IBM WebSphere Traditional V9.x Security Technical Implementation Guide

Rules, Groups, and Values defined within the XCCDF Benchmark

  • The WebSphere Application Server must accept Personal Identity Verification (PIV) credentials from other federal agencies to access the management interface.

    Personal Identity Verification (PIV) credentials are those credentials issued by federal agencies that conform to FIPS Publication 201 and supporting guidance documents. OMB Memorandum 11-11 requir...
    Rule Medium Severity
  • SRG-APP-000514-AS-000137

    Group
  • The WebSphere Application Server must use DoD-approved Signer Certificates.

    Class 3 PKI certificates are used for servers and software signing rather than for identifying individuals. Class 4 certificates are used for business-to-business transactions. Utilizing unapproved...
    Rule Medium Severity
  • SRG-APP-000211-AS-000146

    Group
  • SRG-APP-000219-AS-000147

    Group
  • The WebSphere Application Server DoD root CAs must be in the trust store.

    This control focuses on communications protection at the session, versus packet level. At the application layer, session IDs are tokens generated by web applications to uniquely identify an applic...
    Rule Medium Severity
  • SRG-APP-000225-AS-000153

    Group
  • The WebSphere Application Server must be configured to perform complete application deployments when using A/B clusters.

    Failure to a known secure state helps prevent a loss of confidentiality, integrity, or availability in the event of a failure of the information system or a component of the system. When an applic...
    Rule Low Severity
  • SRG-APP-000225-AS-000154

    Group
  • The WebSphere Application servers with an RMF categorization of high must be in a high-availability (HA) cluster.

    This requirement is dependent upon system MAC and confidentiality. If the system MAC and confidentiality levels do not specify redundancy requirements, this requirement is NA. Failure to a known s...
    Rule Low Severity
  • SRG-APP-000428-AS-000265

    Group
  • The WebSphere Application Server must not generate LTPA keys automatically.

    Automated LTPA key generation can create unplanned outages. Plan to change your LTPA keys during a scheduled outage. Distribute the new keys to all nodes in the cell and to all external systems/cel...
    Rule Low Severity
  • SRG-APP-000428-AS-000265

    Group
  • SRG-APP-000435-AS-000163

    Group
  • SRG-APP-000435-AS-000163

    Group
  • The WebSphere Application Server memory session settings must be defined according to application load requirements.

    DoS is a condition when a resource is not available for legitimate users. When this occurs, the organization either cannot accomplish its mission or must operate at degraded capacity. To reduce the...
    Rule Low Severity
  • SRG-APP-000435-AS-000163

    Group
  • The WebSphere Application Server thread pool size must be defined according to application load requirements.

    A thread pool enables components of the application server to reuse threads, which eliminates the need to create new threads at run time. Creating new threads expends system resources and can possi...
    Rule Medium Severity
  • SRG-APP-000439-AS-000274

    Group
  • The WebSphere Application Server must remove all export ciphers to protect the confidentiality and integrity of transmitted information.

    Export grade encryption suites are not strong and do not meet DoD requirements. The encryption for the session becomes easy for the attacker to break. Do not use export grade encryption. Informatio...
    Rule Medium Severity