Check: TCAT-AS-000720
Apache Tomcat 9 STIG, version v1 r0.1
Title
Default password for keystore must be changed. (Cat I impact)
Discussion
Tomcat currently operates only on JKS, PKCS11 or PKCS12 format keystores. The JKS format is Java's standard "Java KeyStore" format, and is the format created by the keytool command-line utility which is included in the JDK. The PKCS12 format is an internet standard, and is managed using OpenSSL or Microsoft's Key-Manager. When a new JKS keystore is created, if a password is not specified during creation, the default password used by Tomcat is "changeit" (all lowercase). If the default password is not changed, the keystore is at risk of compromise.
Check Content
From the Tomcat server console, run the following command to check the keystore:
sudo keytool -list -v
When prompted for the keystore password, type "changeit". If the contents of the keystore are displayed, this is a finding.
Fix Text
From the Tomcat server, as a privileged user, run:
sudo keytool -storepasswd
When prompted for the keystore password, choose a strong password of at least 10 characters using mixed-case alphanumeric characters. Document the password and store it in a secured location that is accessible only to authorized personnel.
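The check and fix above can be scripted for a fleet of Tomcat hosts. The script below is an added example, not part of the STIG text: it reports a finding when a keystore opens with the default password, validates a replacement against the STIG's minimum password rules, and only then rotates the store password. It assumes it runs as a privileged user with keytool on PATH, and the keystore path is a hypothetical placeholder.

```shell
#!/bin/sh
# Added example (not from the STIG): audit a Tomcat keystore for the
# default "changeit" store password and rotate it under a policy check.

DEFAULT_PASS="changeit"

# Returns 0 if the keystore opens with the default password (a finding),
# 1 if it does not (not a finding), 2 if keytool or the keystore is missing.
check_default_keystore_password() {
    ks="$1"
    command -v keytool >/dev/null 2>&1 || return 2
    [ -f "$ks" ] || return 2
    if keytool -list -keystore "$ks" -storepass "$DEFAULT_PASS" >/dev/null 2>&1; then
        return 0
    fi
    return 1
}

# STIG minimum for the replacement: at least 10 characters, with upper-case,
# lower-case and digits all present.
password_meets_policy() {
    pw="$1"
    [ "${#pw}" -ge 10 ] || return 1
    case "$pw" in *[A-Z]*) ;; *) return 1 ;; esac
    case "$pw" in *[a-z]*) ;; *) return 1 ;; esac
    case "$pw" in *[0-9]*) ;; *) return 1 ;; esac
    return 0
}

# Rotate the store password. The new value is read from the NEW_STOREPASS
# environment variable and handed to keytool via -new:env so it never
# appears on the command line (where it would be visible in the process list).
rotate_keystore_password() {
    ks="$1"
    password_meets_policy "${NEW_STOREPASS:-}" || {
        echo "NEW_STOREPASS does not meet the password policy" >&2
        return 1
    }
    keytool -storepasswd -keystore "$ks" -storepass "$DEFAULT_PASS" -new:env NEW_STOREPASS
}

# Stand-alone use: audit the path given as the first argument.
if [ -n "${1:-}" ]; then
    check_default_keystore_password "$1"
    case "$?" in
        0) echo "FINDING: $1 opens with the default password" ;;
        1) echo "OK: $1 does not use the default password" ;;
        *) echo "SKIP: keytool or $1 not found" ;;
    esac
fi
```

The keystore Tomcat actually serves TLS from is the one named by the Connector's keystoreFile attribute in server.xml; audit that path rather than relying on the user's default ~/.keystore alone.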
Additional Identifiers
Rule ID: TCAT-AS-000720_rule
Vulnerability ID: TCAT-AS-000720
Group Title: SRG-APP-000176-AS-000125
CCIs
Number | Definition
---|---
CCI-000186 | The information system, for PKI-based authentication, enforces authorized access to the corresponding private key.
Controls
Number | Title
---|---
IA-5 (2) | PKI-Based Authentication