
The WebSphere Application Server distribution and consistency services (DCS) transport links must be encrypted.


Overview

Finding ID: V-81393
Version: WBSP-AS-001620
Rule ID: SV-96107r1_rule
IA Controls: (blank)
Severity: Medium
Description
A Core Group (HA Domain) is a component of the high availability manager function. It can contain stand-alone servers, cluster members, node agents, administrative agents, and the deployment manager. Core groups rely on DCS, which uses a reliable multicast message (RMM) system for transport. RMM can use one of several wire transport technologies. Depending on the environment, sensitive information might be transmitted over DCS. For example, data in DynaCache and the security subject cache are transmitted using DCS. To protect this data in transit, select a transport type of channel framework and DCS-Secure as the channel chain for each core group. Be aware that DCS always authenticates messages when global security is enabled. Once the transport is encrypted, you then have a highly secure channel: all services that rely on DCS now use an encrypted and authenticated transport. Those services are DynaCache, memory-to-memory session replication, core groups, Web services caching, and stateful session bean persistence.
STIG: IBM WebSphere Traditional V9.x Security Technical Implementation Guide
Date: 2018-08-24

Details

Check Text ( C-81103r1_chk )
From the admin console, navigate to Servers >> Core groups.

For every Core Group listed, select the Core Group [CoreGroup Name].

Under "Transport Type", select the "Channel Framework" button.

If the "Transport chain" drop-down box is not set to "DCS-Secure", this is a finding.
Fix Text (F-88179r1_fix)
From the admin console, navigate to Core groups. For every Core Group listed:

Select the [Core Group Name].

Under "Transport type", select the "CHANNEL_FRAMEWORK" button.

Set the "Transport chain" drop-down box to "DCS-SECURE".

Click "Save".

Sync the configuration.
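
The check above can also be run offline against an exported copy of the cell's core group configuration. The following is an added example, not part of the STIG or of IBM's tooling: it assumes the core groups are stored as CoreGroup elements carrying transportType and channelChainName attributes, and it runs against a constructed sample document.

```python
import xml.etree.ElementTree as ET

# Constructed sample, not taken from a real cell. The attribute names
# transportType and channelChainName are assumptions about the exported
# core group configuration; the namespace URI is a placeholder.
SAMPLE_COREGROUP_XML = """\
<xmi:XMI xmlns:xmi="http://www.omg.org/XMI"
         xmlns:coregroup="http://example.invalid/coregroup.xmi">
  <coregroup:CoreGroup name="DefaultCoreGroup"
      transportType="CHANNEL_FRAMEWORK" channelChainName="DCS"/>
  <coregroup:CoreGroup name="SecureGroup"
      transportType="CHANNEL_FRAMEWORK" channelChainName="DCS-Secure"/>
  <coregroup:CoreGroup name="LegacyGroup"
      transportType="MULTICAST" channelChainName="DCS-Secure"/>
  <coregroup:CoreGroup name="NoChainGroup"
      transportType="CHANNEL_FRAMEWORK"/>
</xmi:XMI>
"""

REQUIRED_TRANSPORT = "CHANNEL_FRAMEWORK"
REQUIRED_CHAIN = "DCS-SECURE"  # page spells it DCS-Secure and DCS-SECURE


def local_name(tag):
    """Strip the '{namespace}' prefix ElementTree puts on qualified tags."""
    return tag.rsplit("}", 1)[-1]


def audit_core_groups(xml_text):
    """Return {core group name: [reasons]} for every group that is a finding."""
    findings = {}
    for elem in ET.fromstring(xml_text).iter():
        if local_name(elem.tag) != "CoreGroup":
            continue
        # A missing attribute is reported so a reviewer confirms it in the console.
        transport = elem.get("transportType", "")
        chain = elem.get("channelChainName", "")
        reasons = []
        if transport.upper() != REQUIRED_TRANSPORT:
            reasons.append("transport type is %r" % transport)
        if chain.upper() != REQUIRED_CHAIN:
            reasons.append("transport chain is %r" % chain)
        if reasons:
            findings[elem.get("name", "<unnamed>")] = reasons
    return findings


if __name__ == "__main__":
    for group, why in sorted(audit_core_groups(SAMPLE_COREGROUP_XML).items()):
        print("FINDING %s: %s" % (group, "; ".join(why)))
```

The chain name is compared case-insensitively because the check text and fix text spell it differently; a core group that is not on the channel framework transport is reported as well, since the fix requires both settings.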