ONTAP must use DoD-approved PKI rather than proprietary or self-signed device certificates.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| V-246945 | NAOT-CM-000008 | SV-246945r835244_rule | Medium |
| Description |
|---|
| Each organization obtains user certificates from an approved, shared service provider as required by OMB policy. For federal agencies operating a legacy public key infrastructure cross-certified with the Federal Bridge Certification Authority (CA) at medium assurance or higher, this CA will suffice. |
| STIG | Date |
|---|---|
| NetApp ONTAP DSC 9.x Security Technical Implementation Guide | 2022-06-07 |
Details
| Check Text ( C-50377r835242_chk ) |
|---|
| Use the command "security certificate show -instance -type client-ca" to show information about the ca-certificates that are installed. If any of the certificates have the name or identifier of a non-approved source in the Issuer field, this is a finding. |
| Fix Text (F-50331r835243_fix) |
|---|
| Generate a new key-pair from a DoD-approved certificate issuer. Sites must consult the PKI/PKI pages on the http://iase.disa.mil/ website for procedures for NIPRNet and SIPRNet. RSA: request security pki generate-key-pair certificate-id ECDSA: request security pki generate-key-pair certificate-id Generate a CSR from RSA key-pair using the following command and options. request security generate-certificate-request certificate-id L= Generate a CSR from ECDSA key-pair use the following command and options. request security generate-certificate-request certificate-id L= If no filename is specified, the CSR is displayed on the standard out (terminal) After receiving the approved certificate from the CA, install the certificate with the command "security certificate install -type client-ca -vserver |