Rule ID
SV-255884r1067567_rule
Version
V2R1
CCIs
The encryption of authentication information that is exchanged between servers involves the Lightweight Third-Party Authentication (LTPA) mechanism. LTPA utilizes encryption keys, if LTPA is utilized, the LTPA keys must be regenerated on a regular basis. The time period must be defined, documented and accepted by the ISSO but must be performed at least annually. Note: If LTPA keys are shared across cells, you must export the keys from the cell where the keys have been regenerated, and import into the cells whose keys have not changed. Instructions for managing the LTPA keys is provided here: https://www.ibm.com/support/knowledgecenter/en/SSAW57_9.0.0/com.ibm.websphere.nd.multiplatform.doc/ae/tsec_sslmanagelptakeys.html
If LTPA is not utilized, this is not applicable. Request the documented process to manually regenerate the LTPA keys. The time period for regeneration must be defined, documented and accepted by the ISSO but must be performed at least annually. Review documented process for LTPA key regeneration. If there is no process to regenerate LTPA keys periodically, this is a finding.
These steps must be documented and then executed during the down time scheduled for periodic LTPA key regeneration. The time period must be defined, documented and accepted by the ISSO but must be performed at least annually. Navigate to Security >> SSL Certificate and Key Management >> Key set groups. Check "CellLTPAKeySetGroup". Click "Generate Keys". Click "Save". Then synchronize the changes to all nodes.