20 - Enable Encryption

Information

The ENCRYPT protocol loads a shared symmetric key from a keystore and uses it to encrypt the JGroups cluster traffic (session and state replication, cache distribution and so on) of every protocol placed above it in the stack. Every cluster member must be given a copy of the same keystore.

Before configuring the AS, create a separate keystore dedicated to JGroups; do not reuse the server's TLS keystore.

JGroups does not read the JKS keystores that the standard JDK keytool produces by default: ENCRYPT expects a JCEKS keystore holding a symmetric secret key under the configured alias. Create it with the KeyStoreGenerator class shipped in the demo package of JGroups:

java -cp /your/path/to/jboss/modules/system/layers/base/org/jgroups/main/JGroups-version.jar org.jgroups.demos.KeyStoreGenerator --alg AES --size 128 --storeName FILENAME --storePass PASSWORD --alias MyKey

The value given to --storePass protects both the keystore file and the key entry inside it, so the same password is used for keyPassword and storePassword in the protocol configuration below. Keep the keystore file readable only by the user running JBoss, and copy it to the other cluster members over an authenticated channel rather than over the cluster itself.

NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.

Solution

Include the ENCRYPT protocol in the standalone-full-ha.xml of your JBoss AS instance, directly after the transport of each stack you use:

<stack name="udp">
    <transport type="UDP" socket-binding="jgroups-udp" diagnostics-socket-binding="jgroups-diagnostics"/>
    <protocol type="ENCRYPT">
        <property name="encrypt_entire_message">true</property>
        <property name="sym_init">128</property>
        <property name="sym_algorithm">AES/ECB/PKCS5Padding</property>
        <property name="asym_init">512</property>
        <property name="asym_algorithm">RSA</property>
        <property name="keyPassword">YOURKEYSTOREPASSWORD</property>
        <property name="keyStoreName">path/to/keystore</property>
        <property name="alias">MyKey</property>
        <property name="storePassword">YOURKEYSTOREPASSWORD</property>
    </protocol>
    ....
</stack>

keyPassword and storePassword are both the value passed to KeyStoreGenerator as --storePass, alias is the value passed as --alias, and sym_init and sym_algorithm should match the --size and --alg used to generate the key. asym_init and asym_algorithm are only used when ENCRYPT runs without a keystore and fetches the key from the cluster coordinator; with a keystore configured they are not used. The transport element is self-closing; the protocol elements are siblings of it inside the stack, not children of it.

The ENCRYPT element can be moved up or down the list of protocols: only the protocols listed after it (above it in the JGroups stack) have their messages encrypted, while the transport and any protocol listed between the transport and ENCRYPT keep sending in cleartext. Placing it first, as shown, protects the whole stack. Two caveats a reviewer should note: ECB mode, as in the sym_algorithm value shown, encrypts identical plaintext blocks to identical ciphertext, and the keystore password appears in cleartext in the configuration file, so restrict the file's permissions the same way as the keystore itself.
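The following script is an added example for this benchmark item, not Nessus, JBoss or JGroups code. It reads a standalone-full-ha.xml, walks every JGroups stack and reports the conditions a compliance review would flag: no ENCRYPT protocol, encrypt_entire_message not set to true, missing keystore properties, placeholder passwords left in place, ECB mode, and protocols listed between the transport and ENCRYPT, which stay unencrypted. It assumes the AS 7 subsystem layout (stack containing a transport followed by protocol elements, each with property children) and ignores the schema namespace version; SAMPLE_CONFIG is a constructed configuration used when no file path is given.

```python
"""Audit a JBoss AS 7 standalone-full-ha.xml for ENCRYPT coverage of each JGroups stack.

Added example for this benchmark page; it is not Nessus, JBoss or JGroups code.
Assumptions: the jgroups subsystem follows the AS 7 layout (stack > transport/protocol >
property), the transport is listed first, and a protocol is protected only when it is
listed after ENCRYPT. SAMPLE_CONFIG is constructed for illustration.
"""
import sys
import xml.etree.ElementTree as ET

# Values that indicate the operator never replaced the benchmark's placeholders.
PLACEHOLDER_PREFIXES = ("YOUR", "changeit", "PASSWORD")
REQUIRED_PROPERTIES = ("keyStoreName", "alias", "keyPassword", "storePassword")

# Constructed sample: the udp stack has ENCRYPT after PING with a placeholder
# password and ECB mode; the tcp stack has no ENCRYPT at all.
SAMPLE_CONFIG = """<server xmlns="urn:jboss:domain:1.4">
  <profile>
    <subsystem xmlns="urn:jboss:domain:jgroups:1.1" default-stack="udp">
      <stack name="udp">
        <transport type="UDP" socket-binding="jgroups-udp"/>
        <protocol type="PING"/>
        <protocol type="ENCRYPT">
          <property name="encrypt_entire_message">true</property>
          <property name="sym_algorithm">AES/ECB/PKCS5Padding</property>
          <property name="keyPassword">YOURKEYSTOREPASSWORD</property>
          <property name="keyStoreName">/opt/jboss/jgroups.keystore</property>
          <property name="alias">MyKey</property>
          <property name="storePassword">s3cret</property>
        </protocol>
        <protocol type="MERGE2"/>
        <protocol type="FD_SOCK" socket-binding="jgroups-udp-fd"/>
      </stack>
      <stack name="tcp">
        <transport type="TCP" socket-binding="jgroups-tcp"/>
        <protocol type="MPING" socket-binding="jgroups-mping"/>
      </stack>
    </subsystem>
  </profile>
</server>
"""


def _local(tag):
    """Strip the XML namespace so the checks work for any jgroups schema version."""
    return tag.rsplit("}", 1)[-1]


def audit_stack(stack):
    """Return the list of findings for one <stack> element (empty list means pass)."""
    findings = []
    protocols = [c for c in stack if _local(c.tag) == "protocol"]
    enc_positions = [i for i, p in enumerate(protocols) if p.get("type") == "ENCRYPT"]
    if not enc_positions:
        return ["no ENCRYPT protocol in stack"]
    idx = enc_positions[0]
    props = {p.get("name"): (p.text or "").strip()
             for p in protocols[idx] if _local(p.tag) == "property"}

    if props.get("encrypt_entire_message", "").lower() != "true":
        findings.append("encrypt_entire_message is not true (message headers stay in cleartext)")
    for key in REQUIRED_PROPERTIES:
        if not props.get(key):
            findings.append("missing property " + key)
    for key in ("keyPassword", "storePassword"):
        value = props.get(key, "")
        if any(value.startswith(prefix) for prefix in PLACEHOLDER_PREFIXES):
            findings.append("placeholder value left in " + key)
    if "/ECB/" in props.get("sym_algorithm", ""):
        findings.append("sym_algorithm uses ECB mode (equal plaintext blocks give equal ciphertext)")
    # Protocols listed before ENCRYPT sit between it and the transport and are not encrypted.
    unprotected = [p.get("type") for p in protocols[:idx]]
    if unprotected:
        findings.append("protocols listed before ENCRYPT are unprotected: " + ", ".join(unprotected))
    return findings


def audit_jgroups(xml_text):
    """Map every stack name in the configuration to its findings."""
    root = ET.fromstring(xml_text)
    return {s.get("name", "?"): audit_stack(s) for s in root.iter() if _local(s.tag) == "stack"}


def main():
    # Usage: python audit_jgroups_encrypt.py [path/to/standalone-full-ha.xml]
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CONFIG
    for name, findings in audit_jgroups(text).items():
        print("[%s] stack %s" % ("PASS" if not findings else "FAIL", name))
        for finding in findings:
            print("    - " + finding)


if __name__ == "__main__":
    main()
```

Run it against the real configuration file to get one PASS/FAIL line per stack; a stack passes only when ENCRYPT is the first protocol after the transport, encrypt_entire_message is true, all four keystore properties are set to non-placeholder values and the cipher is not in ECB mode.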

See Also

https://docs.jboss.org/author/display/AS72/Hardening+Guidelines

Item Details

Category: SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|SC-13

Plugin: Unix

Control ID: 6a959134a9c2c963036d43bcb65480b0a7f46df0e4c7f9d34e12315087f28f7d