UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

Application security must be enabled on the WebSphere Liberty Server.


Overview

Finding ID Version Rule ID IA Controls Severity
V-250341 IBMW-LS-000770 SV-250341r862989_rule High
Description
Application security enables security for the applications in the environment. This type of security provides application isolation and requirements for authenticating application users. When a user enables security, both administrative and application security is enabled. Application security is in effect only when administrative security is enabled via the security feature. If the application server is to be used for only web applications, only the servlet-3.1 feature needs to be defined. If the application server is to be used for only ejb applications, only the ejbLite-3.1 feature needs to be defined. If both web and ejb applications are to be deployed on the application server, then both the servlet-3.1 and ejbLite-3.1 features need to be defined. The check and fix assumes that the application server will have both web and ejb applications deployed. Satisfies: SRG-APP-000315-AS-000094, SRG-APP-000014-AS-000009
STIG Date
IBM WebSphere Liberty Server Security Technical Implementation Guide 2022-09-09

Details

Check Text ( C-53776r862987_chk )
As a user with local file access to ${server.config.dir}/server.xml file, verify application security is enabled.

If the appSecurity-2.0 feature is not defined within server.xml, this is a finding.


appSecurity-2.0

appSecurity-3.0
Fix Text (F-53730r862988_fix)
Configure the ${server.config.dir}/server.xml file and add the appSecurity-2.0 feature.


appSecurity-2.0


Review ${server.config.dir}/logs/messages.log

Validate log entry that indicates "Security service is ready".