The ISEC7 SPHERE must accept Personal Identity Verification (PIV) credentials.
Severity | Group ID | Group Title | Version | Rule ID | Date | STIG Version |
|---|---|---|---|---|---|---|
| low | V-224769 | SRG-APP-000391 | ISEC-06-001730 | SV-224769r1013821_rule | 2024-08-20 | 3 |
| Description |
|---|
| The use of PIV credentials facilitates standardization and reduces the risk of unauthorized access. DOD has mandated the use of the CAC to support identity management and personal authentication for systems covered under HSPD 12, as well as a primary component of layered protection for national security systems. |
| ℹ️ Check |
|---|
| Log in to the ISEC7 SPHERE Console. Navigate to Administration >> Configuration >> Settings. Verify the CAC login box has been checked. On the ISEC7 SPHERE server, browse to the install directory. Default is %Install Drive%/Program Files/ISEC7 SPHERE Select the conf folder. Open config.properties and confirm the following lines exist: cacUserUIDRegex=^CN=[^0-9]*\\.([0-9]+), cacUserUIDProperty=UserPrincipalName Browse to %Install Drive%/Program Files >> ISEC7 SPHERE >> Tomcat >> conf Confirm the server.xml file has clientAuth="required" under the Connection. If the required commands do not exist in config.properties or if clientAuth does not ="required" in the server.xml file, this is a finding. |
| ✔️ Fix |
|---|
| Log in to the ISEC7 SPHERE Console. Navigate to Administration >> Configuration >> LDAP. Check "Also enable user certificate logins. e.g. from smart cards (CAC)". Check "Only allow certificates with extended key usage for smartcard logon (1.3.6.1.4.1.311.20.2.2)". Browse to %Install Drive%/Program Files >> ISEC7 SPHERE >> Tomcat >> conf. Open the server.xml file and add clientAuth="required" under the Connection. |