UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

Multifactor authentication for network access to privileged accounts must be used.


Overview

Finding ID Version Rule ID IA Controls Severity
V-250335 IBMW-LS-000390 SV-250335r862983_rule High
Description
Multifactor authentication creates a layered defense and makes it more difficult for an unauthorized person to access the application server. If one factor is compromised or broken, the attacker still has at least one more barrier to breach before successfully breaking into the target. Unlike a simple username/password scenario where the attacker could gain access by knowing both the username and password without the user knowing his account was compromised, multifactor authentication adds the requirement that the attacker must have something from the user, such as a token, or to biometrically be the user. When accessing the application server via a network connection, administrative access to the application server must be PKI Hardware Token enabled. The high level steps required for configuring Liberty Server to use certificate based authentication include the following: 1. Configure Web Application with client certificate authentication. 2. Configure Liberty SSL configuration with client authentication. 3. Configure Liberty LDAP Security Configuration with certificate filter. Satisfies: SRG-APP-000149-AS-000102, SRG-APP-000151-AS-000103, SRG-APP-000402-AS-000247, SRG-APP-000403-AS-000248, SRG-APP-000177-AS-000126
STIG Date
IBM WebSphere Liberty Server Security Technical Implementation Guide 2022-09-09

Details

Check Text ( C-53770r862981_chk )
As a user with local file access to ${server.config.dir}/server.xml file, verify the TLS connection used for managing the server is configured to use clientAuthentication.


appSecurity-2.0
ldapRegistry-3.0
transportSecurity-1.0


Verify the TLS connection used for managing the server is configured to use clientAuthentication. The following is used as an example.

If the clientAuthentication setting for the TLS management application is not set to "true", this is a finding.

EXAMPLE:


clientAuthentication="true"/>

Access the web management interface via a web browser and verify TLS secured connectivity to the web based management application.
Fix Text (F-53724r862982_fix)
Refer to IBM documentation on how to configure TLS and client based certificate authentication for additional configuration details. The following is a summary list of items needed to configure the system for certificate based authentication. Production systems and installations will vary.

The application’s web.xml file must be configured to use client certs.

EXAMPLE:

CLIENT-CERT


The server.xml features must be configured to use transportSecurity and an ldap configuration.


appSecurity-2.0
ldapRegistry-3.0
transportSecurity-1.0


The server.xml TLS and LDAP settings must be configured. The following is an EXAMPLE only. "Default" verbiage and keystore information in the below SSL configuration will be different in production systems.



clientAuthentication="true"/>




Configure LDAP certificate filter settings according the certificates being used.

baseDN="${ldap.server.base.dn}"
ldapType="${ldap.vendor.type}"
certificateMapMode="Certificate_Filter" or "Exact_DN"
certificateFilter="${your certificate mapping}"
searchTimeout="8m"
sslEnabled="true">