The CA API Gateway providing PKI-based user authentication intermediary services must map authenticated identities to the user account.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-71359	CAGW-GW-000350	SV-85983r1_rule		Medium

Description
Authorization for access to any network element requires an approved and assigned individual account identifier. To ensure only the assigned individual is using the account, the account must be bound to a user certificate when PKI-based authentication is implemented. This requirement applies to ALGs that provide user authentication intermediary services (e.g., authentication gateway or TLS gateway). This does not apply to authentication for the purpose of configuring the device itself (device management). When a user is authenticated using PKI, the CA API Gateway must map attributes associated with their certificate in order to query an identity provider mapping the PKI certificate to a user account.

Description

Authorization for access to any network element requires an approved and assigned individual account identifier. To ensure only the assigned individual is using the account, the account must be bound to a user certificate when PKI-based authentication is implemented. This requirement applies to ALGs that provide user authentication intermediary services (e.g., authentication gateway or TLS gateway). This does not apply to authentication for the purpose of configuring the device itself (device management). When a user is authenticated using PKI, the CA API Gateway must map attributes associated with their certificate in order to query an identity provider mapping the PKI certificate to a user account.

STIG	Date
CA API Gateway ALG Security Technical Implementation Guide	2017-04-07

Details

Check Text ( C-71759r1_chk )
Open the CA API Gateway - Policy Manager and double-click the Registered Services requiring certificate mapping to user accounts. Verify that the "Require SSL/TLS with Client Certificate Authentication" Assertion is present, that "Extract Attributes from Certificate" is present, and that one of the "Authenticate Against..." Assertions is also present. In addition, verify the logic necessary to provide access to the Registered Service's resources is properly enabled using the required policy logic after extracting the proper attributes from the certificate using the "Extract Attributes from Certificate" Assertion. If these requirements have not been met within the policy, this is a finding.

Check Text ( C-71759r1_chk )

Open the CA API Gateway - Policy Manager and double-click the Registered Services requiring certificate mapping to user accounts.

Verify that the "Require SSL/TLS with Client Certificate Authentication" Assertion is present, that "Extract Attributes from Certificate" is present, and that one of the "Authenticate Against..." Assertions is also present.

In addition, verify the logic necessary to provide access to the Registered Service's resources is properly enabled using the required policy logic after extracting the proper attributes from the certificate using the "Extract Attributes from Certificate" Assertion.

If these requirements have not been met within the policy, this is a finding.

Fix Text (F-77669r1_fix)
Open the CA API Gateway - Policy Manager and double-click the Registered Services requiring certificate mapping to user accounts. Update the policy with the "Require SSL/TLS with Client Certificate Authentication", the "Extract Attributes from Certificate", and one of the "Authenticate Against..." Assertions. In addition, create the policy logic necessary to provide access to the Registered Service's resources after extracting the proper attributes from the certificate using the "Extract Attributes from Certificate" Assertion in accordance with organizational requirements.

Fix Text (F-77669r1_fix)

Open the CA API Gateway - Policy Manager and double-click the Registered Services requiring certificate mapping to user accounts.

Update the policy with the "Require SSL/TLS with Client Certificate Authentication", the "Extract Attributes from Certificate", and one of the "Authenticate Against..." Assertions. In addition, create the policy logic necessary to provide access to the Registered Service's resources after extracting the proper attributes from the certificate using the "Extract Attributes from Certificate" Assertion in accordance with organizational requirements.