UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

If passwords are used for authentication, the MarkLogic Server must transmit only encrypted representations of passwords.


Overview

Finding ID Version Rule ID IA Controls Severity
V-220365 ML09-00-003800 SV-220365r961029_rule High
Description
The DoD standard for authentication is DoD-approved PKI certificates. Authentication based on User ID and Password may be used only when it is not possible to employ a PKI certificate, and requires AO approval. In such cases, passwords must be protected at all times, and encryption is the standard method for protecting passwords during transmission. DBMS passwords sent in clear text format across the network are vulnerable to discovery by unauthorized users. Disclosure of passwords may easily lead to unauthorized access to the database. MarkLogic Types of Authentication: Basic* Digest Digest-Basic* Certificate Application Level Kerberos Ticket SAML * Indicates that the authentication method allows the username and password to be transmitted in clear text. For more information on the types of authentication MarkLogic offers, follow this link: https://docs.marklogic.com/9.0/guide/security/authentication#id_14250
STIG Date
MarkLogic Server v9 Security Technical Implementation Guide 2024-06-12

Details

Check Text ( C-22080r401546_chk )
Review MarkLogic configuration settings for encrypting passwords in transit across the network.

Perform the check from the MarkLogic Server Admin Interface with a user that holds administrative-level privileges.

1. Click the Groups icon.
2. Click the group in which the App Server to be checked resides (e.g., Default).
3. Click the App Servers icon on the left tree menu.
4. Select each of the App Servers.
5. Inspect the selected authentication method, if "basic" or "digest-basic" is selected, this is a finding.

If Application Level is selected and the application server is not configured for SSL, this is a finding
Fix Text (F-22069r401547_fix)
If the MarkLogic application server in question is configured with "digest" or "digest-basic" authentication or is configured with "Application Level" authentication and is not SSL enabled, implement the corrective action outlined below.

Perform the fix from the MarkLogic Server Admin Interface with a user that holds administrative-level privileges.

1. Click the Groups icon.
2. Click the group in which the App Server to be checked resides (e.g., Default).
3. Click the App Servers icon on the left tree menu.
4. Select each of the App Servers.
5. Inspect the selected authentication method, if "basic" or "digest-basic" is selected, change the authentication method to something other than those two.

If Application Level is selected, ensure the application server is configured for SSL.