AIX7-00-001006 - If the AIX system is using LDAP for authentication or account information, the LDAP SSL, or TLS connection must require the server provide a certificate and this certificate must have a valid path to a trusted CA - useSSL

Information

Without path validation, an informed trust decision by the relying party cannot be made when presented with any certificate not already explicitly trusted.

Solution

Note: Depending on which version of GSKit is installed on AIX, the GSK commands that are used to manage the Key Database (KDB) have different names. The possible GSK commands are: gsk8capicmd (used below), gsk8capicmd_64 and gsk7cmd.

Create a key database with DoD PKI or DoD-approved certificate using one of the following commands:
# gsk8capicmd -keydb -create -db <KDB_FILE> -pw <KDB_PASSWORD> -type cms -stash

Edit '/etc/security/ldap/ldap.cfg' and add or edit the 'ldapsslkeyf' setting to reference a KDB file containing a client certificate issued by DoD PKI or a DoD-approved external PKI.

Install a certificate signed by a DoD PKI or a DoD-approved external PKI using the following command:
# gsk8capicmd -cert -add -db <KDB_FILE> -pw <KDB_PASSWORD> -file <CERT_FILE> -label <CERT_LABEL>

Remove un-needed CA certificates using one of the following commands:
# gsk8capicmd -cert -delete -db <KDB_FILE> -pw <KDB_PASSWORD> -label <CERT_LABEL>

Restart LDAP client using command:
# /usr/sbin/restart-secldapclntd

See Also

https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_IBM_AIX_7-x_V2R9_STIG.zip

Item Details

Category: IDENTIFICATION AND AUTHENTICATION

References: 800-53|IA-5(2)(a), CAT|II, CCI|CCI-000185, Rule-ID|SV-215173r508663_rule, STIG-ID|AIX7-00-001006, STIG-Legacy|SV-101375, STIG-Legacy|V-91277, Vuln-ID|V-215173

Plugin: Unix

Control ID: ed5b0e7800f56dd96445e04c65fbe8075e9b9a0d2247aa678651345d01307050