The application server, when using PKI-based authentication, must restrict keystore access to authorized users.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| V-35324 | SRG-APP-000176-AS-000125 | SV-46611r1_rule | High |
| Description |
|---|
| The cornerstone of the PKI is the private key used to encrypt or digitally sign information. If the private key is stolen, this will lead to the compromise of the authentication and non-repudiation gained through PKI because the attacker can use the private key to digitally sign documents and can pretend to be the authorized user. Both the holders of a digital certificate and the issuing authority must protect the computers, storage devices, or whatever they use to keep the private keys. Java based application servers utilize the Java keystore which provides storage for cryptographic keys and certificates. The keystore is usually maintained in a file stored on the file system. |
| STIG | Date |
|---|---|
| Application Server Security Requirements Guide | 2013-01-08 |
Details
| Check Text ( C-43694r1_chk ) |
|---|
| Review AS configuration and documentation to ensure the java keystores are protected so as to enforce only authorized access to private keys. Approved protection mechanisms are OS file permissions, passwords and encryption based mechanisms that encrypt key values contained within the file. If the AS is not configured to enforce authorized access to private keys, this is a finding. |
| Fix Text (F-39870r1_fix) |
|---|
| Configure the keystore to protect keystore information from unauthorized access. |