UCF STIG Viewer Logo

The Security Token Service must not be configured with unused realms.


Finding ID Version Rule ID IA Controls Severity
V-239661 VCST-67-000010 SV-239661r816708_rule Medium
The Security Token Service performs user authentication at the application level and not through Tomcat. To eliminate unnecessary features and ensure that the Security Token Service remains in its shipping state, the lack of a "UserDatabaseRealm" configuration must be confirmed.
VMware vSphere 6.7 STS Tomcat Security Technical Implementation Guide 2022-01-03


Check Text ( C-42894r816706_chk )
Connect to the PSC, whether external or embedded.

At the command prompt, execute the following command:

# grep UserDatabase /usr/lib/vmware-sso/vmware-sts/conf/server.xml

If the command produces any output, this is a finding.
Fix Text (F-42853r816707_fix)
Connect to the PSC, whether external or embedded.

Navigate to and open /usr/lib/vmware-sso/vmware-sts/conf/server.xml.

Remove the nodes returned in the check.