Docker Enterprise Universal Control Plane (UCP) must be configured to use TLS 1.2.

An XCCDF Rule

Description

By default docker UCP is configured to use TLS v1.2, if this setting is misconfigured, older protocols containing security weaknesses could be utilized. TLS requires a handshake between client and server which is where the TLS version utilized in the connection is negotiated. For DoD use cases, all TLS must be at version 1.2.

ID: SV-235874r627749_rule
Version: DKER-EE-006280
Severity: Medium
References: CCI-001453
Updated: 15 days ago

Remediation Templates

This fix only applies to the UCP component of Docker Enterprise.

via CLI:

Linux (requires curl and jq): As a Docker EE Admin, execute the following commands from a machine that can communicate with the UCP management console. Replace [ucp_url] with the UCP URL, [ucp_username] with the username of a UCP administrator and [ucp_password] with the password of a UCP administrator.
AUTHTOKEN=$(curl -sk -d '{"username":"[ucp_username]","password":"[ucp_password]"}' https://[ucp_url]/auth/login | jq -r .auth_token)
curl -sk -H "Authorization: Bearer $AUTHTOKEN" https://[ucp_url]/api/ucp/config-toml > ucp-config.toml

Open the "ucp-config.toml" file under the "[cluster_config]" section set "min_TLS_version = TLSv1.2". 
Save the file.

Execute the following commands to update UCP with the new configuration:

curl -sk -H "Authorization: Bearer $AUTHTOKEN" --upload-file ucp-config.toml https://[ucp_url]/api/ucp/config-toml

Docker Enterprise Universal Control Plane (UCP) must be configured to use TLS 1.2.

Description

Remediation Templates

A Manual Procedure