TCAT-AS-000700 - DOD root CA certificates must be installed in Tomcat trust store.

Information

Tomcat truststores are used to validate client certificates. On the Ubuntu OS, by default, Tomcat uses the 'cacerts' file as the CA trust store. The file is located in the /etc/ssl/certs/java/ folder with a link to the file in $JAVA_HOME/lib/security/cacerts. However, this location can be modified by setting the value of the javax.net.ssl.trustStore system property. Setting this property within an OS environment variable will change the location to point to a different trust store.

The Java OS environment variables in the systemd Tomcat startup file must be checked in order to identify the location of the trust store on the file system. (The STIG uses the name tomcat.service as a reference, but technically this file can be called anything).

If the property is not set, then the default location is used for the truststore.

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.

Solution

Obtain and install the DOD PKI CA certificate bundles by accessing the DOD PKI office website at cyber.mil/pki-pke.

Import the DOD CA certificates.

See Also

https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_Apache_Tomcat_Application_Server_9_V3R1_STIG.zip

Item Details

Category: IDENTIFICATION AND AUTHENTICATION

References: 800-53|IA-5(2)(a), CAT|II, CCI|CCI-000185, CCI|CCI-004909, Rule-ID|SV-222966r985891_rule, STIG-ID|TCAT-AS-000700, STIG-Legacy|SV-111457, STIG-Legacy|V-102515, Vuln-ID|V-222966

Plugin: Unix

Control ID: f2534b528767926230ecb324fe564a96406384b9fdf50e7b229af6151a97df7f