The WebSphere Liberty Server Quality of Protection (QoP) must be set to use TLSv1.2 or higher.
An XCCDF Rule
Description
<VulnDiscussion>Quality of Protection in WebSphere Liberty specifies the security level, ciphers, and mutual authentication settings for the Secure Socket Layer (SSL/TLS) configuration. For Quality of Protection settings to apply, the security feature (appSecurity-2.0) must be defined in order to configure a user registry for the servlet to authenticate against. The SSL feature (ssl-1.0) must be defined in order to configure ssl settings, and the ldap feature (ldapRegistry-3.0) must be defined in order to configure an enterprise-level user registry for authentication of users.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>
- ID
- SV-250323r862965_rule
- Severity
- Medium
- References
- Updated
Remediation - Manual Procedure
To ensure the QoP is set to TLS v1.2 or higher, the ${server.config.dir}/server.xml file must be configured as follows:
<featureManager><feature>appSecurity-2.0</feature><feature>ssl-1.0</feature></featureManager>
For every SSL configuration, the sslProtocol field must be set to TLS v1.2 or higher.