UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

Default password for keystore must be changed.


Overview

Finding ID Version Rule ID IA Controls Severity
V-222931 TCAT-AS-000060 SV-222931r879530_rule High
Description
Tomcat currently operates only on JKS, PKCS11, or PKCS12 format keystores. The JKS format is Java's standard "Java KeyStore" format, and is the format created by the keytool command-line utility which is included in the JDK. The PKCS12 format is an internet standard, and is managed using OpenSSL or Microsoft's Key-Manager. This requirement only applies to JKS keystores. When a new JKS keystore is created, if a password is not specified during creation the default password used by Tomcat is "changeit" (all lower case). If the default password is not changed, the keystore is at risk of compromise. Satisfies: SRG-APP-000033-AS-000023, SRG-APP-000176-AS-000125
STIG Date
Apache Tomcat Application Server 9 Security Technical Implementation Guide 2023-12-18

Details

Check Text ( C-24603r426237_chk )
From the Tomcat server console, run the following command to check the keystore:

sudo keytool -list -v

When prompted for the keystore password type "changeit" sans quotes.

If the contents of the keystore are displayed, this is a finding.
Fix Text (F-24592r426238_fix)
From the Tomcat server as a privileged user, run the following command:

sudo keytool -storepasswd

When prompted for the keystore password, select a strong password, minimum 10 characters, mixed case alpha-numeric.

Document the password and store in a secured location that is only accessible to authorized personnel.