Re: DISA STIG: DoD-Approved PKI

NetApp93 · ‎2024-01-24

Hello All,

I am currently in the process of implementing the DISA STIG on our six NetApps. Four of these are AFF-A220's (running NFS for vCenter datastores) and reside on a completely private network and are not domain facing, and we utilize a local admin account to manage. We figure these could be exempted from this item. We have two other newer AFF-A150's which are running CIFS/SMB for our network shares. These are partially domain facing, however our management IP's reside on that private network, where we manage via jumpserver. We figure these should get DoD certificates. Two questions on this process:

We were told by our professional services rep that helped us install the AFF-A150's that we should be able to utilize domain authentication since the CIFS Data LIFS are domain facing and have domain IP's, despite our management IP's residing on a private network. Any confirmation of this and how this could be set up?
Main question is in regards to the actual CLI commands. The STIG references the following command for creating a CSR "request security generate-certificate-request certificate-id <cert_name_from_key_file> digest <sha1 | sha256> domain <FQDN> email <admin_email> ip-address <ip_address> subject “CN=<hostname>,DC=<domain_part>,DC=<TLD_domain>,O=<organization>,OU=<organization_dept>, L=<city>,ST=<state>,C=<us>” filename <path/filename> " however this ONTAP doc has a completely different command listed, called "security certificate generate-csr". I am familiar with the process of getting a DoD cert once I have the CSR, but I'm unsure which command generates the correct one.

TMACMD · ‎2024-01-24

I will answer #2 first. The "request security..." command is NOT an ONTAP command. They are directing you to go create the CSR that has DOD-approved PKI methods. The rule is -> SV-246945r878000 -> ONTAP must use DoD-approved PKI rather than proprietary or self-signed device certificates

They are expecting you to use an authorized device to create the CSR. You use the resulting information to install the Cert into ONTAP.

#1. If your CIFS vserver has joined the domain, that is the most difficult part. However, for added security, you should have a dedicated SVM for establishing what ONTAP calls a Domain-Tunnel. This allows the admin vserver to tunnel AUTH requests to another vserver for domain authentication. I have instead been creating a more-secure method. I use a lesser known item in ONTAP called active-directory (svm). I typically do something like this:

vserver create -vserver auth -rootvolume-security-style ntfs -data-services management-ad-client
net int create -vserver auth -lif auth -service-policy default-management -address 192.168.0.201 -netmask-length 24 -home-node cluster1-01 -home-port e0c -status-admin up -failover-policy broadcast-domain-wide -auto-revert true
route create -vserver auth  -destination 0.0.0.0/0 -gateway 192.168.0.1
dns create -vserver auth -domains demo.netapp.com -name-servers 192.168.0.253
vserver cifs security modify -vserver auth -is-aes-encryption-enabled true -lm-compatibility-level ntlmv2-krb -session-security-for-ad-ldap sign -smb1-enabled-for-dc-connections false -smb2-enabled-for-dc-connections true
vserver active-directory create -vserver auth -account-name auth -domain demo.netapp.com -ou CN=Computers
security login domain-tunnel create -vserver auth
security login create -user-or-group-name DEMO\tmac -authentication-method domain -application ssh
security login create -user-or-group-name DEMO\tmac -authentication-method domain -application ontapi
security login create -user-or-group-name DEMO\tmac -authentication-method domain -application http

When creating the LIF, you can give it any IP and any port that it needs to communicate with the DCs.

This allows the user tmac in the DEMO domain to login as DEMO\tmac or even via SSH

NetApp93 · ‎2024-01-29

@TMACMD wrote:
I will answer #2 first. The "request security..." command is NOT an ONTAP command. They are directing you to go create the CSR that has DOD-approved PKI methods. The rule is -> SV-246945r878000 -> ONTAP must use DoD-approved PKI rather than proprietary or self-signed device certificates
They are expecting you to use an authorized device to create the CSR. You use the resulting information to install the Cert into ONTAP.

What authorized device would create the CSR? The DoD uses the NPE Portal which you have to bring a CSR to request a cert with, it doesn't create the CSR for you. Wouldn't generating the CSR be done by the system needing the cert?

TMACMD · ‎2024-01-29

That would like be an approved Linux or windows box capable of running the command. You don’t need to run the “security certificate generate-csr” on the Netapp. You can do it off box b you just need to be sure to keep the public and private keys

NetApp93 · ‎2024-01-30

Isn't the "security certificate generate-csr..." command an ONTAP CLI command? Wouldn't that only be able to be ran while using ONTAP CLI? Or do you mean having an SSH CLI session from a secure box?

TMACMD · ‎2024-01-30

I am going to partially repeat my last response:

You don’t need to run the “security certificate generate-csr” on the Netapp

Insted, you can use (You will need to Look it up, I am not planning on doing that right now) a command on a Linux box in your PKI infrastructure to run a command that does as teh STIG says:

The STIG references the following command for creating a CSR "request security generate-certificate-request certificate-id <cert_name_from_key_file> digest <sha1 | sha256> domain <FQDN> email <admin_email> ip-address <ip_address> subject “CN=<hostname>,DC=<domain_part>,DC=<TLD_domain>,O=<organization>,OU=<organization_dept>, L=<city>,ST=<state>,C=<us>” filename <path/filename> "

-> This is not run in any form or fashion ON or against the NetApp. AT ALL. This is a completely OFF-BOX command to generate the approved STIG csr for PKI. The result from the command will produce a private key and a CSR. You send the CSR back and then you will the public key. You then install the certificate into ONTAP and you will need the private key when the CSR was generated.