STIGQter: STIG Summary: CA API Gateway NDM Security Technical Implementation Guide Version: 1 Release: 1 Benchmark Date: 19 Sep 2016:

The CA API Gateway must obtain LDAPS server certificates securely to use bidirectional authentication that is cryptographically based.

DISA Rule

SV-86183r1_rule

Vulnerability Number

V-71559

Group Title

SRG-APP-000395-NDM-000310

Rule Version

CAGW-DM-000300

Severity

CAT II

CCI(s)

• CCI-001967 - The information system authenticates organization-defined devices and/or types of devices before establishing a local, remote, and/or network connection using bidirectional authentication that is cryptographically based.

Weight

10

Fix Recommendation

Configure LDAPS/LDAPS+RADIUS to use LDAPS server certificates for bidirectional authentication that is cryptographically based.

Place the LDAPS server certificate in "/etc/openldap/cacerts".

Set "TLS_REQCERT" to demand in "/etc/openldap/ldap.conf".

Check Contents

Verify the LDAPS server certificate is in "/etc/openldap/cacerts". Verify TLS_REQCERT is set to demand in "/etc/openldap/ldap.conf".

If the LDAPS server certificate is not in "/etc/openldap/cacerts", this is a finding.

If "TLS_REQCERT" is not set to demand in "/etc/openldap/ldap.conf", this is a finding.

Vulnerability Number

V-71559

Documentable

False

Rule Version

CAGW-DM-000300

Severity Override Guidance

Verify the LDAPS server certificate is in "/etc/openldap/cacerts". Verify TLS_REQCERT is set to demand in "/etc/openldap/ldap.conf".

If the LDAPS server certificate is not in "/etc/openldap/cacerts", this is a finding.

If "TLS_REQCERT" is not set to demand in "/etc/openldap/ldap.conf", this is a finding.

Check Content Reference

M

Target Key

3051

Comments