Multifactor certificate-based tokens (CAC) must be used when accessing the management interface.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
| V-222993 | TCAT-AS-001320 | SV-222993r985888_rule | CCI-001953 | medium |
| Description | ||||
| Password authentication does not provide sufficient security control when accessing a management interface. DOD has specified that a CAC will be used when authenticating and passwords will only be used when CAC authentication is not a plausible solution. Tomcat provides the ability to do certificate based authentication and client authentication; therefore, the Tomcat server must be configured to use CAC. Satisfies: SRG-APP-000391-AS-000239, SRG-APP-000392-AS-000240, SRG-APP-000402-AS-000247, SRG-APP-000403-AS-000248 | ||||
| STIG | Date | |||
| Apache Tomcat Application Server 9 Security Technical Implementation Guide | 2025-02-11 | |||
Details
Check Text (C-222993r985888_chk)
If the manager application has been deleted from the Tomcat server, this is not a finding. From the Tomcat server as a privileged user, issue the following command:
sudo grep -i auth-method $CATALINA_BASE/webapps/manager/WEB-INF/web.xml
If the <Auth-Method> for the web manager application is not set to CLIENT-CERT, this is a finding.
Fix Text (F-24654r426424_fix)
From the Tomcat server as a privileged user, edit the $CATALINA_BASE/webapps/manager/WEB-INF/web.xml file and modify the auth-method for the manager application security constraint.
sudo nano $CATALINA_BASE/webapps/manager/WEB-INF/web.xml
Locate <auth-method> contained within the <login-config> section, modify <auth-method> to specify CLIENT-CERT.
EXAMPLE:
<auth-method>CLIENT-CERT</auth-method>
In addition, the connector used for accessing the manager application must be configured to require client authentication by setting clientAuth="true" and the manager application roles must be configured in the LDAP server.
Restart the Tomcat server:
sudo systemctl restart tomcat