Check: TCAT-AS-000750
Apache Tomcat 9 STIG:
TCAT-AS-000750
(in version v1 r0.1)
Title
Tomcat must use FIPS-validated ciphers on secured connectors. (Cat I impact)
Discussion
Connectors are how Tomcat receives requests over a network port, passes them to hosted web applications via HTTP or AJP, and then sends back the results to the requestor. Cryptographic ciphers are associated with the connector to create a secured connector. To ensure encryption strength is adequately maintained, the ciphers used must be FIPS 140-2-validated. Crypto libraries are provided by either the Java instance that Tomcat uses or by the OpenSSL implementation.
Check Content
From the Tomcat server console, run the following command:

sudo grep -i fipsmode $CATALINA_HOME/conf/server.xml

If there are no results displayed, or if FIPSMode is not set to FIPSMode="on", this is a finding.
Fix Text
From the Tomcat server as a privileged user:

sudo nano $CATALINA_HOME/conf/server.xml

In the <Listener/> element, locate the AprLifecycleListener, then add or modify the FIPSMode setting and set it to FIPSMode="on".

EXAMPLE:

<Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on" FIPSMode="on" />

Restart the Tomcat server:

sudo systemctl restart tomcat
sudo systemctl daemon-reload
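The grep in the check content also matches a FIPSMode="on" that sits inside an XML comment, so a commented-out listener can look compliant. The audit below is an added example (not part of the STIG) that parses server.xml as XML, locates the AprLifecycleListener and reports the same finding conditions as the check; the sample configurations are constructed, and the SSLEngine check is an extra caveat taken from Tomcat's AprLifecycleListener documentation rather than from the STIG text.

```python
"""Audit a Tomcat 9 server.xml for TCAT-AS-000750 (added example, not STIG text)."""
import xml.etree.ElementTree as ET

APR_LISTENER = "org.apache.catalina.core.AprLifecycleListener"


def audit_fips_mode(server_xml: str) -> list[str]:
    """Return the findings for one server.xml; an empty list means compliant.

    The file is parsed as XML rather than grepped, so a FIPSMode="on" that
    only appears inside an XML comment is not mistaken for compliance.
    """
    findings = []
    root = ET.fromstring(server_xml)  # ElementTree drops comments
    listeners = [e for e in root.iter("Listener")
                 if e.get("className") == APR_LISTENER]
    if not listeners:
        return ["no active AprLifecycleListener, so FIPSMode cannot be set"]
    for lst in listeners:
        mode = lst.get("FIPSMode")
        if mode is None:
            findings.append("AprLifecycleListener has no FIPSMode attribute")
        elif mode.strip().lower() != "on":
            findings.append(f'FIPSMode="{mode}" but the STIG requires FIPSMode="on"')
        # Per Tomcat's AprLifecycleListener docs, FIPSMode only takes effect
        # when SSLEngine is enabled; this check is an addition to the STIG grep.
        if lst.get("SSLEngine", "").strip().lower() != "on":
            findings.append('SSLEngine is not "on", so FIPSMode would have no effect')
    return findings


# Constructed sample configurations, cut down from a full server.xml.
COMPLIANT = """<Server port="8005" shutdown="SHUTDOWN">
  <Listener className="org.apache.catalina.core.AprLifecycleListener"
            SSLEngine="on" FIPSMode="on" />
</Server>"""
COMMENTED_OUT = """<Server port="8005" shutdown="SHUTDOWN">
  <!-- <Listener className="org.apache.catalina.core.AprLifecycleListener"
            SSLEngine="on" FIPSMode="on" /> -->
</Server>"""
FIPS_OFF = """<Server port="8005" shutdown="SHUTDOWN">
  <Listener className="org.apache.catalina.core.AprLifecycleListener"
            SSLEngine="on" FIPSMode="off" />
</Server>"""

if __name__ == "__main__":
    for name, cfg in [("compliant", COMPLIANT), ("commented out", COMMENTED_OUT),
                      ("FIPSMode off", FIPS_OFF)]:
        result = audit_fips_mode(cfg)
        print(f"{name}: {'PASS' if not result else 'FINDING: ' + '; '.join(result)}")
```

Running it against the real file is a matter of passing the contents of $CATALINA_HOME/conf/server.xml to audit_fips_mode; the commented-out case shows where plain grep -i would give a false pass.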
Additional Identifiers
Rule ID: TCAT-AS-000750_rule
Vulnerability ID: TCAT-AS-000750
Group Title: SRG-APP-000179-AS-000129
Expert Comments
CCIs
Number | Definition
---|---
CCI-000803 | The information system implements mechanisms for authentication to a cryptographic module that meet the requirements of applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance for such authentication.
Controls
Number | Title
---|---
IA-7 | Cryptographic Module Authentication