SV-222965r615938_rule
V-222965
SRG-APP-000172-AS-000121
TCAT-AS-000690
CAT I
10
Identify the server IP that is providing LDAP services and configure the Tomcat user roles schema within LDAP. Refer to the manager and host-manager web.xml files for application specific role information that can be used for setting up the roles for those applications. The default location for these files is: $CATALINA_BASE/webapps/<AppName>/WEB-INF/web.xml
From the Tomcat server console as a privileged user, edit the $CATALINA_BASE/conf/server.xml file.
Locate the <Realm> element in the server.xml file, add a nested <Realm> element using the JNDIRealm className and configure the associated LDAP settings as per the LDAP server connection requirements.
EXAMPLE:
This is for illustration purposes only. Modify the LDAP settings on a case-by-case basis to match your individual LDAP server and schema.
<Realm className="org.apache.catalina.realm.JNDIRealm"
       connectionURL="ldaps://localhost:686"
       userPattern="uid={0},ou=people,dc=myunit,dc=mil"
       roleBase="ou=groups,dc=myunit,dc=mil"
       roleName="cn"
       roleSearch="(uniqueMember={0})"
/>
From the Tomcat server as a privileged user, run the following command:
sudo grep -i -A8 JNDIRealm $CATALINA_BASE/conf/server.xml
If the JNDIRealm connectionURL setting is not configured to use LDAPS, if it does not exist, or is commented out, this is a finding.
EXAMPLE:
This is an example. Replace localhost with the LDAP server IP and configure the other LDAP-related settings as well.
<Realm className="org.apache.catalina.realm.JNDIRealm"
       connectionURL="ldaps://localhost:686"
       ...
/>
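The grep above prints any line containing "JNDIRealm", including one inside an XML comment, so the reviewer still has to read the output to decide whether the realm is live. The following script is an added example, not part of the STIG text, that performs the same check by parsing server.xml: comments are discarded by the parser, so a commented-out JNDIRealm is reported as missing, and every connectionURL must use the ldaps scheme. It goes slightly beyond the check text by also holding the optional JNDIRealm alternateURL attribute to the same rule, since a plaintext fallback URL would defeat the control. The sample server.xml documents, the 192.0.2.10 address and the /opt/tomcat default path are constructed for the example.

```python
"""Audit Tomcat server.xml for a JNDIRealm that connects over LDAPS.

Added example for TCAT-AS-000690; not part of the STIG. Parses the XML
instead of grepping it, so a JNDIRealm that is commented out is reported
as missing rather than shown as if it were active.
"""
import os
import sys
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

JNDI_REALM_CLASS = "org.apache.catalina.realm.JNDIRealm"
# JNDIRealm falls back to alternateURL when connectionURL fails; a plaintext
# fallback would defeat the control, so both attributes must use ldaps.
URL_ATTRIBUTES = ("connectionURL", "alternateURL")


def audit_jndi_realm(server_xml_text):
    """Return (compliant, findings) for the text of a server.xml file.

    Compliant means at least one active (uncommented) JNDIRealm exists and
    every URL attribute present on each JNDIRealm uses the ldaps scheme.
    """
    try:
        root = ET.fromstring(server_xml_text)
    except ET.ParseError as exc:
        return False, [f"server.xml is not well-formed XML: {exc}"]

    # iter() walks nested realms too, e.g. a JNDIRealm inside a LockOutRealm.
    realms = [r for r in root.iter("Realm") if r.get("className") == JNDI_REALM_CLASS]
    if not realms:
        return False, ["no active JNDIRealm element (missing or commented out)"]

    findings = []
    for realm in realms:
        if realm.get("connectionURL") is None:
            findings.append("JNDIRealm has no connectionURL attribute")
        for attr in URL_ATTRIBUTES:
            url = realm.get(attr)
            if url is not None and urlsplit(url).scheme.lower() != "ldaps":
                findings.append(f"JNDIRealm {attr}={url!r} does not use ldaps://")
    return not findings, findings


def grep_would_match(server_xml_text):
    """Mimic `grep -i JNDIRealm`: true whenever the token appears, even in a comment."""
    return "jndirealm" in server_xml_text.lower()


def audit_server_xml_file(path):
    with open(path, encoding="utf-8") as handle:
        return audit_jndi_realm(handle.read())


# Constructed sample configurations (not taken from any real deployment).
COMPLIANT_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Engine name="Catalina" defaultHost="localhost">
      <Realm className="org.apache.catalina.realm.LockOutRealm">
        <Realm className="org.apache.catalina.realm.JNDIRealm"
               connectionURL="ldaps://192.0.2.10:636"
               userPattern="uid={0},ou=people,dc=myunit,dc=mil"
               roleBase="ou=groups,dc=myunit,dc=mil"
               roleName="cn"
               roleSearch="(uniqueMember={0})"/>
      </Realm>
    </Engine>
  </Service>
</Server>
"""

# Plaintext LDAP: grep shows a JNDIRealm, but the scheme is wrong.
PLAINTEXT_SERVER_XML = COMPLIANT_SERVER_XML.replace("ldaps://", "ldap://")

# Commented-out realm: grep still matches, but no JNDIRealm is active.
COMMENTED_OUT_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Engine name="Catalina" defaultHost="localhost">
      <!--
      <Realm className="org.apache.catalina.realm.JNDIRealm"
             connectionURL="ldaps://192.0.2.10:636"/>
      -->
      <Realm className="org.apache.catalina.realm.UserDatabaseRealm"
             resourceName="UserDatabase"/>
    </Engine>
  </Service>
</Server>
"""

if __name__ == "__main__":
    # Default path is an assumption; pass the real server.xml as the first argument.
    path = sys.argv[1] if len(sys.argv) > 1 else os.path.join(
        os.environ.get("CATALINA_BASE", "/opt/tomcat"), "conf", "server.xml")
    compliant, findings = audit_server_xml_file(path)
    print("PASS" if compliant else "FINDING", path)
    for line in findings:
        print(" -", line)
    sys.exit(0 if compliant else 1)
```

Run it as `python3 audit_jndi_realm.py "$CATALINA_BASE/conf/server.xml"` on the Tomcat host; a non-zero exit status is a finding. The script checks the URL scheme, which is what the check text requires; it does not judge the port, so the reviewer still confirms that the host and port named in the URL are the intended LDAPS endpoint.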
V-222965
False
TCAT-AS-000690
M
4094