V-251237

CAT II (Medium)

Redis Enterprise DBMS must recognize only system-generated session identifiers.

Rule ID

SV-251237r961116_rule

STIG

Redis Enterprise 6.x Security Technical Implementation Guide

Version

V2R2

CCIs

CCI-001664

Discussion

This requirement focuses on communications protection for the DBMS session rather than for the network packet. The intent of this control is to establish grounds for confidence at each end of a communications session in the ongoing identity of the other party and in the validity of the information being transmitted. Redis Enterprise Software (RS) uses self-signed certificates out-of-the-box to make sure that sessions are secure by default. When using the default self-signed certificates, an untrusted connection notification is shown in the web UI. Depending on the browser used, the user can allow the connection for each session or add an exception to make the site trusted in future sessions.

Check Content

By default, each cluster node has a different set of self-signed certificates. These certificates can be replaced with a DoD-acceptable certificate, preferably a certificate issued by an intermediate certificate authority (CA).

For security reasons, Redis Enterprise only supports the TLS protocol. Therefore, verify that the Redis client or secured tunnel solution uses TLS v1.2 or above.

Run the following commands and verify that certificates are present:
# cd /etc/opt/redislabs
# ls 

Verify the proxy_cert.pem file is present.

If no certificates are present, this is a finding.
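
The check above can be scripted per node. The following is an added example, not part of the STIG or of Redis documentation. It applies the stated criterion (a missing proxy_cert.pem is a finding) and goes one step further by flagging a certificate whose subject equals its issuer, which indicates the default self-signed certificate has not been replaced. The function name, the CERT_DIR variable and the return codes are assumptions of this example.

```shell
#!/bin/sh
# Added example for the V-251237 check. Return codes are this example's own
# convention: 0 = certificate present, 1 = finding (absent), 2 = needs review.

check_proxy_cert() {
    local dir cert subject issuer
    dir="${1:-/etc/opt/redislabs}"        # directory named in the check text
    cert="$dir/proxy_cert.pem"

    # The STIG's criterion: no certificate present is a finding.
    if [ ! -s "$cert" ]; then
        echo "FINDING: $cert is missing or empty"
        return 1
    fi

    # Without openssl only presence can be confirmed.
    if ! command -v openssl >/dev/null 2>&1; then
        echo "PRESENT: $cert (openssl unavailable, issuer not inspected)"
        return 0
    fi

    subject=$(openssl x509 -in "$cert" -noout -subject 2>/dev/null | sed 's/^subject= *//')
    issuer=$(openssl x509 -in "$cert" -noout -issuer 2>/dev/null | sed 's/^issuer= *//')

    if [ -z "$subject" ]; then
        echo "REVIEW: $cert is not a parseable PEM X.509 certificate"
        return 2
    fi

    # Heuristic: identical subject and issuer means the certificate is
    # self-issued, i.e. likely still the default rather than CA-signed.
    if [ "$subject" = "$issuer" ]; then
        echo "REVIEW: $cert is self-signed ($subject)"
        return 2
    fi

    echo "PRESENT: $cert issued by: $issuer"
    return 0
}

# Evaluate the default directory (override with CERT_DIR); never abort the caller.
check_proxy_cert "${CERT_DIR:-}" || true
```

Because each cluster node has its own certificate set by default, run this on every node rather than once per cluster.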

Fix Text

To configure TLS and to use only organizationally defined CA-signed certificates, refer to the following document:
https://docs.redislabs.com/latest/rs/administering/cluster-operations/updating-certificates/