The application server must be configured to mutually authenticate connecting proxies, application servers or gateways.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-204762	SRG-APP-000219-AS-000147	SV-204762r508029_rule		Medium

Description
Application architecture may sometimes require a configuration where an application server is placed behind a web proxy, an application gateway or communicates directly with another application server. In those instances, the application server hosting the service/application is considered the server. The application server, proxy or application gateway consuming the hosted service is considered a client. Authentication is accomplished via the use of certificates and protocols such as TLS mutual authentication. Authentication must be performed when the proxy is exposed to an untrusted network or when data protection requirements specified in the system security plan mandate the need to establish the identity of the connecting application server, proxy or application gateway.

Description

Application architecture may sometimes require a configuration where an application server is placed behind a web proxy, an application gateway or communicates directly with another application server. In those instances, the application server hosting the service/application is considered the server. The application server, proxy or application gateway consuming the hosted service is considered a client. Authentication is accomplished via the use of certificates and protocols such as TLS mutual authentication. Authentication must be performed when the proxy is exposed to an untrusted network or when data protection requirements specified in the system security plan mandate the need to establish the identity of the connecting application server, proxy or application gateway.

STIG	Date
Application Server Security Requirements Guide	2022-09-20

Details

Check Text ( C-4882r282933_chk )
Review application server documentation, system security plan and application data protection requirements. If the connected web proxy is exposed to an untrusted network or if data protection requirements specified in the system security plan mandate the need to establish the identity of the connecting application server, proxy or application gateway and the application server is not configured to mutually authenticate the application server, proxy server or gateway, this is a finding.

Check Text ( C-4882r282933_chk )

Review application server documentation, system security plan and application data protection requirements.

If the connected web proxy is exposed to an untrusted network or if data protection requirements specified in the system security plan mandate the need to establish the identity of the connecting application server, proxy or application gateway and the application server is not configured to mutually authenticate the application server, proxy server or gateway, this is a finding.

Fix Text (F-4882r282934_fix)
Configure the application server to mutually authenticate proxy servers, other application servers and application gateways as specified.