STIGQter STIGQter: STIG Summary: IBM z/OS ACF2 Security Technical Implementation Guide Version: 8 Release: 2 Benchmark Date: 23 Apr 2021:

IBM z/OS must not use Expired Digital Certificates.

DISA Rule

SV-223420r533198_rule

Vulnerability Number

V-223420

Group Title

SRG-OS-000066-GPOS-00034

Rule Version

ACF2-CE-000020

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

If the certificate is a user or device certificate with a status of trust, follow procedures to obtain a new certificate or re-key certificate. If it is an expired CA certificate remove it.

Check Contents

Execute the CA-ACF2 SAFCRRPT using the following as SYSIN input
RECORDID(-) DETAIL FIELDS(ISSUER SUBJECT ACTIVE EXPIRE TRUST)

If no certificate information is found, this is not a finding.

NOTE: Certificates are only valid when their Status is TRUST. Therefore, you may ignore certificates with the NOTRUST status during the following checks.

If the digital certificate information indicates that the issuer's distinguished name leads to a DoD PKI Root Certificate Authority or External Certification Authority (ECA), this is not a finding.

Reference the DoD Cyber Exchange website for complete information as to which certificates are acceptable (https://cyber.mil/pki-pke/interoperability/).

Examples of an acceptable DoD CA are:
DoD PKI Class 3 Root CA
DoD PKI Med Root CA

Vulnerability Number

V-223420

Documentable

False

Rule Version

ACF2-CE-000020

Severity Override Guidance

Execute the CA-ACF2 SAFCRRPT using the following as SYSIN input
RECORDID(-) DETAIL FIELDS(ISSUER SUBJECT ACTIVE EXPIRE TRUST)

If no certificate information is found, this is not a finding.

NOTE: Certificates are only valid when their Status is TRUST. Therefore, you may ignore certificates with the NOTRUST status during the following checks.

If the digital certificate information indicates that the issuer's distinguished name leads to a DoD PKI Root Certificate Authority or External Certification Authority (ECA), this is not a finding.

Reference the DoD Cyber Exchange website for complete information as to which certificates are acceptable (https://cyber.mil/pki-pke/interoperability/).

Examples of an acceptable DoD CA are:
DoD PKI Class 3 Root CA
DoD PKI Med Root CA

Check Content Reference

M

Target Key

4100

Comments