IBM WebSphere Traditional V9.x Security Technical Implementation Guide
Rules, Groups, and Values defined within the XCCDF Benchmark
-
The WebSphere Application Server must disable JSP class reloading.
Application servers provide a myriad of differing processes, features, and functionalities. Some of these processes may be deemed to be unnecessary or too unsecure to run on a production DoD system...Rule Medium Severity -
The WebSphere Application Server must provide security extensions to extend the SOAP protocol and provide secure authentication when accessing sensitive data.
Application servers may provide a web services capability that could be leveraged to allow remote access to sensitive application data. A web service which is a repeatable process used to make data...Rule Medium Severity -
The WebSphere Application Server must authenticate all network-connected endpoint devices before establishing any connection.
Device authentication requires unique identification and authentication that may be defined by type, by specific device, or by a combination of type and device. Device authentication is accomplish...Rule Medium Severity -
The WebSphere Application Server application security must be enabled for each security domain except for publicly available applications specified in the System Security Plan.
By default, all administrative and user applications in WebSphere® Application Server use the global security configuration. For example, a user registry defined in global security is used to authe...Rule High Severity -
The WebSphere Application Server default keystore passwords must be changed.
The cornerstone of the PKI is the private key used to encrypt or digitally sign information. If the private key is stolen, this will lead to the compromise of the authentication and non-repudiati...Rule High Severity -
The WebSphere Application Server must utilize FIPS 140-2-approved encryption modules when authenticating users and processes.
Encryption is only as good as the encryption modules utilized. Unapproved cryptographic module algorithms cannot be verified and cannot be relied upon to provide confidentiality or integrity, and D...Rule Medium Severity -
The WebSphere Application Servers must not be in the DMZ.
The application server consists of the management interface and hosted applications. By separating the management interface from hosted applications, the user must authenticate as a privileged user...Rule Medium Severity -
The WebSphere Application Server personal certificates in all keystores must be issued by an approved DoD CA.
Untrusted Certificate Authorities (CA) can issue certificates, but they may be issued by organizations or individuals that seek to compromise DoD systems or by organizations with insufficient secur...Rule Medium Severity -
The WebSphere Application Server must periodically regenerate LTPA keys.
The encryption of authentication information that is exchanged between servers involves the Lightweight Third-Party Authentication (LTPA) mechanism. LTPA utilizes encryption keys, if LTPA is utiliz...Rule Low Severity -
The WebSphere Application Server high availability applications must be installed on a cluster.
DoS is a condition when a resource is not available for legitimate users. When this occurs, the organization either cannot accomplish its mission or must operate at degraded capacity. To reduce the...Rule Medium Severity
Node 2
The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.