UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

HTTP management session traffic must be encrypted.


Overview

Finding ID Version Rule ID IA Controls Severity
V-62073 JBOS-AS-000010 SV-76563r1_rule Medium
Description
Types of management interfaces utilized by the JBoss EAP application server include web-based HTTP interfaces as well as command line-based management interfaces. In the event remote HTTP management is required, the access must be via HTTPS. This requirement is in conjunction with the requirement to isolate all management access to a restricted network.
STIG Date
JBoss EAP 6.3 Security Technical Implementation Guide 2020-06-12

Details

Check Text ( C-62877r2_chk )
Log on to the OS of the JBoss server with OS permissions that allow access to JBoss. Using the relevant OS commands and syntax, cd to the /bin/ folder.
Run the jboss-cli script. Connect to the server and authenticate.

For a standalone configuration run the following command:
"ls /core-service=management/management-interface=http-interface"

If "secure-socket-binding"=undefined, this is a finding.

For a domain configuration run the following command:
"ls /host=master/core-service=management/management-interface=http-interface"

If "secure-port" is undefined, this is a finding.
Fix Text (F-67993r1_fix)
Follow the specific instructions in the Red Hat Security Guide for EAP version 6.3 to configure the management console for HTTPS.

This involves the following steps.
1. Create a keystore in JKS format.
2. Ensure the management console binds to HTTPS.
3. Create a new Security Realm.
4. Configure Management Interface to use new security realm.
5. Configure the management console to use the keystore.
6. Restart the EAP server.