TCAT-AS-001320 - Multifactor certificate-based tokens (CAC) must be used when accessing the management interface.

Information

Password authentication does not provide sufficient security control when accessing a management interface. DOD has specified that a CAC will be used when authenticating and passwords will only be used when CAC authentication is not a plausible solution. Tomcat provides the ability to do certificate based authentication and client authentication; therefore, the Tomcat server must be configured to use CAC.

Satisfies: SRG-APP-000391-AS-000239, SRG-APP-000392-AS-000240, SRG-APP-000402-AS-000247, SRG-APP-000403-AS-000248

Solution

From the Tomcat server as a privileged user, edit the $CATALINA_BASE/webapps/manager/WEB-INF/web.xml file and modify the auth-method for the manager application security constraint.

sudo nano $CATALINA_BASE/webapps/manager/WEB-INF/web.xml

Locate <auth-method> contained within the <login-config> section, modify <auth-method> to specify CLIENT-CERT.

EXAMPLE:
<auth-method>CLIENT-CERT</auth-method>

In addition, the connector used for accessing the manager application must be configured to require client authentication by setting clientAuth='true' and the manager application roles must be configured in the LDAP server.

Restart the Tomcat server:
sudo systemctl restart tomcat

See Also

https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_Apache_Tomcat_Application_Server_9_V3R1_STIG.zip

Item Details

Category: IDENTIFICATION AND AUTHENTICATION

References: 800-53|IA-2(12), 800-53|IA-8(1), CAT|II, CCI|CCI-001953, CCI|CCI-001954, CCI|CCI-002009, CCI|CCI-002010, CCI|CCI-004046, CCI|CCI-004047, Rule-ID|SV-222993r985888_rule, STIG-ID|TCAT-AS-001320, STIG-Legacy|SV-111509, STIG-Legacy|V-102569, Vuln-ID|V-222993

Plugin: Unix

Control ID: 449d8a10ad0cbb0d3dbffd0cb6b6a11d827bfdff0f9fff1aec10f8cf32b6461a