STIGQter: STIG Summary: Apache Tomcat Application Server 9 Security Technical Implementation Guide Version: 2 Release: 2 Benchmark Date: 22 Jan 2021

Tomcat must use FIPS-validated ciphers on secured connectors.

DISA Rule

SV-222968r615938_rule

Vulnerability Number

V-222968

Group Title

SRG-APP-000179-AS-000129

Rule Version

TCAT-AS-000750

Severity

CAT I

CCI(s)

Weight

10

Fix Recommendation

In addition to configuring Tomcat, the admin must also configure the underlying OS and Java engine to use FIPS-validated encryption modules. This fix describes how to enable FIPSMode within Tomcat only; the OS and Java engine must be configured to use the FIPS-validated modules according to the chosen OS and Java engine.

From the Tomcat server as a privileged user:

sudo nano $CATALINA_BASE/conf/server.xml

In the <Listener/> element, locate the AprLifecycleListener. Either add or modify the FIPSMode setting and set it to FIPSMode="on".

EXAMPLE:
<Listener
className="org.apache.catalina.core.AprLifecycleListener"
SSLEngine="on"
FIPSMode="on"
/>

Restart the Tomcat server:
sudo systemctl restart tomcat
sudo systemctl daemon-reload

Check Contents

From the Tomcat server console, run the following two commands to verify that the Tomcat server is configured to use FIPS:

sudo grep -i fipsmode $CATALINA_BASE/conf/server.xml

sudo grep -i fipsmode $CATALINA_BASE/logs/catalina.out

If server.xml does not contain FIPSMode="on", or if catalina.out contains the error "failed to set property[FIPSMODE] to [on]", this is a finding.
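
The check above, automated in Python as an added example (not part of the STIG or of Tomcat). It parses server.xml instead of grepping it, so a FIPSMode="on" that sits only inside an XML comment does not pass; the function name and the sample inputs are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

APR_LISTENER = "org.apache.catalina.core.AprLifecycleListener"
# Error text quoted in the check; case and spacing tolerant, like grep -i.
FIPS_ERROR = re.compile(r"failed to set property\s*\[FIPSMode\]\s*to\s*\[on\]", re.I)

def fips_findings(server_xml: str, catalina_out: str) -> list:
    """Return the reasons this rule is a finding; an empty list means none."""
    try:
        root = ET.fromstring(server_xml)  # default parser discards XML comments
    except ET.ParseError as exc:
        return [f"server.xml is not well-formed XML: {exc}"]
    findings = []
    listeners = [el for el in root.iter("Listener")
                 if el.get("className") == APR_LISTENER]
    if not listeners:
        findings.append("server.xml: no active AprLifecycleListener element")
    for el in listeners:
        if el.get("FIPSMode") != "on":
            findings.append(
                f"server.xml: AprLifecycleListener has FIPSMode={el.get('FIPSMode')!r}")
    for number, line in enumerate(catalina_out.splitlines(), 1):
        if FIPS_ERROR.search(line):
            findings.append(f"catalina.out line {number}: {line.strip()}")
    return findings

# Constructed sample inputs (not taken from a real server).
GOOD_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Listener className="org.apache.catalina.core.AprLifecycleListener"
            SSLEngine="on" FIPSMode="on" />
</Server>"""
# grep -i fipsmode matches this file, but the only FIPSMode="on" is commented out.
COMMENTED_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <!-- <Listener className="org.apache.catalina.core.AprLifecycleListener"
                 SSLEngine="on" FIPSMode="on" /> -->
  <Listener className="org.apache.catalina.core.AprLifecycleListener"
            SSLEngine="on" />
</Server>"""
CLEAN_LOG = "INFO [main] Server startup in [1234] milliseconds\n"
FAILED_LOG = CLEAN_LOG + "WARNING [main] failed to set property[FIPSMODE] to [on]\n"

if __name__ == "__main__":
    for name, xml, log in [("good", GOOD_XML, CLEAN_LOG),
                           ("commented-out", COMMENTED_XML, CLEAN_LOG),
                           ("log error", GOOD_XML, FAILED_LOG)]:
        print(name, "->", fips_findings(xml, log) or "not a finding")
```

On a server, pass the contents of $CATALINA_BASE/conf/server.xml and $CATALINA_BASE/logs/catalina.out as the two arguments.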

Documentable

False

Check Content Reference

M

Target Key

4094
