STIGQter: STIG Summary: CA API Gateway ALG Security Technical Implementation Guide, Version: 1, Release: 2, Benchmark Date: 28 Apr 2017

The CA API Gateway providing user authentication intermediary services using PKI-based user authentication must only accept end entity certificates issued by DoD PKI or DoD-approved PKI Certification Authorities (CAs) for the establishment of protected sessions.

DISA Rule

SV-86065r1_rule

Vulnerability Number

V-71441

Group Title

SRG-NET-000355-ALG-000117

Rule Version

CAGW-GW-000660

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Log on to the CA API Gateway - Policy Manager.

Click "Task" from the main menu and select "Manage Certificates".

Remove all non-approved certificates and click "Add".

Select the proper options to import the approved certificates and complete the Certificate Import Wizard, selecting the values and options defined by the organization for approved certificates.

Check Contents

Log on to the CA API Gateway - Policy Manager.

Click "Task" from the main menu and select "Manage Certificates".

If the DoD-approved PKI CA certificates are not listed or non-approved certificates are shown, this is a finding.

Documentable

False

Severity Override Guidance

Log on to the CA API Gateway - Policy Manager.

Click "Task" from the main menu and select "Manage Certificates".

If the DoD-approved PKI CA certificates are not listed or non-approved certificates are shown, this is a finding.

Check Content Reference

M

Target Key

3049
