SV-85979r1_rule
V-71355
SRG-NET-000140-ALG-000094
CAGW-GW-000330
CAT II
10
Open the CA API Gateway - Policy Manager.
Double-click the Registered Services requiring multifactor authentication that were not properly configured.
For example, within the policy that leverages an RSA SecurID hardware token along with X.509, verify/add the "Require SSL/TLS with Client Certificate" Assertion, which validates the certificate according to organizational requirements; then, to use that certificate to authenticate against LDAP or Active Directory, verify/add the "Authenticate Against Identity Provider" Assertion; and then verify/include the value from the hardware token in a request to the RSA SecurID RADIUS service via the "Authenticate Against RADIUS Server" Assertion.
Additionally, to meet the biometric requirement, verify/add an "HTTP(S) Route" Assertion configured to route to a back-end biometric validation web service.
Open the CA API Gateway - Policy Manager.
Double-click the Registered Services requiring multifactor authentication.
For example, within the policy that leverages an RSA SecurID hardware token along with X.509, verify the policy includes a "Require SSL/TLS with Client Certificate" Assertion, which validates the certificate according to organizational requirements, then uses that certificate to authenticate against LDAP or Active Directory via the "Authenticate Against Identity Provider" Assertion, and then includes the value from the hardware token in a request to the RSA SecurID RADIUS service via the "Authenticate Against RADIUS Server" Assertion.
If the policy is not configured with multiple factors for authentication in a similar fashion, this is a finding.
Additionally, to meet the biometric requirement, check for the existence of an "HTTP(S) Route" assertion, which routes to a back-end biometric validation web service. If the biometric route assertion is not present, this is also a finding.
V-71355
False
CAGW-GW-000330
M
3049