The WebSphere Liberty Server must use an LDAP user registry.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-250333	IBMW-LS-000380	SV-250333r862978_rule		Medium

Description
To ensure accountability and prevent unauthorized access, application server users must be uniquely identified and authenticated. This is typically accomplished via the use of a user store which is either local (OS-based) or centralized (LDAP) in nature. Best practice guideline to is to use a centralized enterprise LDAP server. To ensure support to the enterprise, the authentication must use an enterprise solution.

Description

To ensure accountability and prevent unauthorized access, application server users must be uniquely identified and authenticated. This is typically accomplished via the use of a user store which is either local (OS-based) or centralized (LDAP) in nature. Best practice guideline to is to use a centralized enterprise LDAP server. To ensure support to the enterprise, the authentication must use an enterprise solution.

STIG	Date
IBM WebSphere Liberty Server Security Technical Implementation Guide	2022-09-09

Details

Check Text ( C-53768r862976_chk )
As a user with local file access to ${server.config.dir}/server.xml file, verify the LDAP user registry is used to authenticate users. If the LDAP user registry is not defined within server.xml, this is a finding. appSecurity-2.0 ldapRegistry-3.0 baseDN="${ldap.server.base.dn}" ldapType="${ldap.vendor.type}" searchTimeout="8m">

Fix Text (F-53722r862977_fix)
To ensure an enterprise user management system is configured to uniquely identify and authenticate users and processes acting on behalf of org users, the server.xml must be configured to use an ldap configuration as follows: appSecurity-2.0 ldapRegistry-3.0 baseDN="${ldap.server.base.dn}" ldapType="${ldap.vendor.type}" searchTimeout="8m">