UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

The JBoss Password Vault must be used for storing passwords or other sensitive configuration information.


Overview

Finding ID Version Rule ID IA Controls Severity
V-62287 JBOS-AS-000295 SV-76777r1_rule Medium
Description
JBoss EAP 6 has a Password Vault to encrypt sensitive strings, store them in an encrypted keystore, and decrypt them for applications and verification systems. Plain-text configuration files, such as XML deployment descriptors, need to specify passwords and other sensitive information. Use the JBoss EAP Password Vault to securely store sensitive strings in plain-text files.
STIG Date
JBoss EAP 6.3 Security Technical Implementation Guide 2017-03-20

Details

Check Text ( C-63091r1_chk )
Log on to the OS of the JBoss server with OS permissions that allow access to JBoss.
Using the relevant OS commands and syntax, cd to the /bin/ folder.
Run the jboss-cli script.
Connect to the server and authenticate.
Run the command:

"ls /core-service=vault"

If "code=undefined" and "module=undefined",
this is a finding.
Fix Text (F-68207r1_fix)
Configure the application server to use the java keystore and JBoss vault as per section 11.13.1 -Password Vault System in the JBoss_Enterprise_Application_Platform-6.3-Administration_and_Configuration_Guide-en-US document.

1. Create a java keystore.
2. Mask the keystore password and initialize the password vault.
3. Configure JBoss to use the password vault.