Multifactor certificate-based tokens (CAC) must be used when accessing the management interface.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-222993	TCAT-AS-001320	SV-222993r615938_rule		Medium

Description
Password authentication does not provide sufficient security control when accessing a management interface. DoD has specified that the CAC will be used when authenticating and passwords will only be used when CAC authentication is not a plausible solution. Tomcat provides the ability to do certificate based authentication and client authentication; therefore, the Tomcat server must be configured to use CAC. Satisfies: SRG-APP-000391-AS-000239, SRG-APP-000392-AS-000240, SRG-APP-000402-AS-000247, SRG-APP-000403-AS-000248

Description

Password authentication does not provide sufficient security control when accessing a management interface. DoD has specified that the CAC will be used when authenticating and passwords will only be used when CAC authentication is not a plausible solution. Tomcat provides the ability to do certificate based authentication and client authentication; therefore, the Tomcat server must be configured to use CAC. Satisfies: SRG-APP-000391-AS-000239, SRG-APP-000392-AS-000240, SRG-APP-000402-AS-000247, SRG-APP-000403-AS-000248

STIG	Date
Apache Tomcat Application Sever 9 Security Technical Implementation Guide	2021-06-15

Details

Check Text ( C-24665r426423_chk )
If the manager application has been deleted from the Tomcat server, this is not a finding. From the Tomcat server as a privileged user, issue the following command: sudo grep -i auth-method $CATALINA_BASE/webapps/manager/WEB-INF/web.xml If the for the web manager application is not set to CLIENT-CERT, this is a finding.

Fix Text (F-24654r426424_fix)
From the Tomcat server as a privileged user, edit the $CATALINA_BASE/webapps/manager/WEB-INF/web.xml file and modify the auth-method for the manager application security constraint. sudo nano $CATALINA_BASE/webapps/manager/WEB-INF/web.xml Locate contained within the section, modify to specify CLIENT-CERT. EXAMPLE: CLIENT-CERT In addition, the connector used for accessing the manager application must be configured to require client authentication by setting clientAuth="true" and the manager application roles must be configured in the LDAP server. Restart the Tomcat server: sudo systemctl restart tomcat

Fix Text (F-24654r426424_fix)

From the Tomcat server as a privileged user, edit the $CATALINA_BASE/webapps/manager/WEB-INF/web.xml file and modify the auth-method for the manager application security constraint.

sudo nano $CATALINA_BASE/webapps/manager/WEB-INF/web.xml

Locate contained within the section, modify to specify CLIENT-CERT.

EXAMPLE:

CLIENT-CERT

In addition, the connector used for accessing the manager application must be configured to require client authentication by setting clientAuth="true" and the manager application roles must be configured in the LDAP server.

Restart the Tomcat server:
sudo systemctl restart tomcat