The option to enable online certificate validation must be locked.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-32833	JRE0050-J62K7	SV-43224r1_rule		Medium

Description
Online certificate validation provides a real-time alternative to validating a certificate. When enabled, if a certificate is presented, the status of the certificate is requested. The status is sent back as 'current', 'expired', or 'unknown'. Online certificate validation provides a greater degree of validation of certificates when running a signed Java applet. Permitting execution of an applet with an invalid certificate may result in malware, system modification, invasion of privacy, and denial of service. Ensuring users cannot change settings, contributes to a more consistent security profile.

Description

Online certificate validation provides a real-time alternative to validating a certificate. When enabled, if a certificate is presented, the status of the certificate is requested. The status is sent back as 'current', 'expired', or 'unknown'. Online certificate validation provides a greater degree of validation of certificates when running a signed Java applet. Permitting execution of an applet with an invalid certificate may result in malware, system modification, invasion of privacy, and denial of service. Ensuring users cannot change settings, contributes to a more consistent security profile.

STIG	Date
Java Runtime Environment (JRE) 6 STIG for Win7	2012-07-23

Details

Check Text ( C-41195r5_chk )
Navigate to the 'deployment.properties' file for Java. C:\Program Files\Java\jre6\lib\deployment.properties If the key 'deployment.security.validation.ocsp.locked' is not present, this is a finding.

Fix Text (F-36751r4_fix)
Lock the 'Enable online certificate validation' option. Navigate to the 'deployment.properties' file for Java. C:\Program Files\Java\jre6\lib\deployment.properties Add the key 'deployment.security.validation.ocsp.locked'.