JBOS-AS-000300 - JBoss KeyStore and Truststore passwords must not be stored in clear text.

Information

Access to the JBoss Password Vault must be secured, and the password used to access must be encrypted. There is a specific process used to generate the encrypted password hash. This process must be followed in order to store the password in an encrypted format.

The admin must utilize this process in order to ensure the Keystore password is encrypted.

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.

Solution

Configure the application server to mask the java keystore password as per the procedure described in section 11.13.3 -Password Vault System in the JBoss_Enterprise_Application_Platform-6.3-Administration_and_Configuration_Guide-en-US document.

See Also

https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_JBoss_EAP_6-3_V2R4_STIG.zip

Item Details

Category: IDENTIFICATION AND AUTHENTICATION

References: 800-53|IA-5(1)(c), CAT|II, CCI|CCI-000196, Rule-ID|SV-213531r954864_rule, STIG-ID|JBOS-AS-000300, STIG-Legacy|SV-76779, STIG-Legacy|V-62289, Vuln-ID|V-213531

Plugin: Unix

Control ID: be604bcfb4481578fcb6113814a11aad8f5948cf3e0d7104a13676d2ce9edbac