UCF STIG Viewer Logo

The WebSphere Liberty Server must use DoD-issued/signed certificates.


Overview

Finding ID Version Rule ID IA Controls Severity
V-250338 IBMW-LS-000500 SV-250338r850895_rule Medium
Description
The cornerstone of PKI is the private key used to encrypt or digitally sign information. The key by itself is a cryptographic value that does not contain specific user information, but the key can be mapped to a user. Without mapping the certificate used to authenticate to the user account, the ability to determine the identity of the individual user or group will not be available for forensic analysis. Satisfies: SRG-APP-000177-AS-000126, SRG-APP-000427-AS-000264, SRG-APP-000514-AS-000137
STIG Date
IBM WebSphere Liberty Server Security Technical Implementation Guide 2022-09-09

Details

Check Text ( C-53773r850894_chk )
As a privileged user with access to the ${server.config.dir}/server.xml file; search for SSLDefault in order to identify the default SSL configuration.

grep -i ssldefault server.xml

Identify the default ssl configuration by examining the sslRef flag.

SAMPLE:


Review the default ssl configuration to identify the default truststore.

SAMPLE:



Use the java keytool or ikeyman utilities to open and examine the certificates stored in the truststore.

If the certificates are self signed or not signed by a DoD approved CA, this is a finding.
Fix Text (F-53727r795066_fix)
Do not use self-signed certificates in a production environment. Only import certificates signed by an authorized DoD CA or authorized for DoD use.

Obtain the signer certificate either as a Base 64-encoded ASCII file or as binary DER data.

Using the JDK’s ikeyman or keytool utility, open the default trusted keystore specified in the ${server.config.dir}/server.xml.

Click on signer certificates and import the file that contains the DoD signed certificate.