Check: TCAT-AS-000750
Apache Tomcat Application Server 9 STIG:
TCAT-AS-000750
(in versions v2 r7 through v1 r1)
Title
Tomcat must use FIPS-validated ciphers on secured connectors. (Cat I impact)
Discussion
Connectors are how Tomcat receives requests over a network port, passes them to hosted web applications via HTTP or AJP, and then sends the results back to the requestor. Cryptographic ciphers are associated with the connector to create a secured connector. To ensure encryption strength is adequately maintained, the ciphers used must be FIPS 140-2-validated. The FIPS-validated crypto libraries are not provided by Tomcat; they are included as part of the Java instance and the underlying Operating System. The STIG checks to ensure the FIPSMode setting is enabled for the connector and also checks the logs for FIPS errors, which indicates FIPS non-compliance at the OS or Java layers. The administrator is responsible for ensuring the OS and Java instance selected for the Tomcat installation provide and enable these FIPS modules so Tomcat can be configured to use them. Satisfies: SRG-APP-000224-AS-000152, SRG-APP-000428-AS-000265, SRG-APP-000429-AS-000157, SRG-APP-000439-AS-000274, SRG-APP-000440-AS-000167
Check Content
From the Tomcat server console, run the following two commands to verify Tomcat server is configured to use FIPS: sudo grep -i fipsmode $CATALINA_BASE/conf/server.xml sudo grep -i fipsmode $CATALINA_BASE/logs/catalina.out If server.xml does not contain FIPSMode="on", or if catalina.out contains the error "failed to set property[FIPSMODE] to [on]", this is a finding.
Fix Text
In addition to configuring Tomcat, the admin must also configure the underlying OS and Java engine to use FIPS validated encryption modules. This fix instructs how to enable FIPSMode within Tomcat, the OS and Java engine must be configured to use the FIPS validated modules according to the chosen OS and Java engine. From the Tomcat server as a privileged user: sudo nano $CATALINA_BASE/conf/server.xml. In the <Listener/> element, locate the AprLifecycleListener. Either add or modify the FIPSMode setting and set it to FIPSMode="on". EXAMPLE: <Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on" FIPSMode="on" /> Restart the Tomcat server: sudo systemctl restart tomcat sudo systemctl daemon-reload
Additional Identifiers
Rule ID: SV-222968r879616_rule
Vulnerability ID: V-222968
Group Title: SRG-APP-000179-AS-000129
Expert Comments
CCIs
Number | Definition |
---|---|
CCI-000803 |
The information system implements mechanisms for authentication to a cryptographic module that meet the requirements of applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance for such authentication. |
CCI-001188 |
The information system generates unique session identifiers for each session with organization-defined randomness requirements. |
CCI-002418 |
The information system protects the confidentiality and/or integrity of transmitted information. |
CCI-002421 |
The information system implements cryptographic mechanisms to prevent unauthorized disclosure of information and/or detect changes to information during transmission unless otherwise protected by organization-defined alternative physical safeguards. |
CCI-002475 |
The information system implements cryptographic mechanisms to prevent unauthorized modification of organization-defined information at rest on organization-defined information system components. |
CCI-002476 |
The information system implements cryptographic mechanisms to prevent unauthorized disclosure of organization-defined information at rest on organization-defined information system components. |
Controls
Number | Title |
---|---|
IA-7 |
Cryptographic Module Authentication |
SC-8 |
Transmission Confidentiality And Integrity |
SC-8 (1) |
Cryptographic Or Alternate Physical Protection |
SC-23 (3) |
Unique Session Identifiers With Randomization |
SC-28 (1) |
Cryptographic Protection |