
The option to enable online certificate validation must be enabled.


Overview

Finding ID: V-32832
Version: JRE0040-UX
Rule ID: SV-43618r2_rule
IA Controls: DCBP-1
Severity: Medium
Description
Online certificate validation provides a real-time option to validate a certificate. When enabled, if a certificate is presented, the status of the certificate is requested. The status is sent back as 'current', 'expired', or 'unknown'. Online certificate validation provides a greater degree of validation of certificates when running a signed Java applet. Permitting execution of an applet with an invalid certificate may result in malware execution, system modification, invasion of privacy, and denial of service. NOTE: The 'JRE' directory in the file path may reflect the specific JRE release installed.
STIG: Java Runtime Environment (JRE) version 6 STIG for Unix
Date: 2015-12-10

Details

Check Text ( C-41481r8_chk )
If the system is on the SIPRNET, this requirement is NA.

Navigate to the 'deployment.properties' file for Java.
/usr/java/jre/lib/deployment.properties

Examine the deployment.properties file for the 'deployment.security.validation.ocsp' key. If the 'deployment.security.validation.ocsp' key is not present, this is a finding.

If the key 'deployment.security.validation.ocsp' is set to 'false', this is a finding.
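
The check above can be evaluated with a short script. This is an added example, not part of the STIG: the function name check_ocsp_validation and its result strings are assumptions, and the SIPRNET 'NA' determination remains a manual step.

```shell
#!/bin/sh
# Added example: evaluate the check text against a deployment.properties file.
# Prints: not_a_finding | finding_key_missing | finding_false |
#         review_unexpected_value | file_not_found
check_ocsp_validation() {
    props_file=$1
    key='deployment.security.validation.ocsp'
    [ -f "$props_file" ] || { echo file_not_found; return 2; }

    # Java .properties syntax: '#' or '!' starts a comment; key and value are
    # separated by '=', ':' or whitespace; the last definition of a key wins.
    value=$(awk -v key="$key" '
        /^[ \t]*[#!]/ { next }
        {
            line = $0
            sub(/^[ \t]+/, "", line)
            if (index(line, key) != 1) next
            rest = substr(line, length(key) + 1)
            # Skip longer keys that merely share this prefix.
            if (rest != "" && rest !~ /^[ \t]*[=:]/ && rest !~ /^[ \t]/) next
            sub(/^[ \t]*[=:]?[ \t]*/, "", rest)
            sub(/[ \t\r]+$/, "", rest)
            found = 1; val = rest
        }
        END { if (found) print "set:" val; else print "missing" }
    ' "$props_file")

    if [ "$value" = "missing" ]; then
        echo finding_key_missing; return 1
    fi
    # Assumption: the value is compared case-insensitively.
    setting=$(printf '%s' "${value#set:}" | tr '[:upper:]' '[:lower:]')
    case $setting in
        true)  echo not_a_finding; return 0 ;;
        false) echo finding_false; return 1 ;;
        *)     echo review_unexpected_value; return 1 ;;
    esac
}

# Stand-alone use: pass the path from the check text as the first argument.
if [ "$#" -gt 0 ]; then
    check_ocsp_validation "$1"
fi
```

A commented-out key and a longer key that only shares the prefix both count as "not present", which matches the first finding condition.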
Fix Text (F-37121r6_fix)
If the system is on the SIPRNET, this requirement is NA.

Enable the 'Enable online certificate validation' option.
Navigate to the 'deployment.properties' file for Java.
/usr/java/jre/lib/deployment.properties
Add or update the key 'deployment.security.validation.ocsp' to be 'true'.