The Sentry that provides intermediary services for TLS must validate certificates used for TLS functions by performing RFC 5280-compliant certification path validation.

Severity	Group ID	Group Title	Version	Rule ID	Date	STIG Version
medium	V-251027	SRG-NET-000164-ALG-000100	MOIS-AL-000420	SV-251027r1028193_rule	2024-09-25	3

Description
A certificate's certification path is the path from the end entity certificate to a trusted root certification authority (CA). Certification path validation is necessary for a relying party to make an informed decision regarding acceptance of an end entity certificate. Certification path validation includes checks such as certificate issuer trust, time validity and revocation status for each certificate in the certification path. Revocation status information for CA and subject certificates in a certification path is commonly provided via certificate revocation lists (CRLs) or online certificate status protocol (OCSP) responses.

Description

A certificate's certification path is the path from the end entity certificate to a trusted root certification authority (CA). Certification path validation is necessary for a relying party to make an informed decision regarding acceptance of an end entity certificate. Certification path validation includes checks such as certificate issuer trust, time validity and revocation status for each certificate in the certification path. Revocation status information for CA and subject certificates in a certification path is commonly provided via certificate revocation lists (CRLs) or online certificate status protocol (OCSP) responses.

ℹ️ Check
The Sentry is configured with TLS by default. The Sentry enables TLS 1.2 by default. To check the status: 1. Log in to Sentry. 2. Go to Settings >> Services >> Sentry. 3. For each of the following configurations, follow step 4: a. Incoming SSL configuration b. Outgoing SSL configuration c. UEM SSL configuration d. Access SSL configuration 4. In Protocols, verify TLS 1.2 is enabled. If TLS 1.2 is not enabled for each configuration, this is a finding. For more information, go to the "Sentry 9.8.0 Guide for Core" and refer to the main section "Standalone Sentry Settings", which includes subsections on how TLS 1.2 is set as the default protocol: 1. Incoming SSL configuration 2. Outgoing SSL configuration 3. UEM SSL configuration 4. Access SSL configuration Sentry conforms to the NIST SP 800-52 TLS settings by setting TLS 1.2 by default.

ℹ️ Check

The Sentry is configured with TLS by default. The Sentry enables TLS 1.2 by default. To check the status: 1. Log in to Sentry. 2. Go to Settings >> Services >> Sentry. 3. For each of the following configurations, follow step 4: a. Incoming SSL configuration b. Outgoing SSL configuration c. UEM SSL configuration d. Access SSL configuration 4. In Protocols, verify TLS 1.2 is enabled. If TLS 1.2 is not enabled for each configuration, this is a finding. For more information, go to the "Sentry 9.8.0 Guide for Core" and refer to the main section "Standalone Sentry Settings", which includes subsections on how TLS 1.2 is set as the default protocol: 1. Incoming SSL configuration 2. Outgoing SSL configuration 3. UEM SSL configuration 4. Access SSL configuration Sentry conforms to the NIST SP 800-52 TLS settings by setting TLS 1.2 by default.

✔️ Fix
The Sentry is configured with TLS by default. To configure the Sentry with TLS 1.2: 1. Log in to Sentry. 2. Go to Settings >> Services >> Sentry. 3. Select each of the configurations listed below and follow steps 4 and 5: a. Incoming SSL configuration b. Outgoing SSL configuration c. UEM SSL Configuration d. Access SSL Configuration 4. In protocols, make TLS 1.2 enabled. 5. Apply the configuration and click "Save" in the top right corner.

✔️ Fix

The Sentry is configured with TLS by default. To configure the Sentry with TLS 1.2: 1. Log in to Sentry. 2. Go to Settings >> Services >> Sentry. 3. Select each of the configurations listed below and follow steps 4 and 5: a. Incoming SSL configuration b. Outgoing SSL configuration c. UEM SSL Configuration d. Access SSL Configuration 4. In protocols, make TLS 1.2 enabled. 5. Apply the configuration and click "Save" in the top right corner.