WBSP-AS-001620 - The WebSphere Application Server distribution and consistency services (DCS) transport links must be encrypted.

Information

A Core Group (HA Domain) is a component of the high availability manager function. It can contain stand-alone servers, cluster members, node agents, administrative agents, and the deployment manager.

Core groups rely on DCS, which uses a reliable multicast message (RMM) system for transport. RMM can use one of several wire transport technologies. Depending on your environment, sensitive information might be transmitted over DCS. For example, data in DynaCache and the security subject cache are transmitted using DCS. To ensure this, select a transport type of channel framework and DCS-Secure as channel chain for each core group.

Be aware that DCS always authenticates messages when global security is enabled. Once the transport is encrypted, you then have a highly secure channel.

Once you have done this, all services that rely on DCS are now using an encrypted and authenticated transport. Those services are DynaCache, memory-to-memory session replication, core groups, Web services caching, and stateful session bean persistence.

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.

Solution

From the admin console navigate to Core groups >> for every Core Group listed.

Select the [Core Group Name].

Under 'Transport' type, select 'CHANNEL_FRAMEWORK' button.

In the 'Transport chain' drop down box set to 'DCS-SECURE'.

Click 'Save'.

Sync the configuration.

See Also

http://iasecontent.disa.mil/stigs/zip/U_IBM_WebSphere_Traditional_V9-x_V1R1_STIG.zip

Item Details

Category: SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|SC-8(2), CAT|II, CCI|CCI-002420, Rule-ID|SV-96107r1_rule, STIG-ID|WBSP-AS-001620, Vuln-ID|V-81393

Plugin: Windows

Control ID: 3b371a6d381732b3e4cd942221ff8c8ac44faf5e01022529f5bd1a566cb52df5