WBSP-AS-001530 - The WebSphere Application Server must periodically regenerate LTPA keys.

Information

The encryption of authentication information that is exchanged between servers involves the Lightweight Third-Party Authentication (LTPA) mechanism. LTPA utilizes encryption keys, if LTPA is utilized, the LTPA keys must be regenerated on a regular basis. The time period must be defined, documented and accepted by the ISSO but must be performed at least annually.

Note: If LTPA keys are shared across cells, you must export the keys from the cell where the keys have been regenerated, and import into the cells whose keys have not changed. Instructions for managing the LTPA keys is provided here: https://www.ibm.com/support/knowledgecenter/en/SSAW57_9.0.0/com.ibm.websphere.nd.multiplatform.doc/ae/tsec_sslmanagelptakeys.html

NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.

Solution

These steps must be documented and then executed during the down time scheduled for periodic LTPA key regeneration.

The time period must be defined, documented and accepted by the ISSO but must be performed at least annually.

Navigate to Security >> SSL Certificate and Key Management >> Key set groups.

Check 'CellLTPAKeySetGroup'.

Click 'Generate Keys'.

Click 'Save'.

Then synchronize the changes to all nodes.

See Also

http://iasecontent.disa.mil/stigs/zip/U_IBM_WebSphere_Traditional_V9-x_V1R1_STIG.zip

Item Details

Category: SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|SC-28(1), CAT|III, CCI|CCI-002475, Rule-ID|SV-96097r1_rule, STIG-ID|WBSP-AS-001530, Vuln-ID|V-81383

Plugin: Unix

Control ID: 1dd6c8e718334fdffd03f11669a58a6ea7a5e33dc2e1b9d0b5e3a8ba5e8dd27b