Rule ID
SV-224770r1013824_rule
Version
V3R1
CCIs
Without device-to-device authentication, communications with malicious devices may be established. Bidirectional authentication provides stronger safeguards to validate the identity of other devices for connections that are of greater risk. Currently, DOD requires the use of AES for bidirectional authentication since it is the only FIPS-validated AES cipher block algorithm. For distributed architectures (e.g., service-oriented architectures), the decisions regarding the validation of authentication claims may be made by services separate from the services acting on those decisions. In such situations, it is necessary to provide authentication decisions (as opposed to the actual authenticators) to the services that need to act on those decisions. A local connection is any connection with a device communicating without the use of a network. A network connection is any connection with a device that communicates through a network (e.g., local area or wide area network; the internet). A remote connection is any connection with a device communicating through an external network (e.g., the internet). Because of the challenges of applying this requirement on a large scale, organizations are encouraged to apply the requirement only to those limited number (and type) of devices that truly need to support this capability.
Log in to the ISEC7 SPHERE Console. Confirm that the browser session is secured using a DOD issued certificate. Internet Explorer: Click the Padlock icon at the end of the url field. Select "View Certificates". Confirm that the Issued By is a valid DOD Certificate Authority. Google Chrome: Click the Padlock icon at the front of the url field. Select "Certificate". Confirm that the Issued By is a valid DOD Certificate Authority. Alternately, log in to the ISEC7 SPHERE Console. Navigate to Administration >> Configuration >> Apache Tomcat Settings. Identify which type of Keystore is being used. Windows MY: Open the Microsoft Management Console. Add the Certificates Snap-In for the ISEC7 Service Account. Navigate to the Personal Certificates Store. Verify the certificate is issued by a DOD Trusted Certificate Authority. JavaKeystore PKCS12: Using a Keystore browser such as Portecle, open the ISEC7 SPHERE keystore. Enter the Keystore password when prompted. Open the installed certificate and verify it was issued by a DOD Trusted Certificate Authority. If certificates used by the server are not DOD-issued certificates, this is a finding.
Submit a CSR for a DOD-issued certificate with the private key. Retrieve the approved certificate from the issuing Certificate Authority. Set the friendly name on the certificate to https. Windows-MY: Open the Microsoft Management Console. Add the Certificates Snap-In for the ISEC7 Service Account. Navigate to the Personal Certificates Store. Import the certificate with Private key. Log in to the ISEC7 SPHERE Console. Navigate to Administration >> Configuration >> Apache Tomcat Settings. Set the Keystore Type to Windows-MY. Restart the ISEC7 SPHERE Web service. JavaKeystore: Using a Keystore browser such as Portecle, open the ISEC7 SPHERE Suite keystore. Enter the Keystore password when prompted. Delete the self-signed certificate in the keystore. Import the DOD-issued certificate with the private key. Enter the key password when prompted. Enter the certificate alias as "https" when prompted. Save the keystore with the same keystore password. Log in to the ISEC7 SPHERE Console. Navigate to Administration >> Configuration >> Apache Tomcat Settings. Verify the Keystore type is set to JavaKeystore PKCS12. Restart the ISEC7 SPHERE Web service.