Multifactor certificate-based tokens (CAC) must be used when accessing the management interface.

An XCCDF Rule

Description

<VulnDiscussion>Password authentication does not provide sufficient security control when accessing a management interface. DoD has specified that the CAC will be used when authenticating and passwords will only be used when CAC authentication is not a plausible solution. Tomcat provides the ability to do certificate based authentication and client authentication; therefore, the Tomcat server must be configured to use CAC. Satisfies: SRG-APP-000391-AS-000239, SRG-APP-000392-AS-000240, SRG-APP-000402-AS-000247, SRG-APP-000403-AS-000248</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>

ID: SV-222993r879764_rule
Severity: Medium
References: CCI-001953 CCI-001954 CCI-002009 CCI-002010
Updated: 8 months ago

From the Tomcat server as a privileged user, edit the $CATALINA_BASE/webapps/manager/WEB-INF/web.xml file and modify the auth-method for the manager application security constraint.

sudo nano $CATALINA_BASE/webapps/manager/WEB-INF/web.xml

Locate <auth-method> contained within the <login-config> section, modify <auth-method> to specify CLIENT-CERT. 
EXAMPLE:
<auth-method>CLIENT-CERT</auth-method>

In addition, the connector used for accessing the manager application must be configured to require client authentication by setting clientAuth="true" and the manager application roles must be configured in the LDAP server.

Restart the Tomcat server:
sudo systemctl restart tomcat

Multifactor certificate-based tokens (CAC) must be used when accessing the management interface.

Description

Remediation - Manual Procedure