The WebSphere Liberty Server Quality of Protection (QoP) must be set to use TLSv1.2 or higher.
An XCCDF Rule
Description
Quality of Protection in WebSphere Liberty specifies the security level, ciphers, and mutual authentication settings for the Secure Sockets Layer (SSL/TLS) configuration. For Quality of Protection settings to apply, the security feature (appSecurity-2.0) must be defined in order to configure a user registry for the servlet to authenticate against. The SSL feature (ssl-1.0) must be defined in order to configure SSL settings, and the LDAP feature (ldapRegistry-3.0) must be defined in order to configure an enterprise-level user registry for authentication of users.
- ID: SV-250323r960759_rule
- Version: IBMW-LS-000020
- Severity: Medium
Remediation Templates
A Manual Procedure
To ensure the QoP is set to TLS v1.2 or higher, the ${server.config.dir}/server.xml file must be configured as follows:
<featureManager>
    <feature>appSecurity-2.0</feature>
    <feature>ssl-1.0</feature>
</featureManager>
For every SSL configuration, the sslProtocol field must be set to TLS v1.2 or higher.
<ssl id="TLSSettings" keyStoreRef="TLSKeyStore" trustStoreRef="TLSTrustStore" sslProtocol="TLSv1.2" />