STIGhubSTIGhub
STIGsRMF ControlsCompare

STIGhub

A free tool to search and browse the entire DISA STIG library. Saves up to 75% in security compliance research time.

Navigation

  • Browse STIGs
  • Search
  • RMF Controls
  • Compare Versions

Resources

  • About
  • Release Notes
  • VPAT
  • DISA STIG Library
STIGs updated just now
Powered by Pylon
© 2026 Beacon Cloud Solutions, Inc. All rights reserved.
← Back to IBM Aspera Platform 4.2 Security Technical Implementation Guide

V-252629

CAT II (Medium)

The IBM Aspera High-Speed Transfer Server must be configured to protect the authenticity of communications sessions.

Rule ID

SV-252629r818057_rule

STIG

IBM Aspera Platform 4.2 Security Technical Implementation Guide

Version

V1R3

CCIs

CCI-001184

Discussion

Authenticity protection provides protection against man-in-the-middle attacks/session hijacking and the insertion of false information into sessions. This requirement focuses on communications protection for the application session rather than for the network packet and establishes grounds for confidence at both ends of communications sessions in ongoing identities of other parties and in the validity of information transmitted. Depending on the required degree of confidentiality and integrity, web services/SOA will require the use of mutual authentication (two-way/bidirectional).

Check Content

For implementations using IBM Aspera High-Speed Transfer Server, check for a <ssh_host_key_fingerprint> entry within the <server> section within The IBM Aspera High-Speed Transfer Server installation configuration file at /opt/aspera/etc/aspera.conf using the following command:

$ sudo more /opt/aspera/etc/aspera.conf | grep ssh_host_key_fingerprint

If the command does not return XML containing the fingerprint, this is a finding.

Test that the certificates used by Aspera Node service is a valid signed certificate (not self signed) by running the following command after substituting the FQDN for "servername":

$ sudo /opt/aspera/bin/openssl s_client -connect servername:9092

If the certificate is not DoD issued, this is a finding.

Fix Text

For implementations using the IBM Aspera High Speed Transfer Server, configure the host key fingerprint using the following procedure:

1. Retrieve the server's SHA-1 fingerprint using the following command:

$ sudo cat /etc/ssh/ssh_host_rsa_key.pub | awk '{print $2}' | base64 -d | sha1sum

2. Set the SSH host key fingerprint in /opt/aspera/etc/aspera.conf using the following command after substituting the string returned from the previous command for "INSERTFINGERPRINTHERE":

$ sudo /opt/aspera/bin/asconfigurator -x "set_server_data;ssh_host_key_fingerprint,INSERTFINGERPRINTHERE"

3. Restart the IBM Aspera Node service to activate the change using the following command:

$ sudo systemctl restart asperanoded.service

Implement a signed certificate (/opt/aspera/etc/aspera_server_cert.pem) for the IBM Aspera High Speed Transfer Server according to the instructions "Setting up SSL for your Nodes" and "Installing SSL Certificates" within the IBM Aspera High-Speed Transfer Server Admin Guide.

Restart the IBM Aspera Node service to activate the change to the certificate using the following command:

$ sudo systemctl restart asperanoded.service