STIGQter: STIG Summary: CA API Gateway ALG Security Technical Implementation Guide Version: 1 Release: 2 Benchmark Date: 28 Apr 2017:

The CA API Gateway providing PKI-based user authentication intermediary services must map authenticated identities to the user account.

DISA Rule

SV-85983r1_rule

Vulnerability Number

V-71359

Group Title

SRG-NET-000166-ALG-000101

Rule Version

CAGW-GW-000350

Severity

CAT II

CCI(s)

• CCI-000187 - The information system, for PKI-based authentication, maps the authenticated identity to the account of the individual or group.

Weight

10

Fix Recommendation

Open the CA API Gateway - Policy Manager and double-click the Registered Services requiring certificate mapping to user accounts.

Update the policy with the "Require SSL/TLS with Client Certificate Authentication", the "Extract Attributes from Certificate", and one of the "Authenticate Against..." Assertions. In addition, create the policy logic necessary to provide access to the Registered Service's resources after extracting the proper attributes from the certificate using the "Extract Attributes from Certificate" Assertion in accordance with organizational requirements.

Check Contents

Open the CA API Gateway - Policy Manager and double-click the Registered Services requiring certificate mapping to user accounts.

Verify that the "Require SSL/TLS with Client Certificate Authentication" Assertion is present, that "Extract Attributes from Certificate" is present, and that one of the "Authenticate Against..." Assertions is also present.

In addition, verify the logic necessary to provide access to the Registered Service's resources is properly enabled using the required policy logic after extracting the proper attributes from the certificate using the "Extract Attributes from Certificate" Assertion.

If these requirements have not been met within the policy, this is a finding.

Vulnerability Number

V-71359

Documentable

False

Rule Version

CAGW-GW-000350

Severity Override Guidance

Open the CA API Gateway - Policy Manager and double-click the Registered Services requiring certificate mapping to user accounts.

Verify that the "Require SSL/TLS with Client Certificate Authentication" Assertion is present, that "Extract Attributes from Certificate" is present, and that one of the "Authenticate Against..." Assertions is also present.

In addition, verify the logic necessary to provide access to the Registered Service's resources is properly enabled using the required policy logic after extracting the proper attributes from the certificate using the "Extract Attributes from Certificate" Assertion.

If these requirements have not been met within the policy, this is a finding.

Check Content Reference

M

Target Key

3049

Comments