
The application server must associate security attributes with information exchanged between information systems.


Overview

Finding ID: V-35361
Version: SRG-APP-000203-AS-000143
Rule ID: SV-46648r1_rule
IA Controls:
Severity: Medium
Description
When data is exchanged between information systems, the security attributes associated with that data need to be maintained. Application servers provide a capability to exchange data across multiple web service hops. In application server terms, this is referred to as message layer security. While transport layer security ensures data security between two points, message layer security is built into the message itself and provides security across multiple hops. Policy sets are used to specify how the message is to be protected (e.g., encrypt the entire message, portions of the message, or just sign the message). The application server must bind policy sets to messages when message layer security is employed.
STIG: Application Server Security Requirements Guide
Date: 2013-01-08

Details

Check Text (C-43726r1_chk)
Review the application server (AS) documentation to validate that the AS binds policy sets with information exchanged between information systems. If the AS does not bind policy sets with information exchanged between information systems, this is a finding.
Fix Text (F-39908r1_fix)
Configure the AS to bind policy sets that are used to protect messages.