
The WebSphere Liberty Server must store only encrypted representations of user passwords.


Overview

Finding ID: V-250336
Version: IBMW-LS-000440
Rule ID: SV-250336r850893_rule
IA Controls: (none listed)
Severity: High
Description
WebSphere Liberty can either provide a local account store or integrate with enterprise account stores such as LDAP directories. If the application server stores application passwords in the server.xml configuration file, it must store encrypted representations of those passwords rather than unencrypted, clear-text passwords. Liberty provides a SecurityUtility tool that takes a plain-text or encoded password and converts it to an encrypted password. The tool does not update ${server.config.dir}/server.xml itself; the file must be edited by hand after the utility is run. Administrators must understand that the SecurityUtility tool has to be run once for each application password stored in server.xml.
Satisfies: SRG-APP-000171-AS-000119, SRG-APP-000428-AS-000265, SRG-APP-000429-AS-000157
STIG: IBM WebSphere Liberty Server Security Technical Implementation Guide
Date: 2022-09-09

Details

Check Text ( C-53771r795059_chk )
As a privileged user with file access to ${server.config.dir}/server.xml, review and ensure there are no clear-text passwords stored within the server.xml file.

If any passwords appear in plain text, or if any passwords start with {xor}, this is a finding. The {xor} prefix marks Liberty's reversible XOR encoding, which is obfuscation rather than encryption; only values with the {aes} prefix satisfy this rule.
Fix Text (F-53725r795060_fix)
For additional information regarding the use of the SecurityUtility command, refer to IBM’s website:
https://www.ibm.com/docs/en/was-liberty/base?topic=applications-securityutility-command

Create a new xml file with file permissions of 660.

File owner and group membership is the same as the WebSphere Liberty server user.

Add the following line to the new xml file:



In the above, "mysecret" is the passphrase from which Liberty derives the AES key used to encrypt and decrypt the passwords in server.xml.

Save the file to a secured location. Note the path and name, as it will be needed when updating server.xml.

Edit the server.xml file and add the following line:



For every unencrypted password in server.xml, run the following SecurityUtility command (the script is named securityUtility and is found in the bin directory of the Liberty install path). Supply the same passphrase that was placed in the key file created above; if --key is omitted, the tool encrypts with Liberty's built-in default key, and a server configured with a custom key will not be able to decrypt the result:

securityUtility encode --encoding=aes --key=mysecret

This will prompt the user to enter the plain-text password stored within the server.xml file.

The SecurityUtility tool will output an AES-encrypted representation of the password, prefixed with {aes}. This is encryption, not a hash: the server decrypts it at runtime with the key from the key file.

Copy the {aes} value and replace the plain-text password in server.xml with it.

This must be done for every plain-text password in server.xml.

Restart the server by entering:
server stop
server start
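The check text above (no clear-text or {xor} passwords in server.xml) and the fix procedure, as an added shell example that is not part of the STIG or of IBM's tooling: it builds a constructed non-compliant server.xml, then the key file and compliant server.xml that the fix produces, and runs a grep-based check that accepts only {aes} values. The variable name wlp.password.encryption.key is the one IBM documents for the AES key; the file names, the working directory under $TMPDIR, the sample passwords and the {aes} placeholder are constructed for this example and are not real securityUtility output.

```shell
#!/bin/sh
# Added example, not from the STIG text or IBM: a compliance check for this
# rule plus the "after" configuration the check should accept. All files are
# constructed here; the {aes} value is a placeholder, not real securityUtility
# output, and file names/paths are assumptions.

WORK="${TMPDIR:-/tmp}/liberty-pw-check"
mkdir -p "$WORK"

# Constructed "before" server.xml: one plain-text and one {xor}-encoded password.
# {xor} is reversible obfuscation, so the check text treats it as a finding too.
cat > "$WORK/server-before.xml" <<'EOF'
<server description="constructed example, non-compliant">
    <keyStore id="defaultKeyStore" password="Liberty123" />
    <dataSource id="appDS">
        <properties user="appuser" password="{xor}CONSTRUCTEDXORVALUE" />
    </dataSource>
</server>
EOF

# Key file kept outside server.xml (mode 660, owned by the Liberty user, per the fix).
# wlp.password.encryption.key is the variable Liberty reads for the AES key.
cat > "$WORK/encryptionKey.xml" <<'EOF'
<server>
    <variable name="wlp.password.encryption.key" value="mysecret" />
</server>
EOF
chmod 660 "$WORK/encryptionKey.xml"

# Constructed "after" server.xml: includes the key file and carries only {aes} values.
# Real values come from: securityUtility encode --encoding=aes --key=mysecret
cat > "$WORK/server-after.xml" <<'EOF'
<server description="constructed example, compliant">
    <include location="${server.config.dir}/encryptionKey.xml" />
    <keyStore id="defaultKeyStore" password="{aes}PLACEHOLDER_FROM_SECURITYUTILITY" />
    <dataSource id="appDS">
        <properties user="appuser" password="{aes}PLACEHOLDER_FROM_SECURITYUTILITY" />
    </dataSource>
</server>
EOF

# check_passwords FILE: print one FINDING line per password attribute whose value
# is plain text or {xor}-encoded. A ${var} reference is reported as a NOTE, since
# the literal lives wherever that variable is defined. Returns 0 only when every
# literal password value in FILE carries the {aes} prefix.
check_passwords() {
    file="$1"
    findings=0
    # Matches password="...", keyPassword="...", etc. (any attribute ending in "assword").
    values=$(grep -o 'assword="[^"]*"' "$file" | sed 's/^assword="//; s/"$//')
    while IFS= read -r value; do
        [ -z "$value" ] && continue
        case "$value" in
            '{aes}'*) ;;
            '${'*)    printf 'NOTE %s: indirect value %s, check where that variable is defined\n' "$file" "$value" ;;
            '{xor}'*) printf 'FINDING %s: {xor} is encoding, not encryption: %s\n' "$file" "$value"
                      findings=$((findings + 1)) ;;
            *)        printf 'FINDING %s: plain-text password: %s\n' "$file" "$value"
                      findings=$((findings + 1)) ;;
        esac
    done <<EOF
$values
EOF
    [ "$findings" -eq 0 ]
}

# count_findings FILE: number of FINDING lines, convenient for scripting.
count_findings() {
    check_passwords "$1" | grep -c '^FINDING' || true
}

check_passwords "$WORK/server-before.xml" || echo "server-before.xml: open finding"
check_passwords "$WORK/server-after.xml" && echo "server-after.xml: no clear-text or {xor} passwords"
```

The check reads only the file it is given, so run it over every file server.xml includes as well (and any password-bearing bootstrap.properties), and treat each NOTE as a pointer to the file that must be checked next. The pattern match is a review aid for the check text, not a substitute for reading the configuration.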