The WebSphere Application Server must authenticate all endpoint devices before establishing a local, remote, and/or network connection using bidirectional authentication that is cryptographically based.

From IBM WebSphere Traditional V9.x Security Technical Implementation Guide

Part of SRG-APP-000395-AS-000109

Associated with: CCI-001967

SV-96055r1_rule The WebSphere Application Server must authenticate all endpoint devices before establishing a local, remote, and/or network connection using bidirectional authentication that is cryptographically based.

Vulnerability discussion

Device authentication requires unique identification and authentication that may be defined by type, by specific device, or by a combination of type and device.Bidirectional authentication provides stronger safeguards to validate the identity of other devices for connections that are of greater risk.Device authentication is performed when the application server is providing web services capabilities and data protection requirements mandate the need to establish the identity of the connecting device before the connection is established.Because of the challenges of applying this requirement on a large scale, organizations are encouraged to only apply the requirement to those limited number (and type) of devices that truly need to support this capability.Note: with LDAP registry, the entire DN in the certificate is used to look up LDAP. Filters may be configured. With other registries, only the first attribute after the first "=", e.g., CN=<user> is used.

Check content

Review System Security Plan documentation. Identify mutual authentication connection requirements. From the admin console, navigate to Security >> SSL Certificate and Key Management >> SSL Configuration. Select each [NodeDefaultSSLSettings] then go to Quality of Protection (QoP) Settings. If "Client authentication" is not set according to the security plan, this is a finding. Note: with LDAP registry, the entire DN in the certificate is used to look up LDAP. Filters may be configured. With other registries, only the first attribute after the first "=", e.g., CN= is used.

Fix text

From the admin console, navigate to Security >> SSL Certificate and Key Management >> SSL Configuration. For each [NodeDefaultSSLSettings] select Quality of Protection (QoP) Settings. Set "Client authentication" according to the security plan.

Pro Tips

Lavender hyperlinks in small type off to the right (of CSS class id, if you view the page source) point to globally unique URIs for each document and item. Copy the link location and paste anywhere you need to talk unambiguously about these things.

You can obtain data about documents and items in other formats. Simply provide an HTTP header Accept: text/turtle or Accept: application/rdf+xml.

Powered by sagemincer