STIGQter: STIG Summary: CA API Gateway ALG Security Technical Implementation Guide Version: 1 Release: 2 Benchmark Date: 28 Apr 2017:

The CA API Gateway providing encryption intermediary services must implement NIST FIPS-validated cryptography to generate cryptographic hashes.

DISA Rule

SV-86097r1_rule

Vulnerability Number

V-71473

Group Title

SRG-NET-000510-ALG-000025

Rule Version

CAGW-GW-000880

Severity

CAT II

CCI(s)

• CCI-002450 - The information system implements organization-defined cryptographic uses and type of cryptography required for each use in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards.

Weight

10

Fix Recommendation

Open the CA API Gateway - Policy Manager.

Select "Manage Cluster-Wide Properties" from the "Tasks" menu.

Click "Add" and select "security.fips.enabled" from the "Key:" drop-down list.

Set the value to "True" and click "OK".

API Gateway version 8.3 and later will automatically deselect TLS 1.0. For version 8.2 and prior, select Tasks >> Manage Listen Ports, double-click on each SSL listen port, select the SSL/TLS settings, deselect TLS 1.0, and select TLS 1.1 and TLS 1.2.

Verify that each Enabled Cipher Suites with a checkmark is included in NIST SP 800-52 section 3.3.2 Cipher Suites (or Appendix C if applicable).

Within each Registered Service using the following Assertions in the policy, enable only the approved secure hashes are selected: "Sign XML Element", "Sign Element", "Generate Security Hash".

Also verify SHA-1 and below are not selected wherever appropriate.

Check Contents

Open the CA API Gateway - Policy Manager.

Select "Manage Cluster-Wide Properties" from the "Tasks" menu.

If the "security.fips.enabled" property is not listed or set to "True", this is a finding.

Additionally, select Tasks >> Manage Listen Ports and double-click on each SSL listen port. Verify that no SSL versions are selected, TLS 1.0 is not selected, and only TLS 1.1, 1.2, and above are selected.

Verify that each Enabled Cipher Suites with a checkmark is included in NIST SP 800-52 section 3.3.2 Cipher Suites (or Appendix C if applicable).

When using the following Assertions in the policy, verify only the approved secure hashes are selected: "Sign XML Element", "Sign Element", "Generate Security Hash".

Verify that SHA-1 and below are not selected wherever appropriate.

If not, this is also a finding.

Vulnerability Number

V-71473

Documentable

False

Rule Version

CAGW-GW-000880

Severity Override Guidance

Open the CA API Gateway - Policy Manager.

Select "Manage Cluster-Wide Properties" from the "Tasks" menu.

If the "security.fips.enabled" property is not listed or set to "True", this is a finding.

Additionally, select Tasks >> Manage Listen Ports and double-click on each SSL listen port. Verify that no SSL versions are selected, TLS 1.0 is not selected, and only TLS 1.1, 1.2, and above are selected.

Verify that each Enabled Cipher Suites with a checkmark is included in NIST SP 800-52 section 3.3.2 Cipher Suites (or Appendix C if applicable).

When using the following Assertions in the policy, verify only the approved secure hashes are selected: "Sign XML Element", "Sign Element", "Generate Security Hash".

Verify that SHA-1 and below are not selected wherever appropriate.

If not, this is also a finding.

Check Content Reference

M

Target Key

3049

Comments