10.4 Force SSL when accessing the manager application via HTTP

Information

Use the transport-guarantee attribute to ensure SSL protection when accessing the manager application.

Rationale:

By default, when the manager application is accessed over plain HTTP, the login credentials (the manager application uses HTTP Basic authentication) are sent over the wire in clear text and can be captured by anyone positioned on the network path. Setting a <transport-guarantee> of CONFIDENTIAL in the application's web.xml makes Tomcat refuse to serve the protected resources over HTTP: a plain-HTTP request is answered with a redirect to the port named by the HTTP connector's redirectPort attribute, so the credentials are only ever submitted over SSL/TLS.

Note: This requires an SSL/TLS connector to be configured in server.xml and listening on the HTTP connector's redirectPort; without one, the redirect points at a port nothing is listening on and the manager application becomes unreachable.

Solution

Set <transport-guarantee> to CONFIDENTIAL in $CATALINA_HOME/webapps/manager/WEB-INF/web.xml. The <user-data-constraint> element must be added inside each existing <security-constraint> (after its <auth-constraint>), because a <security-constraint> without a <web-resource-collection> protects no URL patterns:

<security-constraint>
  <web-resource-collection>
    ... (existing entries, unchanged)
  </web-resource-collection>
  <auth-constraint>
    ... (existing entries, unchanged)
  </auth-constraint>
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>
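The following is an added example, not part of the CIS benchmark text or of Tomcat itself, showing how to audit and remediate this control. It parses a web.xml, reports the transport guarantee that applies to every protected url-pattern, and adds a CONFIDENTIAL <user-data-constraint> to any <security-constraint> that lacks one. The embedded web.xml is constructed for illustration: it copies the shape of the stock manager descriptor (one constraint already hardened, one not) but is not the real file, and the function names are the example's own.

```python
"""Audit and remediate <transport-guarantee> in a Tomcat manager web.xml.

Added example; not part of the CIS benchmark or of Tomcat. SAMPLE_WEB_XML below
is constructed for illustration and mirrors the structure of the stock manager
web.xml (one security-constraint per interface, BASIC auth) without being it.
"""
import xml.etree.ElementTree as ET

# Namespace used by Tomcat's Servlet 3.x/4.x descriptors.
NS = "http://xmlns.jcp.org/xml/ns/javaee"
ET.register_namespace("", NS)  # serialise back with a default namespace, no ns0: prefixes

SAMPLE_WEB_XML = """<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="4.0">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>HTML Manager interface</web-resource-name>
      <url-pattern>/html/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>manager-gui</role-name>
    </auth-constraint>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Text Manager interface</web-resource-name>
      <url-pattern>/text/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>manager-script</role-name>
    </auth-constraint>
  </security-constraint>
  <login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>Tomcat Manager Application</realm-name>
  </login-config>
</web-app>
"""


def _q(tag):
    """Clark-notation name for a tag in the web.xml namespace."""
    return "{%s}%s" % (NS, tag)


def audit(xml_text):
    """Map each protected url-pattern to its transport-guarantee (None if absent)."""
    root = ET.fromstring(xml_text)
    findings = {}
    for sc in root.findall(_q("security-constraint")):
        guarantee = sc.findtext(
            "%s/%s" % (_q("user-data-constraint"), _q("transport-guarantee"))
        )
        for pattern in sc.iter(_q("url-pattern")):
            findings[pattern.text.strip()] = guarantee and guarantee.strip()
    return findings


def is_compliant(xml_text):
    """True only when every protected url-pattern requires CONFIDENTIAL transport."""
    findings = audit(xml_text)
    return bool(findings) and all(g == "CONFIDENTIAL" for g in findings.values())


def enforce_confidential(xml_text):
    """Return web.xml text with CONFIDENTIAL set on every security-constraint.

    The schema orders user-data-constraint after auth-constraint, so a missing
    element is appended as the constraint's last child; an existing one is
    upgraded in place (e.g. from NONE or INTEGRAL).
    """
    root = ET.fromstring(xml_text)
    for sc in root.findall(_q("security-constraint")):
        udc = sc.find(_q("user-data-constraint"))
        if udc is None:
            udc = ET.SubElement(sc, _q("user-data-constraint"))
        tg = udc.find(_q("transport-guarantee"))
        if tg is None:
            tg = ET.SubElement(udc, _q("transport-guarantee"))
        tg.text = "CONFIDENTIAL"
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    print("before:", audit(SAMPLE_WEB_XML), "compliant:", is_compliant(SAMPLE_WEB_XML))
    fixed = enforce_confidential(SAMPLE_WEB_XML)
    print("after: ", audit(fixed), "compliant:", is_compliant(fixed))
```

To run it against a real installation, read $CATALINA_HOME/webapps/manager/WEB-INF/web.xml into a string, pass it to audit() to see which url-patterns are still reachable over HTTP, and write the result of enforce_confidential() back only after confirming an HTTPS connector is configured and the HTTP connector's redirectPort points at it.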

Default Value:

By default this configuration is not present: the security-constraints shipped in the manager application's web.xml carry an <auth-constraint> but no <user-data-constraint>, so the manager accepts credentials over plain HTTP.

See Also

https://workbench.cisecurity.org/benchmarks/11652

Item Details

Category: ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|AC-17(2), 800-53|IA-5, 800-53|IA-5(1), 800-53|SC-8, 800-53|SC-8(1), CSCv7|14.4

Plugin: Unix

Control ID: bbec0410c41c6d2792da593f95ed725f19f025fc21bf3a4d17481362dedeb79d