The WebSphere Liberty Server must be configured to use HTTPS only.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
| V-250348 | IBMW-LS-001120 | SV-250348r961635_rule | CCI-002421 | medium |
| Description | ||||
| Transmission of data can take place between the application server and a large number of devices/applications external to the application server. Examples are a web client used by a user, a backend database, a log server, or other application servers in an application server cluster. | ||||
| STIG | Date | |||
| IBM WebSphere Liberty Server Security Technical Implementation Guide | 2025-02-11 | |||
Details
Check Text (C-250348r961635_chk)
Review the ${server.config.dir}/server.xml file and check the ssl-1.0 feature and httpEndpoint settings.
If the ssl-1.0 feature is not defined, this is a finding.
If the httpEndpoint settings do not include an sslOptions element, this is a finding.
<!-- Feature set the check inspects: the ssl-1.0 feature must be listed or this is a finding.
     The other features shown are part of the sample and are not what the check evaluates. -->
<featureManager>
<feature>servlet-3.0</feature>
<!-- required by this rule; the sslOptions element on the endpoint depends on it -->
<feature>ssl-1.0</feature>
<feature>appSecurity-2.0</feature>
</featureManager>
<!-- Endpoint the check inspects. The ${bvt.prop.*} references appear to be example variables;
     expect the site's actual port values here. The check passes only if an sslOptions child is present. -->
<httpEndpoint id="defaultHttpEndpoint"
host="localhost"
httpPort="${bvt.prop.HTTP_default}"
httpsPort="${bvt.prop.HTTP_default.secure}" >
<tcpOptions soReuseAddr="true" />
<!-- the element this check requires; sslRef names the <ssl> configuration applied to httpsPort -->
<sslOptions sslRef="testSSLConfig" />
</httpEndpoint>
Fix Text (F-53737r862996_fix)
Modify the server.xml file. Enable the ssl-1.0 feature and configure the httpEndpoint settings with an sslOptions element. The keystores and truststores must also be configured.
<!-- Fix: the ssl-1.0 feature must be enabled so that TLS can be configured on the endpoint.
     servlet-3.0 and appSecurity-2.0 are part of the sample and are not required by this rule. -->
<featureManager>
<feature>servlet-3.0</feature>
<!-- the feature this rule requires -->
<feature>ssl-1.0</feature>
<feature>appSecurity-2.0</feature>
</featureManager>
<!-- Fix: attach an sslOptions element to the endpoint so httpsPort is served over TLS.
     NOTE(review): the rule title says HTTPS only, but this sample still configures a plain httpPort,
     and the check above does not evaluate it. Liberty documents httpPort="-1" as the way to disable
     the HTTP listener; confirm against the documentation for the deployed version before applying.
     The ${bvt.prop.*} values appear to be example variables; substitute the site's real ports. -->
<httpEndpoint id="defaultHttpEndpoint"
host="localhost"
httpPort="${bvt.prop.HTTP_default}"
httpsPort="${bvt.prop.HTTP_default.secure}" >
<tcpOptions soReuseAddr="true" />
<!-- sslRef must match the id of an <ssl> element defined in this file -->
<sslOptions sslRef="testSSLConfig" />
</httpEndpoint>
<!-- TLS configuration that uses the same keystore for both identity and trust, so the server
     trusts whatever certificates that keystore contains. Not referenced by the endpoint above,
     which points at testSSLConfig via sslRef; presumably kept as the default configuration. -->
<ssl id="defaultSSLConfig"
keyStoreRef="defaultKeyStore"
trustStoreRef="defaultKeyStore"
serverKeyAlias="default" />
<!-- TLS configuration referenced by the endpoint's sslOptions sslRef. Identity comes from
     defaultKeyStore (alias alternateCert); trust comes from a separate truststore.
     NOTE(review): enabledCiphers restricts the server to two suites. The names appear to be
     RSA key exchange, CBC mode, SHA-1 suites, which offer no forward secrecy; review the list
     against the organization's currently approved cipher suites rather than copying it verbatim. -->
<ssl id="testSSLConfig"
keyStoreRef="defaultKeyStore"
trustStoreRef="alternateTrustStore"
serverKeyAlias="alternateCert"
enabledCiphers="AES256-SHA AES128-SHA" />
<!-- inbound (HTTPS) keystore: holds the server certificate(s) referenced by both <ssl> elements.
     NOTE(review): the password shown is a plaintext example value. Use a site-specific value,
     preferably encoded with Liberty's securityUtility encode tool, and restrict read access to
     server.xml and the keystore file. -->
<keyStore id="defaultKeyStore" password="Liberty"
location="${server.config.dir}/resources/security/sslOptions.jks" />
<!-- Truststore defined in the sample but not referenced by either <ssl> element above
     (they use defaultKeyStore and alternateTrustStore). Remove it or wire it to an <ssl>
     element so that an unused store does not linger in the configuration.
     The password is an example value and should be replaced with an encoded, site-specific one. -->
<keyStore id="defaultTrustStore" password="Liberty"
location="${server.config.dir}/resources/security/trust.jks" />
<!-- Truststore used by testSSLConfig (trustStoreRef) for the endpoint's TLS configuration.
     The password is an example value and should be replaced with an encoded, site-specific one. -->
<keyStore id="alternateTrustStore" password="Liberty"
location="${server.config.dir}/resources/security/optionsTrust.jks" />
<!-- Sample application deployment carried over from the example; it is not part of the
     HTTPS requirement and can be omitted when applying the fix to a real server. -->
<application type="war" id="basicauth" name="basicauth"
location="${server.config.dir}/apps/basicauth.war" />