The ISEC7 SPHERE must use a FIPS 140-2-validated cryptographic module to implement encryption services for unclassified information requiring confidentiality, generate cryptographic hashes, and to configure web management tools with FIPS-validated Advanced Encryption Standard (AES) cipher block algorithm to protect the confidentiality of maintenance and diagnostic communications for nonlocal maintenance sessions.

An XCCDF Rule

Description

<VulnDiscussion>FIPS 140-2 precludes the use of invalidated cryptography for the cryptographic protection of sensitive or valuable data within Federal systems. Unvalidated cryptography is viewed by NIST as providing no protection to the information or data. In effect, the data would be considered unprotected plaintext. If the agency specifies that the information or data be cryptographically protected, then FIPS 140-2 is applicable. In essence, if cryptography is required, it must be validated. Cryptographic modules that have been approved for classified use may be used in lieu of modules that have been validated against the FIPS 140-2 standard. The cryptographic module used must have one FIPS-validated encryption algorithm (i.e., validated Advanced Encryption Standard [AES]). This validated algorithm must be used for encryption for cryptographic security function within the product being evaluated. SPHERE is using the standard JCE module coming with OpenJDK 17 (included in installer) or Oracle JRE either legacy 1.8 or latest release. see https://openjdk.java.net/groups/security/ There are two module providers, IBM and RSA. The check/fix are written assuming the RSA module is used. Any FIPS 140-2 compliant JCE module (.jar) can be replaced and configured and used with SPHERE.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>

ID: SV-224779r1013850_rule
Severity: Medium
References: CCI-002450
Updated: 17 days ago

Submit a CSR for a DOD Issued Certificate with the private key.
Retrieve the approved certificate from the issuing Certificate Authority.
Set the friendly name on the certificate to https.

Windows-MY:
Open the Microsoft Management Console.Add the Certificates Snap-In for the ISEC7 Service Account.
Navigate to the Personal Certificates Store.
Import the certificate with Private key.
Log in to the ISEC7 SPHERE Console.
Navigate to Administration >> Configuration >> Apache Tomcat Settings.
Set the Keystore Type to Windows-MY.
Restart the ISEC7 SPHERE Web service.

JavaKeystore:
Using a Keystore browser such as Portecle, open the ISEC7 SPHERE keystore.
Enter the Keystore password when prompted.
Delete the self-signed certificate in the keystore.
Import the DOD issued certificate with the private key.
Enter the key password when prompted.
Enter the certificate alias as https when prompted.
Save the keystore with the same keystore password.
Log in to the ISEC7 SPHERE Console.
Navigate to Administration >> Configuration >> Apache Tomcat Settings.
Verify the Keystore type is set to JavaKeystore PKCS12.
Restart the ISEC7 SPHERE Web service.

Description

Remediation - Manual Procedure