UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

JBoss must be configured to use an approved cryptographic algorithm in conjunction with TLS.


Overview

Finding ID Version Rule ID IA Controls Severity
V-62323 JBOS-AS-000655 SV-76813r1_rule Medium
Description
Preventing the disclosure or modification of transmitted information requires that application servers take measures to employ approved cryptography in order to protect the information during transmission over the network. This is usually achieved through the use of Transport Layer Security (TLS), SSL VPN, or IPSec tunnel. If data in transit is unencrypted, it is vulnerable to disclosure and modification. If approved cryptographic algorithms are not used, encryption strength cannot be assured. FIPS 140-2 approved TLS versions include TLS V1.0 or greater. TLS must be enabled, and non-FIPS-approved SSL versions must be disabled. NIST SP 800-52 specifies the preferred configurations for government systems.
STIG Date
JBoss EAP 6.3 Security Technical Implementation Guide 2015-11-09

Details

Check Text ( C-63127r1_chk )
Log on to the OS of the JBoss server with OS permissions that allow access to JBoss.
Using the relevant OS commands and syntax, cd to the /bin/ folder.
Run the jboss-cli script.
Connect to the server and authenticate.

Validate that the TLS protocol is used for HTTPS connections.
Run the command:

"ls /subsystem=web/connector=http/ssl="

Review the cipher suites. The following suites are acceptable as per NIST 800-52r1 section 3.3.1 - Cipher Suites. Refer to the NIST document for a complete list of acceptable cipher suites. The source NIST document and approved encryption algorithms/cipher suites are subject to change and should be referenced.

AES_128_CBC
AES_256_CBC
AES_128_GCM
AES_128_CCM
AES_256_CCM

If the cipher suites utilized by the TLS server are not approved by NIST as per 800-52r1, this is a finding.
Fix Text (F-68243r1_fix)
Reference section 4.6 of the JBoss EAP 6.3 Security Guide located on the Red Hat vendor's website for step-by-step instructions on establishing SSL encryption on JBoss.

The overall steps include:

1. Add an HTTPS connector.
2. Configure the SSL encryption certificate and keys.
3. Set the Cipher to an approved algorithm.