
The WebSphere Application Server must not generate LTPA keys automatically.


Overview

Finding ID: V-81381
Version: WBSP-AS-001520
Rule ID: SV-96095r1_rule
IA Controls:
Severity: Low

Description
Automated LTPA key generation can create unplanned outages. Plan to change your LTPA keys during a scheduled outage. Distribute the new keys to all nodes in the cell and to all external systems/cells during this outage window.

STIG: IBM WebSphere Traditional V9.x Security Technical Implementation Guide
Date: 2018-08-24

Details

Check Text ( C-81091r1_chk )
If LTPA is not utilized, this is not applicable.

Request the documented process to manually regenerate the LTPA keys.

The regeneration interval must be defined, documented, and accepted by the ISSO, and regeneration must be performed at least annually.

Navigate to Security >> SSL Certificate and Key Management >> Key set groups >> Cell LTPAKeySetGroup.

If "automatically generate keys" is checked, this is a finding.

Fix Text (F-88167r2_fix)
Navigate to Security >> SSL Certificate and Key Management >> Key set groups >> Cell LTPAKeySetGroup.

Uncheck "automatically generate keys".

Click "OK".

Click "Save".

Restart the "Deployment Manager".
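
The console check in the Check Text can also be run against a copy of the cell's security.xml. The script below is an added example, not part of the STIG or of IBM's tooling. It assumes key set groups are stored as keySetGroups elements with name and autoGenerate attributes, and its sample XML is constructed; confirm the layout against your own file.

```python
import sys
import xml.etree.ElementTree as ET

# Constructed sample, not taken from a real cell. Assumption: security.xml
# stores each key set group as a <keySetGroups> element with "name" and
# "autoGenerate" attributes.
SAMPLE = """<security:Security xmlns:xmi="http://www.omg.org/XMI"
    xmlns:security="http://www.ibm.com/websphere/appserver/schemas/5.0/security.xmi">
  <keySetGroups xmi:id="KeySetGroup_1" name="CellLTPAKeySetGroup" autoGenerate="true"/>
  <keySetGroups xmi:id="KeySetGroup_2" name="NodeLTPAKeySetGroup" autoGenerate="false"/>
</security:Security>"""


def audit_ltpa_key_set_groups(xml_data):
    """Return [(group name, status)] for every LTPA key set group.

    FINDING = automatic generation enabled, OK = disabled,
    REVIEW = attribute absent, so confirm in the admin console.
    """
    results = []
    for el in ET.fromstring(xml_data).iter():
        # Compare the local name so a namespace prefix does not hide the element.
        if el.tag.rsplit("}", 1)[-1] != "keySetGroups":
            continue
        name = el.get("name", "")
        if "LTPA" not in name.upper():
            continue
        flag = el.get("autoGenerate")
        if flag is None:
            status = "REVIEW"
        elif flag.strip().lower() == "true":
            status = "FINDING"
        else:
            status = "OK"
        results.append((name, status))
    return results


if __name__ == "__main__":
    # Pass the path to a copy of security.xml, or no argument to use the sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            data = fh.read()
    else:
        data = SAMPLE
    findings = audit_ltpa_key_set_groups(data)
    if not findings:
        print("No LTPA key set group found; confirm whether LTPA is in use.")
    for name, status in findings:
        print(f"{status:8} {name}")
    sys.exit(1 if any(s == "FINDING" for _, s in findings) else 0)
```

The script exits non-zero when any LTPA key set group has automatic generation enabled, so it can gate a scheduled compliance job.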