JBOS-AS-000015 - HTTPS must be enabled for JBoss web interfaces.

Information

Encryption is critical for protection of web-based traffic. If encryption is not being used to protect the application server's web connectors, malicious users may gain the ability to read or modify the application traffic while it is in transit over the network. The use of cryptography on web connectors secures web-based traffic and mitigates that risk. HTTPS and Transport Layer Security (TLS) are the means in which cryptographic protections are applied to web connectors.

FIPS 140-2 approved TLS versions include TLS V1.2 or greater.

Solution

Follow procedure '4.4. Configure the JBoss Web Server to use HTTPS.' The detailed procedure is found in the JBoss EAP 6.3 Security Guide available at the vendor's site, RedHat.com. An overview of steps is provided here.

1. Obtain or generate DoD-approved SSL certificates.
2. Configure the SSL certificate using your certificate values.
3. Set the SSL protocol to TLS V1.2 or greater.

See Also

https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_JBoss_EAP_6-3_V2R4_STIG.zip

Item Details

Category: ACCESS CONTROL

References: 800-53|AC-17(2), CAT|II, CCI|CCI-001453, Rule-ID|SV-213495r954688_rule, STIG-ID|JBOS-AS-000015, STIG-Legacy|SV-76705, STIG-Legacy|V-62215, Vuln-ID|V-213495

Plugin: Unix

Control ID: 102aa18e3768adee6d9b25f23248d524cffcdad82cb7967a643117e0f031288b