Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-224792 | ISEC-06-551600 | SV-224792r505933_rule | | Medium |
Description |
---|
Without protection of the transmitted information, confidentiality and integrity may be compromised since unprotected communications can be intercepted and either read or altered. This requirement applies only to those applications that are either distributed or can allow access to data non-locally. Use of this requirement will be limited to situations where the data owner has a strict requirement for ensuring data integrity and confidentiality is maintained at every step of the data transfer and handling process. When transmitting data, applications need to leverage transmission protection mechanisms, such as TLS, TLS VPNs, or IPSEC. Communication paths outside the physical protection of a controlled boundary are exposed to the possibility of interception and modification. Protecting the confidentiality and integrity of organizational information can be accomplished by physical means (e.g., employing physical distribution systems) or by logical means (e.g., employing cryptographic techniques). If physical means of protection are employed, then logical means (cryptography) do not have to be employed, and vice versa. |
STIG | Date |
---|---|
ISEC7 Sphere Security Technical Implementation Guide | 2020-09-04 |
Check Text ( C-26483r461632_chk ) |
---|
Verify SSL is enabled on Apache Tomcat. Verify Enable HTTPS has been configured to use HTTP over SSL: Open a web browser that is able to reach the ISEC7 EMM Suite console. Verify that the address used has a prefix of https://. Alternatively: Log in to the ISEC7 EMM Suite server. Open the server.xml file located at Select Edit >> Find and search for Connector port="443". Confirm the connector is present and not commented out. If SSL is not enabled on Apache Tomcat, this is a finding. |
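
The server.xml part of the check above can be scripted. The following Python sketch is an added example, not part of the STIG or of ISEC7 tooling; the sample configurations are constructed, and the extra test for `SSLEnabled="true"` is an assumption that goes beyond the check text, which only asks that the connector be present and not commented out.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample server.xml contents (not from an ISEC7 installation).
COMPLIANT = """<Server port="8005" shutdown="SHUTDOWN"><Service name="Catalina">
  <Connector port="8080" protocol="HTTP/1.1" />
  <Connector port="443" SSLEnabled="true" scheme="https" secure="true"
             keystoreFile="conf/example.jks" keystorePass="PLACEHOLDER" />
</Service></Server>"""

COMMENTED_OUT = """<Server port="8005" shutdown="SHUTDOWN"><Service name="Catalina">
  <Connector port="8080" protocol="HTTP/1.1" />
  <!-- <Connector port="443" SSLEnabled="true" scheme="https" secure="true" /> -->
</Service></Server>"""

PLAINTEXT_443 = """<Server port="8005" shutdown="SHUTDOWN"><Service name="Catalina">
  <Connector port="443" protocol="HTTP/1.1" />
</Service></Server>"""

COMMENT_RE = re.compile(r"<!--(.*?)-->", re.DOTALL)
CONNECTOR_443_RE = re.compile(r"""<Connector\b[^>]*\bport\s*=\s*["']443["']""")


def check_https_connector(server_xml):
    """Return (compliant, reason) for the port-443 connector check."""
    # The default ElementTree parser discards comments, so a commented-out
    # connector never appears among the live elements.
    root = ET.fromstring(server_xml)
    live = [c for c in root.iter("Connector") if c.get("port") == "443"]
    if not live:
        # Distinguish "commented out" from "absent" to make the finding actionable.
        for body in COMMENT_RE.findall(server_xml):
            if CONNECTOR_443_RE.search(body):
                return False, "connector for port 443 is commented out"
        return False, "no connector for port 443"
    # Assumption beyond the check text: Tomcat's SSLEnabled defaults to false,
    # so a live connector without it would serve plain HTTP on 443.
    if not any(c.get("SSLEnabled", "").lower() == "true" for c in live):
        return False, "connector on port 443 does not enable SSL"
    return True, "active SSL connector on port 443"


if __name__ == "__main__":
    for name, xml in [("compliant", COMPLIANT), ("commented", COMMENTED_OUT),
                      ("plaintext", PLAINTEXT_443)]:
        print(name, check_https_connector(xml))
```
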
Fix Text (F-26471r461633_fix) |
---|
To configure SSL support on Tomcat, run the ISEC7 integrated installer or use the following manual procedure: To configure SSL support on Tomcat, you need to change the connector type in Log in to the ISEC7 EMM Suite server. Browse to Edit the server.xml with Notepad.exe. Select Edit >> Find and search for connector port=443. Replace the existing connection with the connection below, modifying the keystoreFile path and password as needed. Remark: The user should not uncomment the connector tag for port 80/8080. It is recommended to keep this for the automated ISEC7 EMM Suite Agent update from the ISEC7 EMM Suite Tomcat portal (see 2.2.3). If you decline port 80/8080, the user has to enable J2SE SSL as described in section 2.2.1 with the same keystore file for every ISEC7 EMM Suite Agent host. Then the user can click on OK and restart the Apache Tomcat service to put the new configuration into effect. One can find further information at https://tomcat.apache.org/tomcat-8.5-doc/ssl-howto.html. Alternatively, you can use the Windows certificate store instead of a local keystore file. The SSL certificate needs to be imported into the My user account – Personal using the mmc certificate snap-in. Make sure that the cert has a friendly name; it can be verified in mmc under cert properties. The friendly name is case sensitive. |