STIGQter: STIG Summary: IBM WebSphere Traditional V9.x Security Technical Implementation Guide Version: 1 Release: 1 Benchmark Date: 23 Aug 2018:

The WebSphere Application Server must use DoD-approved Signer Certificates.

DISA Rule

SV-96083r1_rule

Vulnerability Number

V-81369

Group Title

SRG-APP-000514-AS-000137

Rule Version

WBSP-AS-001370

Severity

CAT II

CCI(s)

• CCI-002450 - The information system implements organization-defined cryptographic uses and type of cryptography required for each use in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards.

Weight

10

Fix Recommendation

Utilize DoD certificates that have been issued by a DoD PKI CA.

To replace a non-DoD PKI-established certificate:
From the administrative console, navigate to Security >> SSL Certificates and Key Management >> KeyStores and Certificates.

For each keystore that requires the change:
Import a new certificate by clicking "Import".

Click "keystore" file.

Enter the location of the new certificate.

Specify the type of keystore and keystore password.

Specify alias information.

Click "Apply".

After the certificate is imported, click on "Replace" to replace the original certificate with the new certificate.

Check Contents

From administrative console, navigate to Security >> SSL Certificates and Key Management >> KeyStores and Certificates.

For each keystore, click on "Signer Certificates".

If any of the certificates are not issued by an approved DoD CA, this is a finding.

Vulnerability Number

V-81369

Documentable

False

Rule Version

WBSP-AS-001370

Severity Override Guidance

From administrative console, navigate to Security >> SSL Certificates and Key Management >> KeyStores and Certificates.

For each keystore, click on "Signer Certificates".

If any of the certificates are not issued by an approved DoD CA, this is a finding.

Check Content Reference

M

Target Key

3399

Comments