Title

Redis Enterprise DBMS must recognize only system-generated session identifiers. (Cat II impact)

Discussion

This requirement focuses on communications protection for the DBMS session rather than for the network packet. The intent of this control is to establish grounds for confidence at each end of a communications session in the ongoing identity of the other party and in the validity of the information being transmitted. Redis Enterprise Software (RS) uses self-signed certificates out-of-the-box to make sure that sessions are secure by default. When using the default self-signed certificates, an untrusted connection notification is shown in the web UI. Depending on the browser used, the user can allow the connection for each session or add an exception to make the site trusted in future sessions.

Check Content

By default, each cluster node has a different set of self-signed certificates. These certificates can be replaced with a DoD-acceptable certificate, preferably a certificate issued by an intermediate certificate authority (CA). For security reasons, Redis Enterprise only supports the TLS protocol. Therefore, verify that the Redis client or secured tunnel solution is TLS v1.2 or above. Run the following commands and verify that certificates are present: # cd /etc/opt/redislabs # ls Verify the proxy_cert.pem file is present. If no certificates are present, this is a finding.

Fix Text

To configure TLS and configure only organizationally defined CA-signed certificates, refer to the following document: https://docs.redislabs.com/latest/rs/administering/cluster-operations/updating-certificates/

Additional Identifiers

Rule ID: SV-251237r879638_rule

Vulnerability ID: V-251237

Group Title: SRG-APP-000223-DB-000168

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.