
The WebSphere Liberty Server LTPA keys password must be changed.


Overview

Finding ID: V-250346
Version: IBMW-LS-001050
Rule ID: SV-250346r850905_rule
IA Controls:
Severity: Medium
Description
The default location of the automatically generated Lightweight Third Party Authentication (LTPA) keys file is ${server.output.dir}/resources/security/ltpa.keys. The LTPA keys are encrypted with a randomly generated key and a default password of WebAS is initially used to protect the keys. The password is required when importing the LTPA keys into another server. To protect the security of the LTPA keys, change the password. When the LTPA keys are exchanged between servers, this password must match across the servers for Single Sign On (SSO) to work. Automated LTPA key generation can create unplanned outages. Plan to change the LTPA keys during a scheduled outage and do not use automated key changes. Distribute the new keys to all nodes in the cell and to all external systems/cells during this outage window.
STIG: IBM WebSphere Liberty Server Security Technical Implementation Guide
Date: 2022-09-09

Details

Check Text ( C-53781r850904_chk )
If LTPA is not used, this requirement is not a finding.

As a privileged user with access to ${server.config.dir}/server.xml file, review the server.xml file and locate LTPA settings. If the LTPA settings do not exist, this is not a finding.

EXAMPLE:
grep -i "


If the LTPA setting exists and the password is set to "WebAS", this is a finding.
Fix Text (F-53735r795090_fix)
To update the keys password and force a regeneration of the keys, follow these steps. To obtain encoded values for the password, use the Liberty "securityUtility encode" command.

1. Shut down the server.

2. Configure the element in the server.xml file as follows, replacing the sample values in the example with local values. The password may be encoded or encrypted.



3. Delete the existing ltpa.keys file (by default ${server.output.dir}/resources/security/ltpa.keys, as noted in the description) so that new keys are generated under the new password at the next start.

4. Sync changes with all servers in the cell.

5. Start the servers.
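The following audit script is an added example for both the check and the fix above; it is not IBM code and not part of the STIG. It assumes the documented Liberty <ltpa keysPassword="..."/> attribute under <server>, and WebSphere's {xor} password encoding (each byte XOR 0x5F, then base64), which is what "securityUtility encode" produces when no other encoding is requested. Two points the literal grep for "WebAS" in the check does not cover: the factory default is equally in effect when the attribute holds its {xor}-encoded form ({xor}CDo9Hgw= decodes to WebAS), and when the <ltpa> element or its keysPassword attribute is missing, since Liberty then falls back to the default. The sample server.xml documents below are constructed for the example.

```python
"""Audit a Liberty server.xml for the default LTPA keys password.

Added example for the STIG page; not IBM tooling and not STIG text.
Assumptions: the <ltpa keysPassword="..."/> attribute of <server>, and the
{xor} scheme (each byte XOR 0x5F, then base64) used by "securityUtility encode"
when no other encoding is requested.
"""
import base64
import xml.etree.ElementTree as ET

DEFAULT_LTPA_PASSWORD = "WebAS"   # factory default named in the STIG description
XOR_KEY = 0x5F


def xor_encode(password: str) -> str:
    """Encode a password the way the {xor} scheme does."""
    raw = bytes(b ^ XOR_KEY for b in password.encode("utf-8"))
    return "{xor}" + base64.b64encode(raw).decode("ascii")


def xor_decode(value: str) -> str:
    """Reverse xor_encode(); {xor} is obfuscation, not encryption."""
    raw = base64.b64decode(value[len("{xor}"):])
    return bytes(b ^ XOR_KEY for b in raw).decode("utf-8")


def effective_password(attr_value):
    """Plaintext of a keysPassword attribute, or None if not recoverable offline."""
    if attr_value is None:                # attribute absent: Liberty uses the default
        return DEFAULT_LTPA_PASSWORD
    if attr_value.startswith("{xor}"):
        return xor_decode(attr_value)
    if attr_value.startswith("{aes}"):    # encrypted with the server's key; review manually
        return None
    return attr_value                     # stored in clear text


def audit_ltpa(server_xml: str) -> dict:
    """Apply the STIG check to one server.xml document.

    'finding' follows the rule: an <ltpa> element whose password in effect is
    WebAS, in clear text or {xor}-encoded. 'default_in_effect' is the wider
    practitioner view: no <ltpa> element at all also leaves WebAS in use.
    Nested <include> files are not followed; audit each of them separately.
    """
    root = ET.fromstring(server_xml)
    elements = root.findall("ltpa")       # <ltpa> is a direct child of <server>
    result = {"finding": False, "default_in_effect": False,
              "needs_manual_review": False, "elements": len(elements)}
    if not elements:
        result["default_in_effect"] = True
        return result
    for el in elements:
        pw = effective_password(el.get("keysPassword"))
        if pw is None:
            result["needs_manual_review"] = True
        elif pw == DEFAULT_LTPA_PASSWORD:
            result["default_in_effect"] = True
            result["finding"] = True
    return result


# Constructed sample documents for the example (not taken from any real server).
SAMPLE_DEFAULT = (
    '<server><ltpa keysFileName="${server.output.dir}/resources/security/ltpa.keys" '
    'keysPassword="WebAS" expiration="120"/></server>'
)
SAMPLE_ENCODED_DEFAULT = '<server><ltpa keysPassword="{xor}CDo9Hgw="/></server>'
SAMPLE_FIXED = (
    f'<server><ltpa keysPassword="{xor_encode("example-new-keys-password")}"/></server>'
)
SAMPLE_NO_LTPA = "<server><featureManager/></server>"

if __name__ == "__main__":
    for name, doc in [("clear-text default", SAMPLE_DEFAULT),
                      ("xor-encoded default", SAMPLE_ENCODED_DEFAULT),
                      ("changed password", SAMPLE_FIXED),
                      ("no <ltpa> element", SAMPLE_NO_LTPA)]:
        print(f"{name:20s} {audit_ltpa(doc)}")
```

The SAMPLE_FIXED document shows the shape of the element after the fix: a keysPassword attribute carrying the output of "securityUtility encode" for the new password rather than the literal or encoded WebAS. An {aes}-encrypted value cannot be decoded offline, so the script reports it for manual review instead of guessing.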