DISA Rule

SV-79715r1_rule

Vulnerability Number

V-65225

Group Title

SRG-NET-000164-ALG-000100

Rule Version

WSDP-AG-000042

Severity

CAT II

CCI(s)

• CCI-000185 - The information system, for PKI-based authentication, validates certifications by constructing and verifying a certification path to an accepted trust anchor including checking certificate status information.

Weight

10

Fix Recommendation

Objects >> Crypto Configuration >> Crypto Validation Credentials >> Press add to create a credential. Supply the following parameters:

Name: Assign a name to these Crypto Validation Credentials

Certificates: Define the certificate aliases for the Crypto Validation Credentials object. Each certificate in the Validation Credentials object is the certificate that a TLS peer might send or is the certificate of the Certification Authority (CA) that signed the certificate sent by a peer or is the root certificate.

Certificate Validation Mode: Select "Full certificate chain checking (PKIX)".

Use CRL: On

Require CRL: On

CRL Distribution Points Handling: Require.
Specifying this option will result in checks against, but does not fetch, the CRLs in the X.509 CRL Distribution Point extensions. If any CRL in a CRL Distribution Point extension no longer exists in the CRL cache, the certificate validation fails.

USE THE ABOVE-DEFINED CRYPTO-VALIDATION CREDENTIALS FOR TLS PATH VALIDATION.

SSL CLIENT PROFILE
Using the WebGUI, go to Objects >> Crypto Configuration >> SSL Client Profile. Supply the following parameters:

Protocols: Check only TLS versions 1.1 and 1.2

Validate server certificate: On

Validation credentials: Select from the dropdown the above-defined Crypto Validation Credentials

SSL SERVER PROFILE
Using the WebGUI, go to Objects >> Crypto Configuration >> SSL Server Profile. Supply the following parameters:

Protocols: Check only TLS versions 1.1 and 1.2

Request client authentication: On

Require client authentication: On

Validate client certificate: On

Send client authentication CA list: On

Validation credentials: Select from the dropdown the above-defined Crypto Validation Credentials.

Check Contents

Using the WebGUI, go to Objects >> Crypto Configuration >> SSL Client Profile and SSL Server Profile.

Confirm that each Profile's parameters are set correctly (as defined in the Fix column) and that each profile is using a correctly defined Crypto Validation Credentials (as defined in the Fix column).

If they are not correctly defined, this is a finding.

Vulnerability Number

V-65225

Documentable

False

Rule Version

WSDP-AG-000042

Severity Override Guidance

Using the WebGUI, go to Objects >> Crypto Configuration >> SSL Client Profile and SSL Server Profile.

Confirm that each Profile's parameters are set correctly (as defined in the Fix column) and that each profile is using a correctly defined Crypto Validation Credentials (as defined in the Fix column).

If they are not correctly defined, this is a finding.

Check Content Reference

M

Target Key

2859

Comments