Rancher Kubernetes Cryptographic Library FIPS 140-2 Non-Proprietary Security Policy
of 16 6 Roles, Authentication and Services The cryptographic module implements both User and Crypto Officer (CO) roles. The module does not support user authentication. The User and CO roles are implicitly KTS [SP 800-38F] 128, 256 AES-KW Key Wrapping, Key Unwrapping A865 CVL [SP 800-135 r1] TLS 1.0/1.1 and 1.2 KDF Key Derivation Vendor Affirmed CKG [SP 800-133 r2] Cryptographic Key Generation establishment methodology provides between 112 and 256 bits of encryption strength MD5 When used with the TLS protocol version 1.0 and 1.1 NDRNG Used only to seed the Approved DRBG 7.3 Non-Approved Cryptographic
0 credits | 16 pages | 551.69 KB | 1 year ago
Secrets Management at Scale with Vault & Rancher
Rest / KMIP) Identity Policy / Governance Audit Dynamic Secrets Static Secrets (Versioned) Crypto as a Service LDAP/AD OIDC JWT Github MFA/Radius Okta AWS Azure GCP AliCloud Kubernetes Cloud Foundry
0 credits | 36 pages | 1.19 MB | 1 year ago
CIS 1.6 Benchmark - Self-Assessment Guide - Rancher v2.5.4
and --etcd-keyfile arguments are set as appropriate (Automated) 1.2.30 Ensure that the --tls-cert-file and --tls-private- key-file arguments are set as appropriate (Automated) 1.2.31 Ensure that the --client-ca-file Ensure that the --client-cert-auth argument is set to true (Automated) 2.3 Ensure that the --auto-tls argument is not set to true (Automated) 2.4 Ensure that the --peer-cert-file and --peer-key-file arguments that the --peer-client-cert-auth argument is set to true (Automated) 2.6 Ensure that the --peer-auto-tls argument is not set to true (Automated) 2.7 Ensure that a unique Certificate Authority is used for
0 credits | 132 pages | 1.12 MB | 1 year ago
Hardening Guide - Rancher v2.3.3+
true" • --tls-cipher-suites="TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_W TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_GCM_SHA256" Remediation • Add the following to the RKE cluster ts: "true" tls-cipher-suites: "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_
0 credits | 44 pages | 279.78 KB | 1 year ago
Rancher CIS Kubernetes v.1.4.0 Benchmark Self Assessment
that the --tls-cert-file and --tls-private-key- file arguments are set as appropriate (Scored) Audit ( --tls-cert-file ) docker inspect kube-apiserver | jq -e '.[0].Args[] | match("--tls-cert-file= string' Returned Value: --tls-cert-file=/etc/kubernetes/ssl/kube-apiserver.pem Audit ( --tls-key-file ) docker inspect kube-apiserver | jq -e '.[0].Args[] | match("--tls-private-key-file=.*").string' string' Returned Value: --tls-private-key-file=/etc/kubernetes/ssl/kube-apiserver-key.pem Result: Pass 1.1.29 - Ensure that the --client-ca-file argument is set as appropriate (Scored) Audit docker
0 credits | 47 pages | 302.56 KB | 1 year ago
CIS Benchmark Rancher Self-Assessment Guide - v2.4
appropriate (Scored) Result: PASS Remediation: Follow the Kubernetes documentation and set up the TLS connection between the apiserver and kubelets. Then, edit API server pod specification file /etc/k appropriate (Scored) Result: PASS Remediation: Follow the Kubernetes documentation and setup the TLS connection between the apiserver and kubelets. Then, edit the API server pod specification file /e appropriate (Scored) Result: PASS Remediation: Follow the Kubernetes documentation and set up the TLS connection between the apiserver and etcd. Then, edit the API server pod specification file /etc/k
0 credits | 54 pages | 447.77 KB | 1 year ago
CIS 1.5 Benchmark - Self-Assessment Guide - Rancher v2.5
appropriate (Scored) Result: PASS Remediation: Follow the Kubernetes documentation and set up the TLS connection between the apiserver and kubelets. Then, edit API server pod specification file /etc/k appropriate (Scored) Result: PASS Remediation: Follow the Kubernetes documentation and setup the TLS connection between the apiserver and kubelets. Then, edit the API server pod specification file /e appropriate (Scored) Result: PASS Remediation: Follow the Kubernetes documentation and set up the TLS connection between the apiserver and etcd. Then, edit the API server pod specification file /etc/k
0 credits | 54 pages | 447.97 KB | 1 year ago
Rancher Hardening Guide v2.3.5
"true" tls-cipher-suites: "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA 256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH _CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_E CDHE_ CDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_G CM_SHA384,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128 _GCM_SHA256" extra_binds: [] extra_env: [] cluster_domain: "" eout: 1800s tls-cipher-suites: >- TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES _128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECD HE_RSA_WITH_AES_256_GCM_SHA384
0 credits | 21 pages | 191.56 KB | 1 year ago
Rancher Hardening Guide v2.4
"true" tls-cipher-suites: "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA 256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH _CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_E CDHE_ CDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_G CM_SHA384,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128 _GCM_SHA256" extra_binds: [] extra_env: [] cluster_domain: "" eout: 1800s tls-cipher-suites: >- TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES _128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECD HE_RSA_WITH_AES_256_GCM_SHA384
0 credits | 22 pages | 197.27 KB | 1 year ago
Rancher Kubernetes Engine 2, VMWare vSAN
Rancher Kubernetes Engine 2 using VMware vSAN and vSphere $ kubectl -n $NAMESPACE create secret tls vsystem-tls-certs --key decrypted-.key--cert .crt Deploy an nginx-ingress controller: 10.43.86.90 80:31963/ TCP,443:{di_version}06/TCP 53d In our example here, the TLS port is be 3.306. Note the port IP down as you will need it to access the SAP Data Intelligence installation vsystem servicePort: 8797 path: / tls: - hosts: - " " secretName: vsystem-tls-certs EOF $ kubectl apply -f ingress.yaml Connecting
0 credits | 29 pages | 213.09 KB | 1 year ago