The WebSphere Application Server multifactor authentication for network access to privileged accounts must be used.

From IBM WebSphere Traditional V9.x Security Technical Implementation Guide

Part of SRG-APP-000149-AS-000102

Associated with: CCI-000187 CCI-000765 CCI-000767 CCI-001184 CCI-001953 CCI-001954 CCI-002009 CCI-002010 CCI-002011

SV-96025r1_rule The WebSphere Application Server multifactor authentication for network access to privileged accounts must be used.

Vulnerability discussion

Multifactor authentication creates a layered defense and makes it more difficult for an unauthorized person to access the application server. If one factor is compromised or broken, the attacker still has at least one more barrier to breach before successfully breaking into the target. Unlike a simple username/password scenario where the attacker could gain access by knowing both the username and password without the user knowing his account was compromised, multifactor authentication adds the requirement that the attacker must have something from the user, such as a token, or to biometrically be the user.Multifactor authentication is defined as: using two or more factors to achieve authentication. Factors include: (i) something a user knows (e.g., password/PIN); (ii) something a user has (e.g., cryptographic identification device, token); or (iii) something a user is (e.g., biometric). A CAC or PKI Hardware Token meets this definition.A privileged account is defined as an information system account with authorizations of a privileged user. These accounts would be capable of accessing the web management interface.When accessing the application server via a network connection, administrative access to the application server must be PKI Hardware Token enabled.Satisfies: SRG-APP-000149-AS-000102, SRG-APP-000391-AS-000239, SRG-APP-000392-AS-000240, SRG-APP-000151-AS-000103, SRG-APP-000177-AS-000126, SRG-APP-000402-AS-000247, SRG-APP-000403-AS-000248, SRG-APP-000404-AS-000249, SRG-APP-000219-AS-000147

Check content

Check that the admin console is enabled for client certificate logon. In the Deployment Manager, check the file on: /profiles//config/cells//applications/isclite.ear/deployments/isclite/isclite.war/WEB-INF/web.xml. If the "XML element FORM" is present, this is a finding.

Fix text

From the admin console, select System Administration >> Deployment Manager >> Java and Process Management >> Process definition >> Java Virtual Machine >> Custom Properties. Select "New". Insert the following case sensitive value into the "Name" field: "adminconsole.certLogin". Select "Value". Enter "true". Click "Apply". Click "Save". Select Security >> SSL Certificate and Key management >> SSL Configurations >> Select CellDefaultSSLSettings >> Quality of Protection (QOP) settings. In the "Client Authentication" drop-box, make sure "Supported" or "Required" is selected. Click "Apply". Click "Save". Save a backup copy and edit the "Web.xml" file as follows: /profiles//config/cells//applications/isclite.ear/deployments/isclite/isclite.war/WEB-INF/web.xml: --- Change: < security-constraint> Protected Area / --- So it becomes: < security-constraint> Protected Area / /logon.jsp /logonError.jsp --- Add these security constraints if not already present: free pages /*.jsp /css/* /images/* /j_security_check --- Change: FORM to CLIENT-CERT Save the "web.xml" file. Stop and restart the Deployment Manager. Log on to the admin console using your certificate.

Pro Tips

Lavender hyperlinks in small type off to the right (of CSS class id, if you view the page source) point to globally unique URIs for each document and item. Copy the link location and paste anywhere you need to talk unambiguously about these things.

You can obtain data about documents and items in other formats. Simply provide an HTTP header Accept: text/turtle or Accept: application/rdf+xml.

Powered by sagemincer