Connectors must be secured.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-222935	TCAT-AS-000100	SV-222935r615938_rule		Medium

Description
The unencrypted HTTP protocol does not protect data from interception or alteration which can subject users to eavesdropping, tracking, and the modification of received data. To secure an HTTP connector, both the secure and scheme flags must be set.

STIG	Date
Apache Tomcat Application Sever 9 Security Technical Implementation Guide	2020-12-11

Details

Check Text ( C-24607r426249_chk )
From the Tomcat server console, run the following command: sudo cat $CATALINA_BASE/conf/server.xml. Examine each element. For each connector, verify the secure= flag is set to "true" and the scheme= flag is set to "https" on each connector. If the secure flag is not set to "true" and/or the scheme flag is not set to "https" for each HTTP connector element, this is a finding.

Fix Text (F-24596r426250_fix)
From the Tomcat server as a privileged user, edit the server.xml file. sudo nano $CATALINA_BASE/conf/server.xml. Locate each element which is lacking a secure setting. EXAMPLE Connector: connectionTimeout="20000" redirectPort="443" /> Set or add scheme="https" and secure="true" for each HTTP connector element. EXAMPLE: maxThreads="150" scheme="https" secure="true".../> Save the server.xml file and restart Tomcat: sudo systemctl restart tomcat sudo systemctl reload-daemon

Fix Text (F-24596r426250_fix)

From the Tomcat server as a privileged user, edit the server.xml file.

sudo nano $CATALINA_BASE/conf/server.xml.

Locate each element which is lacking a secure setting.

EXAMPLE Connector:
connectionTimeout="20000"
redirectPort="443" />

Set or add scheme="https" and secure="true" for each HTTP connector element.

EXAMPLE:
maxThreads="150" scheme="https" secure="true".../>

Save the server.xml file and restart Tomcat:
sudo systemctl restart tomcat
sudo systemctl reload-daemon