The application server must use DoD- or CNSS-approved PKI Class 3 or Class 4 certificates.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-89135	VRAU-AP-000645	SV-99785r1_rule		Medium

Description
Class 3 PKI certificates are used for servers and software signing rather than for identifying individuals. Class 4 certificates are used for business-to-business transactions. Utilizing unapproved certificates not issued or approved by DoD or CNS creates an integrity risk. The application server must utilize approved DoD or CNS Class 3 or Class 4 certificates for software signing and business-to-business transactions.

Description

Class 3 PKI certificates are used for servers and software signing rather than for identifying individuals. Class 4 certificates are used for business-to-business transactions. Utilizing unapproved certificates not issued or approved by DoD or CNS creates an integrity risk. The application server must utilize approved DoD or CNS Class 3 or Class 4 certificates for software signing and business-to-business transactions.

STIG	Date
VMware Automation 7.x Application Security Technical Implementation Guide	2018-10-12

Details

Check Text ( C-88827r1_chk )
Verify that Smart Card Authentication is in use with the following steps: 1. In vRA, go to Administration >> Directories Management >> Identity Providers. 2. Verify that the identity provider listed is the identity provider used for smart card authentication. 3. In vRA, go to Administration >> Directories Management >> Policies. 4. Verify that the default policy authentication method is set to "certificate". If the identity provider listed is not that used for smart card authentication, this is a finding. If the default policy authentication method is not set to "certificate", this is a finding.

Check Text ( C-88827r1_chk )

Verify that Smart Card Authentication is in use with the following steps:

1. In vRA, go to Administration >> Directories Management >> Identity Providers.
2. Verify that the identity provider listed is the identity provider used for smart card authentication.
3. In vRA, go to Administration >> Directories Management >> Policies.
4. Verify that the default policy authentication method is set to "certificate".

If the identity provider listed is not that used for smart card authentication, this is a finding.

If the default policy authentication method is not set to "certificate", this is a finding.

Fix Text (F-95877r1_fix)
Configure vRA to use Smart Card Authentication with the following steps: 1. Set up smart card infrastructure as per VMware documentation, if required. 2. In vRA, go to Administration >> Directories Management >> Identity Providers. 3. Add the identity provider used for smart card authentication. 4. In vRA, go to Administration >> Directories Management >> Policies. 5. Edit default policy and change authentication method to "certificate".

Fix Text (F-95877r1_fix)

Configure vRA to use Smart Card Authentication with the following steps:

1. Set up smart card infrastructure as per VMware documentation, if required.
2. In vRA, go to Administration >> Directories Management >> Identity Providers.
3. Add the identity provider used for smart card authentication.
4. In vRA, go to Administration >> Directories Management >> Policies.
5. Edit default policy and change authentication method to "certificate".