UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

The WebSphere Liberty Server must prohibit the use of cached authenticators after an organization-defined time period.


Overview

Finding ID Version Rule ID IA Controls Severity
V-250345 IBMW-LS-000970 SV-250345r795088_rule Medium
Description
Larger authentication cache timeout values can increase security risks. For example, a user who is revoked can still log in by using a credential that is cached in the authentication cache until the cache is refreshed. Smaller authentication cache timeout values can affect performance. When this value is smaller, the Liberty Server accesses the user registry or repository more frequently. Larger numbers of entries in the authentication cache, which is caused by an increased number of users, increases the memory usage of the authentication cache. Thus, the application server might slow down and affect performance. If cached authentication information is out of date, the validity of the authentication information may be questionable.
STIG Date
IBM WebSphere Liberty Server Security Technical Implementation Guide 2021-08-30

Details

Check Text ( C-53780r795086_chk )
Review system security plan and identify the cache timeout parameters for authentication. The value for admin timeout is 10 minutes. However, a case-by-case exception based on operational requirements can be configured with AO acceptance.

As a privileged user with access to server.xml, review the file and verify the authCache timeout parameter is configured for 10 minutes.

grep -i authcache server.xml

EXAMPLE:


If the authCache timeout parameter is not configured for 10 minutes, or the AO has not accepted the risk for extending the timeout period specified, this is a finding.
Fix Text (F-53734r795087_fix)
Edit the server.xml file and define the authCache timeout value as 10 minutes or AO approved value. Also ensure the appSecurity-3.0 feature is enabled.

EXAMPLE:


appSecurity-3.0