ONTAP must use DoD-approved PKI rather than proprietary or self-signed device certificates.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
| V-246945 | NAOT-CM-000008 | SV-246945r961863_rule | Medium |
| Description |
| Each organization obtains user certificates from an approved, shared service provider as required by OMB policy. For federal agencies operating a legacy public key infrastructure cross-certified with the Federal Bridge Certification Authority (CA) at medium assurance or higher, this CA will suffice. |
| STIG | Date |
| NetApp ONTAP DSC 9.x Security Technical Implementation Guide | 2024-08-22 |
Details
| Check Text (C-50377r945866_chk) |
| Use the command "security certificate show -instance -type client-ca" to show information about the ca-certificates that are installed. If any of the certificates have the name or identifier of a nonapproved source in the Issuer field, this is a finding. |
| Fix Text (F-50331r945867_fix) |
| Generate a new key-pair from a DOD-approved certificate issuer. Sites must consult the PKI/PKI pages on the https://cyber.mil website for procedures for NIPRNet and SIPRNet. RSA: request security pki generate-key-pair certificate-id <cert name> type rsa size <512 | 1024 | 2048 | 4096> ECDSA: request security pki generate-key-pair certificate-id <cert_name> type ecdsa size <256 | 384> Generate a CSR from RSA key-pair using the following command and options. request security generate-certificate-request certificate-id <cert_name_from_key_file> digest <sha1 | sha256> domain <FQDN> email <admin_email> ip-address <ip_address> subject “CN=<hostname>,DC=<domain_part>,DC=<TLD_domain>,O=<organization>,OU=<organization_dept>, L=<city>,ST=<state>,C=<us>” filename <path/filename> Generate a CSR from ECDSA key-pair using the following command and options. request security generate-certificate-request certificate-id <cert_name_from_key_file> digest <sha256 | sha384> domain <FQDN> email <admin_email> ip-address <ip_address> subject “CN=<hostname>,DC=<domain_part>,DC=<TLD_domain>,O=<organization>,OU=<organization_dept>, L=<city>,ST=<state>,C=<us>” filename <path/filename> If no filename is specified, the CSR is displayed on the standard out (terminal). After receiving the approved certificate from the CA, install the certificate with the command "security certificate install -type client-ca -vserver <vserver_name>". For SSH accounts, apply the public key from the cert to the user account with the following command. security login publickey create -vserver <vserver name> -username <username> -index 0 -publickey "ssh-rsa <cert_text>" |