STIGQter: STIG Summary: CA API Gateway ALG Security Technical Implementation Guide Version: 1 Release: 2 Benchmark Date: 28 Apr 2017:

The CA API Gateway providing user authentication intermediary services must implement multifactor authentication for remote access to non-privileged accounts such that one of the factors is provided by a device separate from the system gaining access.

DISA Rule

SV-86055r1_rule

Vulnerability Number

V-71431

Group Title

SRG-NET-000339-ALG-000090

Rule Version

CAGW-GW-000610

Severity

CAT II

CCI(s)

• CCI-001951 - The information system implements multifactor authentication for remote access to non-privileged accounts such that one of the factors is provided by a device separate from the system gaining access.

Weight

10

Fix Recommendation

Open the CA API Gateway - Policy Manager.

Double-click the Registered Services requiring multifactor authentication.

For example, within the policy, configure the policy to leverage an RSA SecurID hardware token along with X.509 by adding a "Require SSL/TLS with Client Certificate" Assertion, which will validate the certificate according to organizational requirements, then using that certificate to authenticate against LDAP or Active Directory, add an "Authenticate Against Identity Provider" Assertion, and then include the value from the hardware token in a request to the RSA SecurID RADIUS service by adding the "Authenticate Against RADIUS Server" Assertion.

Configure additional Registered Services in a similar fashion in accordance with organizational requirements.

Check Contents

Open the CA API Gateway - Policy Manager.

Double-click the Registered Services requiring multifactor authentication.

For example, within the policy that leverages an RSA SecurID hardware token along with X.509, verify the policy includes a "Require SSL/TLS with Client Certificate" Assertion, which will validate the certificate according to organizational requirements, then use that certificate to authenticate against LDAP or Active Directory using the "Authenticate Against Identity Provider" Assertion, and then include the value from the hardware token in a request to the RSA SecurID RADIUS service via the "Authenticate Against RADIUS Server" Assertion.

If the policy is not configured with multiple factors for authentication in a similar fashion, this is a finding.

Vulnerability Number

V-71431

Documentable

False

Rule Version

CAGW-GW-000610

Severity Override Guidance

Open the CA API Gateway - Policy Manager.

Double-click the Registered Services requiring multifactor authentication.

For example, within the policy that leverages an RSA SecurID hardware token along with X.509, verify the policy includes a "Require SSL/TLS with Client Certificate" Assertion, which will validate the certificate according to organizational requirements, then use that certificate to authenticate against LDAP or Active Directory using the "Authenticate Against Identity Provider" Assertion, and then include the value from the hardware token in a request to the RSA SecurID RADIUS service via the "Authenticate Against RADIUS Server" Assertion.

If the policy is not configured with multiple factors for authentication in a similar fashion, this is a finding.

Check Content Reference

M

Target Key

3049

Comments