STIGQter: STIG Summary: IBM DataPower ALG Security Technical Implementation Guide Version: 1 Release: 1 Benchmark Date: 25 Jan 2016:

The DataPower Gateway that stores secret or private keys must use FIPS-approved key management technology and processes in the production and control of private/secret cryptographic keys.

DISA Rule

SV-79693r1_rule

Vulnerability Number

V-65203

Group Title

SRG-NET-000062-ALG-000092

Rule Version

WSDP-AG-000017

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Configure FIPS 140-2 Level 1 in Firmware only.

As a privileged account user, log on to the default domain >> In the search field type "crypto" >> Press "enter" >> From the search results, click "Crypto Tools" >> Click the "Set Cryptographic Mode" tab >> From the "Cryptographic Mode" list, select "FIPS 140-2 Level 1" >> Click the "Set Cryptographic Mode" button.

When prompted to confirm cryptographic mode change, click "confirm" >> When notified that the action completed successfully, click "Close" >> click "Save Configuration".

Restart the appliance >> Control Panel >> System Control >> Shutdown >> Select "Mode" from dropdown list: "Reboot System" >> Click "Shutdown" button >> Click "Confirm" >> Click "Close".

Configure the FIPS 140-2 Level 3 Hardware Security Module as follows:

Log on to the command line of the appliance.

Command Prompt >> "configure terminal"

Command Prompt >> "crypto"

Command Prompt >> "hsm-reinit hsm-domain datapower3" (see online documentation; "datapower3" refers to the name of the configured key-sharing domain)

Command Prompt >> prompt: "Do you want to continue ('yes' or 'no')"; enter "yes"

Command Prompt >> "shutdown reboot"

Check Contents

For FIPS 140-2 Level 1 Mode: As a privileged account user, log on to the default domain via the WebGUI >> In the search field type "crypto" >> Press "enter".

From the search results, click "Cryptographic Mode Status"; the "Cryptographic Mode Status" table is displayed.

If the "Target" is not "FIPS 140-2 Level 1", this is a finding.

For FIPS 140-2 Level 1 Mode: As a privileged account user, log on to the default domain via the CLI >> Enter "show crypto-engine" >> Confirm "Crypto Accelerator Type" is "hsm2" >> Confirm "Crypto Accelerator Status" is "fully operational" >> Confirm "Crypto Accelerator FIPS 140-2 Level" is "3".

If these three settings cannot be confirmed, this is a finding.
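As an added example that is not part of the STIG or of the DataPower product, the following Python checker applies the three CLI conditions above to captured output of "show crypto-engine" and reports each one that cannot be confirmed. The one-field-per-line "Key: value" output format and both sample outputs are assumptions constructed for this example.

```python
"""Compliance check for WSDP-AG-000017: evaluate captured output of the
DataPower CLI command "show crypto-engine" against the three conditions
the STIG check names. The "Key: value" line format assumed below is an
assumption for this example, not taken from the STIG or the product."""
import re

# Constructed sample of a compliant appliance (assumed format; the field
# names and required values are the ones the STIG check names).
SAMPLE_COMPLIANT = """\
Crypto Accelerator Type: hsm2
Crypto Accelerator Status: fully operational
Crypto Accelerator FIPS 140-2 Level: 3
"""

# Constructed sample of an appliance whose HSM is not fully operational.
SAMPLE_FINDING = """\
Crypto Accelerator Type: hsm2
Crypto Accelerator Status: not initialized
Crypto Accelerator FIPS 140-2 Level: 0
"""

# Required values from the STIG check (field name -> required value).
REQUIRED = {
    "Crypto Accelerator Type": "hsm2",
    "Crypto Accelerator Status": "fully operational",
    "Crypto Accelerator FIPS 140-2 Level": "3",
}

def parse_show_crypto_engine(text: str) -> dict:
    """Parse 'Key: value' lines into a dict; lines without a colon are ignored."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r"^\s*(.+?)\s*:\s*(.*?)\s*$", line)
        if m:
            fields[m.group(1)] = m.group(2)
    return fields

def hsm_level3_findings(text: str) -> list:
    """Return a list of findings; an empty list means all three settings confirmed.
    A missing field is a finding too, since the STIG treats 'cannot be confirmed' as one."""
    fields = parse_show_crypto_engine(text)
    findings = []
    for name, want in REQUIRED.items():
        got = fields.get(name)
        if got is None:
            findings.append(f"{name}: not present in output (cannot be confirmed)")
        elif got.casefold() != want.casefold():
            findings.append(f"{name}: expected '{want}', found '{got}'")
    return findings

if __name__ == "__main__":
    for label, sample in (("compliant", SAMPLE_COMPLIANT), ("finding", SAMPLE_FINDING)):
        f = hsm_level3_findings(sample)
        print(label, "->", "no finding" if not f else "; ".join(f))
```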

Vulnerability Number

V-65203

Documentable

False

Rule Version

WSDP-AG-000017

Severity Override Guidance


Check Content Reference

M

Target Key

2859

Comments