A private OHS list of CAs in a trust hierarchy must lead to an authorized DoD PKI Root CA.

From Oracle HTTP Server 12.1.3 Security Technical Implementation Guide

Part of SRG-APP-000516-WSR-000174

Associated with: CCI-000366

SV-79169r1_rule A private OHS list of CAs in a trust hierarchy must lead to an authorized DoD PKI Root CA.

Vulnerability discussion

A PKI certificate is a digital identifier that establishes the identity of an individual or a platform. A server that has a certificate provides users with third-party confirmation of authenticity. Most web browsers perform server authentication automatically; the user is notified only if the authentication fails. The authentication process between the server and the client is performed using the SSL/TLS protocol. Digital certificates are authenticated, issued, and managed by a trusted Certification Authority (CA). The use of a trusted certificate validation hierarchy is crucial to the ability to control access to the server and prevent unauthorized access. This hierarchy needs to lead to the DoD PKI Root CA or to an approved External Certificate Authority (ECA) or are required for the server to function.

Check content

1. Go to the location of the OHS keystores (e.g., cd $DOMAIN_HOME/config/fmwconfig/components/OHS//keystores). 2. For each wallet directory located there, do the following: a) Issue the command "$ORACLE_HOME/oracle_common/bin/orapki wallet display -wallet ". b) Confirm that only the appropriate DoD Certificate Authorities are listed as Trusted Certificates and that the Identity Certificate has been issued by a DoD Certificate authority. 3. If any of the Trusted Certificates are not appropriate DoD Certificate Authorities or the Identity Certificate has not been issued by a DoD Certificate authority, this is a finding.

Fix text

1. Go to the location of the OHS keystores (e.g., cd $DOMAIN_HOME/config/fmwconfig/components/OHS//keystores). 2. For each wallet directory located there, do the following: a) Issue the command "$ORACLE_HOME/oracle_common/bin/orapki wallet display -wallet ". b) Remove the Identity Certificate if it was not issued by a DoD Certificate authority. c) Remove each Trusted Certificate from the wallet that is not an appropriate DoD Certificate Authority with the command "$ORACLE_HOME/oracle_common/bin/orapki wallet remove -wallet -dn -trusted_cert".

Pro Tips

Lavender hyperlinks in small type off to the right (of CSS class id, if you view the page source) point to globally unique URIs for each document and item. Copy the link location and paste anywhere you need to talk unambiguously about these things.

You can obtain data about documents and items in other formats. Simply provide an HTTP header Accept: text/turtle or Accept: application/rdf+xml.

Powered by sagemincer