Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-32831 | JRE0030-J6XP | SV-43216r4_rule | DCBP-1 | Medium |
Description |
---|
Certificates may be revoked due to improper issuance, compromise of the certificate, and failure to adhere to policy. Therefore, any certificate found revoked on a CRL or via Online Certificate Status Protocol (OCSP) should not be trusted. Permitting execution of an applet published with a revoked certificate may result in spoofing, malware, system modification, invasion of privacy, and denial of service. Ensuring users cannot change these settings assures a more consistent security profile. |
STIG | Date |
---|---|
Java Runtime Environment (JRE) 6 STIG for Windows XP | 2014-10-05 |
Check Text ( C-41512r8_chk ) |
---|
If the system is on the SIPRNET, this requirement is NA. Navigate to the 'deployment.properties' file for Java. For 32-bit systems: C:\Program Files\Java\jre6\lib\deployment.properties. For 64-bit systems you must check both the 64-bit and the 32-bit files: C:\Program Files\Java\jre6\lib\deployment.properties and C:\Program Files (x86)\Java\jre6\lib\deployment.properties. If the key 'deployment.security.validation.crl.locked' is not present in the deployment.properties file, this is a finding. If the key 'deployment.security.revocation.check.locked' is not present in the deployment.properties file, this is a finding. If the key 'deployment.security.validation.ocsp.locked' is not present in the deployment.properties file, this is a finding. |
Fix Text (F-37148r5_fix) |
---|
Navigate to the 'deployment.properties' file for Java. For 32-bit systems: C:\Program Files\Java\jre6\lib\deployment.properties. For 64-bit systems you must check both the 64-bit and the 32-bit files: C:\Program Files\Java\jre6\lib\deployment.properties and C:\Program Files (x86)\Java\jre6\lib\deployment.properties. Add the key 'deployment.security.validation.crl.locked' to the deployment.properties file. Add the key 'deployment.security.validation.ocsp.locked' to the deployment.properties file. |
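
The Check Text above can be automated. The following PowerShell audit is an added example, not part of the STIG: the function name `Test-JreRevocationLocks`, its output columns, and the use of the `C:\Program Files (x86)` directory to detect a 64-bit system are assumptions. It assumes PowerShell 2.0 or later and does not evaluate the SIPRNET "NA" condition.

```powershell
# Added example: reports, per file, whether each key named in the Check Text is present.
# Keys and file paths are copied from the Check Text; everything else is illustrative.
$RequiredKeys = @(
    'deployment.security.validation.crl.locked',
    'deployment.security.revocation.check.locked',
    'deployment.security.validation.ocsp.locked'
)

function Test-JreRevocationLocks {
    param([string[]]$Path)

    foreach ($file in $Path) {
        $exists = Test-Path -LiteralPath $file -PathType Leaf
        # Case-sensitive table: property keys are case-sensitive, @{} is not.
        $present = New-Object System.Collections.Hashtable
        if ($exists) {
            foreach ($line in Get-Content -LiteralPath $file) {
                $t = $line.Trim()
                # Skip blanks and comments ('#' or '!' start a comment line).
                if ($t -eq '' -or $t.StartsWith('#') -or $t.StartsWith('!')) { continue }
                # Key ends at '=', ':' or whitespace; a bare key on its own line also counts.
                $key = ($t -split '[=:\s]', 2)[0]
                $present[$key] = $true
            }
        }
        foreach ($k in $RequiredKeys) {
            # Assumption: a missing file is reported as a finding for every key,
            # since the key cannot be present in a file that does not exist.
            New-Object PSObject -Property @{
                File       = $file
                FileExists = $exists
                Key        = $k
                Finding    = -not $present.ContainsKey($k)
            } | Select-Object File, FileExists, Key, Finding
        }
    }
}

# 32-bit systems have one file; 64-bit systems must be checked in both locations.
$paths = @('C:\Program Files\Java\jre6\lib\deployment.properties')
if (Test-Path -LiteralPath 'C:\Program Files (x86)') {
    $paths += 'C:\Program Files (x86)\Java\jre6\lib\deployment.properties'
}

Test-JreRevocationLocks -Path $paths | Format-Table -AutoSize
```

Any row with `Finding` set to `True` corresponds to one of the "this is a finding" conditions in the Check Text.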