Check: OKTA-APP-001920
Okta Identity as a Service (IDaaS) STIG, version v1 r1
Title
Okta must be configured to use only DOD-approved certificate authorities. (Cat II impact)
Discussion
Untrusted Certificate Authorities (CA) can issue certificates, but they may be issued by organizations or individuals that seek to compromise DOD systems or by organizations with insufficient security controls. If the CA used for verifying the certificate is not DOD approved, trust of this CA has not been established. The DOD will accept only PKI certificates obtained from a DOD-approved internal or external CA. Reliance on CAs for the establishment of secure sessions includes, for example, the use of Transport Layer Security (TLS) certificates. This requirement focuses on communications protection for the application session rather than for the network packet. This requirement applies to applications that use communications sessions. This includes, but is not limited to, web-based applications and Service-Oriented Architectures (SOA).
Satisfies: SRG-APP-000427, SRG-APP-000910
Check Content
From the Admin Console:
1. Select Security >> Identity Providers (IdPs).
2. Review the list of IdPs with "Type" as "Smart Card". If the IdP is not listed as "Active", this is a finding.
3. Select Actions >> Configure.
4. Under "Certificate chain", verify the certificate is from a DOD-approved CA. If the certificate is not from a DOD-approved CA, this is a finding.
Fix Text
From the Admin Console:
1. Go to Security >> Identity Providers.
2. Click "Add identity provider."
3. Click "Smart Card IdP". Click "Next".
4. Enter the name of the identity provider.
5. Build a certificate chain:
- Click "Browse" to open a file explorer. Select the certificate file to add and click "Open".
- To add another certificate, click "Add Another" and repeat step 1.
- Click "Build certificate chain". On success, the chain and its certificates are shown. If the build failed, correct any issues and try again.
- Click "Reset certificate chain" if replacing the current chain with a new one.
6. In "IdP username", select the "idpuser.subjectAltNameUpn" attribute. This is the attribute that stores the Electronic Data Interchange Personnel Identifier (EDIPI) on the CAC.
7. In the "Match Against" field, select the Okta Profile Attribute in which the EDIPI is to be stored.
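The check above is a manual console review: each Smart Card IdP must be Active, and the chain it was built from must anchor in a DOD-approved CA. The script below is an added illustration of that same logic, not part of the STIG or of Okta's tooling. It assumes the chain certificates have been exported and reduced to subject, issuer and SHA-256 fingerprint (the value `openssl x509 -noout -fingerprint -sha256` prints), and that the approved trust anchors are known by fingerprint; the IdP record shape and all certificates are constructed for the example. It walks every certificate to its self-signed root, reports a broken link or loop, and flags any root that is not on the approved list.

```python
"""Added illustration of OKTA-APP-001920 as a script: confirm that each Smart
Card IdP is Active and that its certificate chain anchors in an approved CA.
The data shapes below are constructed for this example, not Okta's API."""
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    """Minimal view of a CA certificate from the IdP's certificate chain."""
    subject: str
    issuer: str
    der: bytes  # placeholder bytes standing in for the real DER encoding

    @property
    def fingerprint(self) -> str:
        # Same value 'openssl x509 -noout -fingerprint -sha256' prints (without colons)
        return hashlib.sha256(self.der).hexdigest()

    @property
    def self_signed(self) -> bool:
        return self.subject == self.issuer


def audit_chain(certs, approved_fingerprints):
    """Walk every certificate up to its self-signed root and report findings:
    a missing issuer (broken chain), an issuer loop, or a root whose SHA-256
    fingerprint is not on the approved trust-anchor list."""
    findings = []
    by_subject = {c.subject: c for c in certs}
    roots = {}  # subject -> Cert, insertion-ordered for stable output
    for cert in certs:
        current, seen = cert, set()
        while not current.self_signed:
            seen.add(current.subject)
            parent = by_subject.get(current.issuer)
            if parent is None:
                findings.append(f"{current.subject}: issuer {current.issuer} is not in the chain")
                break
            if parent.subject in seen:
                findings.append(f"{current.subject}: issuer loop in chain")
                break
            current = parent
        else:  # loop ended normally: reached a self-signed certificate
            roots[current.subject] = current
    for root in roots.values():
        if root.fingerprint not in approved_fingerprints:
            findings.append(f"{root.subject}: trust anchor is not an approved CA "
                            f"(sha256 {root.fingerprint[:16]}...)")
    return findings


def audit_idp(idp, approved_fingerprints):
    """Apply the two check steps to one IdP record. The dict keys are assumed
    for this example; the real source is the Admin Console or an export."""
    if idp["type"] != "Smart Card":
        return []  # the check covers Smart Card IdPs only
    findings = []
    if idp["status"] != "ACTIVE":
        findings.append(f'{idp["name"]}: Smart Card IdP is not Active')
    findings += [f'{idp["name"]}: {f}' for f in audit_chain(idp["chain"], approved_fingerprints)]
    return findings


# Constructed sample certificates; the byte strings are stand-ins for DER.
DOD_ROOT = Cert("CN=Example DoD Root CA", "CN=Example DoD Root CA", b"example-root-der")
DOD_ISSUING = Cert("CN=Example DoD ID CA", "CN=Example DoD Root CA", b"example-issuing-der")
ROGUE_ROOT = Cert("CN=Untrusted Root", "CN=Untrusted Root", b"example-rogue-der")

# Approved trust anchors: in practice, the SHA-256 fingerprints of the DOD root CAs
APPROVED = {DOD_ROOT.fingerprint}

# Constructed IdP records covering a compliant IdP, an untrusted root, an
# inactive IdP, and a non-Smart-Card IdP the check does not apply to.
SAMPLE_IDPS = [
    {"name": "CAC", "type": "Smart Card", "status": "ACTIVE", "chain": [DOD_ISSUING, DOD_ROOT]},
    {"name": "Lab PIV", "type": "Smart Card", "status": "ACTIVE", "chain": [DOD_ISSUING, ROGUE_ROOT]},
    {"name": "Old CAC", "type": "Smart Card", "status": "INACTIVE", "chain": [DOD_ISSUING, DOD_ROOT]},
    {"name": "Corp SAML", "type": "SAML 2.0", "status": "ACTIVE", "chain": []},
]

if __name__ == "__main__":
    for record in SAMPLE_IDPS:
        for finding in audit_idp(record, APPROVED):
            print("FINDING:", finding)
```

Matching on the root's fingerprint rather than its subject name is deliberate: a rogue CA can copy a DOD root's distinguished name, but not its certificate bytes. The "Lab PIV" record shows the two findings an untrusted root produces: the issuing CA's real issuer is absent from the chain, and the self-signed certificate that was supplied instead is not an approved anchor.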
Additional Identifiers
Rule ID: SV-273207r1098888_rule
Vulnerability ID: V-273207
Group Title: SRG-APP-000427
CCIs
Number | Definition
---|---
CCI-002470 | Only allow the use of organization-defined certificate authorities for verification of the establishment of protected sessions.
CCI-004909 | Include only approved trust anchors in trust stores or certificate stores managed by the organization.
Controls
Number | Title
---|---
SC-23(5) | Allowed Certificate Authorities