WBSP-AS-001080 - The WebSphere Application Server must provide security extensions to extend SOAP protocol and provide secure authentication

Information

Application servers may provide a web services capability that could be leveraged to allow remote access to sensitive application data. A web service which is a repeatable process used to make data available to remote clients, should not be confused with a web server.

Many web services utilize SOAP, which in turn utilizes XML and HTTP as a transport. Natively, SOAP does not provide security protections. As such, the application server must provide security extensions to enhance SOAP capabilities to ensure that secure authentication mechanisms are employed to protect sensitive data. The WS_Security suite is a widely used and acceptable SOAP security extension.

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.

Solution

To attach policy sets for your service providers:
From admin console, navigate to Applications >> All applications >> [application].

For each application that is a web service provider and requires secure authentication, click on 'Service provider policy sets and bindings.'

Click button on the 'Select' column to select a resource.

Click on 'Attach Policy Set' drop down.

Select policy set that best matches the provider environment.

Click button on the 'Select' column to select the same resource.

Click on the 'Assign binding' drop down.

Select a binding that best matches the environment.

Click 'Save'.

Restart DMGR and resync the JVMs.

See Also

http://iasecontent.disa.mil/stigs/zip/U_IBM_WebSphere_Traditional_V9-x_V1R1_STIG.zip

Item Details

Category: IDENTIFICATION AND AUTHENTICATION

References: 800-53|IA-2(8), CAT|II, CCI|CCI-001941, Rule-ID|SV-96039r1_rule, STIG-ID|WBSP-AS-001080, Vuln-ID|V-81325

Plugin: Windows

Control ID: 63ea6395d04b7053fc218f587b412564d293821d922cb554a2db3301eb9d34ec