SV-106381r1_rule
V-97275
SRG-APP-000171
ISEC-06-550150
CAT II
10
To encrypt the Tomcat Manager Web app password, run the ISEC7 integrated installer or use the following manual procedure.
Note: The ISEC7 integrated installer will configure SHA-512 as the hash algorithm, which is not available with the manual procedure. The manual procedure will configure SHA-256. Both are DoD approved.
Log in to the ISEC7 EMM Suite server.
Browse to <Drive>:\Program Files\ISEC7 EMM Suite\Tomcat\conf and open tomcat-users.xml.
Open the Command Prompt and change directory (cd) to <Drive>:\Program Files\ISEC7 EMM Suite\Tomcat\bin.
Execute the following command:
digest -a SHA-256 -h org.apache.catalina.realm.MessageDigestCredentialHandler *
* where password is the 15-character password designated for the account
Copy the output, which is the SHA-256 hashed digest password.
In tomcat-users.xml, set the user's password attribute to the hashed (obfuscated) output.
Example: <user password="310c55aa3d5b42217e7f0e80ce30467d$100000$529cceb1fbc80f4f461fc1bd56219d79d9c94d4a8fc46abad0646f27e753ff9e" roles="manager-gui,manager-script" username="admin"/>
Save the file.
Open <Drive>:\Program Files\ISEC7 EMM Suite\Tomcat\conf\server.xml with Notepad.exe
Select Edit >> Find and search for CredentialHandler.
Replace the text with: <CredentialHandler className="org.apache.catalina.realm.MessageDigestCredentialHandler" algorithm="SHA-256" />
Save the file.
Restart the ISEC7 EMM Suite Web service using services.msc.
Verify the Apache Tomcat Manager Web app password is hashed using SHA-256 (or SHA-512).
Log in to the ISEC7 EMM Suite server.
Navigate to <Drive>:\Program Files\ISEC7 EMM Suite\Tomcat\conf\
Open tomcat-users.xml and verify the user's password attribute holds a hashed (obfuscated) value rather than the plaintext password.
Example: <user password="310c55aa3d5b42217e7f0e80ce30467d$100000$529cceb1fbc80f4f461fc1bd56219d79d9c94d4a8fc46abad0646f27e753ff9e" roles="manager-gui,manager-script" username="admin"/>
Open <Drive>:\Program Files\ISEC7 EMM Suite\Tomcat\conf\server.xml with Notepad.exe
Select Edit >> Find and search for CredentialHandler.
Confirm the text: <CredentialHandler algorithm="PBKDF2WithHmacSHA512" keyLength="256" />
Close the file.
If the Apache Tomcat Manager Web app password is not hashed using SHA-256 (or SHA-512), this is a finding.
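As an added audit example (not part of the STIG text or ISEC7's tooling), the Python below parses a constructed tomcat-users.xml, classifies each stored password by whether it is in the salt$iterations$hash form with a SHA-256 or SHA-512 length digest, and verifies a candidate password against a stored value. The verification follows the MessageDigestCredentialHandler scheme as I understand it (digest of salt plus password, re-digested iterations-1 more times), which is an assumption; the PBKDF2WithHmacSHA512 handler named in the check text uses a different derivation and is not covered, and the sample users and password are constructed.

```python
import hashlib
import hmac
import re
import xml.etree.ElementTree as ET

# Hex digest lengths for the two algorithms the rule accepts.
HEX_LEN = {"SHA-256": 64, "SHA-512": 128}
# Stored form produced by the digest tool: hex(salt)$iterations$hex(digest)
STORED_RE = re.compile(r"^([0-9a-f]+)\$(\d+)\$([0-9a-f]+)$", re.IGNORECASE)

def classify_password(stored: str) -> str:
    """Classify a tomcat-users.xml password value by its stored form."""
    m = STORED_RE.match(stored)
    if m is None:
        return "plaintext/unknown"
    for alg, n in HEX_LEN.items():
        if len(m.group(3)) == n:
            return alg
    return "plaintext/unknown"

def tomcat_digest(password: str, salt: bytes, iterations: int, algorithm: str = "SHA-256") -> str:
    """Assumed MessageDigestCredentialHandler scheme: digest(salt || password), then
    re-digest the result iterations-1 more times; returns salt$iterations$hash."""
    name = algorithm.replace("-", "").lower()
    d = hashlib.new(name, salt + password.encode("utf-8")).digest()
    for _ in range(iterations - 1):
        d = hashlib.new(name, d).digest()
    return f"{salt.hex()}${iterations}${d.hex()}"

def verify_password(password: str, stored: str) -> bool:
    """Check a candidate password against a stored salt$iterations$hash value."""
    alg = classify_password(stored)
    if alg not in HEX_LEN:
        return False  # plaintext or unrecognised form never verifies
    salt_hex, iterations, _ = stored.split("$")
    recomputed = tomcat_digest(password, bytes.fromhex(salt_hex), int(iterations), alg)
    return hmac.compare_digest(recomputed.lower(), stored.lower())

def audit_users(tomcat_users_xml: str) -> dict:
    """Map each <user> (namespace-agnostic) to the classification of its password."""
    root = ET.fromstring(tomcat_users_xml)
    return {el.get("username"): classify_password(el.get("password", ""))
            for el in root.iter() if el.tag.rsplit("}", 1)[-1] == "user"}

# Constructed sample file (not taken from a real ISEC7 install); the admin value
# is the example hash from the STIG text, the legacy user is deliberately plaintext.
SAMPLE_USERS = """<tomcat-users xmlns="http://tomcat.apache.org/xml">
  <user username="admin" password="310c55aa3d5b42217e7f0e80ce30467d$100000$529cceb1fbc80f4f461fc1bd56219d79d9c94d4a8fc46abad0646f27e753ff9e" roles="manager-gui,manager-script"/>
  <user username="legacy" password="tomcat" roles="manager-gui"/>
</tomcat-users>"""
```

Any user whose entry does not classify as SHA-256 or SHA-512 is the finding the check text describes.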