DISA STIGS Viewer

The WebSphere Liberty Server must be configured to use HTTPS only.

Overview

Finding ID: V-250348
Version: IBMW-LS-001120
Rule ID: SV-250348r961635_rule
IA Controls: (none listed)
Severity: Medium
Description
Transmission of data can take place between the application server and a large number of devices/applications external to the application server. Examples are a web client used by a user, a backend database, a log server, or other application servers in an application server cluster.
STIG: IBM WebSphere Liberty Server Security Technical Implementation Guide
Date: 2025-02-11

Details

Check Text (C-53783r862995_chk)
Review the ${server.config.dir}/server.xml file. Confirm that the ssl-1.0 feature is enabled in the featureManager element and review the settings of every httpEndpoint element.

If the ssl-1.0 feature is not defined, this is a finding.

If an httpEndpoint element does not include sslOptions (as a child element or through a reference to an sslOptions element), this is a finding.

<featureManager>
    <feature>servlet-3.0</feature>
    <feature>ssl-1.0</feature>
    <feature>appSecurity-2.0</feature>
</featureManager>

<httpEndpoint id="defaultHttpEndpoint"
              host="localhost"
              httpPort="${bvt.prop.HTTP_default}"
              httpsPort="${bvt.prop.HTTP_default.secure}" >
    <tcpOptions soReuseAddr="true" />
    <sslOptions sslRef="testSSLConfig" />
</httpEndpoint>
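The two conditions in the Check Text are mechanical enough to script. The following audit is an added example and is not code from the STIG or from IBM: it parses a server.xml, applies the two checks above (ssl-1.0 feature enabled; sslOptions on every httpEndpoint, either as a child element or via the endpoint's sslOptionsRef attribute) and adds one check that the rule title implies but the Check Text does not state, namely that the plain httpPort is disabled (Liberty disables a listener port when it is set to -1). The three server.xml strings embedded in it are constructed for this example; the keystore password is a placeholder standing in for a value produced by securityUtility encode, and the default-port value is an assumption about Liberty's behaviour when httpPort is omitted.

```python
"""Audit a Liberty server.xml against IBMW-LS-001120 (HTTPS only).

Added example; not code from the STIG or from IBM. Checks: ssl-1.0 feature
enabled, sslOptions on every httpEndpoint, plain httpPort disabled (-1).
The sample server.xml strings below are constructed for this example.
"""
import xml.etree.ElementTree as ET

# Assumption: the port Liberty uses when httpPort is omitted.
DEFAULT_HTTP_PORT = "9080"


def audit_server_xml(xml_text: str, require_http_disabled: bool = True) -> list:
    """Return a list of findings (strings); an empty list means compliant."""
    root = ET.fromstring(xml_text)
    findings = []

    # Feature names are matched case-insensitively, as Liberty does.
    features = {f.text.strip().lower()
                for fm in root.iter("featureManager")
                for f in fm.findall("feature") if f.text}
    if "ssl-1.0" not in features:
        findings.append("ssl-1.0 feature is not defined in featureManager")

    # Top-level <sslOptions id="..."> elements can be attached to an
    # endpoint through its sslOptionsRef attribute instead of a child element.
    shared_ssl_options = {e.get("id") for e in root.findall("sslOptions")}

    endpoints = list(root.iter("httpEndpoint"))
    if not endpoints:
        findings.append("no httpEndpoint is defined")
    for ep in endpoints:
        ep_id = ep.get("id", "<no id>")
        ref = ep.get("sslOptionsRef")
        secured = ep.find("sslOptions") is not None or bool(ref and ref in shared_ssl_options)
        if not secured:
            if ref:
                findings.append(f"httpEndpoint {ep_id}: sslOptionsRef={ref!r} "
                                "does not match any sslOptions element")
            else:
                findings.append(f"httpEndpoint {ep_id}: no sslOptions configured")
        if require_http_disabled:
            # Variables such as ${bvt.prop.HTTP_default} are not resolved here;
            # anything other than the literal -1 is treated as an open HTTP port.
            http_port = ep.get("httpPort", DEFAULT_HTTP_PORT)
            if http_port != "-1":
                findings.append(f"httpEndpoint {ep_id}: plain HTTP port "
                                f"{http_port} is still enabled (set httpPort=\"-1\")")
    return findings


# Constructed sample: fails all three checks.
NONCOMPLIANT_SERVER_XML = """<server>
  <featureManager>
    <feature>servlet-4.0</feature>
    <feature>appSecurity-3.0</feature>
  </featureManager>
  <httpEndpoint id="defaultHttpEndpoint" host="*" httpPort="9080" httpsPort="9443"/>
</server>"""

# Constructed sample: hardened. The password is a placeholder for an
# AES-encoded value produced by Liberty's securityUtility encode command.
COMPLIANT_SERVER_XML = """<server>
  <featureManager>
    <feature>servlet-4.0</feature>
    <feature>ssl-1.0</feature>
    <feature>appSecurity-3.0</feature>
  </featureManager>
  <httpEndpoint id="defaultHttpEndpoint" host="*" httpPort="-1" httpsPort="9443">
    <sslOptions sslRef="defaultSSLConfig"/>
  </httpEndpoint>
  <ssl id="defaultSSLConfig" keyStoreRef="defaultKeyStore"/>
  <keyStore id="defaultKeyStore" password="{aes}PLACEHOLDER"
            location="${server.config.dir}/resources/security/key.p12"/>
</server>"""

# Constructed sample: the same policy expressed with sslOptionsRef.
COMPLIANT_BY_REF_SERVER_XML = """<server>
  <featureManager><feature>SSL-1.0</feature></featureManager>
  <sslOptions id="strictSSL" sslRef="defaultSSLConfig"/>
  <httpEndpoint id="defaultHttpEndpoint" httpPort="-1" httpsPort="9443" sslOptionsRef="strictSSL"/>
  <ssl id="defaultSSLConfig" keyStoreRef="defaultKeyStore"/>
  <keyStore id="defaultKeyStore" password="{aes}PLACEHOLDER" location="key.p12"/>
</server>"""

if __name__ == "__main__":
    for name, xml_text in [("noncompliant", NONCOMPLIANT_SERVER_XML),
                           ("compliant", COMPLIANT_SERVER_XML),
                           ("compliant-by-ref", COMPLIANT_BY_REF_SERVER_XML)]:
        result = audit_server_xml(xml_text)
        print(f"{name}: {'PASS' if not result else 'FAIL'}")
        for finding in result:
            print("  -", finding)
```

Two caveats when running this against a real server. Liberty assembles its effective configuration from server.xml plus any <include> files and the configDropins/defaults and configDropins/overrides directories, so audit the merged result, not just the one file. And a port defined through a variable (as in the STIG's own sample, which uses ${bvt.prop.HTTP_default}) is reported as open by this script because it does not resolve variables; resolve them first or confirm the value by hand.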
Fix Text (F-53737r862996_fix)
Modify the server.xml file. Enable the ssl-1.0 feature, add sslOptions to each httpEndpoint element, and define the ssl configuration it references. The keystores and truststores that the ssl configuration references must also be configured.

<featureManager>
    <feature>servlet-3.0</feature>
    <feature>ssl-1.0</feature>
    <feature>appSecurity-2.0</feature>
</featureManager>

<httpEndpoint id="defaultHttpEndpoint"
              host="localhost"
              httpPort="${bvt.prop.HTTP_default}"
              httpsPort="${bvt.prop.HTTP_default.secure}" >
    <tcpOptions soReuseAddr="true" />
    <sslOptions sslRef="testSSLConfig" />
</httpEndpoint>

<ssl id="defaultSSLConfig"
     keyStoreRef="defaultKeyStore"
     trustStoreRef="defaultKeyStore"
     serverKeyAlias="default" />

<!-- enabledCiphers is a space-separated list; confirm the names against
     the cipher suites reported by the JRE the server runs on -->
<ssl id="testSSLConfig"
     keyStoreRef="defaultKeyStore"
     trustStoreRef="alternateTrustStore"
     serverKeyAlias="alternateCert"
     enabledCiphers="AES256-SHA AES128-SHA" />

<!-- inbound (HTTPS) keystore; the clear-text password shown here is a
     sample value, encode it with securityUtility encode in a deployed server -->
<keyStore id="defaultKeyStore" password="Liberty"
          location="${server.config.dir}/resources/security/sslOptions.jks" />

<keyStore id="defaultTrustStore" password="Liberty"
          location="${server.config.dir}/resources/security/trust.jks" />

<keyStore id="alternateTrustStore" password="Liberty"
          location="${server.config.dir}/resources/security/optionsTrust.jks" />

<application type="war" id="basicauth" name="basicauth"
             location="${server.config.dir}/apps/basicauth.war" />