Innoslate must use TLS 1.2, at a minimum, to protect the confidentiality of sensitive data during electronic dissemination using remote access.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-254087	SPEC-IN-000030	SV-254087r845265_rule		High

Description
Using older unauthorized versions or incorrectly configuring protocol negotiation makes the gateway vulnerable to known and unknown attacks that exploit vulnerabilities in this protocol. This requirement applies to Transport Layer Security (TLS) gateways (also known as Secure Sockets Layer [SSL] gateways), web servers, and web applications and is not applicable to virtual private network (VPN) devices. Application protocols such as HTTPS and DNSSEC use TLS as the underlying security protocol and thus are in scope for this requirement. NIST SP 800-52 provides guidance for client negotiation on either DoD-only or on public-facing servers. Satisfies: SRG-APP-000014, SRG-APP-000156, SRG-APP-000179, SRG-APP-000442, SRG-APP-000555, SRG-APP-000560, SRG-APP-000565, SRG-APP-000605, SRG-APP-000635, SRG-APP-000645, SRG-APP-000219

Description

Using older unauthorized versions or incorrectly configuring protocol negotiation makes the gateway vulnerable to known and unknown attacks that exploit vulnerabilities in this protocol. This requirement applies to Transport Layer Security (TLS) gateways (also known as Secure Sockets Layer [SSL] gateways), web servers, and web applications and is not applicable to virtual private network (VPN) devices. Application protocols such as HTTPS and DNSSEC use TLS as the underlying security protocol and thus are in scope for this requirement. NIST SP 800-52 provides guidance for client negotiation on either DoD-only or on public-facing servers. Satisfies: SRG-APP-000014, SRG-APP-000156, SRG-APP-000179, SRG-APP-000442, SRG-APP-000555, SRG-APP-000560, SRG-APP-000565, SRG-APP-000605, SRG-APP-000635, SRG-APP-000645, SRG-APP-000219

STIG	Date
SPEC Innovations Innoslate 4.x Security Technical Implementation Guide	2022-08-31

Details

Check Text ( C-57572r845235_chk )
1. Consult the System Administrator if needed to determine the location of the Apache Tomcat server.xml file and the network port that was specified during installation for use with Innoslate. The default is 8443; other AO-approved ports may be used. 2. Open the server.xml file with a text editor, and locate the element. The following is an example: Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol" maxThreads="150" SSLEnabled="true" scheme="https" secure="true" clientAuth="false" SSLProtocol="TLSv1.2" keystoreFile="$keystorepath" keystorePass="123456" keyAlias="tomcatssl" / If "port" is not set to 8443, or other AO-approved port, this is a finding. If "protocol" is not set to "org.apache.coyote.http11.Http11NioProtocol", this is a finding. If "SSLEnabled" is not set to "true", this is a finding. If "scheme" is not set to "https", this is a finding. If "secure" is not set to "true", this is a finding. If "SSLProtocol"or "SSLEnabledProtocols" is not set to "TLSv1.2", this is a finding. The name of this flag varies with Tomcat versions.

Check Text ( C-57572r845235_chk )

1. Consult the System Administrator if needed to determine the location of the Apache Tomcat server.xml file and the network port that was specified during installation for use with Innoslate. The default is 8443; other AO-approved ports may be used.
2. Open the server.xml file with a text editor, and locate the element. The following is an example:

Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
clientAuth="false" SSLProtocol="TLSv1.2"
keystoreFile="$keystorepath"
keystorePass="123456"
keyAlias="tomcatssl"
/

If "port" is not set to 8443, or other AO-approved port, this is a finding.
If "protocol" is not set to "org.apache.coyote.http11.Http11NioProtocol", this is a finding.
If "SSLEnabled" is not set to "true", this is a finding.
If "scheme" is not set to "https", this is a finding.
If "secure" is not set to "true", this is a finding.
If "SSLProtocol"or "SSLEnabledProtocols" is not set to "TLSv1.2", this is a finding. The name of this flag varies with Tomcat versions.

Fix Text (F-57523r845236_fix)
1. Open the server.xml file inside the conf folder of the tomcat installation (IE "C:\Innoslate4\apache-tomcat\conf" or "$CATALINA_BASE/conf/server.xml"). Add a connector tag for HTTPS scheme with PORT 8443 (or other AO-approved port) using the following example: Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol" maxThreads="150" SSLEnabled="true" scheme="https" secure="true" clientAuth="false" sslProtocol="TLSv1.2" keystoreFile="C:\Innoslate4\apache-tomcat-8.5.30\conf\keystore.jks" keystorePass="123456" keyAlias="tomcatssl" / 2. Set "port" to 8443, or other AO-approved port. Set "protocol" to "org.apache.coyote.http11.Http11NioProtocol". Set "SSLEnabled" to "true". Set "scheme" to "https". Set "secure" to "true". Set "SSLProtocol" or "SSLEnabledProtocols" to "TLSv1.2". The name of this flag varies with Tomcat versions. Set "keystoreFile" to the path of the keystore utilized by the system, and set the associated password with "keystorePass". 3. Save the server.xml file.

Fix Text (F-57523r845236_fix)

1. Open the server.xml file inside the conf folder of the tomcat installation (IE "C:\Innoslate4\apache-tomcat\conf" or "$CATALINA_BASE/conf/server.xml"). Add a connector tag for HTTPS scheme with PORT 8443 (or other AO-approved port) using the following example:

Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
clientAuth="false" sslProtocol="TLSv1.2"
keystoreFile="C:\Innoslate4\apache-tomcat-8.5.30\conf\keystore.jks"
keystorePass="123456"
keyAlias="tomcatssl"
/

2. Set "port" to 8443, or other AO-approved port.
Set "protocol" to "org.apache.coyote.http11.Http11NioProtocol".
Set "SSLEnabled" to "true".
Set "scheme" to "https".
Set "secure" to "true".
Set "SSLProtocol" or "SSLEnabledProtocols" to "TLSv1.2". The name of this flag varies with Tomcat versions.
Set "keystoreFile" to the path of the keystore utilized by the system, and set the associated password with "keystorePass".

3. Save the server.xml file.