STIGQter: STIG Summary: Apache Tomcat Application Server 9 Security Technical Implementation Guide Version: 2 Release: 2 Benchmark Date: 22 Jan 2021

Certificates in the trust store must be issued/signed by an approved CA.

DISA Rule

SV-222994r615938_rule

Vulnerability Number

V-222994

Group Title

SRG-APP-000427-AS-000264

Rule Version

TCAT-AS-001430

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Obtain and install the DoD PKI CA certificate bundles by accessing the DoD PKI office website at https://cyber.mil/pki-pke.

Download the certificate bundles and then use certificate management utilities such as keytool or openssl to import the DoD CA certificates into the trust store.

Check Contents

For the systemd Ubuntu OS, check the tomcat.service file to read the content of the JAVA_OPTS environment variable setting.

sudo cat /etc/systemd/system/tomcat.service |grep -i truststore

EXAMPLE output:
set JAVA_OPTS="-Djavax.net.ssl.trustStore=/path/to/truststore" "-Djavax.net.ssl.trustStorePassword=************"

If the variable is not set, use the default location command below. If the variable is set, use the alternate location command below and include the path and truststore file.

-Default location:
keytool -list -cacerts -v | grep -i issuer

-Alternate location:
keytool -list -keystore <location of trust store file> -v |grep -i issuer

If there are no CA certificates issued by a Certificate Authority (CA) that is part of the DoD PKI/PKE, this is a finding.
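
The check above as a script, added here as an example and not part of the STIG text: it reads the trust store path from the unit file and counts issuer lines that look like DoD PKI CAs. The DOD_ISSUER_RE pattern, the function names and the --run switch are assumptions of this example; a name match on the issuer string is what the manual grep does and does not validate a certificate chain.

```shell
#!/bin/sh
# Assumption: issuer DNs of DoD PKI CAs contain this string. Confirm it against
# the CA bundle obtained from the DoD PKI office before relying on the result.
DOD_ISSUER_RE='OU=DoD, *O=U\.S\. Government'

# Print the -Djavax.net.ssl.trustStore= value found in a unit file.
# Prints nothing when the option is absent (default cacerts store is in use).
truststore_path() {
    sed -n 's/.*-Djavax\.net\.ssl\.trustStore=\([^" ]*\).*/\1/p' "$1" 2>/dev/null |
        head -n 1
}

# Read `keytool -list -v` output on stdin; print how many Issuer lines match.
count_dod_issuers() {
    grep -i '^ *Issuer:' | grep -c -- "$DOD_ISSUER_RE" || true
}

# Constructed sample in the style of keytool -v output (not captured output).
sample_listing() {
    cat <<'EOF'
Owner: CN=DoD Root CA 3, OU=PKI, OU=DoD, O=U.S. Government, C=US
Issuer: CN=DoD Root CA 3, OU=PKI, OU=DoD, O=U.S. Government, C=US
Owner: CN=Example Test CA, O=Example Corp, C=US
Issuer: CN=Example Test CA, O=Example Corp, C=US
EOF
}

# Returns 0 when at least one DoD-issued CA certificate is listed, 1 (finding)
# otherwise. $1 is the unit file, defaulting to the path used in the check text.
check_truststore() {
    unit=${1:-/etc/systemd/system/tomcat.service}
    store=$(truststore_path "$unit")
    # stdin is /dev/null so keytool cannot block on a password prompt.
    if [ -n "$store" ]; then
        found=$(keytool -list -keystore "$store" -v </dev/null 2>/dev/null | count_dod_issuers)
    else
        found=$(keytool -list -cacerts -v </dev/null 2>/dev/null | count_dod_issuers)
    fi
    echo "trust store: ${store:-default cacerts}; DoD-issued CA entries: $found"
    [ "$found" -gt 0 ]
}

# Run the check only when asked, so the functions can also be sourced.
if [ "${1:-}" = "--run" ]; then check_truststore "${2:-}"; exit $?; fi
```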

Documentable

False

Check Content Reference

M

Target Key

4094
