
The ALG with SSL-enabled functions must validate certificates used for SSL functions by constructing a certification path (which includes status information) to an accepted trust anchor.


Overview

Finding ID: SRG-NET-000164-ALG-000100
Version: SRG-NET-000164-ALG-000100
Rule ID: SRG-NET-000164-ALG-000100_rule
IA Controls:
Severity: Medium
Description
A trust anchor is an authoritative entity represented via a public key. Within a chain of trust, the top entity to be trusted is the "root certificate" or "trust anchor" such as a Certification Authority (CA). A certification path starts with the subject certificate and proceeds through a number of intermediate certificates up to a trusted root certificate, typically issued by a trusted CA. Path validation is necessary for a relying party to make an informed trust decision when presented with any certificate not already explicitly trusted. Deploying the ALG with SSL enabled may require the CA certificates for each proxy to use for SSL traffic decryption/encryption. These certificates are installed in the trusted root certificate store used by proxied applications and browsers on each client.
STIG: Application Layer Gateway Security Requirements Guide
Date: 2014-06-27

Details

Check Text (C-SRG-NET-000164-ALG-000100_chk)
If the ALG does not provide SSL-enabled functions, this is not a finding.

Verify the ALG validates certificates used for SSL functions by constructing a certification path to an accepted trust anchor.

If the ALG does not validate certificates used for SSL functions by constructing a certification path to an accepted trust anchor, this is a finding.
Fix Text (F-SRG-NET-000164-ALG-000100_fix)
Configure the ALG to validate certificates used for SSL functions by constructing a certification path with status information to an accepted trust anchor.
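
The sketch below is an added example, not part of the SRG or of any vendor's ALG configuration. It uses Python's standard ssl module as a stand-in for an SSL-enabled function, showing a non-validating context beside one configured for path validation with CRL status checking, plus an audit helper; the function names and finding labels are assumptions made for illustration.

```python
import ssl

def build_weak_context():
    # Non-compliant on purpose: any certificate is accepted, no path is built.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False            # must be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx

def build_validating_context(cafile=None, crlfile=None):
    # PROTOCOL_TLS_CLIENT defaults to CERT_REQUIRED: the peer certificate
    # must chain to a certificate in this context's store.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    if cafile:
        ctx.load_verify_locations(cafile=cafile)    # accepted trust anchors (PEM)
    # Status information: demand a CRL check for every certificate in the path.
    ctx.verify_flags |= ssl.VERIFY_CRL_CHECK_CHAIN
    if crlfile:
        ctx.load_verify_locations(cafile=crlfile)   # PEM CRLs load the same way
    return ctx

def audit_context(ctx):
    """Return illustrative finding labels for a context (empty list = none)."""
    findings = []
    stats = ctx.cert_store_stats()        # {'x509': n, 'crl': n, 'x509_ca': n}
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("NO_PATH_VALIDATION")
    if stats["x509_ca"] == 0:
        findings.append("NO_TRUST_ANCHOR")
    # VERIFY_CRL_CHECK_CHAIN includes the VERIFY_CRL_CHECK_LEAF bit.
    if not ctx.verify_flags & ssl.VERIFY_CRL_CHECK_LEAF:
        findings.append("NO_STATUS_CHECK")
    elif stats["crl"] == 0:
        # CRL checking is on but no CRL is loaded: every handshake will
        # fail until current CRLs for the path's issuers are supplied.
        findings.append("CRL_CHECK_WITHOUT_CRLS")
    return findings

if __name__ == "__main__":
    # No files are passed here, so the hardened context still reports
    # the missing trust anchors and CRLs.
    for name, ctx in (("weak", build_weak_context()),
                      ("validating", build_validating_context())):
        print(name, audit_context(ctx))
```

Pass the site's CA bundle and current CRLs as `cafile` and `crlfile`; the audit returns an empty list only when all three elements (required validation, a trust anchor, and status data) are present.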