Rule ID
SV-237374r643672_rule
Version
V1R3
CCIs
CCI-001188
Sequentially generated session IDs can be easily guessed by an attacker. Employing the concept of randomness in the generation of unique session identifiers helps to protect against brute-force attacks to determine future session identifiers. The CA API Gateway uses random numbers for session IDs. Random number generation, out of the box, uses the FIPS 140-2 validated RSA BSAFE Crypto-J Software Module for random number generation for all cryptographic algorithms. By default, JsafeJCE FIPS 186 PRNG algorithm is used in all crypto operations. This can be overridden as per organizational requirements when configured to use a SafeNet Luna HSM, whereupon all cryptographic algorithms performed within the HSM will use its FIPS 140-2 validated random number generation.
Verify the CA API Gateway is configured to use a SafeNet Luna HSM, whereupon all cryptographic algorithms performed within the HSM will use its FIPS 140-2 validated random number generation. If the CA API Gateway is not configured to use the SafeNet Luna HSM, this is a finding.
Refer to the “CA API Management Documentation Wiki" at the link below for directions on installing and configuring the CA API Gateway to use a SafeNet Luna HSM. https://docops.ca.com/ca-api-gateway/9-0/en/install-and-configure-the-gateway/configure-the-appliance-gateway/configure-hardware-security-modules-hsm/configure-the-safenet-luna-sa-hsm