Information
Transport Layer Security (TLS) is a required transmission protocol for a web server hosting controlled information. TLS provides confidentiality and integrity of data in transit between the web server and the client. FIPS 140-2 approved TLS versions must be enabled, and non-FIPS-approved SSL versions must be disabled.
NIST SP 800-52 defines the approved TLS versions for government applications.
NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.
Solution
1. With an editor, open every .conf file (e.g., ssl.conf) that is included by $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf and that contains an SSL-enabled '<VirtualHost>' directive.
Note: Does not apply to admin.conf.
2a. Search for the 'SSLEngine' directive at the OHS server, virtual host, and/or directory configuration scopes.
2b. Set the 'SSLEngine' directive to 'On'; add the directive if it does not exist.
3a. Search for the 'SSLProtocol' directive at the OHS server configuration, virtual host, and/or directory levels.
3b. Set the 'SSLProtocol' directive to 'TLSv1.2' so that only TLS 1.2 is negotiated (SSLv3, TLSv1, and TLSv1.1 are no longer offered); add the directive if it does not exist.
4a. Search for the 'SSLWallet' directive at the OHS server configuration, virtual host, and/or directory levels.
4b. Set the 'SSLWallet' directive to the location (i.e., a folder within $DOMAIN_HOME/config/fmwconfig/components/OHS/instances/<componentName>/keystores) of the Oracle wallet created via orapki with AES encryption (the -compat_v12 parameter) that contains only the identity certificate for the host and the DoD Certificate Authorities; add the directive if it does not exist.
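Steps 2 through 4 can be verified in one pass over the included .conf files. The script below is an added example written for this page; it is not part of the STIG text or of Oracle's tooling. It assumes the directory passed in holds the .conf files included by httpd.conf, that each directive sits on its own line, and that admin.conf is skipped as the note above states. The domain path /u01/domains/ohs_domain, the component name ohs1, and both sample configurations are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the STIG or Oracle): audit OHS .conf files for
# SSLEngine, SSLProtocol and SSLWallet, then run it against a constructed
# compliant and a constructed non-compliant configuration.

# Return 0 when every SSL-enabled .conf file in $1 (admin.conf excluded)
# sets SSLEngine On, SSLProtocol to exactly TLSv1.2, and an SSLWallet path.
# Findings are printed one per line as "<file>: <problem>".
audit_ohs_ssl() {
    confdir="$1"
    rc=0
    for f in "$confdir"/*.conf; do
        [ -f "$f" ] || continue
        case "$(basename "$f")" in admin.conf) continue ;; esac
        # Only files that define a VirtualHost are in scope for this check.
        grep -Eiq '^[[:space:]]*<VirtualHost' "$f" || continue

        if ! grep -Eiq '^[[:space:]]*SSLEngine[[:space:]]+On[[:space:]]*$' "$f"; then
            echo "$f: SSLEngine is not set to On"; rc=1
        fi
        # The value must be exactly TLSv1.2; "All", "TLSv1 TLSv1.1 TLSv1.2"
        # or any SSLv3 entry is a finding.
        if ! grep -Eiq '^[[:space:]]*SSLProtocol[[:space:]]+TLSv1\.2[[:space:]]*$' "$f"; then
            echo "$f: SSLProtocol is missing or allows versions other than TLSv1.2"; rc=1
        fi
        if ! grep -Eiq '^[[:space:]]*SSLWallet[[:space:]]+[^[:space:]]' "$f"; then
            echo "$f: SSLWallet is not set"; rc=1
        fi
    done
    return $rc
}

# Constructed sample: the settings steps 2-4 call for, with a placeholder
# domain path and the component name "ohs1".
write_compliant_conf() {
    mkdir -p "$1"
    cat > "$1/ssl.conf" <<'EOF'
Listen 4443
<VirtualHost *:4443>
    SSLEngine On
    SSLProtocol TLSv1.2
    SSLWallet "/u01/domains/ohs_domain/config/fmwconfig/components/OHS/instances/ohs1/keystores/default"
</VirtualHost>
EOF
    # admin.conf is out of scope and must not produce a finding.
    cat > "$1/admin.conf" <<'EOF'
<VirtualHost 127.0.0.1:9999>
    SSLEngine Off
</VirtualHost>
EOF
}

# Constructed sample of a non-compliant file: TLS 1.0 and 1.1 still
# allowed, and no wallet configured.
write_weak_conf() {
    mkdir -p "$1"
    cat > "$1/ssl.conf" <<'EOF'
<VirtualHost *:4443>
    SSLEngine On
    SSLProtocol TLSv1 TLSv1.1 TLSv1.2
</VirtualHost>
EOF
}

# Usage: build both samples in a scratch directory and audit them.
tmp=$(mktemp -d)
write_compliant_conf "$tmp/good"
write_weak_conf "$tmp/bad"
audit_ohs_ssl "$tmp/good" && echo "$tmp/good: compliant"
audit_ohs_ssl "$tmp/bad" || echo "$tmp/bad: non-compliant (findings above)"
rm -rf "$tmp"
```

The script only inspects the directive text; it does not open the wallet. Confirm the wallet's contents separately with orapki wallet display -wallet <path> and check that only the host identity certificate and the DoD CA certificates are present.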