AIX7-00-001006 - If the AIX system is using LDAP for authentication or account information, the LDAP SSL or TLS connection must require that the server provide a certificate, and this certificate must have a valid path to a trusted CA - Certificate Issuer

Warning! Audit Deprecated

This audit has been deprecated and will be removed in a future update.


Information

Without path validation, an informed trust decision by the relying party cannot be made when presented with any certificate not already explicitly trusted.

Solution

Note: Depending on which version of GSKit is installed on AIX, the GSK commands that are used to manage the Key Database (KDB) have different names. The possible GSK commands are: gsk8capicmd (used below), gsk8capicmd_64 and gsk7cmd.

Create a key database with DoD PKI or DoD-approved certificate using one of the following commands:
# gsk8capicmd -keydb -create -db <KDB_FILE> -pw <KDB_PASSWORD> -type cms -stash

Edit '/etc/security/ldap/ldap.cfg' and add or edit the 'ldapsslkeyf' setting to reference a KDB file containing a client certificate issued by DoD PKI or a DoD-approved external PKI.

Install a certificate signed by a DoD PKI or a DoD-approved external PKI using the following command:
# gsk8capicmd -cert -add -db <KDB_FILE> -pw <KDB_PASSWORD> -file <CERT_FILE> -label <CERT_LABEL>

Remove un-needed CA certificates using one of the following commands:
# gsk8capicmd -cert -delete -db <KDB_FILE> -pw <KDB_PASSWORD> -label <CERT_LABEL>

Restart the LDAP client using the following command:
# /usr/sbin/restart-secldapclntd
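The steps above configure the client; what an auditor then wants is a way to confirm that 'ldapsslkeyf' is actually active in ldap.cfg (not commented out) and that the KDB it names exists on disk. The following POSIX shell script is an added example, not part of the STIG or of Tenable's audit. It runs against a constructed ldap.cfg sample in a temporary directory; the 'build_samples' helper, the sample key names other than 'ldapsslkeyf', and the file names are assumptions made for the demonstration. Point 'check_ldapsslkeyf' at /etc/security/ldap/ldap.cfg to run it on a real host.

```shell
#!/bin/sh
# Added example (not from the STIG or Tenable): verify that an AIX ldap.cfg
# carries an active 'ldapsslkeyf' entry and that the referenced KDB exists.

# ldapsslkeyf_path CFG
#   Prints the value of the last uncommented 'ldapsslkeyf' line in CFG
#   (AIX uses 'key:value' lines; a leading '#' marks a comment).
#   Prints nothing if the key is absent or only present commented out.
ldapsslkeyf_path() {
    sed -n 's/^[[:space:]]*ldapsslkeyf[[:space:]]*:[[:space:]]*//p' "$1" \
        | sed 's/[[:space:]]*$//' \
        | tail -n 1
}

# check_ldapsslkeyf CFG
#   Exit status 0: key set and KDB file present
#                1: key not set (or commented out)
#                2: key set but the referenced file is missing
check_ldapsslkeyf() {
    kdb=$(ldapsslkeyf_path "$1")
    if [ -z "$kdb" ]; then
        echo "FAIL: ldapsslkeyf is not set in $1" >&2
        return 1
    fi
    if [ ! -f "$kdb" ]; then
        echo "FAIL: ldapsslkeyf references a missing file: $kdb" >&2
        return 2
    fi
    echo "OK: ldapsslkeyf=$kdb"
    return 0
}

# build_samples DIR
#   Writes three constructed ldap.cfg samples and a placeholder KDB into DIR
#   so the checks can be exercised offline. None of these are real AIX files.
build_samples() {
    dir=$1
    : > "$dir/client.kdb"                      # stands in for a real key database
    printf '# constructed sample: compliant\nldapservers:ldap.example.test\nldapsslkeyf:%s/client.kdb\n' \
        "$dir" > "$dir/good.cfg"
    printf '# constructed sample: key commented out\nldapservers:ldap.example.test\n#ldapsslkeyf:%s/client.kdb\n' \
        "$dir" > "$dir/commented.cfg"
    printf '# constructed sample: key points at a file that does not exist\nldapsslkeyf:%s/nonexistent.kdb\n' \
        "$dir" > "$dir/missing.cfg"
}

# Demo on the constructed samples; adapt the path for a real /etc/security/ldap/ldap.cfg.
tmp=$(mktemp -d)
build_samples "$tmp"
for c in good commented missing; do
    check_ldapsslkeyf "$tmp/$c.cfg" || echo "  (exit status $?)"
done
rm -rf "$tmp"
```

The check deliberately ignores commented-out lines, which is the common way a setting looks present in a grep but is not in effect; confirming the KDB path resolves catches the other frequent drift, a key database that was moved or deleted after the config was written.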

See Also

https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_IBM_AIX_7-x_V2R6_STIG.zip

Item Details

References: CAT|II, CCI|CCI-000185, Rule-ID|SV-215173r508663_rule, STIG-ID|AIX7-00-001006, STIG-Legacy|SV-101375, STIG-Legacy|V-91277, Vuln-ID|V-215173

Plugin: Unix

Control ID: ed5b0e7800f56dd96445e04c65fbe8075e9b9a0d2247aa678651345d01307050