If the AIX system is using LDAP for authentication or account information, the LDAP SSL, or TLS connection must require the server provide a certificate and this certificate must have a valid path to a trusted CA.

An XCCDF Rule

Description

Without path validation, an informed trust decision by the relying party cannot be made when presented with any certificate not already explicitly trusted.

ID: SV-215173r958448_rule
Version: AIX7-00-001006
Severity: Medium
References: CCI-000185
Updated: 23 days ago

Remediation Templates

Note: Depending on which version of GSKit is installed on AIX, the GSK commands that are used to manage the Key Database (KDB) have different names. The possible GSK commands are: gsk8capicmd (used below), gsk8capicmd_64 and gsk7cmd.

Create a key database with DoD PKI or DoD-approved certificate using one of the following commands: 
# gsk8capicmd -keydb -create -db <KDB_FILE> -pw <KDB_PASSWORD> -type cms -stash

Edit "/etc/security/ldap/ldap.cfg" and add or edit the "ldapsslkeyf" setting to reference a KDB file containing a client certificate issued by DoD PKI or a DoD-approved external PKI. 
Install a certificate signed by a DoD PKI or a DoD-approved external PKI using the following command: 
# gsk8capicmd -cert -add -db <KDB_FILE> -pw <KDB_PASSWORD> -file <CERT_FILE> -label <CERT_LABEL>

Remove un-needed CA certificates using one of the following commands: 
# gsk8capicmd -cert -delete -db <KDB_FILE> -pw <KDB_PASSWORD> -label <CERT_LABEL>

Restart LDAP client using command:
# /usr/sbin/restart-secldapclntd

If the AIX system is using LDAP for authentication or account information, the LDAP SSL, or TLS connection must require the server provide a certificate and this certificate must have a valid path to a trusted CA.

Description

Remediation Templates

A Manual Procedure