WG140 A22 – Private web servers must require certificates issued from a DoD-authorized Certificate Authority.

Details

Web sites requiring authentication within the DoD must utilize PKI as an authentication mechanism for web users. Information systems residing behind web servers requiring authorization based on individual identity must use the identity provided by certificate-based authentication to support access control decisions.

Solution

Edit the httpd.conf file and set the value of SSLVerifyClient to ‘require’.

Supportive Information

The following resource is also helpful.

https://iasecontent.disa.mil/stigs/zip/U_Apache_2-2_UNIX_V1R11_STIG.zip

This security hardening control applies to the following category of controls within NIST 800-53: System and Communications Protection.This control applies to the following type of system Unix.

References

800-53|SC-13.
CAT|II
Rule-ID|SV-33019r1_rule
STIG-ID|WG140_A22
Vuln-ID|V-6531

Source

Tenable.com/audits

Updated on July 16, 2022

Was this article helpful?

Yes No

Details

Solution

Supportive Information

References

Source

Related Articles