
ONTAP must use DoD-approved PKI rather than proprietary or self-signed device certificates.


Overview

Finding ID: V-246945
Version: NAOT-CM-000008
Rule ID: SV-246945r961863_rule
IA Controls: (none listed)
Severity: Medium
Description
Each organization obtains user certificates from an approved, shared service provider as required by OMB policy. For federal agencies operating a legacy public key infrastructure cross-certified with the Federal Bridge Certification Authority (CA) at medium assurance or higher, this CA will suffice.
STIG: NetApp ONTAP DSC 9.x Security Technical Implementation Guide
Date: 2024-06-10

Details

Check Text (C-50377r945866_chk)
Use the command "security certificate show -instance -type client-ca" to display the installed CA certificates.

If the Issuer field of any certificate carries the name or identifier of a non-approved source, this is a finding.
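As an added example (not part of the STIG and not NetApp's code), the following Python script automates the check above: it parses captured output of "security certificate show -instance -type client-ca" and flags every client-ca certificate whose issuer matches none of the approved-issuer patterns. The sample output, the field labels (in particular "Certificate Authority" as the issuer field), and the approved-issuer patterns are assumptions for illustration; the site must populate the pattern list from the current cyber.mil PKI/PKE guidance for its enclave.

```python
"""Audit ONTAP 'security certificate show -instance -type client-ca' output
for certificates issued by a non-approved (or self-signed) source."""
import re
import sys

# Constructed sample in the '-instance' layout: one "Label: value" line per
# field, a blank line between records. Vserver names, certificate names and
# the exact field labels are assumptions for illustration.
SAMPLE_OUTPUT = """\
                       Vserver: svm_data
              Certificate Name: DoDRootCA3
    FQDN or Custom Common Name: DoD Root CA 3
                 Serial Number: 01
         Certificate Authority: DoD Root CA 3
                          Type: client-ca
               Expiration Date: Sun Dec 30 18:46:41 2029

                       Vserver: svm_data
              Certificate Name: vendor_default_ca
    FQDN or Custom Common Name: Example Vendor CA
                 Serial Number: 7A3F
         Certificate Authority: Example Vendor Root CA
                          Type: client-ca
               Expiration Date: Mon Jan 01 00:00:00 2035

                       Vserver: svm_data
              Certificate Name: svm_data_self
    FQDN or Custom Common Name: svm_data.example.mil
                 Serial Number: 9C
         Certificate Authority: svm_data.example.mil
                          Type: server
               Expiration Date: Tue Jun 10 12:00:00 2025
3 entries were displayed.
"""

# Issuer names accepted as DoD PKI. Assumed patterns; populate them from the
# current cyber.mil PKI/PKE list for the enclave (NIPRNet and SIPRNet differ).
APPROVED_ISSUERS = [
    r"^DoD Root CA \d+$",
    r"^DOD (ID|SW|EMAIL) CA-\d+$",
]

FIELD_RE = re.compile(r"^\s*([^:]+?):\s*(.*)$")


def parse_instances(text):
    """Split '-instance' output into a list of {label: value} records."""
    records, current = [], {}
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if m:
            current[m.group(1).strip()] = m.group(2).strip()
        elif current:                 # blank line or trailer ends a record
            records.append(current)
            current = {}
    if current:
        records.append(current)
    return records


def audit(records, approved=APPROVED_ISSUERS, cert_type="client-ca"):
    """Return (vserver, name, issuer, reason) for every certificate of
    cert_type whose issuer matches none of the approved patterns."""
    findings = []
    for r in records:
        if r.get("Type") != cert_type:
            continue
        issuer = r.get("Certificate Authority", "")
        if any(re.match(p, issuer, re.IGNORECASE) for p in approved):
            continue
        self_signed = issuer == r.get("FQDN or Custom Common Name")
        reason = "self-signed" if self_signed else "non-approved issuer"
        findings.append((r.get("Vserver"), r.get("Certificate Name"), issuer, reason))
    return findings


if __name__ == "__main__":
    # Pass a file holding the real CLI output; otherwise the sample is audited.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_OUTPUT
    hits = audit(parse_instances(text))
    for vserver, name, issuer, reason in hits:
        print(f"FINDING vserver={vserver} cert={name} issuer={issuer!r} ({reason})")
    print("No findings." if not hits else f"{len(hits)} finding(s).")
```

Note that an approved root CA is itself self-signed, so "self-signed" alone is not the test; the finding criterion is the issuer identity, and the self-signed label is only attached to certificates that have already failed the issuer match. The filter on the Type field keeps the audit aligned with the "-type client-ca" scope of the check; drop it to review server certificates against the same list.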
Fix Text (F-50331r945867_fix)
Generate a new key pair and obtain its certificate from a DoD-approved certificate authority. Sites must consult the PKI/PKE pages on the https://cyber.mil website for the procedures for NIPRNet and SIPRNet.

RSA:
request security pki generate-key-pair certificate-id type rsa size <512 | 1024 | 2048 | 4096>

ECDSA:
request security pki generate-key-pair certificate-id type ecdsa size <256 | 384>

Generate a CSR from the RSA or ECDSA key pair with the following command and options (the syntax is the same for both key types):

request security generate-certificate-request certificate-id digest domain email ip-address subject "CN=,DC=,DC=,O=,OU=,L=,ST=,C=" filename

If no filename is specified, the CSR is written to standard output (the terminal).

After receiving the approved certificate from the CA, install it with the command "security certificate install -type client-ca -vserver <vserver>".

For SSH accounts, apply the public key from the certificate to the user account with the following command:

security login publickey create -vserver <vserver> -username <username> -index 0 -publickey "ssh-rsa <public key>"
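The last step needs the certificate's RSA public key in the OpenSSH "ssh-rsa AAAA..." form, which the CA does not hand back. As an added example (not part of the STIG and not NetApp's code), the script below extracts the SubjectPublicKeyInfo from a certificate with openssl, walks the DER by hand to recover the modulus and exponent, and assembles the OpenSSH line and the matching ONTAP command. It assumes openssl on PATH, and its demo() generates a throwaway self-signed certificate purely so the code can run offline; in the real procedure the input is the certificate returned by the DoD CA for the key pair generated above, and the vserver and user names are placeholders.

```python
"""Build the 'ssh-rsa ...' value for 'security login publickey create' from
an X.509 certificate. The DER walk is deliberately minimal: it understands
only an RSA SubjectPublicKeyInfo, which is all this step requires."""
import base64
import subprocess
import tempfile
from pathlib import Path

RSA_OID = bytes.fromhex("2a864886f70d010101")   # 1.2.840.113549.1.1.1 rsaEncryption


def _tlv(buf, pos=0):
    """Read one DER tag-length-value triple; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                              # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def pem_to_der(pem: str) -> bytes:
    body = "".join(l for l in pem.splitlines() if not l.startswith("-----"))
    return base64.b64decode(body)


def rsa_params_from_spki(der: bytes):
    """Return (modulus_bytes, exponent_bytes) from an RSA SubjectPublicKeyInfo:
    SEQUENCE { AlgorithmIdentifier, BIT STRING { SEQUENCE { n, e } } }."""
    tag, spki, _ = _tlv(der)
    if tag != 0x30:
        raise ValueError("SubjectPublicKeyInfo must be a SEQUENCE")
    _, alg, after_alg = _tlv(spki)
    _, oid, _ = _tlv(alg)
    if oid != RSA_OID:
        raise ValueError("not an RSA key (ECDSA keys need the ssh-ecdsa format)")
    tag, bits, _ = _tlv(spki, after_alg)
    if tag != 0x03 or bits[0] != 0:
        raise ValueError("malformed BIT STRING")
    _, rsa_key, _ = _tlv(bits[1:])                 # skip the unused-bits byte
    _, n, after_n = _tlv(rsa_key)
    _, e, _ = _tlv(rsa_key, after_n)
    return n, e


def _ssh_string(b: bytes) -> bytes:
    return len(b).to_bytes(4, "big") + b


def openssh_line(n: bytes, e: bytes, comment: str = "") -> str:
    """RFC 4253 ssh-rsa blob: string "ssh-rsa", mpint e, mpint n. A DER INTEGER
    already carries the leading 0x00 that an SSH mpint needs, so the raw
    contents are reused unchanged."""
    blob = _ssh_string(b"ssh-rsa") + _ssh_string(e) + _ssh_string(n)
    line = "ssh-rsa " + base64.b64encode(blob).decode()
    return f"{line} {comment}" if comment else line


def ontap_publickey_command(vserver, username, pubkey_line, index=0):
    return (f"security login publickey create -vserver {vserver} "
            f"-username {username} -index {index} -publickey \"{pubkey_line}\"")


def demo(cn="demo.example.mil"):
    """Create a throwaway self-signed certificate with openssl (assumed on
    PATH; demonstration only, the real input is the DoD-issued certificate),
    derive the OpenSSH key line, and cross-check the modulus against openssl."""
    with tempfile.TemporaryDirectory() as d:
        cert = Path(d) / "cert.pem"
        subprocess.run(["openssl", "req", "-x509", "-newkey", "rsa:2048", "-nodes",
                        "-keyout", str(Path(d) / "key.pem"), "-out", str(cert),
                        "-subj", f"/CN={cn}", "-days", "1"],
                       check=True, capture_output=True)
        pub_pem = subprocess.run(["openssl", "x509", "-in", str(cert), "-pubkey", "-noout"],
                                 check=True, capture_output=True, text=True).stdout
        modulus_hex = subprocess.run(["openssl", "x509", "-in", str(cert), "-modulus", "-noout"],
                                     check=True, capture_output=True, text=True
                                     ).stdout.split("=", 1)[1].strip()
    n, e = rsa_params_from_spki(pem_to_der(pub_pem))
    line = openssh_line(n, e, cn)
    return {"n": int.from_bytes(n, "big"), "e": int.from_bytes(e, "big"),
            "openssl_modulus": int(modulus_hex, 16), "pubkey_line": line,
            "command": ontap_publickey_command("<vserver>", "<username>", line)}


if __name__ == "__main__":
    print(demo()["command"])
```

Only the public half of the key leaves this script; the private key stays wherever the key pair was generated. An ECDSA certificate is rejected on purpose because its SSH encoding (ecdsa-sha2-nistp256 and friends) differs, so the raise is the safe failure rather than emitting a key ONTAP would not accept.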