MarkLogic Server, when utilizing PKI-based authentication, must validate certificates by performing RFC 5280-compliant certification path validation.

An XCCDF Rule

Description

<VulnDiscussion>The DoD standard for authentication is DoD-approved PKI certificates. A certificate’s certification path is the path from the end entity certificate to a trusted root certification authority (CA). Certification path validation is necessary for a relying party to make an informed decision regarding acceptance of an end entity certificate. Certification path validation includes checks such as certificate issuer trust, time validity, and revocation status for each certificate in the certification path. Revocation status information resource/or CA and subject certificates in a certification path is commonly provided via certificate revocation lists (CRLs) or online certificate status protocol (OCSP) responses. Database Management Systems that do not validate certificates by performing RFC 5280-compliant certification path validation are in danger of accepting certificates that are invalid and/or counterfeit. This could allow unauthorized access to the database.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>

ID: SV-220366r879612_rule
Severity: Medium
References: CCI-000185
Updated: 9 months ago

Organizations must develop a strategy for maintaining a record of CRLs that have been applied to MarkLogic as well as a strategy for regularly obtaining updated CRLs from applicable Certificate Authorities.

Use one of the following two methods to add a CRL to MarkLogic:

Option 1 - Use the MarkLogic REST API "PUT /manage/v2/certificate-revocation-lists" (requires user authenticating to the system and have security and manage-admin roles)
Using a compatible HTTP request generator (i.e., Postman or curl) construct an HTTP PUT request:EXAMPLE:
 curl -X PUT --anyauth --user admin:admin --header "Content-Type:text/html" \
 -d "http://crl.verisign.com/pca3.crl" \
 http://localhost:8002/manage/v2/certificate-revocation-lists?url=url
NOTE: If the "url" param is a CRL then the request body must contain the PEM- or DER-encoded CRL. If the "url" parameter is a URL, then the request body must contain the URL from which the CRL was downloaded.

Option 2 - Use the Query Console in MarkLogic to insert the CRL using pki:insert-certificate-revocation-list() method (requires user authenticating to the system have security and manage-admin roles)
EXAMPLE:
xquery version "1.0-ml"; 
import module namespace pki = "http://marklogic.com/xdmp/pki" at "/MarkLogic/pki.xqy";
let $URI := "http://crl.verisign.com/pca3.crl"
 return
 pki:insert-certificate-revocation-list(
 $URI, 
 xdmp:document-get($URI)/binary() )

MarkLogic Server, when utilizing PKI-based authentication, must validate certificates by performing RFC 5280-compliant certification path validation.

Description

Remediation - Manual Procedure