The WebSphere Liberty Server Quality of Protection (QoP) must be set to use TLSv1.2 or higher.

An XCCDF Rule

Description

<VulnDiscussion>Quality of Protection in WebSphere Liberty specifies the security level, ciphers, and mutual authentication settings for the Secure Socket Layer (SSL/TLS) configuration. For Quality of Protection settings to apply, the security feature (appSecurity-2.0) must be defined in order to configure a user registry for the servlet to authenticate against. The SSL feature (ssl-1.0) must be defined in order to configure ssl settings, and the ldap feature (ldapRegistry-3.0) must be defined in order to configure an enterprise-level user registry for authentication of users.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>

ID: SV-250323r960759_rule
Severity: Medium
References: CCI-000068
Updated: 19 days ago

To ensure the QoP is set to TLS v1.2 or higher, the ${server.config.dir}/server.xml file must be configured as follows: 

<featureManager><feature>appSecurity-2.0</feature><feature>ssl-1.0</feature></featureManager>

For every SSL configuration, the sslProtocol field must be set to TLS v1.2 or higher.
 <ssl id="TLSSettings" keyStoreRef="TLSKeyStore" trustStoreRef="TLSTrustStore"  sslProtocol="TLSv1.2" />

The WebSphere Liberty Server Quality of Protection (QoP) must be set to use TLSv1.2 or higher.

Description

Remediation - Manual Procedure