
If the vAMI uses PKI Class 3 or Class 4 certificates, the certificates must be DoD- or CNSS-approved. If the vAMI does not use PKI Class 3 or Class 4 certificates, this requirement is Not Applicable.


Overview

Finding ID: V-240964
Version: VRAU-VA-000640
Rule ID: SV-240964r879885_rule
IA Controls:
Severity: Medium
Description
Class 3 PKI certificates are used for servers and software signing rather than for identifying individuals. Class 4 certificates are used for business-to-business transactions. Using certificates that are not issued or approved by DoD or CNSS creates an integrity risk. The vAMI must use approved DoD or CNSS Class 3 or Class 4 certificates for software signing and business-to-business transactions.
STIG Date
VMware vRealize Automation 7.x vAMI Security Technical Implementation Guide 2023-09-12

Details

Check Text (C-44197r676057_chk)
Interview the ISSO and/or the SA.

Determine if the vAMI is using PKI Class 3 or Class 4 certificates.

If the vAMI is using PKI Class 3 or Class 4 certificates, and the certificates are not DoD- or CNSS-approved, this is a finding.
Fix Text (F-44156r676058_fix)
If the vAMI is using PKI Class 3 or Class 4 certificates, install certificates that are DoD- or CNSS-approved.