Log in to the ISEC7 EMM Suite console. Navigate to Administration >> Configuration >> Account Management >> Users. Select Edit next to the local account Admin. Verify Login disabled has been selected. If Login disabled has not been selected, this is a finding.
Log in to the ISEC7 EMM Suite console. Navigate to Administration >> Configuration >> Account Management >> Users. Select Edit next to the local account Admin. Check Login disabled for the account. Click Save.
Log in to the ISEC7 EMM Console. Navigate to Administration >> Configuration >> LDAP. Verify that an LDAP entry has been configured to the enterprise. Select Edit and confirm the Use for Login check box has been selected. Navigate to Administration >> Configuration >> Settings. Verify that Log in using (Default) has been set to the enterprise connection. If an LDAP entry has not been configured to the enterprise or Log in using (Default) has not been set to the enterprise connection, this is a finding.
Log in to the ISEC7 EMM Console. Navigate to Administration >> Configuration >> LDAP. Select Add new LDAP. Provide the connection information for the enterprise LDAP connection. Check the box Use for Login. Navigate to Administration >> Configuration >> Settings. Set Log in using (Default) to the enterprise connection.
Log in to the ISEC7 EMM Console. Navigate to Administration >> Configuration >> Apache Tomcat. Validate the session timeout has been set to the correct value. Alternatively, allow the console to sit for 15 minutes and confirm that you are prompted to login once again when attempting to navigate to a new screen. If the EMM Console timeout has not been set for 15 minutes or less, this is a finding.
Log in to the ISEC7 EMM Console. Navigate to Administration >> Configuration >> Apache Tomcat. Set the session timeout to the correct value of 15 minutes or less.
Log in to the ISEC7 EMM Console. Navigate to Administration >> Configuration >> Apache Tomcat Settings. Verify that the type of Keystore being used is: Windows-MY. If the type of Keystore being used is not Windows-MY, this is a finding.
Log in to the ISEC7 EMM Console. Navigate to Administration >> Configuration >> Apache Tomcat Settings. Select the type of Keystore to be used as: Windows-MY
Verify the Apache Tomcat Manager Web app password is hashed using SHA-256 (or SHA-512). Login to the ISEC7 EMM Suite server. Navigate to <Drive>:\Program Files\ISEC7 EMM Suite\Tomcat\conf\ Open tomcat-users.xml and verify the user password is stored as a hashed (obfuscated) value. ex: <user password="310c55aa3d5b42217e7f0e80ce30467d$100000$529cceb1fbc80f4f461fc1bd56219d79d9c94d4a8fc46abad0646f27e753ff9e" roles="manager-gui,manager-script" username="admin"/> Open <Drive>:\Program Files\ISEC7 EMM Suite\Tomcat\conf\server.xml with Notepad.exe. Select Edit >> Find and search for CredentialHandler. Confirm the text: <CredentialHandler algorithm="PBKDF2WithHmacSHA512" keyLength="256" /> Close the file. If the Apache Tomcat Manager Web app password is not hashed using SHA-256 (or SHA-512), this is a finding.
To encrypt the Tomcat Manager Web app password, run the ISEC7 integrated installer or use the following manual procedure. Note: The ISEC7 integrated installer will configure SHA-512 as the hash algorithm, which is not available with the manual procedure. The manual procedure will configure SHA-256. Both are DoD approved. Login to the ISEC7 EMM Suite server. Browse to <Drive>:\Program Files\ISEC7 EMM Suite\Tomcat\conf and open Tomcat-Users.xml. Open the Command Prompt and CD to <Drive>:\Program Files\ISEC7 EMM Suite\Tomcat\bin. Execute the following command: digest -a SHA-256 -h org.apache.catalina.realm.MessageDigestCredentialHandler password* (*where password is the 15 character password designated for the account). Copy the output, which is the SHA-256 hashed digest password. In Tomcat-Users.xml, replace the password for the user with the obfuscated output. ex: <user password="310c55aa3d5b42217e7f0e80ce30467d$100000$529cceb1fbc80f4f461fc1bd56219d79d9c94d4a8fc46abad0646f27e753ff9e" roles="manager-gui,manager-script" username="admin"/> Save the file. Open <Drive>:\Program Files\ISEC7 EMM Suite\Tomcat\conf\server.xml with Notepad.exe. Select Edit >> Find and search for CredentialHandler. Replace the text with: <CredentialHandler className="org.apache.catalina.realm.MessageDigestCredentialHandler" algorithm="SHA-256" /> Save the file. Restart the ISEC7 EMM Suite Web service using the services.msc.
Verify CATALINA_HOME/webapps Tomcat administrative tool has been configured to remove all Web applications that are not required. Log in to the ISEC7 EMM Suite server. Browse to <Drive>:\Program Files\ISEC7 EMM Suite\Tomcat\webapps\ Confirm all folders in the directory with the exception of Manager and Host-Manager have been removed. If the CATALINA_HOME/webapps Tomcat administrative tool has not been configured to remove all Web applications that are not required, this is a finding.
To configure the CATALINA_HOME/webapps Tomcat administrative tool to remove all Web applications that are not required, run the ISEC7 integrated installer or use the following manual procedure: Login to the ISEC7 EMM Suite server. Browse to <Drive>:\Program Files\ISEC7 EMM Suite\Tomcat\webapps\ Remove all folders in the directory with the exception of Manager and Host-Manager.
Log in to the ISEC7 EMM Suite server. Navigate to <Drive>:\Program Files\Isec7 EMM Suite\Tomcat\Config Open the server.xml file with Notepad. Select Edit >> Find and search for LockOutRealm. Confirm the following line is in the server.xml file: <Realm className="org.apache.catalina.realm.LockOutRealm"> If it is not found or has been commented out, this is a finding. If the LockOutRealm has been removed and can't be used, this is a finding.
Login to the ISEC7 EMM Suite server. Navigate to <Drive>:\Program Files\Isec7 EMM Suite\Tomcat\Config Open the server.xml file with Notepad. Select Edit >> Find and search for LockOutRealm. Add the following line to the server.xml file: <Realm className="org.apache.catalina.realm.LockOutRealm"> Restart the ISEC7 EMM Suite Web service in the services.msc.
Verify the failureCount parameter is set to 3 in the LockOutRealm configuration. Login to the ISEC7 EMM Suite server. Navigate to <Drive>:\Program Files\Isec7 EMM Suite\Tomcat\Config Open the server.xml file with Notepad. Select Edit >> Find and search for LockOutRealm. Verify the failureCount parameter is set to 3 in the following file: <Realm className="org.apache.catalina.realm.LockOutRealm" failureCount="3" lockOutTime="900" > If the failureCount parameter is not set to 3 in the LockOutRealm configuration, this is a finding.
Add the failureCount parameter to the LockOutRealm configuration: Login to the ISEC7 EMM Suite server. Navigate to <Drive>:\Program Files\Isec7 EMM Suite\Tomcat\Config Open the server.xml file with Notepad. Select Edit >> Find and search for LockOutRealm. Add the following line to the server.xml file: <Realm className="org.apache.catalina.realm.LockOutRealm" failureCount="3" lockOutTime="900" > Restart the ISEC7 EMM Suite Web service in the services.msc.
Verify the lockOutTime parameter is set to 900 in the LockOutRealm configuration. Login to the ISEC7 EMM Suite server. Navigate to <Drive>:\Program Files\Isec7 EMM Suite\Tomcat\Config Open the server.xml file with Notepad. Select Edit >> Find and search for LockOutRealm. Verify the lockOutTime parameter is set to 900 in the following file: <Realm className="org.apache.catalina.realm.LockOutRealm" failureCount="3" lockOutTime="900" > If the lockOutTime parameter is not set to 900 in the LockOutRealm configuration, this is a finding.
Add the lockOutTime parameter to the LockOutRealm configuration: Login to the ISEC7 EMM Suite server. Navigate to <Drive>:\Program Files\Isec7 EMM Suite\Tomcat\Config Open the server.xml file with Notepad. Select Edit >> Find and search for LockOutRealm. Add the following line to the server.xml file: <Realm className="org.apache.catalina.realm.LockOutRealm" failureCount="3" lockOutTime="900" > Restart the ISEC7 EMM Suite Web service in the services.msc.
Verify Enable HTTPS has been configured to use HTTP over SSL: Open a web browser that is able to reach the ISEC7 EMM Suite console. Verify that the address used has a prefix of https:// Alternately: Log in to the ISEC7 EMM Suite server. Open the server.xml file located at <Drive>:\Program Files\ISEC7 EMM Suite\Tomcat\conf with Notepad.exe. Select Edit >> Find and search for Connector port="443". Confirm the connector is present and not commented out: <Connector port="443" useServerCipherSuitesOrder="true" sslImplementationName="org.apache.tomcat.util.net.jsse.JSSEImplementation" secure="true" scheme="https" protocol="org.apache.coyote.http11.Http11NioProtocol" maxThreads="200" keystoreType="Windows-MY" keystoreFile="" keyAlias="https" clientAuth="none" ciphers="TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384,TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384,TLS_DHE_DSS_WITH_AES_256_CBC_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,TLS_DHE_DSS_WITH_AES_256_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256,TLS_DHE_DSS_WITH_AES_128_CBC_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_DSS_WITH_AES_128_CBC_SHA,TLS_ECDHE_ECDSA_WITH_RC4_128_SHA,TLS_ECDH_ECDSA_WITH_RC4_128_SHA,TLS_ECDH_RSA_WITH_RC4_128_SHA,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384,TLS_DHE_DSS_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256,TLS_DHE_DSS_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,TLS_EMPTY_RENEGOTIATION_INFO_SCSVF" SSLEnabled="true"/> If Enable HTTPS has not been configured to use HTTP over SSL, this is a finding.
To enable HTTPS to use HTTP over SSL, run the ISEC7 integrated installer or use the following manual procedure: Log in to the ISEC7 EMM Suite server. Open the server.xml file located at <Drive>:\Program Files\ISEC7 EMM Suite\Tomcat\conf with Notepad.exe. Select Edit >> Find and search for Connector port="443". If the connector is not present add: <Connector port="443" useServerCipherSuitesOrder="true" sslImplementationName="org.apache.tomcat.util.net.jsse.JSSEImplementation" secure="true" scheme="https" protocol="org.apache.coyote.http11.Http11NioProtocol" maxThreads="200" keystoreType="Windows-MY" keystoreFile="" keyAlias="https" clientAuth="none" ciphers="TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384,TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384,TLS_DHE_DSS_WITH_AES_256_CBC_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,TLS_DHE_DSS_WITH_AES_256_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256,TLS_DHE_DSS_WITH_AES_128_CBC_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_DSS_WITH_AES_128_CBC_SHA,TLS_ECDHE_ECDSA_WITH_RC4_128_SHA,TLS_ECDH_ECDSA_WITH_RC4_128_SHA,TLS_ECDH_RSA_WITH_RC4_128_SHA,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384,TLS_DHE_DSS_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256,TLS_DHE_DSS_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,TLS_EMPTY_RENEGOTIATION_INFO_SCSVF" SSLEnabled="true"/> If the connector has been commented out, remove the comment characters. Save the file. Restart the ISEC7 EMM Suite Web service in the services.msc.
Verify the version number of Apache Tomcat has been removed from the CATALINA_HOME/lib/catalina.jar file. Open a CMD prompt. cd <Drive>:\Program Files\ISEC7 EMM Suite\Tomcat\lib Copy to desktop and rename catalina.jar to catalina.zip Open catalina.zip and drill down to org/apache/catalina/util/ServerInfo.properties Open ‘ServerInfo.properties’ with WordPad. Confirm the server version information has been removed. … server.info=Apache Tomcat server.number= server.built= If the version number of Apache Tomcat has not been removed from the CATALINA_HOME/lib/catalina.jar file, this is a finding.
Remove the version string from HTTP error pages by unpacking ServerInfo.properties from CATALINA_HOME\lib\catalina.jar and updating the server version information: Open a CMD prompt. cd <Drive>:\Program Files\ISEC7 EMM Suite\Tomcat\lib Copy to desktop and rename catalina.jar to catalina.zip Open catalina.zip and drill down to org/apache/catalina/util/ServerInfo.properties Open ‘ServerInfo.properties’ with WordPad. Edit the server version information and save. … server.info=Apache Tomcat server.number= server.built= Save file, rename to catalina.jar, and copy back to directory, replacing existing file.
Verify stack tracing has been disabled in Apache Tomcat. Navigate to the ISEC7 EMM Suite installation directory: <Drive>:\Program Files\ISEC7 EMM Suite\web\WEB-INF Open web.xml with Notepad.exe. Scroll to the end of the file. Confirm there are no comment tags "<!--" and "-->" and the following exists without comment tags: <error-page> <exception-type>java.lang.Exception</exception-type> <location>/exception.jsp</location> </error-page> If stack tracing has not been disabled in Apache Tomcat, this is a finding.
Remove the default error page by updating the web application web.xml file. Navigate to the ISEC7 EMM Suite installation directory: <Drive>:\Program Files\ISEC7 EMM Suite\web\WEB-INF Open web.xml with Notepad.exe. Scroll to the end of the file. Remove the comment tags "<!--" and "-->" from the following entry: <!-- <error-page> <exception-type>java.lang.Exception</exception-type> <location>/exception.jsp</location> </error-page> --> Save the changes. This will acknowledge to the user that an exception occurred without showing any trace or source information.
Verify the shutdown port is disabled. Log in to the EMM Suite server. Browse to Program Files\Isec7 EMM Suite\Tomcat\Conf Open the server.xml with Notepad.exe Select Edit >> Find and search for Shutdown. Verify that the shutdown port has been disabled with below entry: shutdown="-1" If the shutdown port has not been disabled, this is a finding.
Log in to the EMM Suite server. Browse to Program Files\Isec7 EMM Suite\Tomcat\Conf Open the server.xml with Notepad.exe. Select Edit >> Find and search for Shutdown. Change the shutdown to -1. Example: shutdown="-1" Save the file and restart the Isec7 EMM Suite Web service with the services.msc.
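The server.xml checks above (LockOutRealm with failureCount and lockOutTime, the port 443 connector, the CredentialHandler and the shutdown attribute) can be evaluated on the parsed XML, where a commented-out element is simply absent instead of matching a text search. This is an added example, not part of the STIG or ISEC7 code; both sample files are constructed, and the last check (Server port="-1", the value Tomcat's documentation gives for disabling the shutdown listener) goes beyond what this page asks for.

```python
"""Audit a Tomcat server.xml for the checks on this page (added example)."""
import xml.etree.ElementTree as ET

LOCKOUT_REALM = "org.apache.catalina.realm.LockOutRealm"
# The two CredentialHandler algorithm values that appear on this page.
ACCEPTED_ALGORITHMS = {"SHA-256", "PBKDF2WithHmacSHA512"}

# Constructed sample (not a shipped ISEC7 file): every check passes.
SAMPLE_COMPLIANT = """
<Server port="-1" shutdown="-1">
  <Service name="Catalina">
    <Connector port="443" scheme="https" secure="true" SSLEnabled="true"
               protocol="org.apache.coyote.http11.Http11NioProtocol"
               keystoreType="Windows-MY" keyAlias="https" clientAuth="none"/>
    <Engine name="Catalina" defaultHost="localhost">
      <Realm className="org.apache.catalina.realm.LockOutRealm"
             failureCount="3" lockOutTime="900">
        <Realm className="org.apache.catalina.realm.UserDatabaseRealm"
               resourceName="UserDatabase">
          <CredentialHandler
              className="org.apache.catalina.realm.MessageDigestCredentialHandler"
              algorithm="SHA-256"/>
        </Realm>
      </Realm>
    </Engine>
  </Service>
</Server>
"""

# Constructed sample: the HTTPS connector is commented out, so searching the
# file for Connector port="443" in an editor still finds a match.
SAMPLE_NONCOMPLIANT = """
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <!-- <Connector port="443" scheme="https" secure="true" SSLEnabled="true"/> -->
    <Connector port="8080" protocol="HTTP/1.1"/>
    <Engine name="Catalina" defaultHost="localhost">
      <Realm className="org.apache.catalina.realm.LockOutRealm" failureCount="5">
        <Realm className="org.apache.catalina.realm.UserDatabaseRealm"
               resourceName="UserDatabase"/>
      </Realm>
    </Engine>
  </Service>
</Server>
"""


def audit_server_xml(xml_text):
    """Return {check_name: passed} for the server.xml settings on this page."""
    # The parser drops XML comments, so commented-out elements do not count.
    root = ET.fromstring(xml_text.strip())  # root element is <Server>
    realm = next((r for r in root.iter("Realm")
                  if r.get("className") == LOCKOUT_REALM), None)
    https = [c for c in root.iter("Connector")
             if c.get("port") == "443"
             and c.get("SSLEnabled", "").lower() == "true"]
    algorithms = {h.get("algorithm") for h in root.iter("CredentialHandler")}
    return {
        "lockout_realm_present": realm is not None,
        "failure_count_is_3": realm is not None and realm.get("failureCount") == "3",
        "lockout_time_is_900": realm is not None and realm.get("lockOutTime") == "900",
        "shutdown_attr_is_minus_1": root.get("shutdown") == "-1",
        "https_connector_443": bool(https),
        "credential_handler_hashing": bool(algorithms)
                                      and algorithms <= ACCEPTED_ALGORITHMS,
        # Beyond this page: the Server element's port attribute set to -1.
        "shutdown_listener_port_closed": root.get("port") == "-1",
    }


def failed_checks(xml_text):
    """Names of the checks that did not pass, sorted for stable output."""
    return sorted(name for name, ok in audit_server_xml(xml_text).items() if not ok)


if __name__ == "__main__":
    for label, sample in (("compliant", SAMPLE_COMPLIANT),
                          ("noncompliant", SAMPLE_NONCOMPLIANT)):
        print(label, failed_checks(sample))
```

For a real file, pass the text of server.xml from the Tomcat conf directory to `failed_checks`.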
Verify unnecessary users or groups that have permissions to the Server.xml file in Apache Tomcat have been removed. Browse to Program Files\Isec7 EMM Suite\Tomcat\Conf and select Server.xml. Right click and select Properties. Select the security tab and verify no unnecessary accounts or groups have been granted permissions to the file. If unnecessary users or groups that have permissions to the Server.xml file in Apache Tomcat have not been removed, this is a finding.
Log in to the ISEC7 EMM Suite server. Browse to Program Files\Isec7 EMM Suite\Tomcat\Conf and select Server.xml. Right click and select Properties. Select the security tab and remove unnecessary accounts or groups that have been granted permissions to the Server.xml file.
Verify a manager role has been assigned to the Apache Tomcat Web apps (Manager, Host-Manager). Login to the ISEC7 EMM Suite server. Navigate to <Drive>:\Program Files\ISEC7 EMM Suite\Tomcat\conf\ Confirm a user with the manager role to <Drive>:\Program Files\ISEC7 EMM Suite\Tomcat\conf\tomcat-users.xml exists. example: <user username="admin" roles="manager-gui,manager-script" ..../> If a manager role has not been assigned to the Apache Tomcat Web apps, this is a finding.
To add a manager role to the Apache Tomcat Web apps (Manager, Host-Manager), run the ISEC7 integrated installer or use the following manual procedure: By default there are no users with the manager role assigned. To make use of the manager webapp you need to add a new role and user into the <Drive>:\Program Files\ISEC7 EMM Suite\Tomcat\conf\tomcat-users.xml file. Login to the ISEC7 EMM Suite server. Navigate to <Drive>:\Program Files\ISEC7 EMM Suite\Tomcat\conf\ Add a user with the manager role to <Drive>:\Program Files\ISEC7 EMM Suite\Tomcat\conf\tomcat-users.xml example: <user username="admin" roles="manager-gui,manager-script" ..../> Save the file.
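The tomcat-users.xml checks above (password stored as a hashed value, and a user holding the manager roles) can be run against the parsed file. This is an added example, not part of the STIG or ISEC7 code; it assumes stored credentials take the salt$iterations$digest shape of the page's example entry, and the `deploy` user and its plaintext password are constructed.

```python
"""Audit tomcat-users.xml entries for the checks on this page (added example)."""
import re
import xml.etree.ElementTree as ET

# hex salt, decimal iteration count, hex digest: the shape of the page's example.
STORED_CREDENTIAL = re.compile(r"^([0-9a-fA-F]+)\$([0-9]+)\$([0-9a-fA-F]+)$")
MANAGER_ROLES = {"manager-gui", "manager-script"}  # roles in the page's example
ACCEPTED_DIGEST_BITS = {256, 512}                   # SHA-256 or SHA-512 sized output

# The example value shown on this page.
PAGE_EXAMPLE = ("310c55aa3d5b42217e7f0e80ce30467d$100000$"
                "529cceb1fbc80f4f461fc1bd56219d79d9c94d4a8fc46abad0646f27e753ff9e")

# Constructed sample. The root element carries the default namespace found in
# Tomcat's own tomcat-users.xml, and one entry is commented out.
SAMPLE = f"""
<tomcat-users xmlns="http://tomcat.apache.org/xml" version="1.0">
  <!-- <user username="old" password="changeit" roles="manager-gui"/> -->
  <user username="admin" password="{PAGE_EXAMPLE}"
        roles="manager-gui,manager-script"/>
  <user username="deploy" password="Constructed-Plaintext-1"
        roles="manager-script"/>
</tomcat-users>
"""


def parse_stored_credential(value):
    """Split salt$iterations$digest; return None when the value has another shape."""
    match = STORED_CREDENTIAL.match(value or "")
    if not match:
        return None
    salt, iterations, digest = match.groups()
    return {
        "salt_bytes": len(salt) // 2,
        "iterations": int(iterations),
        "digest_bits": len(digest) * 4,
    }


def audit_tomcat_users(xml_text):
    """Return one record per active <user> element (comments are not parsed)."""
    root = ET.fromstring(xml_text.strip())
    records = []
    for element in root.iter():
        # Compare the local name so the check works with or without a namespace.
        if element.tag.rsplit("}", 1)[-1] != "user":
            continue
        parsed = parse_stored_credential(element.get("password"))
        roles = {r.strip() for r in element.get("roles", "").split(",") if r.strip()}
        records.append({
            "username": element.get("username"),
            "hashed": parsed is not None
                      and parsed["digest_bits"] in ACCEPTED_DIGEST_BITS,
            "manager": bool(roles & MANAGER_ROLES),
        })
    return records


def findings(xml_text):
    """Human-readable findings for the two tomcat-users.xml checks."""
    records = audit_tomcat_users(xml_text)
    result = [f"{r['username']}: password is not in salt$iterations$digest form"
              for r in records if not r["hashed"]]
    if not any(r["manager"] for r in records):
        result.append("no user holds a manager role")
    return result


if __name__ == "__main__":
    print(parse_stored_credential(PAGE_EXAMPLE))
    print(findings(SAMPLE))
```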
Verify SSL is enabled on Apache Tomcat. Verify Enable HTTPS has been configured to use HTTP over SSL: Open a web browser that is able to reach the ISEC7 EMM Suite console. Verify that the address used has a prefix of https:// Alternately: Login to the ISEC7 EMM Suite server. Open the server.xml file located at <Drive>:\Program Files\ISEC7 EMM Suite\Tomcat\conf with Notepad.exe Select Edit >> Find and search for Connector port="443" Confirm the connector is present and not commented out. If SSL is not enabled on Apache Tomcat, this is a finding.
To configure SSL support on Tomcat, run the ISEC7 integrated installer or use the following manual procedure: To configure SSL support on Tomcat, you need to change the connector type in <Drive>:\Program Files\ISEC7 EMM Suite\Tomcat\conf\server.xml Log in to the ISEC7 EMM Suite server. Browse to <Drive>:\Program Files\ISEC7 EMM Suite\Tomcat\conf\ Edit the server.xml with Notepad.exe. Select Edit >> Find and search for connector port=443. Replace the existing connection with the connection below, modifying the keystoreFile path and password as needed. <Connector port="443" useServerCipherSuitesOrder="true" secure="true" scheme="https" protocol="com.isec7.bnator.utils.common.Http11NioProtocol" maxThreads="200" keystoreType="PKCS12" keystorePass="" keystoreFile="C:\Program Files\ISEC7 EMM Suite_nmci\conf\https.pfx" keyAlias="https" clientAuth="none" ciphers="TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384,TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384,TLS_DHE_DSS_WITH_AES_256_CBC_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,TLS_DHE_DSS_WITH_AES_256_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256,TLS_DHE_DSS_WITH_AES_128_CBC_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_DSS_WITH_AES_128_CBC_SHA,TLS_ECDHE_ECDSA_WITH_RC4_128_SHA,TLS_ECDH_ECDSA_WITH_RC4_128_SHA,TLS_ECDH_RSA_WITH_RC4_128_SHA,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384,TLS_DHE_DSS_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256,TLS_DHE_DSS_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,TLS_EMPTY_RENEGOTIATION_INFO_SCSVF" SSLEnabled="true"/> Remark: The user should not uncomment the connector tag for port 80/8080. It is recommended to keep this for the automated ISEC7 EMM Suite Agent update from the ISEC7 EMM Suite Tomcat portal (see 2.2.3). If you decline port 80/8080, the user has to enable J2SE SSL as described in section 2.2.1 with the same keystore file for every ISEC7 EMM Suite Agent host. Then the user can click on OK and restart the Apache Tomcat service to put the new configuration into effect. One can find further information at https://tomcat.apache.org/tomcat-8.5-doc/ssl-howto.html Alternatively, you can use the Windows certificate store instead of a local keystore file. <Connector port="443" protocol="org.apache.coyote.http11.Http11NioProtocol" sslImplementationName="org.apache.tomcat.util.net.jsse.JSSEImplementation" secure="true" scheme="https" maxThreads="200" SSLEnabled="true"><SSLHostConfig honorCipherOrder="true" ciphers="TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384,TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384,TLS_DHE_DSS_WITH_AES_256_CBC_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,TLS_DHE_DSS_WITH_AES_256_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256,TLS_DHE_DSS_WITH_AES_128_CBC_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_DSS_WITH_AES_128_CBC_SHA,TLS_ECDHE_ECDSA_WITH_RC4_128_SHA,TLS_ECDH_ECDSA_WITH_RC4_128_SHA,TLS_ECDH_RSA_WITH_RC4_128_SHA,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384,TLS_DHE_DSS_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256,TLS_DHE_DSS_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,TLS_EMPTY_RENEGOTIATION_INFO_SCSVF" certificateVerification="none"><Certificate certificateKeystoreType="Windows-MY" certificateKeystoreFile="" certificateKeyAlias="https"/></SSLHostConfig> </Connector> The SSL certificate needs to be imported into the My user account – Personal using mmc certificate snap-in. Make sure that the cert has a friendly name; it can be verified in mmc under cert properties. The friendly name is case sensitive.
Verify Tomcat SSL is restricted to only ISEC7 EMM Suite tasks. Log in to the ISEC7 EMM Suite server. Navigate to <Drive>:\Program Files\ISEC7 EMM Suite\Tomcat\conf\ Edit the web.xml file with Notepad.exe. Verify the following entries are present: <security-constraint> <web-resource-collection> <web-resource-name>Unsecure</web-resource-name> <!-- Agent --> <url-pattern>/BNator/agent/*</url-pattern> <url-pattern>/app/agent/*</url-pattern> <url-pattern>/app/admin/agentinstaller.jnlp</url-pattern> <!-- Client --> <url-pattern>/app/clients/*</url-pattern> <url-pattern>/app/data/*</url-pattern> <!-- Remote Control --> <url-pattern>/rc/*</url-pattern> <!-- Traffic Push --> <url-pattern>/BNator/uss/trafficinfo/*</url-pattern> <url-pattern>/BNator/data/mds/trafficpush</url-pattern> <url-pattern>/BNator/favorites/*</url-pattern> <url-pattern>/app/resource/*</url-pattern> </web-resource-collection> </security-constraint> <security-constraint> <web-resource-collection> <web-resource-name>Secure</web-resource-name> <url-pattern>/*</url-pattern> </web-resource-collection> <user-data-constraint> <transport-guarantee>CONFIDENTIAL</transport-guarantee> </user-data-constraint> </security-constraint> If Tomcat SSL is not restricted to only ISEC7 EMM Suite tasks, this is a finding.
To restrict Tomcat SSL to only ISEC7 EMM Suite tasks, run the ISEC7 integrated installer or use the following manual procedure: To restrict SSL for all users except for agent task, the user needs to add a security constraint tag to <Drive>:\Program Files\ISEC7 EMM Suite\Tomcat\conf\web.xml Login to the ISEC7 EMM Suite server. Navigate to <Drive>:\Program Files\ISEC7 EMM Suite\Tomcat\conf\ Edit the web.xml file with Notepad.exe. Add the following entry: <security-constraint> <web-resource-collection> <web-resource-name>Unsecure</web-resource-name> <!-- Agent --> <url-pattern>/BNator/agent/*</url-pattern> <url-pattern>/app/agent/*</url-pattern> <url-pattern>/app/admin/agentinstaller.jnlp</url-pattern> <!-- Client --> <url-pattern>/app/clients/*</url-pattern> <url-pattern>/app/data/*</url-pattern> <!-- Remote Control --> <url-pattern>/rc/*</url-pattern> <!-- Traffic Push --> <url-pattern>/BNator/uss/trafficinfo/*</url-pattern> <url-pattern>/BNator/data/mds/trafficpush</url-pattern> <url-pattern>/BNator/favorites/*</url-pattern> <url-pattern>/app/resource/*</url-pattern> </web-resource-collection> </security-constraint> <security-constraint> <web-resource-collection> <web-resource-name>Secure</web-resource-name> <url-pattern>/*</url-pattern> </web-resource-collection> <user-data-constraint> <transport-guarantee>CONFIDENTIAL</transport-guarantee> </user-data-constraint> </security-constraint>
Log in to the ISEC7 EMM Console. Navigate to Administration >> Configuration >> Apache Tomcat Settings. Verify the maxConnections setting is set according to organizational guidelines. Verify the maxThreads setting is set according to organizational guidelines. If the maxConnections setting is not set according to organizational guidelines or the maxThreads setting is not set according to organizational guidelines, this is a finding.
Log in to the ISEC7 EMM Console. Navigate to Administration >> Configuration >> Apache Tomcat Settings. Set the maxConnections setting according to organizational guidelines. Set the maxThreads setting according to organizational guidelines. Restart the ISEC7 EMM Suite Web service.
Log in to the ISEC7 EMM Console. Navigate to Administration >> Configuration >> Apache Tomcat. Validate the session timeout has been set to the correct value. Alternatively, allow the console to sit for 15 minutes and confirm that you are prompted to login once again when attempting to navigate to a new screen. If the EMM Console timeout has not been set for 15 minutes or less, this is a finding.
Log in to the ISEC7 EMM Console. Navigate to Administration >> Configuration >> Apache Tomcat. Set the session timeout to the correct value of 15 minutes or less.
Login to the EMM Console. Navigate to Administration >> Configuration >> Apache Tomcat Settings. Verify sslProtocol is set to TLSv1.2. If the sslProtocol is not set to TLSv1.2, this is a finding.
Login to the EMM Console. Navigate to Administration >> Configuration >> Apache Tomcat Settings. Using the dropdown menu for sslProtocol, select TLSv1.2. Click Update. Restart the ISEC7 EMM Suite Web service.
Log in to the ISEC7 EMM Console. Note if the appropriate Standard mandatory DoD Notice and Consent Banner is displayed. Alternatively, if already logged into the ISEC7 EMM Console, navigate to Administration >> User Self Service >> Page Customizations. Verify that a Page Customization exists to display the Standard mandatory DoD Notice and Consent Banner. If a Page Customization does not exist or it does not contain the required DoD banner, this is a finding.
Login to the ISEC7 EMM Suite console. Navigate to Administration >> User Self Service >> Page Customizations. Enter a name for the banner page customization and select Add. In the new window, select Edit for the English Disclaimer and paste the DoD Standard Disclaimer Warning text. Select Confirm.
Login to the ISEC7 EMM Suite console. Navigate to Administration >> Configuration >> Global Permissions. Verify for each Role (Security Administrator, Site Administrator, Help Desk User) that at least one user or AD group has been assigned. If for each Role (Security Administrator, Site Administrator, Help Desk User) there is not at least one user (or AD group) assigned, this is a finding.
Login to the ISEC7 EMM Suite console. Navigate to Administration >> Configuration >> Global Permissions. Assign at least one user or AD group to each of the following roles, Security Administrator, Site Administrator, Help Desk User.
Login to the ISEC7 EMM Suite console. Navigate to Administration >> Configuration >> Notifications >> Recipient Lists. Select Edit next to the Systems Notifications. Verify the email address or distribution list has been added. If a recipient email address or distribution list has not been added to System Notifications, this is a finding.
Login to the ISEC7 EMM Suite console. Navigate to Administration >> Configuration >> Notifications >> Recipient Lists. Select Edit next to the Systems Notifications. Under Add recipient, select Email as the Type and enter the correct email address of recipients. Select Add.
Login to the server(s) hosting the ISEC7 EMM Suite application. Open the Microsoft Management Console and add the Local Computer Certificates snap-in. Open the Trusted Root Certification Authorities >> Certificates. Verify the DoD Root PKI Certificates Authorities have been added to the server. If the DoD Root PKI Certificates Authorities have not been added to the server, this is a finding.
Login to the server(s) hosting the ISEC7 EMM Suite application. Open the Microsoft Management Console and add the Local Computer Certificates snap-in. Open the Trusted Root Certification Authorities >> Certificates. Install the DoD Root PKI Certificates Authorities to the server.
Log in to the ISEC7 EMM Console. Navigate to Administration >> Configuration >> Settings. Verify the CAC login box has been checked. On the ISEC7 EMM Suite server, browse to the install directory. Default is %Install Drive%/Program Files/ISEC7 EMM Suite. Select the conf folder. Open config.properties and confirm the following lines exist: cacUserUIDRegex=^CN=[^0-9]*\\.([0-9]+), cacUserUIDProperty=UserPrincipalName Browse to %Install Drive%/Program Files >> ISEC7 EMM Suite >> Tomcat >> conf. Confirm the server.xml file has clientAuth="required" under the Connection. If the required lines do not exist in config.properties or if clientAuth is not set to "required" in the server.xml file, this is a finding.
Log in to the ISEC7 EMM Console. Navigate to Administration >> Configuration >> Settings. Check the CAC login box. On the ISEC7 EMM Suite server, browse to the install directory. Default is %Install Drive%/Program Files/ISEC7 EMM Suite. Select the conf folder. Open config.properties and add the following lines: cacUserUIDRegex=^CN=[^0-9]*\\.([0-9]+), cacUserUIDProperty=UserPrincipalName Browse to %Install Drive%/Program Files >> ISEC7 EMM Suite >> Tomcat >> conf. Open the server.xml file and add clientAuth="required" under the Connection.
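The config.properties lines above can be exercised before CAC login is enabled. This is an added example, not ISEC7 code: it assumes the file is read with Java .properties escaping, that the regex is applied to the certificate subject DN with capture group 1 taken as the user UID, and that the trailing comma belongs to the regex; all subject DNs are constructed.

```python
"""Exercise the cacUserUIDRegex setting from config.properties (added example)."""
import re

# The two lines from this page, exactly as they would sit in config.properties.
CONFIG = r"""
cacUserUIDRegex=^CN=[^0-9]*\\.([0-9]+),
cacUserUIDProperty=UserPrincipalName
"""

# Same line typed with a single backslash (constructed mistake).
SINGLE_BACKSLASH = r"cacUserUIDRegex=^CN=[^0-9]*\.([0-9]+),"

# Constructed subject DNs.
DN_TYPICAL = "CN=DOE.JOHN.A.1234567890, OU=USA, OU=PKI, OU=DoD, O=U.S. Government, C=US"
DN_DIGIT_IN_NAME = "CN=DOE.JOHN.A.2ND.1234567890, OU=USA, OU=PKI, OU=DoD, C=US"
DN_CN_NOT_FIRST = "C=US, O=U.S. Government, OU=DoD, CN=DOE.JOHN.A.1234567890,"


def _unescape(raw):
    """Apply .properties backslash escapes (\\uXXXX is not handled here)."""
    simple = {"t": "\t", "n": "\n", "r": "\r", "f": "\f"}
    out, i = [], 0
    while i < len(raw):
        if raw[i] == "\\" and i + 1 < len(raw):
            nxt = raw[i + 1]
            out.append(simple.get(nxt, nxt))  # "\\" -> "\", "\." -> "."
            i += 2
        else:
            out.append(raw[i])
            i += 1
    return "".join(out)


def load_properties(text):
    """Minimal .properties reader: key=value lines, '#' and '!' comment lines."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!" or "=" not in line:
            continue
        key, raw = line.split("=", 1)  # the regex itself contains '='
        props[key.strip()] = _unescape(raw.strip())
    return props


def extract_uid(props, subject_dn):
    """Return capture group 1 of cacUserUIDRegex, or None when the DN does not match."""
    match = re.search(props["cacUserUIDRegex"], subject_dn)
    return match.group(1) if match else None


if __name__ == "__main__":
    props = load_properties(CONFIG)
    print("effective regex:", props["cacUserUIDRegex"])
    for dn in (DN_TYPICAL, DN_DIGIT_IN_NAME, DN_CN_NOT_FIRST):
        print(extract_uid(props, dn), "<-", dn)
    # With one backslash the dot is unescaped and consumes the first digit.
    print(extract_uid(load_properties(SINGLE_BACKSLASH), DN_TYPICAL))
```

A DN with a digit in the name part, or with CN not in first position, yields no UID under this pattern, so such certificates would need to be tested before clientAuth="required" is enforced.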
Log in to the ISEC7 EMM Console. Confirm that the browser session is secured using a DoD issued certificate. Internet Explorer: Click on the Padlock icon at the end of the url field. Select View Certificates. Confirm that the Issued By is a valid DoD Certificate Authority. Google Chrome: Click on the Padlock icon at the front of the url field. Select Certificate. Confirm that the Issued By is a valid DoD Certificate Authority. Alternately, Log in to the ISEC7 EMM Console. Navigate to Administration >> Configuration >> Apache Tomcat Settings. Identify which type of Keystore is being used. Windows MY: Open the Microsoft Management Console. Add the Certificates Snap-In for the ISEC7 Service Account. Navigate to the Personal Certificates Store. Verify the certificate is issued by a DoD Trusted Certificate Authority. JavaKeystore PKCS12: Using a Keystore browser such as Portecle, open the ISEC7 EMM Suite keystore. Enter the Keystore password when prompted. Open the installed certificate and verify it was issued by a DoD Trusted Certificate Authority. If certificates used by the server are not DoD issued certificates, this is a finding.
Submit a CSR for a DoD Issued Certificate with the private key. Retrieve the approved certificate from the issuing Certificate Authority. Set the friendly name on the certificate to https. Windows-MY: Open the Microsoft Management Console. Add the Certificates Snap-In for the ISEC7 Service Account. Navigate to the Personal Certificates Store. Import the certificate with Private key. Log in to the ISEC7 EMM Console. Navigate to Administration >> Configuration >> Apache Tomcat Settings. Set the Keystore Type to Windows-MY. JavaKeystore: Using a Keystore browser such as Portecle, open the ISEC7 EMM Suite keystore. Enter the Keystore password when prompted. Delete the self-signed certificate in the keystore. Import the DoD issued certificate with the private key. Enter the key password when prompted. Enter the certificate alias as https when prompted. Save the keystore with the same keystore password. Log in to the ISEC7 EMM Console. Navigate to Administration >> Configuration >> Apache Tomcat Settings. Verify the Keystore type is set to JavaKeystore PKCS12. Navigate to Administration >> Configuration >> Apache Tomcat Settings. Using the dropdown menu for "sslProtocol", select TLSv1.2. Select Update at the bottom of the page. Restart the ISEC7 EMM Suite Web service.
Log in to the ISEC7 EMM Console. Confirm that the browser session is secured using a DoD issued certificate. Internet Explorer: Click on the Padlock icon at the end of the URL field. Select View Certificates. Confirm that the Issued By is a valid DoD Certificate Authority. Google Chrome: Click on the Padlock icon at the front of the URL field. Select Certificate. Confirm that the Issued By is a valid DoD Certificate Authority. Alternately, log in to the ISEC7 EMM Console. Navigate to Administration >> Configuration >> Apache Tomcat Settings. Identify which type of Keystore is being used. Windows MY: Open the Microsoft Management Console. Add the Certificates Snap-In for the ISEC7 Service Account. Navigate to the Personal Certificates Store. Verify the certificate is issued by a DoD Trusted Certificate Authority. JavaKeystore PKCS12: Using a Keystore browser such as Portecle, open the ISEC7 EMM Suite keystore. Enter the Keystore password when prompted. Open the installed certificate and verify it was issued by a DoD Trusted Certificate Authority. If certificates used by the server are not DoD issued certificates, this is a finding.
Submit a CSR for a DoD Issued Certificate with the private key. Retrieve the approved certificate from the issuing Certificate Authority. Set the friendly name on the certificate to https. Windows-MY: Open the Microsoft Management Console. Add the Certificates Snap-In for the ISEC7 Service Account. Navigate to the Personal Certificates Store. Import the certificate with Private key. Log in to the ISEC7 EMM Console. Navigate to Administration >> Configuration >> Apache Tomcat Settings. Set the Keystore Type to Windows-MY. JavaKeystore: Using a Keystore browser such as Portecle, open the ISEC7 EMM Suite keystore. Enter the Keystore password when prompted. Delete the self-signed certificate in the keystore. Import the DoD issued certificate with the private key. Enter the key password when prompted. Enter the certificate alias as https when prompted. Save the keystore with the same keystore password. Log in to the ISEC7 EMM Console. Navigate to Administration >> Configuration >> Apache Tomcat Settings. Verify the Keystore type is set to JavaKeystore PKCS12.
Log in to the ISEC7 EMM Console. Confirm that the browser session is secured using a DoD issued certificate. Alternately, log in to the ISEC7 EMM Console. Navigate to Administration >> Configuration >> Apache Tomcat Settings. Identify which type of Keystore is being used. Windows MY: Open the Microsoft Management Console. Add the Certificates Snap-In for the ISEC7 Service Account. Navigate to the Personal Certificates Store. Verify the certificate is issued by a DoD Trusted Certificate Authority. JavaKeystore PKCS12: Using a Keystore browser such as Portecle, open the ISEC7 EMM Suite keystore. Enter the Keystore password when prompted. Open the installed certificate and verify it was issued by a DoD Trusted Certificate Authority. If certificates used by the server are not DoD issued certificates, this is a finding.
Submit a CSR for a DoD Issued Certificate with the private key. Retrieve the approved certificate from the issuing Certificate Authority. Set the friendly name on the certificate to https. Windows-MY: Open the Microsoft Management Console. Add the Certificates Snap-In for the ISEC7 Service Account. Navigate to the Personal Certificates Store. Import the certificate with Private key. Log in to the ISEC7 EMM Console. Navigate to Administration >> Configuration >> Apache Tomcat Settings. Set the Keystore Type to Windows-MY. JavaKeystore: Using a Keystore browser such as Portecle, open the ISEC7 EMM Suite keystore. Enter the Keystore password when prompted. Delete the self-signed certificate in the keystore. Import the DoD issued certificate with the private key. Enter the key password when prompted. Enter the certificate alias as https when prompted. Save the keystore with the same keystore password. Log in to the ISEC7 EMM Console. Navigate to Administration >> Configuration >> Apache Tomcat Settings. Verify the Keystore type is set to JavaKeystore PKCS12.
Log in to the ISEC7 EMM Console. Confirm that the browser session is secured using a DoD issued certificate. Alternately, log in to the ISEC7 EMM Console. Navigate to Administration >> Configuration >> Apache Tomcat Settings. Identify which type of Keystore is being used. Windows MY: Open the Microsoft Management Console. Add the Certificates Snap-In for the ISEC7 Service Account. Navigate to the Personal Certificates Store. Verify the certificate is issued by a DoD Trusted Certificate Authority. JavaKeystore PKCS12: Using a Keystore browser such as Portecle, open the ISEC7 EMM Suite keystore. Enter the Keystore password when prompted. Open the installed certificate and verify it was issued by a DoD Trusted Certificate Authority. If certificates used by the server are not DoD issued certificates, this is a finding.
Log in to the ISEC7 EMM Suite Monitor server. Browse to the Java Install\Lib\Security. Edit the Java.Security file. Add the following entries in bold to the Java.Security file:
security.provider.1=com.rsa.jsafe.provider.JsafeJCE
security.provider.2=sun.security.provider.Sun
security.provider.3=sun.security.rsa.SunRsaSign
security.provider.4=sun.security.ec.SunEC
security.provider.5=com.sun.net.ssl.internal.ssl.Provider JsafeJCE
security.provider.6=com.sun.crypto.provider.SunJCE
security.provider.7=sun.security.jgss.SunProvider
security.provider.8=com.sun.security.sasl.Provider
security.provider.9=org.jcp.xml.dsig.internal.dom.XMLDSigRI
security.provider.10=sun.security.smartcardio.SunPCSC
security.provider.11=sun.security.mscapi.SunMSCAPI
com.rsa.cryptoj.jce.kat.strategy=on.load
com.rsa.cryptoj.jce.fips140initialmode=FIPS140_SSL
Open the central log repository and verify the ISEC7 logs have been written to the location of the log server. Alternatively: Log in to the ISEC7 EMM Console. Navigate to Administration >> Configuration >> Apache Tomcat Settings. Verify that the log directory path is set to the desired location. On the ISEC7 EMM Suite server, browse to the install directory. Default is %Install Drive%/Program Files/ISEC7 EMM Suite. Select the conf folder. Open config.properties and verify the logPath is set to the desired location. If ISEC7 EMM logs are not written to an audit log management server, this is a finding.
Log in to the ISEC7 EMM Console. Navigate to Administration >> Configuration >> Apache Tomcat Settings. Set the log directory path to the desired location. On the ISEC7 EMM Suite server, browse to the install directory. Default is %Install Drive%/Program Files/ISEC7 EMM Suite. Select the conf folder. Open config.properties and set the logPath to the desired location of the log server.
Log in to the ISEC7 EMM Console. Navigate to Administration >> Configuration >> Apache Tomcat Settings. Verify that sslProtocol is set to TLS1.2. If the sslProtocol is not set to TLS1.2, this is a finding.
Log in to the ISEC7 EMM Console. Navigate to Administration >> Configuration >> Apache Tomcat Settings. Verify that sslProtocol is set to TLS1.2.
Log in to the ISEC7 EMM Console. Navigate to Administration >> Configuration >> Apache Tomcat Settings. Verify that sslProtocol is set to TLS1.2. If the sslProtocol is not set to TLS1.2, this is a finding.
Log in to the ISEC7 EMM Console. Navigate to Administration >> Configuration >> Apache Tomcat Settings. Verify that sslProtocol is set to TLS1.2.
Log in to the ISEC7 EMM Console. Confirm that the browser session is secured using a DoD issued certificate. Alternately, log in to the ISEC7 EMM Console. Navigate to Administration >> Configuration >> Apache Tomcat Settings. Identify which type of Keystore is being used. Windows MY: Open the Microsoft Management Console. Add the Certificates Snap-In for the ISEC7 Service Account. Navigate to the Personal Certificates Store. Verify the certificate is issued by a DoD Trusted Certificate Authority. JavaKeystore PKCS12: Using a Keystore browser such as Portecle, open the ISEC7 EMM Suite keystore. Enter the Keystore password when prompted. Open the installed certificate and verify it was issued by a DoD Trusted Certificate Authority. If certificates used by the server are not DoD issued certificates, this is a finding.
Submit a CSR for a DoD Issued Certificate with the private key. Retrieve the approved certificate from the issuing Certificate Authority. Set the friendly name on the certificate to https. Windows-MY: Open the Microsoft Management Console. Add the Certificates Snap-In for the ISEC7 Service Account. Navigate to the Personal Certificates Store. Import the certificate with Private key. Log in to the ISEC7 EMM Console. Navigate to Administration >> Configuration >> Apache Tomcat Settings. Set the Keystore Type to Windows-MY. JavaKeystore: Using a Keystore browser such as Portecle, open the ISEC7 EMM Suite keystore. Enter the Keystore password when prompted. Delete the self-signed certificate in the keystore. Import the DoD issued certificate with the private key. Enter the key password when prompted. Enter the certificate alias as https when prompted. Save the keystore with the same keystore password. Log in to the ISEC7 EMM Console. Navigate to Administration >> Configuration >> Apache Tomcat Settings. Verify the Keystore type is set to JavaKeystore PKCS12.
Verify the Manager Web app password has been configured as follows:
- 15 or more characters
- at least one lower case letter
- at least one upper case letter
- at least one number
- at least one special character
Log in to the ISEC7 EMM Suite server. Open a Web browser and go to https://localhost/manager/html. Log in with the custom administrator login and password. Verify password entered meets complexity requirements. If the Manager Web app password has not been configured as required, this is a finding.
To set a strong password on the Manager Web app, run the ISEC7 integrated installer or use the following manual procedure: Log in to the ISEC7 EMM Suite server. Browse to <Drive>:\Program Files\ISEC7 EMM Suite\Tomcat\conf and open Tomcat-Users.xml. Open the Command Prompt and CD to <Drive>:\Program Files\ISEC7 EMM Suite\Tomcat\bin. Execute the following using 'sha' command:
digest -a sha password*
*where password is the 15 character password designated for the account
Copy the output, which is the hashed digest password. In Tomcat-Users.xml, add in the password for the user with the obfuscated output at <user password="**", where ** is the obfuscated password. Example:
<user password="310c55aa3d5b42217e7f0e80ce30467d$100000$529cceb1fbc80f4f461fc1bd56219d79d9c94d4a8fc46abad0646f27e753ff9e" roles="manager-gui,manager-script" username="admin"/>
Save the file. Open <Drive>:\Program Files\ISEC7 EMM Suite\Tomcat\conf\server.xml with Notepad.exe. Enter:
<Realm className="org.apache.catalina.realm.UserDatabaseRealm" resourceName="UserDatabase" digest="sha"/>
Save the file. Restart the ISEC7 EMM Suite Web service using services.msc. Note: the password must meet the following complexity requirements:
- 15 or more characters
- at least one lower case letter
- at least one upper case letter
- at least one number
- at least one special character
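An added example, not part of the STIG or of ISEC7's tooling: a Python check that tests a candidate password against the complexity rules above and flags Tomcat-Users.xml entries whose password is not in the salt$iterations$digest shape of the example line. The "backup" user, the sample passwords and the function names are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample; the first entry is the example line from the procedure.
TOMCAT_USERS = """<tomcat-users xmlns="http://tomcat.apache.org/xml">
  <user password="310c55aa3d5b42217e7f0e80ce30467d$100000$529cceb1fbc80f4f461fc1bd56219d79d9c94d4a8fc46abad0646f27e753ff9e" roles="manager-gui,manager-script" username="admin"/>
  <user password="Tomcat123" roles="manager-gui" username="backup"/>
</tomcat-users>"""

# hex salt, iteration count, hex digest: the shape of the example entry.
DIGEST_FORM = re.compile(r"^[0-9a-f]+\$[0-9]+\$[0-9a-f]+$")

def complexity_gaps(password):
    """Return the complexity rules that a candidate password fails."""
    rules = {
        "15 or more characters": len(password) >= 15,
        "lower case letter": re.search(r"[a-z]", password),
        "upper case letter": re.search(r"[A-Z]", password),
        "number": re.search(r"[0-9]", password),
        "special character": re.search(r"[^A-Za-z0-9]", password),
    }
    return [name for name, ok in rules.items() if not ok]

def cleartext_users(users_xml):
    """Return usernames whose password attribute is not a stored digest."""
    root = ET.fromstring(users_xml)
    # Compare local tag names so the file's XML namespace does not hide entries.
    users = [e for e in root.iter() if e.tag.split("}")[-1] == "user"]
    return [u.get("username") for u in users
            if not DIGEST_FORM.match(u.get("password", ""))]
```

Complexity can only be checked before hashing, so run `complexity_gaps` on the candidate password at the time it is set; the stored digest reveals nothing about length or character classes.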