UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

Nutanix AOS must implement cryptography mechanisms to protect the confidentiality and integrity of the remote access session.


Overview

Finding ID Version Rule ID IA Controls Severity
V-254099 NUTX-AP-000040 SV-254099r858120_rule High
Description
Encryption is critical for protection of remote access sessions. If encryption is not being used for integrity, malicious users may gain the ability to modify the application server configuration. The use of cryptography for ensuring integrity of remote access sessions mitigates that risk. Application servers utilize a web management interface and scripted commands when allowing remote access. Web access requires the use of TLS and scripted access requires using ssh or some other form of approved cryptography. Application servers must have a capability to enable a secure remote admin capability. FIPS 140-2 approved TLS versions must be enabled and non-FIPS-approved SSL versions must be disabled. NIST SP 800-52 specifies the preferred configurations for government systems. Satisfies: SRG-APP-000014-AS-000009, SRG-APP-000015-AS-000010
STIG Date
Nutanix AOS 5.20.x Application Security Technical Implementation Guide 2022-08-24

Details

Check Text ( C-57584r846383_chk )
Validate that the Signing Algorithm of the current SSL certificate.

In the Prism UI, click the gear icon, and then select Settings >> SSL Certificate.

If there is no SSL Certificate loaded, this is a finding.
Fix Text (F-57535r858120_fix)
Import a DoD PKI issued SSL Certificate by Following the "Install an SSL Certificate" instructions in the "AOS Security Guide" located on the Nutanix Portal or by completing the following steps.

1. Click the gear icon in the main menu, and then select SSL Certificate in the Settings page. The SSL Certificate dialog box appears.
2. To replace (or install) a certificate, click "Replace Certificate".
3. To apply a custom certificate that the user provides:
a. Click the Import Key and Certificate option, and then click "Next".
b. Complete the fields as follows, and then click the "Import Files". Note: All three imported files for the custom certificate must be PEM encoded.
i. Private Key Type: Select the appropriate type for the signed certificate from the pull-down list (RSA 4096 bit, RSA 2048 bit, EC DSA 256 bit, EC DSA 384 bit, or EC DSA 521).
ii. Private Key: Click "Browse", and then select the private key associated with the certificate to be imported.
iii. Public Certificate: Click "Browse", and then select the signed public portion of the server certificate corresponding to the private key.
iv. CA Certificate/Chain: Click "Browse", and then select the certificate or chain of the signing authority for the public certificate.

Use the "cat" command to concatenate a list of CA certificates into a chain file.

$ cat signer.crt inter.crt root.crt > server.cert