Check: TCAT-AS-000060
Apache Tomcat 9 STIG, version v1 r0.1
Title
Default password for keystore must be changed. (Cat I impact)
Discussion
Tomcat currently supports only JKS, PKCS11, and PKCS12 format keystores. The JKS format is Java's standard "Java KeyStore" format and is the format created by the keytool command-line utility included in the JDK. The PKCS12 format is an internet standard and is managed using OpenSSL or Microsoft's Key-Manager. This requirement applies only to JKS keystores. When a new JKS keystore is created without a password being specified, Tomcat uses the default password "changeit" (all lower-case). If the default password is not changed, anyone who knows that well-known default can open the keystore and its private keys, so the keystore is at risk of compromise.
Check Content
From the Tomcat server console, run the following command to check the keystore:

sudo keytool -list -v

When prompted for the keystore password, type "changeit". If the contents of the keystore are displayed, this is a finding.
Fix Text
From the Tomcat server as a privileged user, run the following command:

sudo keytool -storepasswd

When prompted for the keystore password, select a strong password: minimum 10 characters, mixed-case alphanumeric. Document the password and store it in a secured location that is accessible only to authorized personnel.
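The check and fix above are interactive. The following POSIX shell script is an added example, not part of the STIG text, that automates both for a given keystore file: it reports a finding when the keystore opens with "changeit", and rotates the store password to one that satisfies the 10-character, mixed-case alphanumeric rule from the Fix Text (the policy function is this example's reading of that rule). It assumes the JDK keytool is on PATH; the keystore path is whatever your Tomcat connector's keystoreFile points at, and the demo keystore builder exists only so the script can be exercised on a constructed file.

```shell
#!/bin/sh
# Added example for TCAT-AS-000060 (not the STIG's own text).
# Assumes: JDK keytool on PATH; the caller supplies the Tomcat keystore path.

DEFAULT_PASS="changeit"   # Tomcat's default keystore password, per the Discussion
MIN_LEN=10                # minimum length required by the Fix Text

# Check: returns 0 if the keystore opens with the default password (a finding),
# 1 if it does not (not a finding), 2 if the keystore file does not exist.
check_default_keystore_password() {
    ks="$1"
    [ -f "$ks" ] || return 2
    if keytool -list -keystore "$ks" -storepass "$DEFAULT_PASS" >/dev/null 2>&1; then
        return 0
    fi
    return 1
}

# Policy from the Fix Text as interpreted here: at least MIN_LEN characters
# and containing lower-case, upper-case and digit characters.
password_meets_policy() {
    p="$1"
    [ "${#p}" -ge "$MIN_LEN" ] || return 1
    printf '%s\n' "$p" | grep -q '[a-z]' || return 1
    printf '%s\n' "$p" | grep -q '[A-Z]' || return 1
    printf '%s\n' "$p" | grep -q '[0-9]' || return 1
    return 0
}

# Fix: rotate the store password away from the default. Returns 0 on success,
# 3 if the new password fails the policy, otherwise keytool's non-zero status.
rotate_keystore_password() {
    ks="$1"; new="$2"
    password_meets_policy "$new" || return 3
    keytool -storepasswd -keystore "$ks" -storepass "$DEFAULT_PASS" -new "$new" >/dev/null 2>&1
}

# Demo only: build a throwaway JKS keystore protected by the given password,
# so the check and fix can be exercised without touching a real server.
make_demo_keystore() {
    ks="$1"; pass="$2"
    keytool -genkeypair -keystore "$ks" -storetype JKS -storepass "$pass" -keypass "$pass" \
        -alias demo -keyalg RSA -keysize 2048 -dname "CN=demo" -validity 1 >/dev/null 2>&1
}

# Stand-alone usage: sh tcat-as-000060.sh /path/to/keystore.jks
if [ -n "$1" ]; then
    rc=0
    check_default_keystore_password "$1" || rc=$?
    case $rc in
        0) echo "FINDING: $1 opens with the default password \"$DEFAULT_PASS\"" ;;
        1) echo "Not a finding: $1 does not open with the default password" ;;
        2) echo "Keystore $1 not found" ;;
    esac
fi
```

Passing passwords as command-line arguments, as rotate_keystore_password does, exposes them briefly in the process list; for a production rotation prefer the interactive prompt the Fix Text uses, and run the check with the same account that owns the Tomcat keystore so keytool opens the right file.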
Additional Identifiers
Rule ID: TCAT-AS-000060_rule
Vulnerability ID: TCAT-AS-000060
Group Title: SRG-APP-000033-AS-000023
Expert Comments
CCIs
Number | Definition
---|---
CCI-000213 | The information system enforces approved authorizations for logical access to information and system resources in accordance with applicable access control policies.
Controls
Number | Title
---|---
AC-3 | Access Enforcement