STIGQter: STIG Summary: IBM WebSphere Traditional V9.x Security Technical Implementation Guide Version: 1 Release: 1 Benchmark Date: 23 Aug 2018:

The WebSphere Application Server multifactor authentication for network access to privileged accounts must be used.

DISA Rule

SV-96025r1_rule

Vulnerability Number

V-81311

Group Title

SRG-APP-000149-AS-000102

Rule Version

WBSP-AS-001030

Severity

CAT II

CCI(s)

• CCI-000187 - The information system, for PKI-based authentication, maps the authenticated identity to the account of the individual or group.
• CCI-000765 - The information system implements multifactor authentication for network access to privileged accounts.
• CCI-000767 - The information system implements multifactor authentication for local access to privileged accounts.
• CCI-001184 - The information system protects the authenticity of communications sessions.
• CCI-001953 - The information system accepts Personal Identity Verification (PIV) credentials.
• CCI-001954 - The information system electronically verifies Personal Identity Verification (PIV) credentials.
• CCI-002009 - The information system accepts Personal Identity Verification (PIV) credentials from other federal agencies.
• CCI-002010 - The information system electronically verifies Personal Identity Verification (PIV) credentials from other federal agencies.
• CCI-002011 - The information system accepts FICAM-approved third-party credentials.

Weight

10

Fix Recommendation

From the admin console, select System Administration >> Deployment Manager >> Java and Process Management >> Process definition >> Java Virtual Machine >> Custom Properties.

Select "New".

Insert the following case sensitive value into the "Name" field: "adminconsole.certLogin".

Select "Value".

Enter "true".

Click "Apply".

Click "Save".

Select Security >> SSL Certificate and Key management >> SSL Configurations >> Select CellDefaultSSLSettings >> Quality of Protection (QOP) settings.

In the "Client Authentication" drop-box, make sure "Supported" or "Required" is selected.

Click "Apply".

Click "Save".

Save a backup copy and edit the "Web.xml" file as follows: <WAS_INSTALL>/profiles/<profileName>/config/cells/<cellName>/applications/isclite.ear/deployments/isclite/isclite.war/WEB-INF/web.xml:
--- Change:
< security-constraint>
<web-resource-collection>
<web-resource-name>Protected Area</web-resource-name>
<url-pattern>/</url-pattern>
--- So it becomes:
< security-constraint>
<web-resource-collection>
<web-resource-name>Protected Area</web-resource-name>
<url-pattern>/</url-pattern>
<url-pattern>/logon.jsp</url-pattern>
<url-pattern>/logonError.jsp</url-pattern>
--- Add these security constraints if not already present:
<security-constraint>
<web-resource-collection>
<web-resource-name>free pages</web-resource-name>
<url-pattern>/*.jsp</url-pattern>
<url-pattern>/css/*</url-pattern>
<url-pattern>/images/*</url-pattern>
<url-pattern>/j_security_check</url-pattern>
</web-resource-collection>
</security-constraint>
--- Change:
<auth-method>FORM</auth-method>
to
<auth-method>CLIENT-CERT</auth-method>

Save the "web.xml" file.

Stop and restart the Deployment Manager.

Log on to the admin console using your certificate.

Check Contents

Check that the admin console is enabled for client certificate logon.

In the Deployment Manager, check the file on: <WAS_INSTALL>/profiles/<profileName>/config/cells/<cellName>/applications/isclite.ear/deployments/isclite/isclite.war/WEB-INF/web.xml.

If the "XML element <auth-method>FORM</auth-method>" is present, this is a finding.

Vulnerability Number

V-81311

Documentable

False

Rule Version

WBSP-AS-001030

Severity Override Guidance

Check that the admin console is enabled for client certificate logon.

In the Deployment Manager, check the file on: <WAS_INSTALL>/profiles/<profileName>/config/cells/<cellName>/applications/isclite.ear/deployments/isclite/isclite.war/WEB-INF/web.xml.

If the "XML element <auth-method>FORM</auth-method>" is present, this is a finding.

Check Content Reference

M

Target Key

3399

Comments