Detections
Analytics
IBMW-LS-000020 - The WebSphere Liberty Server Quality of Protection (QoP) must be set to use TLSv1.2 or higher.
Information
Quality of Protection in WebSphere Liberty specifies the security level, ciphers, and mutual authentication settings for the Secure Socket Layer (SSL/TLS) configuration. For Quality of Protection settings to apply, the security feature (appSecurity-2.0) must be defined in order to configure a user registry for the servlet to authenticate against. The SSL feature (ssl-1.0) must be defined in order to configure ssl settings, and the ldap feature (ldapRegistry-3.0) must be defined in order to configure an enterprise-level user registry for authentication of users.Solution
To ensure the QoP is set to TLS v1.2 or higher, the ${server.config.dir}/server.xml file must be configured as follows:<featureManager><feature>appSecurity-2.0</feature><feature>ssl-1.0</feature></featureManager>
For every SSL configuration, the sslProtocol field must be set to TLS v1.2 or higher.
<ssl id="TLSSettings" keyStoreRef="TLSKeyStore" trustStoreRef="TLSTrustStore" sslProtocol="TLSv1.2" />
See Also
https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_IBM_WebSphere_Liberty_Server_V2R2_STIG.zip
Item Details
Audit Name: DISA IBM WebSphere Liberty Server STIG v2r2
Category: ACCESS CONTROL
References: 800-53|AC-17(2), CAT|II, CCI|CCI-000068, Rule-ID|SV-250323r960759_rule, STIG-ID|IBMW-LS-000020, Vuln-ID|V-250323
Plugin: Unix
Control ID: 1b317811e061d41d724b52edd7f8a3e687d3272dd0786ec0773feb08e290cc7e