The HPE 3PAR OS WSAPI process must be properly configured to operate in FIPS mode in order to use mechanisms meeting the requirements of applicable federal laws, executive orders, directives, policies, regulations, standards, and guidance for authentication to a cryptographic module.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| V-255296 | HP3P-33-121103 | SV-255296r870207_rule | High |
| Description |
|---|
| Unapproved mechanisms that are used for authentication to the cryptographic module are not verified and therefore cannot be relied upon to provide confidentiality or integrity, and DOD data may be compromised. The HPE 3PAR OS cimserver utilizes a vendor-affirmed FIPS module and operates OpenSSL in FIPS mode when configured as described. If the service is not enabled in FIPS mode it is incorrectly configured. |
| STIG | Date |
|---|---|
| HPE 3PAR StoreServ 3.3.x Security Technical Implementation Guide | 2023-11-30 |
Details
| Check Text ( C-58969r870205_chk ) |
|---|
| If the mission does not require WSAPI functionality, this requirement is not applicable. Verify if WSAPI is configured to run. Use the command: cli% showwsapi -d If "service State" shows "Disabled", this is not applicable. If "HTTP State" shows "Enabled", this is a finding. If "HTTPS State" shows "Disabled", this is a finding. If "Policy" contains "no_tls_strict", this is a finding. |
| Fix Text (F-58913r870206_fix) |
|---|
| Stop the WSAPI process: cli% stopwsapi -f Reconfigure the WSAPI to use only HTTPS on TLSV1.2: cli% setwsapi -f -http disable cli% setwsapi -f -https enable cli% setwsapi -f -pol tls_strict Restart the WSAPI process: cli% startwsapi -f Wait up to five minutes for WSAPI to start up and verify it is Enabled/Active: cli% showwsapi Once WSAPI is active, verify FIPS mode: cli% controlsecurity fips status If WSAPI is "Disabled", this is an error that requires a service escalation. |