The HPE 3PAR OS must map the authenticated identity to the user account for PKI-based authentication.
An XCCDF Rule
Description
<VulnDiscussion>Without mapping the certificate used to authenticate to the user account, the ability to determine the identity of the individual user or group will not be available for forensic analysis. PKI authentication is performed by the HPE 3PAR SSMC, and the authenticated user's identity is extracted from the certificate and forwarded to the HPE 3PAR OS over a mutually authenticated TLS channel. The HPE 3PAR OS then queries/authorizes the identity in the external Account Management system (LDAP/AD), and authorizes the individual as appropriate based on that. The ldap-2fa-cert-field is used to tell the SSMC which field to extract from the user certificate. The ldap-2fa-object-attr is used to search the account management system for an account with a matching attribute.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>
- ID
- SV-255286r870281_rule
- Severity
- High
- References
- Updated
Remediation - Manual Procedure
To configure the two factor authentication parameters (2fa) to support PKI based authentication/authorization:
cli% setauthparam -f ldap-2fa-cert-field <name of certificate field containing user identity string>
cli% setauthparam -f ldap-2fa-object-attr <attribute in ldap object corresponding to cert field value>