The CA API Gateway providing PKI-based user authentication intermediary services must map authenticated identities to the user account.
An XCCDF Rule
Description
<VulnDiscussion>Authorization for access to any network element requires an approved and assigned individual account identifier. To ensure only the assigned individual is using the account, the account must be bound to a user certificate when PKI-based authentication is implemented. This requirement applies to ALGs that provide user authentication intermediary services (e.g., authentication gateway or TLS gateway). This does not apply to authentication for the purpose of configuring the device itself (device management). When a user is authenticated using PKI, the CA API Gateway must map attributes associated with their certificate in order to query an identity provider mapping the PKI certificate to a user account.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>
- ID
- SV-85983r1_rule
- Severity
- Medium
- References
- Updated
Remediation - Manual Procedure
Open the CA API Gateway - Policy Manager and double-click the Registered Services requiring certificate mapping to user accounts.
Update the policy with the "Require SSL/TLS with Client Certificate Authentication", the "Extract Attributes from Certificate", and one of the "Authenticate Against..." Assertions. In addition, create the policy logic necessary to provide access to the Registered Service's resources after extracting the proper attributes from the certificate using the "Extract Attributes from Certificate" Assertion in accordance with organizational requirements.