AIX must only allow the use of DoD PKI-established certificate authorities for verification of the establishment of protected sessions.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-215215	AIX7-00-001105	SV-215215r508663_rule		Medium

Description
Untrusted Certificate Authorities (CA) can issue certificates, but they may be issued by organizations or individuals that seek to compromise DoD systems or by organizations with insufficient security controls. If the CA used for verifying the certificate is not a DoD-approved CA, trust of this CA has not been established. The DoD will only accept PKI-certificates obtained from a DoD-approved internal or external certificate authority. Reliance on CAs for the establishment of secure sessions includes, for example, the use of SSL/TLS certificates.

Description

Untrusted Certificate Authorities (CA) can issue certificates, but they may be issued by organizations or individuals that seek to compromise DoD systems or by organizations with insufficient security controls. If the CA used for verifying the certificate is not a DoD-approved CA, trust of this CA has not been established. The DoD will only accept PKI-certificates obtained from a DoD-approved internal or external certificate authority. Reliance on CAs for the establishment of secure sessions includes, for example, the use of SSL/TLS certificates.

STIG	Date
IBM AIX 7.x Security Technical Implementation Guide	2022-06-06

Details

Check Text ( C-16413r294096_chk )
Note: Depending on which version of GSKit is installed on AIX, the GSK commands that are used to manage the Key Database (KDB) have different names. The possible GSK commands are: gsk8capicmd (used below), gsk8capicmd_64 and gsk7cmd. Check if the system is using LDAP authentication: # grep LDAP /etc/security/user If no lines are returned, this requirement is not applicable. Check if the useSSL option is enabled: # grep '^useSSL' /etc/security/ldap/ldap.cfg useSSL:yes If "yes" is not the returned value, this is a finding. Verify a certificate is used for client authentication to the server: # grep -i '^ldapsslkeyf' /etc/security/ldap/ldap.cfg ldapsslkeyf:/tmp/key.kdb If no line is found, this is a finding. Identify the Key Database (KDB), and its password, by asking the ISSO/SA). If no Key Database exists on the system, this is a finding. List the certificate issuer with IBM GSK: # gsk8capicmd -cert -list CA -db -pw Make note of the client Key Label: # gsk8capicmd -cert -details -showOID -db -pw -label If the certificate is not issued by DoD PKI or a DoD-approved external PKI, this is a finding. The IBM GSK Database should only have certificates for the client system and for the LDAP server. If more certificates are in the key database than the LDAP server and the client, this is a finding.

Check Text ( C-16413r294096_chk )

Note: Depending on which version of GSKit is installed on AIX, the GSK commands that are used to manage the Key Database (KDB) have different names. The possible GSK commands are: gsk8capicmd (used below), gsk8capicmd_64 and gsk7cmd.

Check if the system is using LDAP authentication:

# grep LDAP /etc/security/user

If no lines are returned, this requirement is not applicable.

Check if the useSSL option is enabled:

# grep '^useSSL' /etc/security/ldap/ldap.cfg
useSSL:yes

If "yes" is not the returned value, this is a finding.

Verify a certificate is used for client authentication to the server:

# grep -i '^ldapsslkeyf' /etc/security/ldap/ldap.cfg
ldapsslkeyf:/tmp/key.kdb

If no line is found, this is a finding.

Identify the Key Database (KDB), and its password, by asking the ISSO/SA).

If no Key Database exists on the system, this is a finding.

List the certificate issuer with IBM GSK:

# gsk8capicmd -cert -list CA -db -pw

Make note of the client Key Label:

# gsk8capicmd -cert -details -showOID -db -pw -label

If the certificate is not issued by DoD PKI or a DoD-approved external PKI, this is a finding.

The IBM GSK Database should only have certificates for the client system and for the LDAP server.

If more certificates are in the key database than the LDAP server and the client, this is a finding.

Fix Text (F-16411r294097_fix)
Note: Depending on which version of GSKit is installed on AIX, the GSK commands that are used to manage the Key Database (KDB) have different names. The possible GSK commands are: gsk8capicmd (used below), gsk8capicmd_64 and gsk7cmd. Create a key database with DoD PKI or DoD-approved certificate using one of the following commands: # gsk8capicmd -keydb -create -db -pw -type cms -stash Edit "/etc/security/ldap/ldap.cfg" and add or edit the "ldapsslkeyf" setting to reference a KDB file containing a client certificate issued by DoD PKI or a DoD-approved external PKI. Install a certificate signed by a DoD PKI or a DoD-approved external PKI using the following command: # gsk8capicmd -cert -add -db -pw -file -label Remove un-needed CA certificates using one of the following commands: # gsk8capicmd -cert -delete -db -pw -label Restart LDAP client using command: # /usr/sbin/restart-secldapclntd

Fix Text (F-16411r294097_fix)

Note: Depending on which version of GSKit is installed on AIX, the GSK commands that are used to manage the Key Database (KDB) have different names. The possible GSK commands are: gsk8capicmd (used below), gsk8capicmd_64 and gsk7cmd.

Create a key database with DoD PKI or DoD-approved certificate using one of the following commands:
# gsk8capicmd -keydb -create -db -pw -type cms -stash

Edit "/etc/security/ldap/ldap.cfg" and add or edit the "ldapsslkeyf" setting to reference a KDB file containing a client certificate issued by DoD PKI or a DoD-approved external PKI.

Install a certificate signed by a DoD PKI or a DoD-approved external PKI using the following command:
# gsk8capicmd -cert -add -db -pw -file -label

Remove un-needed CA certificates using one of the following commands:
# gsk8capicmd -cert -delete -db -pw -label

Restart LDAP client using command:
# /usr/sbin/restart-secldapclntd