The WebSphere Liberty Server Quality of Protection (QoP) must be set to use TLSv1.2 or higher.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-250323	IBMW-LS-000020	SV-250323r960759_rule		Medium

Description

Quality of Protection in WebSphere Liberty specifies the security level, ciphers, and mutual authentication settings for the Secure Socket Layer (SSL/TLS) configuration. For Quality of Protection settings to apply, the security feature (appSecurity-2.0) must be defined in order to configure a user registry for the servlet to authenticate against. The SSL feature (ssl-1.0) must be defined in order to configure ssl settings, and the ldap feature (ldapRegistry-3.0) must be defined in order to configure an enterprise-level user registry for authentication of users.

STIG	Date
IBM WebSphere Liberty Server Security Technical Implementation Guide	2025-02-11

Details

Check Text (C-53758r862963_chk)

As a privileged user with local file access to ${server.config.dir}/server.xml, verify the appSecurity-x.x feature and the sslProtocol settings are configured.

grep -i appsecurity- server.xml

RESULT:
<feature>appSecurity-2.0</feature>

Verify the SSL protocol setting is configured for TLSV1.2 for every SSL configuration. There can be multiple SSL configurations and SSL ID settings.

grep -i "<ssl id=" server.xml

SAMPLE RESULT:
<ssl id="TLSSettings" keyStoreRef="TLSKeyStore" trustStoreRef="TLSTrustStore" sslProtocol="TLSv1.2"/>

If the SSL protocol setting does not specify TLS v.1.2 or higher, or if the appSecurity feature is not configured, this is a finding.

Fix Text (F-53712r862964_fix)

To ensure the QoP is set to TLS v1.2 or higher, the ${server.config.dir}/server.xml file must be configured as follows:

<featureManager><feature>appSecurity-2.0</feature><feature>ssl-1.0</feature></featureManager>

For every SSL configuration, the sslProtocol field must be set to TLS v1.2 or higher.

<ssl id="TLSSettings" keyStoreRef="TLSKeyStore" trustStoreRef="TLSTrustStore" sslProtocol="TLSv1.2" />