IBM WebSphere Liberty Server STIG Version Comparison
IBM WebSphere Liberty Server Security Technical Implementation Guide
Comparison
There are 10 differences between versions v1 r1 (Aug. 31, 2021) (the "left" version) and v1 r2 (Oct. 26, 2022) (the "right" version).
Check IBMW-LS-000020 was changed between these two versions. Green, underlined text was added; red, struck-out text was removed.
Text Differences
Title
The WebSphere Liberty Server Quality of Protection (QoP) must be set to use TLSv1.2 or higher.
Check Content
As a privileged user with local file access to ${server.config.dir}/server.xml, verify the appSecurity-x.x feature and the sslProtocol settings are configured.
grep -i appsecurity- server.xml
RESULT (v1 r2, added text): <feature>appSecurity-3.0</feature>
RESULT (v1 r1, removed text): <feature>appSecurity-2.0</feature>
Verify the SSL protocol setting is configured for TLSv1.2 for every SSL configuration. There can be multiple SSL configurations and SSL ID settings.
grep -i "<ssl id=" server.xml
SAMPLE RESULT: <ssl id="TLSSettings" keyStoreRef="TLSKeyStore" trustStoreRef="TLSTrustStore" sslProtocol="TLSv1.2"/>
If the SSL protocol setting does not specify TLS v1.2 or higher, or if the appSecurity feature is not configured, this is a finding.
Discussion
Quality of Protection in WebSphere Liberty specifies the security level, ciphers, and mutual authentication settings for the Secure Sockets Layer / Transport Layer Security (SSL/TLS) configuration. For Quality of Protection settings to apply, the security feature (appSecurity-3.0 in v1 r2, added text; appSecurity-2.0 in v1 r1, removed text) must be defined in order to configure a user registry for the servlet to authenticate against. The SSL feature (ssl-1.0) must be defined in order to configure SSL settings, and the LDAP feature (ldapRegistry-3.0) must be defined in order to configure an enterprise-level user registry for authentication of users.
Fix
To ensure the QoP is set to TLS v1.2 or higher, the ${server.config.dir}/server.xml file must be configured as follows:
v1 r2 (added text): <featureManager><feature>appSecurity-3.0</feature><feature>ssl-1.0</feature></featureManager>
v1 r1 (removed text): <featureManager><feature>appSecurity-2.0</feature><feature>ssl-1.0</feature></featureManager>
For every SSL configuration, the sslProtocol field must be set to TLS v1.2 or higher.
<ssl id="TLSSettings" keyStoreRef="TLSKeyStore" trustStoreRef="TLSTrustStore" sslProtocol="TLSv1.2" />
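The Check Content and Fix above describe a manual grep of server.xml. The following is an added example, written for this comparison page and not taken from the DISA STIG or from IBM, of a small Python checker that parses server.xml with the standard library and applies the same two rules: an appSecurity-x.x feature must be enabled, and every <ssl> element must set sslProtocol to TLS v1.2 or higher. It goes slightly beyond the grep by also accepting a comma-separated protocol list such as TLSv1.2,TLSv1.3 (a form Liberty's ssl element accepts) and by flagging the catch-all value TLS, which enables every TLS version the JDK supports rather than pinning 1.2 or higher. Both server.xml documents in the block are constructed for the example; the file name check_qop.py and the decision to report a document with no <ssl> element at all are choices made here, not part of the check text.

```python
"""Check a WebSphere Liberty server.xml against IBMW-LS-000020 (QoP must be TLSv1.2 or higher).

Added example for this comparison page; not DISA STIG or IBM code.  It mirrors the
manual grep in the Check Content: the appSecurity-x.x feature must be enabled and
every <ssl> element must set sslProtocol to TLS 1.2 or higher.
"""
import sys
import xml.etree.ElementTree as ET
from typing import List, Optional

# sslProtocol tokens treated as "TLS v1.2 or higher".  "TLS" (all JDK-supported
# versions), "SSL_TLS", "TLSv1.1" and an unset attribute are all findings.
ACCEPTED_PROTOCOLS = {"TLSv1.2", "TLSv1.3"}


def protocol_is_compliant(value: Optional[str]) -> bool:
    """True only if every comma-separated token is TLSv1.2 or TLSv1.3.

    Liberty lets sslProtocol carry a comma-separated list (e.g. "TLSv1.2,TLSv1.3").
    A missing or empty value is non-compliant because the check requires the
    protocol to be specified; an empty token after a trailing comma is rejected too.
    """
    if value is None:
        return False
    tokens = [t.strip() for t in value.split(",")]
    return all(t in ACCEPTED_PROTOCOLS for t in tokens)


def check_server_xml(xml_text: str) -> List[str]:
    """Return the list of findings for one server.xml; an empty list is a pass."""
    root = ET.fromstring(xml_text)
    findings: List[str] = []

    # Rule 1: some appSecurity-x.x feature must be listed under <featureManager>.
    features = [f.text.strip() for f in root.iter("feature") if f.text]
    if not any(f.lower().startswith("appsecurity-") for f in features):
        findings.append("appSecurity-x.x feature is not enabled in <featureManager>")

    # Rule 2: every <ssl> element (there may be several, each with its own id)
    # must pin sslProtocol to TLS 1.2 or higher.  iter() also finds <ssl> nested
    # under other elements, which a line-oriented grep for '<ssl id=' could miss.
    ssl_elements = list(root.iter("ssl"))
    if not ssl_elements:
        # Choice made in this example, beyond the literal check text: with nothing
        # to inspect, report it so a reviewer looks at the server defaults manually.
        findings.append("no <ssl> element found; sslProtocol could not be verified")
    for ssl in ssl_elements:
        proto = ssl.get("sslProtocol")
        if not protocol_is_compliant(proto):
            findings.append(
                f'<ssl id="{ssl.get("id", "(no id)")}"> sslProtocol={proto!r} '
                "does not specify TLSv1.2 or higher"
            )
    return findings


# Constructed samples (not from a real deployment).  The first trips both rules:
# no appSecurity feature, and three weak or unset protocol settings.  The second
# satisfies the check text of v1 r2.
NONCOMPLIANT_SERVER_XML = """<server description="constructed weak sample">
  <featureManager>
    <feature>servlet-4.0</feature>
    <feature>ssl-1.0</feature>
  </featureManager>
  <ssl id="defaultSSLConfig" keyStoreRef="defaultKeyStore" sslProtocol="TLS"/>
  <ssl id="legacySSL" keyStoreRef="legacyKeyStore" sslProtocol="TLSv1.1"/>
  <ssl id="unpinnedSSL" keyStoreRef="defaultKeyStore"/>
</server>"""

COMPLIANT_SERVER_XML = """<server description="constructed compliant sample">
  <featureManager>
    <feature>appSecurity-3.0</feature>
    <feature>ssl-1.0</feature>
  </featureManager>
  <ssl id="TLSSettings" keyStoreRef="TLSKeyStore" trustStoreRef="TLSTrustStore" sslProtocol="TLSv1.2"/>
  <ssl id="modernSSL" keyStoreRef="TLSKeyStore" sslProtocol="TLSv1.2,TLSv1.3"/>
</server>"""


def main(argv: List[str]) -> int:
    """Usage: python check_qop.py [path/to/server.xml]; exit status 1 if any finding."""
    if len(argv) > 1:
        with open(argv[1], encoding="utf-8") as fh:
            samples = {argv[1]: fh.read()}
    else:
        samples = {"noncompliant sample": NONCOMPLIANT_SERVER_XML,
                   "compliant sample": COMPLIANT_SERVER_XML}
    rc = 0
    for name, text in samples.items():
        findings = check_server_xml(text)
        print(f"{name}: {'PASS' if not findings else 'FINDING'}")
        for line in findings:
            print("  -", line)
        rc |= 1 if findings else 0
    return rc


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it with no arguments to see the two constructed samples evaluated, or pass the path of a real ${server.config.dir}/server.xml. The non-zero exit status on any finding lets the script sit in a CI or configuration-audit job; treat a reported "TLS" value the same as the STIG does, since it does not restrict the handshake to TLS 1.2 or higher.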