Check: TOMCAT-000156-AS-000106
Apache Tomcat Application Server STIG - Xylok Custom: TOMCAT-000156-AS-000106 (in version v1 r1.1)
Title
The application server must provide security extensions to extend the SOAP protocol and provide secure authentication when accessing sensitive data. (Cat II impact)
Discussion
Application servers may provide a web services capability that could be leveraged to allow remote access to sensitive application data. A web service, which is a repeatable process used to make data available to remote clients, should not be confused with a web server. Many web services utilize SOAP, which in turn utilizes XML and HTTP as a transport. Natively, SOAP does not provide security protections. As such, the application server must provide security extensions to enhance SOAP capabilities to ensure that secure authentication mechanisms are employed to protect sensitive data. The WS_Security suite is a widely used and acceptable SOAP security extension.
Check Content
If SOAP services are not used, this check is NA. The Tomcat server must use SSL in order to provide security for the SOAP service. Review the server.xml configuration file and check whether the “SSL HTTP/1.1 Connector” entry is uncommented. If the “SSL HTTP/1.1 Connector” entry is commented out or does not exist, this is a finding.
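As an added example that is not part of the STIG or the Xylok material, the following Python script automates the review step above: it parses server.xml and reports a finding when no uncommented TLS-enabled Connector is present. The two server.xml fragments are constructed for the example; a real run would read the deployed conf/server.xml via check_file().

```python
import xml.etree.ElementTree as ET

# Constructed sample server.xml: the shipped SSL connector is still
# commented out, which is exactly the condition the check flags.
SERVER_XML_COMMENTED = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443"/>
    <!--
    <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
               maxThreads="150" SSLEnabled="true" scheme="https" secure="true"/>
    -->
  </Service>
</Server>
"""

# Constructed sample where the administrator has uncommented the SSL connector.
SERVER_XML_ENABLED = SERVER_XML_COMMENTED.replace("<!--\n", "").replace("\n    -->", "")


def is_ssl_connector(conn):
    """True when a <Connector> element is configured for TLS.

    Tomcat marks a TLS connector with SSLEnabled="true"; a nested
    <SSLHostConfig> element (Tomcat 8.5 and later) also implies TLS.
    """
    if conn.get("SSLEnabled", "").lower() == "true":
        return True
    if conn.find("SSLHostConfig") is not None:
        return True
    return conn.get("scheme", "").lower() == "https" and conn.get("secure", "").lower() == "true"


def active_ssl_connectors(server_xml):
    """Return the port of every active TLS connector.

    ElementTree drops XML comments while parsing, so a connector that is
    still commented out never shows up here, mirroring the manual review.
    """
    root = ET.fromstring(server_xml)
    return [c.get("port") for c in root.iter("Connector") if is_ssl_connector(c)]


def is_finding(server_xml):
    """True when no uncommented SSL connector exists (a finding under this check)."""
    return not active_ssl_connectors(server_xml)


def check_file(path):
    """Evaluate a deployed server.xml, e.g. $CATALINA_BASE/conf/server.xml."""
    with open(path, encoding="utf-8") as fh:
        return is_finding(fh.read())


if __name__ == "__main__":
    for label, cfg in (("commented", SERVER_XML_COMMENTED), ("enabled", SERVER_XML_ENABLED)):
        print(label, "FINDING" if is_finding(cfg) else "ok", active_ssl_connectors(cfg))
```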
Fix Text
Configure the application server to utilize secure authentication when SOAP web services are used to access sensitive data.
Additional Identifiers
Rule ID: SV-46591r3_rule
Vulnerability ID: V-35304
Group Title:
CCIs
Number | Definition |
---|---|
CCI-001941 | The information system implements replay-resistant authentication mechanisms for network access to privileged accounts. |
Controls
Number | Title |
---|---|
IA-2 (8) | Network Access To Privileged Accounts - Replay Resistant |