DKER-EE-003920 - Universal Control Plane (UCP) must be integrated with a trusted certificate authority (CA) in Docker Enterprise.

Information

Both the UCP and Docker Trusted Registry (DTR) components of Docker Enterprise leverage the same authentication and authorization backplane known as eNZi. The eNZi backplane includes its own managed user database, and also allows for LDAP integration in UCP and DTR. To meet the requirements of this control, configure LDAP integration. UCP also includes two certificate authorities for establishing root of trust. One CA is used to sign client bundles and the other is used for TLS communication between UCP components and nodes. Both of these CAs should be integrated with an external, trusted CA. DTR should be integrated with this same external, trusted CA as well.

NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.

Solution

This fix only applies to the UCP component of Docker Enterprise.

Integrate UCP with a trusted CA.

via UI:

In the UCP web console, navigate to 'Admin Settings' | 'Certificates'. Fill in (or click on the 'Upload' links) the 'CA Certificate' field with the contents of your public CA certificate. Assuming the user has generated a server certificate from that CA for UCP, also fill in the 'Server Certificate' and 'Private Key' fields with the contents of the public/private certificates respectively. The 'Server Certificate' field must include both the UCP server certificate and any intermediate certificates. Click on the 'Save' button.

If DTR was previously integrated with this UCP cluster, execute a 'dtr reconfigure' command as a superuser on one of the UCP Manager nodes in the cluster to re-configure DTR with the updated UCP certificates.

via CLI:
Linux : As a superuser, execute the following commands on each UCP Manager node in the cluster and in the directory where keys and certificates are stored:

Create a container that attaches to the same volume where certificates are stored:

docker create --name replace-certs -v ucp-controller-server-certs:/data busybox

Copy keys and certificates to the container's volumes:

docker cp cert.pem replace-certs:/data/cert.pem
docker cp ca.pem replace-certs:/data/ca.pem
docker cp key.pem replace-certs:/data/key.pem

Remove the container, since it is no longer needed:

docker rm replace-certs

Restart the container, since it is no longer needed:

docker rm replace-certs

Restart the ucp-controller container:

docker restart ucp-controller

If DTR was previously integrated with this UCP cluster, execute a 'dtr reconfigure' command as a superuser on one of the UCP Manager nodes in the cluster to re-configure DTR with the updated UCP certificates.

See Also

https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_Docker_Enterprise_2-x_Linux-Unix_V2R2_STIG.zip

Item Details

Category: SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|SC-23(5), CAT|II, CCI|CCI-002470, Rule-ID|SV-235841r961596_rule, STIG-ID|DKER-EE-003920, STIG-Legacy|SV-104853, STIG-Legacy|V-95715, Vuln-ID|V-235841

Plugin: Unix

Control ID: b64dd8a53595bfbd6414242f0770fed4ae6ab8f459b27608182a971eab602dc3