The WebSphere Application Server must utilize FIPS 140-2-approved encryption modules when authenticating users and processes.
DISA Rule
SV-96079r1_rule
Vulnerability Number
V-81365
Group Title
SRG-APP-000179-AS-000129
Rule Version
WBSP-AS-001290
Severity
CAT II
CCI(s)
- CCI-000803 - The information system implements mechanisms for authentication to a cryptographic module that meet the requirements of applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance for such authentication.
- CCI-001188 - The information system generates unique session identifiers for each session with organization-defined randomness requirements.
- CCI-002418 - The information system protects the confidentiality and/or integrity of transmitted information.
- CCI-002421 - The information system implements cryptographic mechanisms to prevent unauthorized disclosure of information and/or detect changes to information during transmission unless otherwise protected by organization-defined alternative physical safeguards.
- CCI-002422 - The information system maintains the confidentiality and/or integrity of information during reception.
- CCI-002450 - The information system implements organization-defined cryptographic uses and type of cryptography required for each use in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards.
Weight
10
Fix Recommendation
From administrative console, click Security >> SSL certificate and key management >> Manage FIPS.
Check "Enable FIPS 140-2".
Click "Save".
Synchronize with the nodes.
Restart all the JVMs.
Check Contents
From administrative console, click Security >> SSL certificate and key management >> Manage FIPS.
If "Enable FIPS 140-2" is not selected, this is a finding.
Vulnerability Number
V-81365
Documentable
False
Rule Version
WBSP-AS-001290
Severity Override Guidance
From administrative console, click Security >> SSL certificate and key management >> Manage FIPS.
If "Enable FIPS 140-2" is not selected, this is a finding.
Check Content Reference
M
Target Key
3399
Comments
STIGQter: STIG Summary: IBM WebSphere Traditional V9.x Security Technical Implementation Guide Version: 1 Release: 1 Benchmark Date: 23 Aug 2018: