Select any two versions of this STIG to compare the individual requirements
Select any old version/release of this STIG to view the previous requirements
Review system documentation. Identify the application session requirements. In the administrative console page, click Servers >> Server Types >> WebSphere application servers >> [server_name] >> Session management. Ensure the Maximum in-memory session count field is set to the number of sessions allowable. If not set according to application requirements, this is a finding.
In the administrative console page, click Servers >> Server Types >> WebSphere application servers >> [server_name] >> Session management. Edit the Maximum in-memory session count field to be the number of sessions allowable.
Review System Security Plan and system configuration documentation. Access the Deployment Manager (DMGR) operating system. Locate the deployment.xml file. The default file location where deployment.xml is installed are provided below. UNIX: /opt/IBM/WebSphere/Profiles/DefaultDmgr01/config/cells/<CELL NAME>/applications/isclite.ear/deployments/isclite/ Windows: C:\Program Files\IBM\WebSphere\Profiles\DefaultDmgr01\config\cells\<CELL NAME>\applications\isclite.ear\deployments\isclite\ Search the deployment.xml file for the string, "invalidationtimeout=" UNIX: grep -i invalidationtimeout $PATH/deployment.xml Windows: findstr -I invalidationtimeout= $PATH\deployment.xml The value is expressed in minutes and the default value is set to "30 minutes". If "invalidationtimeout" is not set to "10 minutes", this is a finding.
Locate the deployment.xml file. The default file locations where deployment.xml is installed are provided below. UNIX: /opt/IBM/WebSphere/Profiles/DefaultDmgr01/config/cells/<CELL NAME>/applications/isclite.ear/deployments/isclite/ Windows: C:\Program Files\IBM\WebSphere\Profiles\DefaultDmgr01\config\cells\<CELL NAME>\applications\isclite.ear\deployments\isclite\ Make a backup copy of the deployment.xml file. Edit the deployment.xml file. Modify the "invalidationtimeout=" value and set to "10". Restart the DMGR and all the JVMs.
Review System Security Plan documentation. Identify the required "Automatic CheckPoint Depth" setting that has been defined. From administrative console, click System administration >> Extended repository service. If "Enable automatic repository checkpoints" is not selected or if the "automatic checkpoint depth" is less than the number of saves defined in the System Security Plan, this is a finding.
From administrative console click System administration >> Extended repository service >> Enable automatic repository checkpoints. Enter a "checkpoint depth value" according to the security plan. Restart the DMGR and all the JVMs.
From the administrative console, click Security >> Global Security. If "Enable administrative security" is not selected, this is a finding.
From the administrative console, click Security >> Global Security. Click "Enable administrative security". Click "Save". Restart the DMGR and all the JVMs.
Review System Security Plan documentation. Interview the system administrator. Identify the service integration buses configured on the WAS. If there are no service integration buses, this requirement is NA. From the administration console, navigate to Security >> Bus Security. For each service integration bus, if security is not enabled, this is a finding.
From the administration console, navigate to Security >> Bus Security. For each service integration bus where security is not enabled, click on "Disabled". Click the check box to "Enable bus security". Configure the transport settings and authorization policies according to application security access requirements specified in the security plan.
In the administrative console, navigate to Security >> Security auditing. If "Enable security auditing" is not enabled, this is a finding.
In the administrative console, navigate to Security >> Security auditing to enable. Restart the DMGR and all the JVMs.
Review System Security Plan documentation. Identify groups and roles. In the administrative console, navigate to Users and Groups >> Administrative Group Roles. Check the roles for each group and compare to System Security Plan. If any group is not authorized by the ISSO/ISSM to be in an auditor role, this is a finding.
Document all groups in an Auditor role in the security plan. In the administrative console, navigate to Users and Groups >> Administrative group roles. If an unauthorized group is in the auditor role, remove the auditor role from the group. Restart the DMGR and all the JVMs.
Review System Security Plan documentation. Identify users and roles. In the administrative console, navigate to Users and Groups >> Administrative User Roles. Check the roles for each user. If any user is not authorized by the ISSO/ISSM to be in the role of an auditor, this is a finding.
In the administrative console, navigate to Users and Groups >> Administrative User roles. If an unauthorized user is in the auditor role, remove the user from the auditor role. Restart the DMGR and all the JVMs.
In the administrative console, navigate to Security >> Security auditing >> Event type Filters. Verify the following events and outcomes are enabled in the "Events and Outcomes" box. Also note the name of the filter associated with these events. This name will be referenced in STIG ID WBSP-AS-000110. AUTHN: SUCCESS,INFO,WARNING,ERROR,DENIED,REDIRECT AUTHZ: SUCCESS,INFO,WARNING,ERROR,DENIED,REDIRECT AUTHN_TERMINATE: SUCCESS,INFO,WARNING,ERROR,DENIED,REDIRECT REPOSITORY_SAVE: SUCCESS,INFO,WARNING,ERROR,DENIED,REDIRECT If these audit filters are not configured in "Events and Outcomes", this is a finding.
In the administrative console, navigate to Security >> Security auditing >> Event type Filters. Click the "New" button to create a new filter; give it a unique name. Select SECURITY_AUTHN, SECURITY_AUTHZ, SECURITY_AUTHN_TERMINATE, and ADMIN_REPOSITORY_SAVE from "Selectable events". Add them to the "Enabled events" box by clicking on the right arrow. Select INFO, ERROR, SUCCESS, DENIED, REDIRECT, and WARNING from the "Selectable event outcomes" box. Click the right arrow to fill in "Enabled events outcomes" box. Click "OK". Restart the DMGR and all the JVMs.
In the administrative console, navigate to Security >> Security auditing >> Audit Service Provider [provider name]. Under "Enabled filters", determine if the filter name from select the name of the filter that was recorded from STIG ID WBSP-AS-000100. If the filter that was identified in STIG ID WBSP-AS-000100 is not enabled, this is a finding.
In the administrative console, navigate to Security >> Security auditing >> Event type Filters. Identify and record the event type filter that contains the required "Events and Outcomes". In the administrative console, click on Security >> Security auditing >> Audit Service Provider [provider name]. Under "Selectable filters", select the filter that was previously identified and recorded. Click the right arrow to add it to the list. Click "OK". Click "Save" to save the changes. Restart the DMGR and all the JVMs.
If the systems user registry is managed by LDAP, this requirement is NA. Review the System Security Plan documentation. Interview the system administrator. Obtain a list of authorized users. In the administrative console, navigate to Users and Groups >> Manage Groups. Select each group. Select the "Members" tab. Validate the members of the group are authorized. If users in the group are not authorized by the ISSO/ISSM, this is a finding.
From administrative console, navigate to Users and Groups >> Administrative group roles. Note: names of the groups and the roles assigned to each group. Navigate back to User and Groups >> Manage Groups. Click on every group. For each group, click on users. If there is any user who does not belong to the group based on the roles assigned to the group, click on the checkbox next to the user. Click "Remove". Restart the DMGR and all the JVMs.
From the administrative console, navigate to Security >> SSL certificate and key management. Click "SSL configurations". Click on each SSL configuration to review. Under "Additional Properties", click "Quality of protection (QoP)" settings. If the "Protocol" field does not show "TLSv1.2 or greater", this is a finding.
From the administrative console, navigate to Security >> SSL certificate and key management. Click "SSL configurations". Click on each SSL configuration. Under "Additional Properties", click "Quality of protection (QoP)" settings. At the "Protocol" pull-down menu, select "TLSv1.2 or greater". Click "OK". Click "Save". Restart the DMGR and all the JVMs.
From the administrative console, navigate to Security >> Global Security. If "Enable administrative security" and "Enable application security" are not selected, this is a finding.
From the administrative console, navigate to Security >> Global Security. Click on "Enable administrative security". Click on "Enable application security". Click "OK". Click "Save". Restart the DMGR and all the JVMs.
From the administrative console, navigate to Security >> Global Security. Expand "Web and SIP security". Click on "Single sign-on (SSO)". If "requires SSL" is not selected, this is a finding.
From the administrative console, navigate to Security >> Global Security. Expand "Web and SIP security". Click on "Single sign-on (SSO)". Select "Requires SSL". Click "OK". Click "Save". Restart the DMGR and all the JVMs.
From the administrative console, navigate to Security >> Global Security. Expand "Web and SIP security". Click on "Single sign-on (SSO)". If "Set security cookies to HTTPOnly" is not selected, this is a finding.
From the administrative console, navigate to Security >> Global Security. Expand "Web and SIP security". Select "Set security cookies to HTTPOnly". Click "OK". Click "Save". Restart the DMGR and all the JVMs.
From the admin console, select Security >> Global Security >> Java 2 Security. If "Use Java 2 security to restrict application access to local resources" is not selected, this is a finding.
From the admin console, select Security >> Global Security >> Java 2 Security. Select the "Use Java 2 security to restrict application access to local resources" check box. Ensure the application security policies are defined and access permissions are granted accordingly. Policies are created and access is granted on an application by application basis. Application access to the underlying host is based upon application access requirements.
If the system is a development or test system, this requirement is NA. From the admin console, select Servers >> Server Types >> WebSphere application servers. For each application server, select Server Infrastructure >> Administration >> Custom properties. If the "com.ibm.websphere.java2secman.norethrow" resource value exists and is set to "true", this is a finding.
From the admin console, select Servers >> Server Types >> WebSphere application servers. For each application server, select Server Infrastructure >> Administration >> Custom properties. Delete the "com.ibm.websphere.java2secman.norethrow" resource value from production systems.
Review System Security Plan documentation. In the administrative console, navigate to Users and Groups >> Administrative user roles. If users assigned to the admin role are not authorized by the ISSO/ISSM, this is a finding.
Navigate to User and Groups >> Administrative user roles. If an unauthorized user is assigned to the admin role, click on the user, remove admin rights and assign proper roles as defined in System Security Plan. Do not delete any user with the "Primary administrative user name" designation. Click "OK". Click "Save". Restart the DMGR and all the JVMs.
Review System Security Plan documentation. Review details regarding LDAP groups that are mapped to WebSphere roles. In the administrative console, under Users and Groups >> Administrative group roles. If there is a LDAP group or groups assigned to a WebSphere role that has not been authorized by the ISSO/ISSM, this is a finding.
Navigate to User and Groups >> Administrative group roles. If any group is assigned roles that the group should not have, click on the group. Assign only the role(s) the group should have. Click "OK". Click "Save". Restart the DMGR and all the JVMs.
If a file based or local federated repository is in use, this requirement is NA. Review System Security Plan documentation. Interview the system administrator. In the administrative console select Security >> Global Security. Under "User Account Repository", verify the "Available realm Definition" is set to "Standalone LDAP registry". Select "Configure". The properties of the LDAP repository are displayed for purposes of identifying the LDAP server. Work with the admin of LDAP repository. Identify users and groups. Validate members of groups are authorized. If the group members have not been authorized by the ISSO/ISSM, this is a finding.
In the LDAP server admin console, assign WebSphere users to the appropriate WebSphere group.
Point browser to the URL of the WebSphere administration console. If the Standard Mandatory DoD Notice and Consent Banner is not displayed, this is a finding.
Open the file ${WAS_HOME}/properties/login.info. Follow the instructions in the HTML comment section to create the pre-logon banner. Enter the Standard DoD Mandatory Notice and Consent banner into the HTML section. If logged on to the admin console, log out and log back on to validate the changes. Restart the DMGR and all the JVMs.
Point browser to the URL of the WebSphere administration console. If the Standard Mandatory DoD Notice and Consent Banner is not retained until the user acknowledges the usage conditions, this is a finding.
Open the file ${WAS_HOME}/properties/login.info. Follow the instructions in the HTML comment section to create the pre-logon banner. Enter the Standard DoD Mandatory Notice and Consent banner into the HTML section. If logged on to the admin console, log out and log back on to validate the changes. Restart the DMGR and all the JVMs.
In the administrative console, navigate to Security >> Security auditing >> Audit Service Provider. Click on the providers in the list. Note: names of all the filters, e.g., "DefaultAuditSpecification_1". Go back to Security >> Security auditing >> Event type Filters. Find the filters previously noted. If you do not see the filter for SECURITY_AUTHN, SECURITY_AUTHZ, SECURITY_AUTHN_TERMINATE, and ADMIN_REPOSITORY_SAVE that has INFO, ERROR, SUCCESS, DENIED, REDIRECT, and WARNING defined, this is a finding.
In the administrative console, navigate to Security >> Security auditing >> Audit Service Provider. Click on the providers in the list. Note the names of all the filters, e.g., "DefaultAuditSpecification_1". Go back to Security >> Security auditing >> Event type Filters. Find the filters previously noted. If you do not see that the provider filter for SECURITY_AUTHN, SECURITY_AUTHZ, SECURITY_AUTHN_TERMINATE, and ADMIN_REPOSITORY_SAVE that has INFO, ERROR, SUCCESS, DENIED, REDIRECT, and WARNING defined, click the "New" button to create a new filter. Give it a unique name. Select "SECURITY_AUTHN" and "ADMIN_REPOSITORY_SAVE" from the "Events to associate with audit filter" field. Click the right arrow to fill in "Enabled events" field. From "Event outcomes to associate with an audit filter" field, select INFO, ERROR, SUCCESS, DENIED, REDIRECT, and WARNING. Click the right arrow to fill in "Enabled event outcomes" field. Click "OK". Go back to Security >> Security auditing >> Audit Service Provider >> [provider]. Under "Selectable filters", select the new filter just created. Click the right arrow to add it to the list. Click "OK". Click "Save". Restart the DMGR and all the JVMs.
Review System Security Plan documentation. Identify the JVM log size and rotation settings based on component log policy. From the administrative console, navigate to Troubleshooting >> Logs and Trace. Choose [server name]. Click on the server name to select it. Click "JVM" Logs. For "System.out" verify "File Size" is selected and "Maximum size" and "Maximum Historical Log Files" are set according to the System Security Plan. For "System.err" verify "File Size" is selected and "Maximum size" and "Maximum Historical Log Files" are set according to the System Security Plan. If log size and log history retention settings for "System.err" and "System.out" are not set as per the System Security Plan, this is a finding.
Identify JVM log size and history retention based on component log policy. Document those values in the System Security Plan. From the administrative console, navigate to Troubleshooting >> Logs and Trace. Select each [server name]. Click "JVM" Logs. Under "System.out", "Log Rotation", select "File size" in the "Maximum Size" entry field, enter the maximum log size based on policy. Under "System.err", "Log Rotation", select "File Size" in the "Maximum Size" entry field, enter the maximum log size based on policy. Click "OK". Click "Save".
Review System Security Plan documentation. Identify the Audit Service Provider log size and rotation settings based on component log policy. From administrative console, click Security >> Security auditing >> Audit service provider. Select each [audit_service_provider_name]. If "Audit Log Size" and "Max Number of Audit Log Files" are not configured as per the System Security Plan, this is a finding.
Identify Audit Service Provider log size and history retention based on component log policy. Document those values in the System Security Plan. From administrative console, click Security >> Security auditing >>Related Items>> Audit service provider >> [audit_service_provider_name]. Under Audit log file size specify the size of the file in MB as defined by your policy. Under "Maximum number of audit logs files", specify the maximum number of logs you want to keep on the file system as defined by your policy. Click "OK". Click "Save".
If notifications of log processing failures are done via an alternative notification process, this is not a finding. In the administrative console, navigate to Security >> Security auditing >> Audit monitor. If "Enabled monitoring" is not checked and "Monitor notification" is not set to a name in the notifications list, this is a finding.
Establish and utilize a notification process for WebSphere log events or configure WebSphere to send log events alerts via email. In the administrative console, navigate to Security >> Security auditing >> Audit monitor. Select a "Monitor" notification from the dropdown box or create a new notification. Click on "New". Specify a unique name for the new notification. Click "Message log" checkbox. Select "Email sent to notification list". Enter emails in the "Email address to add" field. Enter the mail server address in the "Outgoing mail (STMP) server" field. Click ">" to put email in "List of email addresses" field. Click "OK". Select the "Enable monitoring" check box to turn on audit failure notifications. Select the notification configuration to be used from the "Monitor notification" dropdown menu. Click "OK". Click "Save".
If the SA and ISSO are notified of log processing failures via an alternative notification process, this is not a finding. In the administrative console, navigate to Security >> Security auditing >> Audit monitor. If "Enabled monitoring" is not checked and "Monitor notification" is not set to a notification in the notifications list, that includes the SA and ISSO, this is a finding.
Establish and utilize a notification process for WebSphere log events or configure WebSphere to send log event alerts via email. In the administrative console, navigate to Security >> Security auditing >> Audit monitor. Click on "New" button. Specify a unique name for the new notification name. Click "Message log" checkbox. Select "Email sent to notification list". Enter SA and ISSO emails in the "Email address to add" field. Enter the mail server address in the "Outgoing mail (STMP) server" field. Click ">" to put email in "List of email addresses" field. Click "OK". Select the "Enable monitoring" check box to turn on audit failure notifications. Select the notification configuration to be used from the "Monitor notification" dropdown menu. Click "OK". Click "Save".
In the administrative console, navigate to Security >> Security auditing. If "Audit subsystem failure action" is not set to "Log Warning", this is a finding.
In the administrative console, navigate to Security >> Security auditing. Click the "Audit subsystem failure action" dropdown box. Select "Log Warning". Click "Apply". Click "Save" to save the configuration. Restart the DMGR and all JVMs.
If the System Security Plan documentation specifies system availability is an overriding concern, this requirement is NA. In the admin console click Security >> Security Auditing. If "Audit subsystem failure action" is not set to "Terminate", this is a finding.
In the admin console click Security >> Security Auditing. Set "Audit subsystem failure action" to "Terminate". Restart the DMGR and all JVMs.
If the System Security Plan documentation does not require redundancy, this requirement is NA. Click Servers >> Clusters >> WebSphere application server clusters. Ensure you have a cluster defined for every application requiring redundancy. If there is not a cluster defined for every application requiring redundancy, this is a finding.
In the admin console, Click Servers >> Clusters >> WebSphere application server clusters. Define a cluster for every high availability application as outlined in the System Security Plan documentation. Refer to vendor documentation for steps on creating a fail over cluster.
Review system documentation and System Security Plan. Identify the home folder and user account for the WebSphere installation. Log on to the operating system that is hosting the WebSphere application server. By default, WebSphere will be installed in the "/opt/IBM/Websphere" folder on UNIX like systems and in the "C:\Program Files\IBM\Websphere\" folder on Windows systems. On UNIX systems, verify file permissions for the "WebSphere" folder are set to "770" for the WebSphere user, group, and other. Permissions do not propagate to sub-folders. On Windows systems, verify file permissions for "WebSphere" folder allow SYSTEM, WebSphere User and Admin Group full control. Permissions do not propagate to sub-folders. If file permissions exceed these restrictions, this is a finding.
On the system hosting the WebSphere application server, log on to the operating system with admin rights. Navigate to the WebSphere folder, change permissions on the folder. Do not propagate permissions to sub-folders. For UNIX systems: set "WebSphere" folder permissions to "770". For Windows systems: set "WebSphere" folder permission to allow full control for SYSTEM, WebSphere user and Admin Group. Do not propagate permissions to sub-folders.
Review System Security Plan and the system documentation. Identify the home folder and user account for the WebSphere installation. Log on to the operating system that is hosting the WebSphere application server. By default, WebSphere will be installed in the "/opt/IBM/Websphere" folder on UNIX like systems and in the "C:\Program Files\IBM\Websphere\" folder on Windows systems. On UNIX systems, verify file permissions for the "WebSphere" folder are set to "770" for the WebSphere user, group and other. Permissions do not propagate to sub-folders. On Windows systems, verify file permissions for "WebSphere" folder allow SYSTEM, WebSphere User, and Admin Group full control. Permissions do not propagate to sub-folders. If file permissions exceed these restrictions, this is a finding.
On the system hosting the WebSphere application server, log on to the operating system with admin rights. Navigate to the "WebSphere" folder, change permissions on the folder. Do not propagate permissions to sub-folders. For UNIX systems: set "WebSphere folder" permissions to "770". For Windows systems: set "WebSphere folder" permission to allow full control for SYSTEM, WebSphere user, and Admin Group. Do not propagate permissions to sub-folders.
Review System Security Plan and the system documentation. Identify the home folder and user account for the WebSphere installation. Log on to the operating system that is hosting the WebSphere application server. By default, WebSphere will be installed in the "/opt/IBM/Websphere" folder on UNIX like systems and in the "C:\Program Files\IBM\Websphere\" folder on Windows systems. On UNIX systems, verify file permissions for the "WebSphere" folder are set to "770" for the WebSphere user, group, and other. Permissions do not propagate to sub-folders. On Windows systems, verify file permissions for "WebSphere" folder allow SYSTEM, WebSphere User and Admin Group full control. Permissions do not propagate to sub-folders. If file permissions exceed these restrictions, this is a finding.
On the system hosting the WebSphere application server, log on to the operating system with admin rights. Navigate to the WebSphere folder, change permissions on the folder. Do not propagate permissions to sub-folders. For UNIX systems: set "WebSphere" folder permissions to "770". For Windows systems: set "WebSphere" folder permission to allow full control for SYSTEM, WebSphere user, and Admin Group. Do not propagate permissions to sub-folders.
Review System Security Plan and the system documentation. Identify the home folder and user account for the WebSphere installation. Log on to the operating system that is hosting the WebSphere application server. By default, WebSphere will be installed in the "/opt/IBM/Websphere" folder on UNIX like systems and in the "C:\Program Files\IBM\Websphere\" folder on Windows systems. On UNIX systems, verify file permissions for the "WebSphere" folder are set to "770" for the WebSphere user, group, and other. Permissions do not propagate to sub-folders. On Windows systems, verify file permissions for "WebSphere" folder allow SYSTEM, WebSphere User, and Admin Group full control. Permissions do not propagate to sub-folders. If file permissions exceed these restrictions, this is a finding.
On the system hosting the WebSphere application server, log on to the operating system with admin rights. Navigate to the "WebSphere" folder, and change permissions on the folder. Do not propagate permissions to sub-folders. For UNIX systems: set the "WebSphere" folder permissions to "770". For Windows systems: set the "WebSphere" folder permission to allow full control for SYSTEM, WebSphere user, and Admin Group. Do not propagate permissions to sub-folders.
Review System Security Plan and the system documentation. Identify the home folder and user account for the WebSphere installation. Log on to the operating system that is hosting the WebSphere application server. By default, WebSphere will be installed in the "/opt/IBM/Websphere" folder on UNIX like systems and in the "C:\Program Files\IBM\Websphere\" folder on Windows systems. On UNIX systems, verify file permissions for the "WebSphere" folder are set to "770" for the WebSphere user, group, and other. Permissions do not propagate to sub-folders. On Windows systems, verify file permissions for "WebSphere" folder allow SYSTEM, WebSphere User, and Admin Group full control. Permissions do not propagate to sub-folders. If file permissions exceed these restrictions, this is a finding.
On the system hosting the WebSphere Application Server, log on to the operating system with admin rights. Navigate to the "WebSphere" folder. Change the permissions on the folder. Do not propagate permissions to sub-folders. For UNIX systems: set the "WebSphere" folder permissions to "770". For Windows systems: set the "WebSphere" folder permission to allow full control for SYSTEM, WebSphere user, and Admin Group. Do not propagate permissions to sub-folders.
Review system documentation and security plan. Identify the home folder and user account for the WebSphere installation. Log on to the operating system that is hosting the WebSphere application server. By default, WebSphere will be installed in the "/opt/IBM/Websphere" folder on UNIX like systems and in the "C:\Program Files\IBM\Websphere\" folder on Windows systems. On UNIX systems, verify file permissions for the "WebSphere" folder are set to "770" for the WebSphere user, group, and other. Permissions do not propagate to sub-folders. On Windows systems, verify file permissions for WebSphere folder allow SYSTEM, WebSphere User, and Admin Group full control. Permissions do not propagate to sub-folders. If file permissions exceed these restrictions, this is a finding.
On the system hosting the WebSphere application server, log on to the operating system with admin rights. Navigate to the "WebSphere" folder, change permissions on the folder. Do not propagate permissions to sub-folders. For UNIX systems: set the "WebSphere" folder permissions to "770". For Windows systems: set "WebSphere" folder permission to allow full control for SYSTEM, WebSphere user, and Admin Group. Do not propagate permissions to sub-folders.
Review System Security Plan documentation. If the System Security Plan does not specify the encryption of audit records, this requirement is NA. From the administrative console, click Security >> Security Auditing >> Audit record encryption configuration. If the "Enable encryption" check box is not selected, this is a finding.
From the administrative console, click Security >> Security Auditing >> Audit record encryption configuration. Select the "Enable encryption" checkbox. Select the keystore that contains the encrypting certificate from the drop-down menu or click "New" to create a new keystore. If you are using an existing certificate to encrypt your audit records, ensure the Certificate in the keystore is selected and specify the intended certificate in the "Certificate alias" drop-down menu. If you are generating a new certificate to encrypt your audit records, do NOT use the "Create a new certificate in the selected keystore" option, this will generate a SHA-1 signed certificate, which is not allowed. Instead, select Security >> SSL Certificate and key management >> KeyStores and Certificates. Select the keystore that is associated with the server hosting the audit logs. Select "Personal Certificates". Select "Create". Select either a CA-Signed or Chained Certificate based on your requirements. Fill in the information required to generate the certificate. Restart the DMGR and all the JVMs.
From the administrative console, click Security >> Security Auditing >> Audit record signing configuration. If the "Enable signing" checkbox is not selected, this is a finding.
From the administrative console, click Security >> Security Auditing >> Audit record signing configuration. Select the "Enable signing" checkbox. Select the keystore that contains the encrypting certificate from the drop-down menu. If you are using an existing certificate to sign your audit records, ensure the Certificate in keystore is selected and specify the intended certificate in the "Certificate alias" drop-down menu. If you are generating a new certificate to sign your audit records, do NOT use the "Create a new certificate in the selected keystore" option, this will generate a SHA-1 signed certificate, which is not allowed. Instead, select Security >> SSL Certificate and key management >> KeyStores and Certificates. Select the keystore that is associated with the server hosting the audit logs. Select "Personal Certificates". Select "Create". Select either a CA-Signed or Chained Certificate based on your requirements. Fill in the information required to generate the certificate. Restart the DMGR and all the JVMs.
Review System Security Plan documentation. Interview the system administrator. Access operating system to list commands currently running. For UNIX: run "ps -ef | grep -i wsadmin.sh" For windows: from a DOS prompt as admin user run "WMIC path win32_process where "caption='wsadmin.exe'" get CommandLine" If the results show "wsadmin.sh(exe) -user <username> -password <password>", this is a finding.
When starting WebSphere commands, such as wsadmin, stopManager, stopNode, stopServer, or syncNode; do not use the "-password <password>" option. Use the interactive mode instead; you will be prompted for user id and password. For scripts, you may configure user id and password in the "connector properties" files. These files are under "Profile_Root/Properties" folder. - soap.client.props: for default SOAP - sas.client.props : for RMI and JSR160RMI connectors - ipc.client.props: for IPC connector
Review System Security Plan documentation. Interview the system administrator. Determine the OS user and group information associated with the WebSphere processes. Identify the paths, files, and folders associated with the WebSphere installation. These include: - <WAS_HOME>: where you installed WebSphere. <WAS_HOME> default location: For UNIX: /opt/IBM/WebSphere/AppServer For Windows: C:\Program Files\IBM\WebSphere\AppServer - <PROFILE_HOME>: where the appserver instance resides. The default location is under "<WAS_HOME>/profiles". - <OTHER_HOME>: any additional files that may reside outside of <WAS_HOME>. Examples include: - shared library .jar files - Resource Adapter .rar files - Key and trust store files (.jks and .p12) - Other files such as jdbc drivers For Linux, use the command "find <directory> -user root" to find files owned by root user. On windows use the "dir /Q /S" command from the root directories to show the owners of all files. Examine the output for files owned by the administrator or root account. If any WebSphere file or additional files as described above are owned by root or the administrator, this is a finding.
Note: executing this fix without proper planning regarding file ownership can render your installation inoperable. See vulnerability discussion before executing this fix. Ensure all WebSphere related files and folders are owned by the WebSphere OS user. Ensure OS group membership is restricted. File ownership changes for UNIX systems: chown -R <user> <WAS_HOME> chown -R <user> <PROFILE_HOME>, chown -R <user> <OTHER_HOME>, <OTHER_HOME> may be zero or more directories for other files Group ownership changes for UNIX systems: chgrp -R <user> <WAS_HOME> chgrp -R <user> <PROFILE_HOME>, chgrp -R <user> <OTHER_HOME>, where <OTHER_HOME> may be zero or more root directories for other files File ownership changes for Windows systems: "takeown /r /u <user> /f <directory /p <password of user>", where the <directory> is <WAS_HOME>, <PROFILE_HOME>, or <OTHER_HOME>
Navigate to Applications >> All Applications. Review all applications installed on the application server. If the sample applications snoop, ivt, or DefaultApplication are installed on a production system, this is a finding.
Navigate to Applications >> All Applications. Click on the corresponding application checkbox. Select "Remove". Click "OK". Click "Save".
This check needs to be run on the web server operating in the DMZ. Review system documentation. Identify web servers operating in DMZ. If there are no web servers configured for the DMZ, this is not applicable. From the administrative console, select Server Types >> Web Servers. Select each web server operating in the DMZ. Identify the "Web server installation location". Open a secured command shell to the web server in the DMZ. Change directory to the web server installation location. CD to the /plugins folder. If a /java directory exists in the plugins folder, this is a finding.
For web servers provided with the WebSphere installation that are operating in the DMZ. Remove the /java directory from within the plugins folder.
Interview systems manager. Identify the OS user ID that the WAS server runs as. Using relevant OS commands review OS processes and search for WAS processes (running as Java). Ensure they are running under the assigned non-administrative user id. For UNIX: "ps -ef|grep -i websphere" For Windows: "wmic path win32_process where "caption = 'java.exe'" get CommandLine If the WebSphere processes are running as the root or administrator user, this is a finding.
Ensure that WAS processes are started via the specified non-privileged OS user ID when running commands such as startManager, startNode, and startServer. If startManager and startNode are in the system startup scripts, ensure that they are not started as the root user or admin user for Windows systems. For example, in the UNIX system, the inittab entry may look like: "was:235:respawn:/usr/WebSphere/AppServer/bin/rc.was >/dev/console 2>&1". Ensure the user is not a root user and is instead a regular OS user.
From admin console, navigate to: Applications >> All applications >> [application name] >> JSP and JSP options. If "JSP enable class reloading" is checked, this is a finding.
To disable JSP reloading: From the admin console, navigate to: Applications >> All applications >> [application name] >> JSP and JSP options. Uncheck "JSP enable class reloading".
In the administrative console, click Servers >> All Servers. Select each [server_name]. Select >> Ports. Confirm server ports are registered with PPSM. Navigate to System Administration >> Deployment Manager >> Ports. Confirm ports are registered with PPSM. Navigate to System Administration >> node agents. For each [node agent], select >> Ports. Confirm ports are registered with PPSM. If any of available ports are not registered with PPSM, or if those ports to be connected through the firewall are not approved by PPSM, this is a finding.
Ensure all available ports are registered with PPSM.
In the administrative console, click Security >> Global security. If the "Available realm definitions" drop down box under the "User account repository" section is not set to "Standalone LDAP registry", this is a finding.
In the administrative console, click Security >> Global security. Under "User account repository", click the "Available realm definitions" drop-down list. Select "Standalone LDAP" registry. Click "Configure". Provide the Primary Administrative user name, type of LDAP server, hostname for the LDAP server, define the Base distinguished name. Click "OK". On "Global security" panel, click "Set as current". Click "Apply". Click "Save". Recycle and synchronize the JVMS.
Navigate to Security >> Global Security. Under "User Account Repository" if the "Federated Repositories" is chosen, click on "Configure". Under "Repositories in the realm", if "o=defaultWIMFileBasedRealm" appears in the "Base Entry" column, this is a finding.
Navigate to Security >> Global Security. Under "User Account Repository", select "Stand alone LDAP" from the "Available realm definitions" drop-down. Click on "Configure". Select an existing user from the LDAP directory to be the primary WebSphere admin user. Identify the type of LDAP server; specify an IP or DNS name for the LDAP Server, and the port used to connect to the LDAP server. Specify BASE DN. Specify the BIND DN. Specify the BIND Password. Select the "SSL enabled" check box to use secure LDAP. Click "Apply". Click "Save". Go to Global Security. Select "Standalone LDAP registry" from the "Available realm definitions" drop-down. Click "Set as current". Click "Apply". Click "Save". Restart the dmgr and synchronize the JVMs.
Check that the admin console is enabled for client certificate logon. In the Deployment Manager, check the file on: <WAS_INSTALL>/profiles/<profileName>/config/cells/<cellName>/applications/isclite.ear/deployments/isclite/isclite.war/WEB-INF/web.xml. If the "XML element <auth-method>FORM</auth-method>" is present, this is a finding.
From the admin console, select System Administration >> Deployment Manager >> Java and Process Management >> Process definition >> Java Virtual Machine >> Custom Properties. Select "New". Insert the following case sensitive value into the "Name" field: "adminconsole.certLogin". Select "Value". Enter "true". Click "Apply". Click "Save". Select Security >> SSL Certificate and Key management >> SSL Configurations >> Select CellDefaultSSLSettings >> Quality of Protection (QOP) settings. In the "Client Authentication" drop-box, make sure "Supported" or "Required" is selected. Click "Apply". Click "Save". Save a backup copy and edit the "Web.xml" file as follows: <WAS_INSTALL>/profiles/<profileName>/config/cells/<cellName>/applications/isclite.ear/deployments/isclite/isclite.war/WEB-INF/web.xml: --- Change: < security-constraint> <web-resource-collection> <web-resource-name>Protected Area</web-resource-name> <url-pattern>/</url-pattern> --- So it becomes: < security-constraint> <web-resource-collection> <web-resource-name>Protected Area</web-resource-name> <url-pattern>/</url-pattern> <url-pattern>/logon.jsp</url-pattern> <url-pattern>/logonError.jsp</url-pattern> --- Add these security constraints if not already present: <security-constraint> <web-resource-collection> <web-resource-name>free pages</web-resource-name> <url-pattern>/*.jsp</url-pattern> <url-pattern>/css/*</url-pattern> <url-pattern>/images/*</url-pattern> <url-pattern>/j_security_check</url-pattern> </web-resource-collection> </security-constraint> --- Change: <auth-method>FORM</auth-method> to <auth-method>CLIENT-CERT</auth-method> Save the "web.xml" file. Stop and restart the Deployment Manager. Log on to the admin console using your certificate.
Review System Security Plan documentation. Interview the system administrator. Identify any application web service providers and the secure authentication requirements for each service provider. From admin console, navigate to Applications >> All applications. Click on each application that is a web service provider where the security plan specifies security extensions are to be applied. Navigate to "Service provider policy sets and bindings". Verify that any web service providers that are required to have security extensions applied as per the security plan have a policy attached. If "Attached policy set" column displays none, but the System Security Plan specifies security extensions as required, this is a finding.
To attach policy sets for your service providers: From admin console, navigate to Applications >> All applications >> [application]. For each application that is a web service provider and requires secure authentication, click on "Service provider policy sets and bindings." Click button on the "Select" column to select a resource. Click on "Attach Policy Set" drop down. Select policy set that best matches the provider environment. Click button on the "Select" column to select the same resource. Click on the "Assign binding" drop down. Select a binding that best matches the environment. Click "Save". Restart DMGR and resync the JVMs.
Review System Security Plan documentation. Interview the system administrator. Identify any application web service clients. Identify the secure authentication requirements for each client. From admin console, navigate to Applications >> All applications. Click on each application that is a web service client where the security plan specifies security extensions are to be applied. Navigate to "Service client policy sets and bindings". Verify that any web service clients that are required to have security extensions applied as per the security plan have a policy attached. If "Attached policy set" column displays none, but the System Security Plan specifies security extensions as required, this is a finding.
To attach policy sets for your service clients: From admin console, navigate to Applications >> All applications >> [application]. For each application that is a web service client and requires secure authentication, click on "Service client policy sets and bindings." Click button on the "Select" column to select a resource. Click on "Attach Client Policy Set" drop down. Select policy set that best matches the environment. Click button on the "Select" column to select the same resource. Click on the "Assign binding" drop down. Select a binding that best matches the environment. Click "Save". Restart DMGR and resync the JVMs.
Review System Security Plan documentation. Identify mutual authentication connection requirements. From the admin console, navigate to Security >> SSL Certificate and Key Management >> SSL Configuration. Select each [NodeDefaultSSLSettings] then go to Quality of Protection (QoP) Settings. If "Client authentication" is not set according to the security plan, this is a finding.
From the admin console, navigate to Security >> SSL Certificate and Key Management >> SSL Configuration. For each [NodeDefaultSSLSettings] select Quality of Protection (QoP) Settings. Set "Client authentication" according to the security plan.
Review System Security Plan documentation. Identify mutual authentication connection requirements. From the admin console, navigate to Security >> SSL Certificate and Key Management >> SSL Configuration. Select each [NodeDefaultSSLSettings] then go to Quality of Protection (QoP) Settings. If "Client authentication" is not set according to the security plan, this is a finding. Note: with LDAP registry, the entire DN in the certificate is used to look up LDAP. Filters may be configured. With other registries, only the first attribute after the first "=", e.g., CN=<user> is used.
From the admin console, navigate to Security >> SSL Certificate and Key Management >> SSL Configuration. For each [NodeDefaultSSLSettings] select Quality of Protection (QoP) Settings. Set "Client authentication" according to the security plan.
Review System Security Plan documentation. Identify any publicly available applications. These are applications available to the public that do not require authentication to access (e.g., recruiting websites). If such applications exist on the system and are specifically allowed according to the security plan, this requirement is NA for those applications only. Navigate to security >> security domains. Click through each security domain. If "Customize for this domain" is checked for Application Security under the Security Attributes, but "Enable application security" is not checked, this is a finding.
Navigate to security >> security domains. Click through each security domain. If "Customize for this domain" is checked for Application Security under the Security Attributes, but "Enable application security" is not checked, check "Enable application security". Expand "show" to find all affected nodes and servers. Click "OK". Click "Save". Synchronize the changes. Restart all affected nodes and servers.
In the administrative console, click Security >> Global security. Under "User account repository", click "Configure" for the "Standalone LDAP registry", on "Standalone LDAP registry" panel. If the "SSL" flag is not enabled, this is a finding.
In the administrative console, click Security >> Global security. Under User account repository, click the "Available realm definitions" drop-down list. Select Standalone LDAP registry. Click "Configure". Click "SSL enabled". Click "OK". On Global security panel, click "Set as current". Click "Apply". Click "Save". To ensure an error-free operation for this step, you need to first extract to a file the Signer certificate of the LDAP and send that file to the WebSphere Application Server machine. You can then add the certificate to the trust store being defined for the LDAP. In this way, you are assured that the remaining actions for this step will be successful.
Review System Security Plan documentation. Identify the cache timeout parameters for authentication. Standard value for admin timeout is 10 minutes; however, the ISSO may allow a case by case exception based on operational requirements. From the admin console, navigate to Security >> Global Security >> Authentication cache settings. If "Enable authentication cache" check box is set and "Cache timeout" is larger than the parameters specified in the security plan, this is a finding.
From the admin console, navigate to Security >> Global Security >> Authentication. Click on "Authentication cache" settings. Enter the settings for "Cache timeout" in accordance with the parameters defined in the Systems Security Plan.
Review System Security Plan documentation. Interview the system administrator. Identify installation folders and DMGR info. Access the DMGR system via the OS. Stop the DMGR processes. This will shut down the application server so plan outages accordingly. The default file paths and DefaultMgr installation names are provided below, adjust paths, and dmgr name if your installation differs from the default. For UNIX systems: cd /opt/IBM/Websphere/Profiles/<DefaultDmgr01>/logs/dmgr/ -stopManager.sh -user [admin user name] - password [admin user password] -archive the SystemOut*.log files. (Copy to another location) -startManager.sh -grep -i cwpki0041w SystemOut.log For Windows: cd C:\program files\IBM\Websphere\Profiles\<DefaultDmgr01>\logs\dmgr\ -stopManager.exe -user [admin user name] - password [admin user password] -archive the SystemOut*.log files. (Copy to another location) -startManager.exe -findstr -I cwpki0041w systemout.log If the results include: "CWPKI0041W: One or more keystores are using the default password", this is a finding.
Navigate to Security >> SSL Certificate and Key Management >> Key stores and certificates. Select a keystore from the list. Click "Change Password". Enter the new password and password confirmation. Click "OK". Repeat for every keystore in the list. Synchronize changes to all nodes.
Navigate to Security >> SSl certificate and key management >> SSL Configurations >> CellDefaultSSLSettings >> KeyStores and certificates. Click on cell default trust store. Click on "Signer Certificates". If no DoD root or intermediate certificates are present, this is a finding.
Obtain the signer certificate either as Base 64 encoded ASCII file, or as binary DER data. Navigate to Security >> SSl certificate and key management >> SSL Configurations >> CellDefaultSSLSettings >> key stores and certificates. Click on cell default trust store. Click on "Signer Certificates". Click "Add". Enter a new alias for the signer, and the location of the file that stores signer certificate. For "Data type", choose the type appropriate for the file, either Base64-encoded ASCII data file, or binary DER data. Click "OK".
From administrative console, click Security >> SSL certificate and key management >> Manage FIPS. If "Enable FIPS 140-2" is not selected, this is a finding.
From administrative console, click Security >> SSL certificate and key management >> Manage FIPS. Check "Enable FIPS 140-2". Click "Save". Synchronize with the nodes. Restart all the JVMs.
Check that the admin console is enabled for client certificate logon. In the Deployment Manager, check the file on: <WAS_INSTALL>/profiles/<profileName>/config/cells/<cellName>/applications/isclite.ear/deployments/isclite/isclite.war/WEB-INF/web.xml. If the XML element "<auth-method>FORM</auth-method>" is present, this is a finding.
From the admin console, select System Administration >> Deployment Manager >> Java and Process Management >> Process definition >> Java Virtual Machine >> Custom Properties. Select "New". Insert the following case sensitive value into the "Name" field: "adminconsole.certLogin" Select "Value". Enter "true". Click "Apply". Click "Save". Select Security >> SSL Certificate and Key management >> SSL Configurations >> Select CellDefaultSSLSettings >> Quality of Protection (QOP) settings. In the "Client Authentication" drop box, make sure "Supported" or "Required" is selected. Click "Apply". Click "Save". Save a backup copy and edit the Web.xml file as follows: <WAS_INSTALL>/profiles/<profileName>/config/cells/<cellName>/applications/isclite.ear/deployments/isclite/isclite.war/WEB-INF/web.xml: --- Change: < security-constraint> <web-resource-collection> <web-resource-name>Protected Area</web-resource-name> <url-pattern>/</url-pattern> --- So it becomes: < security-constraint> <web-resource-collection> <web-resource-name>Protected Area</web-resource-name> <url-pattern>/</url-pattern> <url-pattern>/logon.jsp</url-pattern> <url-pattern>/logonError.jsp</url-pattern> --- Add these security constraints if not already present: <security-constraint> <web-resource-collection> <web-resource-name>free pages</web-resource-name> <url-pattern>/*.jsp</url-pattern> <url-pattern>/css/*</url-pattern> <url-pattern>/images/*</url-pattern> <url-pattern>/j_security_check</url-pattern> </web-resource-collection> </security-constraint> --- Change: <auth-method>FORM</auth-method> to <auth-method>CLIENT-CERT</auth-method> Save the "web.xml" file. Stop and restart the Deployment Manager. Log on to the admin console using your certificate.
From administrative console, navigate to Security >> SSL Certificates and Key Management >> KeyStores and Certificates. For each keystore, click on "Signer Certificates". If any of the certificates are not issued by an approved DoD CA, this is a finding.
Utilize DoD certificates that have been issued by a DoD PKI CA. To replace a non-DoD PKI-established certificate: From the administrative console, navigate to Security >> SSL Certificates and Key Management >> KeyStores and Certificates. For each keystore that requires the change: Import a new certificate by clicking "Import". Click "keystore" file. Enter the location of the new certificate. Specify the type of keystore and keystore password. Specify alias information. Click "Apply". After the certificate is imported, click on "Replace" to replace the original certificate with the new certificate.
Review System Security Plan and system architecture documentation. Interview the system administrator. Identify any DMZ networks. If there are no DMZ networks in the application server's architecture, this requirement is NA. In the administrative console, click Servers >> Server Types >> WebSphere application servers. For each application server, review the "hostname" field and determine if the application server has a DMZ network IP address. If any application server is hosted in the DMZ network, this is a finding.
If any application server host is installed in the DMZ, reassign IP address to a secured network and reconfigure the application server.
Review System Security Plan documentation for location of the trust store used to store the signers of the administrators certificates. By default this is "cellDefaultTrustStore". Navigate to Security >> SSL certificate and key management >> Keystore and certificates. Click on the trust store used to store the signers of the administrators' certificates (root CA). (The default is cellDefaultTrustStore). Click on "Signer Certificates". If there are no DoD signer certificates, this is a finding.
Navigate to Security >> SSL certificate and key management >> Keystore and certificates. Click on the trust store used to store the signers of the administrators' certificates. (The default is cellDefaultTrustStore). Click on "Signer Certificates". Click "Add". Follow the instructions to import the signer from a file. Click "OK".
Review System Security Plan documentation for a list of DoD-approved CAs. From administrative console, navigate to Security >> SSL Certificates and Key Management >> KeyStores and Certificates. For each keystore, click on "Personal Certificates". If any of the certificates are not issued by an approved DoD CA, this is a finding.
Utilize DoD certificates that have been issued by an approved DoD PKI CA. To replace a non-DoD PKI-established certificate: From the administrative console, navigate to Security >> SSL Certificates and Key Management >> KeyStores and Certificates. For each keystores that requires the change: Import a new certificate by clicking "Import". Click "keystore" file. Enter the location of the new certificate. Specify the type of keystore and keystore password. Specify alias information. Click "Apply". After the certificate is imported, click on "Replace" to replace the original certificate with the new certificate.
Review System Security Plan documentation to determine if the server is configured to use A/B clusters. If the System Security Plan does not specify utilizing A/B clusters, the requirement is NA. From the administration console, select WebSphere application server clusters. Select each cluster name. Select cluster members. If the weight of any cluster member is "0", this is a finding.
From the administration console, select WebSphere application server clusters. Select each cluster name. Select cluster members >> Details. Set all cluster members configured weight to a non-zero value.
Review Systems Security Plan and identify system categorization. If the system is not categorized as HIGH, this requirement is NA. In the administrative console, click Servers >> Clusters >> WebSphere application server clusters. Ensure you have a cluster defined, if not this is a finding.
In the administrative console, click Servers >> Clusters >> WebSphere application server clusters >> New. Specify a name for the cluster. Click "Next". Specify the name of the first cluster member. Select the node on which you want this cluster member to reside, leave remaining fields as default. Click "Next". Create additional cluster members as needed (give unique name for each member and click "Add Member"), when finished adding members click "Next". Click "Finish" to create the cluster. Click "Save". Refer to vendor documentation that provides direction on the creation of clusters for specific details. Restart DMGR and sync all JVMs.
If LTPA is not utilized, this is not applicable. Request the documented process to manually regenerate the LTPA keys. The time period for regeneration must be defined, documented, and accepted by the ISSO but must be performed at least annually. Navigate to Security >> SSL Certificate and Key Management >> Key set groups >> Cell LTPAKeySetGroup. If automatically generate keys is checked, this is a finding.
Navigate to Security >> SSL Certificate and Key Management >> Key set groups >> Cell LTPAKeySetGroup. Uncheck automatically generate keys. Click "OK". Click "Save". Restart the "Deployment Manager".
If LTPA is not utilized, this is not applicable. Request the documented process to manually regenerate the LTPA keys. The time period for regeneration must be defined, documented and accepted by the ISSO but must be performed at least annually. Review documented process for LTPA key regeneration. If there is no process to regenerate LTPA keys periodically, this is a finding.
These steps must be documented and then executed during the down time scheduled for periodic LTPA key regeneration. The time period must be defined, documented and accepted by the ISSO but must be performed at least annually. Navigate to Security >> SSL Certificate and Key Management >> Key set groups. Check "CellLTPAKeySetGroup". Click "Generate Keys". Click "Save". Then synchronize the changes to all nodes.
Review Systems Security Plan and identify system categorization. If the system is not categorized as HIGH, this requirement is NA. Identify HA applications installed on the server. Verify applications defined as requiring HA protections are running on a cluster. From the admin console, navigate to Application >> All Applications >> [application name] >> Target specific application status. If the target application has been designated as an HA application but is not running on a cluster, this is a finding.
To create a cluster, navigate to Servers >> Clusters >> WebSphere Application Server Clusters >> New and follow the wizard. After cluster creation, re-install your application to the cluster. Refer to product documentation for specific details on how to create and manage WebSphere clusters.
Review System Security Plan documentation. Identify the application load requirements defined by system owner. Regular application user session timeout values are defined at the DoD level at 20 minutes. An ISSO risk acceptance is required to deviate from that value. If session timeout values are not set to "20" and an ISSO risk acceptance is provided, this is not a finding. From the admin console, navigate to Servers >> all servers >> [web application server] >> Session management. For every [web application server], verify maximum in-memory session count. Verify "allow overflow" and "session timeout" are set according to application load requirements. If they are not set according to application load requirements, this is a finding.
From the admin console navigate to Servers >> all servers >> [web application server] >> Session management. For every [web application server], set the "Maximum in-memory session count", "allow overflow", and "session timeout" values according to your organizational requirements.
Review System Security Plan documentation. Identify the application thread pool size requirements defined by system owner. From the admin console navigate to Servers >> all servers >> [server name] >> ThreadPools. Verify thread pool size according to specifications in documentation. If the maximum size for each threadpool is set too large, and not set according to application requirements, this is a finding.
Perform loading for your application to determine the required thread pool sizes. To set thread pool size: From the admin console >> Servers >> all servers >> [server name] >> Additional Properties >> Select Thread Pools. Set the thread pool size for each threadpool.
From the administrative console, navigate to Security >> SSL certificate and key management >> SSL configurations >> [Name] >> for each SSL Configuration Select "Quality of protection (QoP) settings". Under "Cipher suite" settings, if any of the ciphers contained in the "Selected ciphers" box" contain "EXPORT" in their name, this is a finding.
From the administrative console, navigate to Security >> SSL certificate and key management >> SSL configurations >> [Name] >> for each SSL configuration Select "Quality of protection (QoP) settings" under "Cipher suite" settings. Identify any ciphers that include "EXPORT" in their name. Remove the cipher by selecting the cipher. Click "Remove" button. Click "OK". Recycle the DMGR and sync the JVMs.
From the admin console navigate to Servers >> Core groups. For every Core Group listed, select the Core Group [CoreGroup Name]. Under "Transport Type", select the "Channel Framework" button. If the "transport chain" drop down box is not set to "DCS-Secure", this is a finding.
From the admin console navigate to Core groups >> for every Core Group listed. Select the [Core Group Name]. Under "Transport" type, select "CHANNEL_FRAMEWORK" button. In the "Transport chain" drop down box set to "DCS-SECURE". Click "Save". Sync the configuration.
From the admin console, navigate to Servers >> Server Types >> WebSphere Application Servers >> select each server (server name) >> Web Container Settings >> Web container transport chains. Verify both "WCInboundDefault" and the "HttpQueueInboundDefault" transport chains are disabled. If they are not disabled, this is a finding.
From the admin console, navigate to Servers >> Server Types >> WebSphere Application Servers >> select each server (server name) >> Web Container Settings >> Web container transport chains. Select the "WCInboundDefault" and the "HttpQueueInboundDefault" transport chains and disable them. Click "Apply". Click "Save". Restart the DMGR and resynch the JVMs.
Review System Security Plan and system documentation to locate the "IBM InstallationManager" folder. Default locations are: UNIX: /opt/InstallationManager Windows: C:\Program Files\InstallationManager UNIX: <IMHOME>/eclipse/tools/imcl -c Select "P" preferences. Select "3" Files for rollback. Windows: <IMHOME>\eclipse\tools\imcl.exe -c Select "P" preferences. Select "3" Files for rollback. If "Save files for rollback" is checked, this is a finding.
Review System Security Plan and system documentation to locate the "IBM InstallationManager" folder. Default locations are: UNIX: /opt/InstallationManager Windows: C:\Program Files\InstallationManager UNIX: <IMHOME>/eclipse/tools/imcl -c Select "P" preferences. Select "3" Files for rollback. Enter "1" to deselect. Enter "A" for apply. Enter "R" to return to Main Menu. Windows: <IMHOME>\eclipse\tools\imcl.exe -c Select "P" preferences. Select "3" Files for rollback. Enter "1" to deselect. Enter "A" for apply. Enter "R" to return to Main Menu.
Use the admin console to determine the WebSphere version. Review patch level and fix pack. If the most recent patches/fix packs have not been applied, this is a finding.
Obtain WebSphere product security and patch support. Test and apply the latest applicable WebSphere security fixes.
From the admin console, click on "welcome". Under Suite Name, locate "WebSphere Application Server". View the "version". Access IBM support website: https://www.ibm.com/support Identify the most recent patch/fix version available for the WebSphere Traditional Application Server (not the Liberty version). If the most recent patches/fix packs have not been applied, this is a finding.
Sign up to receive WebSphere security bulletins at the IBM website. Monitor IAVMs, CTOs, and DTMs for update notices affecting WebSphere. Obtain WebSphere product security and patch support. Test and apply the latest applicable WebSphere security fixes.