STIGQter: STIG Summary: IBM WebSphere Traditional V9.x Security Technical Implementation Guide Version: 1 Release: 1 Benchmark Date: 23 Aug 2018:

The WebSphere Application Server must provide security extensions to extend the SOAP protocol and provide secure authentication when accessing sensitive data.

DISA Rule

SV-96043r1_rule

Vulnerability Number

V-81329

Group Title

SRG-APP-000156-AS-000106

Rule Version

WBSP-AS-001090

Severity

CAT II

CCI(s)

• CCI-001941 - The information system implements replay-resistant authentication mechanisms for network access to privileged accounts.

Weight

10

Fix Recommendation

To attach policy sets for your service clients:
From admin console, navigate to Applications >> All applications >> [application].

For each application that is a web service client and requires secure authentication, click on "Service client policy sets and bindings."

Click button on the "Select" column to select a resource.

Click on "Attach Client Policy Set" drop down.

Select policy set that best matches the environment.

Click button on the "Select" column to select the same resource.

Click on the "Assign binding" drop down.

Select a binding that best matches the environment.

Click "Save".

Restart DMGR and resync the JVMs.

Check Contents

Review System Security Plan documentation.

Interview the system administrator.

Identify any application web service clients.

Identify the secure authentication requirements for each client.

From admin console, navigate to Applications >> All applications.

Click on each application that is a web service client where the security plan specifies security extensions are to be applied.

Navigate to "Service client policy sets and bindings".

Verify that any web service clients that are required to have security extensions applied as per the security plan have a policy attached.

If "Attached policy set" column displays none, but the System Security Plan specifies security extensions as required, this is a finding.

Vulnerability Number

V-81329

Documentable

False

Rule Version

WBSP-AS-001090

Severity Override Guidance

Review System Security Plan documentation.

Interview the system administrator.

Identify any application web service clients.

Identify the secure authentication requirements for each client.

From admin console, navigate to Applications >> All applications.

Click on each application that is a web service client where the security plan specifies security extensions are to be applied.

Navigate to "Service client policy sets and bindings".

Verify that any web service clients that are required to have security extensions applied as per the security plan have a policy attached.

If "Attached policy set" column displays none, but the System Security Plan specifies security extensions as required, this is a finding.

Check Content Reference

M

Target Key

3399

Comments