STIGQter: STIG Summary: IBM WebSphere Traditional V9.x Security Technical Implementation Guide Version: 1 Release: 1 Benchmark Date: 23 Aug 2018:

The WebSphere Application Server default keystore passwords must be changed.

DISA Rule

SV-96071r1_rule

Vulnerability Number

V-81357

Group Title

SRG-APP-000176-AS-000125

Rule Version

WBSP-AS-001230

Severity

CAT I

CCI(s)

• CCI-000186 - The information system, for PKI-based authentication, enforces authorized access to the corresponding private key.

Weight

10

Fix Recommendation

Navigate to Security >> SSL Certificate and Key Management >> Key stores and certificates.

Select a keystore from the list.

Click "Change Password".

Enter the new password and password confirmation.

Click "OK".

Repeat for every keystore in the list.

Synchronize changes to all nodes.

Check Contents

Review System Security Plan documentation.

Interview the system administrator.

Identify installation folders and DMGR info.

Access the DMGR system via the OS.

Stop the DMGR processes. This will shut down the application server so plan outages accordingly.

The default file paths and DefaultMgr installation names are provided below, adjust paths, and dmgr name if your installation differs from the default.

For UNIX systems:
cd /opt/IBM/Websphere/Profiles/<DefaultDmgr01>/logs/dmgr/

-stopManager.sh -user [admin user name] - password [admin user password]
-archive the SystemOut*.log files. (Copy to another location)
-startManager.sh
-grep -i cwpki0041w SystemOut.log

For Windows:
cd C:\program files\IBM\Websphere\Profiles\<DefaultDmgr01>\logs\dmgr\

-stopManager.exe -user [admin user name] - password [admin user password]
-archive the SystemOut*.log files. (Copy to another location)
-startManager.exe
-findstr -I cwpki0041w systemout.log

If the results include:
"CWPKI0041W: One or more keystores are using the default password", this is a finding.

Vulnerability Number

V-81357

Documentable

False

Rule Version

WBSP-AS-001230

Severity Override Guidance

Review System Security Plan documentation.

Interview the system administrator.

Identify installation folders and DMGR info.

Access the DMGR system via the OS.

Stop the DMGR processes. This will shut down the application server so plan outages accordingly.

The default file paths and DefaultMgr installation names are provided below, adjust paths, and dmgr name if your installation differs from the default.

For UNIX systems:
cd /opt/IBM/Websphere/Profiles/<DefaultDmgr01>/logs/dmgr/

-stopManager.sh -user [admin user name] - password [admin user password]
-archive the SystemOut*.log files. (Copy to another location)
-startManager.sh
-grep -i cwpki0041w SystemOut.log

For Windows:
cd C:\program files\IBM\Websphere\Profiles\<DefaultDmgr01>\logs\dmgr\

-stopManager.exe -user [admin user name] - password [admin user password]
-archive the SystemOut*.log files. (Copy to another location)
-startManager.exe
-findstr -I cwpki0041w systemout.log

If the results include:
"CWPKI0041W: One or more keystores are using the default password", this is a finding.

Check Content Reference

M

Target Key

3399

Comments