The WebSphere Liberty Server must be configured to use HTTPS only.

An XCCDF Rule

Description

<VulnDiscussion>Transmission of data can take place between the application server and a large number of devices/applications external to the application server. Examples are a web client used by a user, a backend database, a log server, or other application servers in an application server cluster.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>

ID: SV-250348r862997_rule
Severity: Medium
References: CCI-002421
Updated: about 1 year ago

Modify the server.xml file. Enable the ssl-1.0 feature and configure the httpEndpoint settings. The keystores and truststores must also be configured.

<featureManager>
<feature>servlet-3.0</feature>
<feature>ssl-1.0</feature>
<feature>appSecurity-2.0</feature></featureManager>
    
    <httpEndpoint id="defaultHttpEndpoint"
          host="localhost"
          httpPort="${bvt.prop.HTTP_default}"
          httpsPort="${bvt.prop.HTTP_default.secure}" >
          <tcpOptions soReuseAddr="true" />
          <sslOptions sslRef="testSSLConfig" />
</httpEndpoint> 

     <ssl id="defaultSSLConfig"
      keyStoreRef="defaultKeyStore"
      trustStoreRef="defaultKeyStore"
      serverKeyAlias="default" />

     <ssl id="testSSLConfig"
      keyStoreRef="defaultKeyStore"
      trustStoreRef="alternateTrustStore"
      serverKeyAlias="alternateCert"
      enabledCiphers="AES256-SHA AES128-SHA" />

<!-- inbound (HTTPS) keystore -->
<keyStore id="defaultKeyStore" password="Liberty"
           location="${server.config.dir}/resources/security/sslOptions.jks" />

<keyStore id="defaultTrustStore" password="Liberty"
           location="${server.config.dir}/resources/security/trust.jks" />
           
<keyStore id="alternateTrustStore" password="Liberty"
           location="${server.config.dir}/resources/security/optionsTrust.jks" />

    <application type="war" id="basicauth" name="basicauth"
             location="${server.config.dir}/apps/basicauth.war" />

The WebSphere Liberty Server must be configured to use HTTPS only.

Description

Remediation - Manual Procedure