Log in to the ISEC7 SPHERE Console. Navigate to Administration >> Configuration >> Apache Tomcat Settings. Verify the maxConnections setting is set according to organizational guidelines. Verify the maxThreads setting is set according to organizational guidelines. If the maxConnections setting is not set according to organizational guidelines or the maxThreads setting is not set according to organizational guidelines, this is a finding.
Log in to the ISEC7 SPHERE Console. Navigate to Administration >> Configuration >> Apache Tomcat Settings. Set the maxConnections setting according to organizational guidelines. Set the maxThreads setting according to organizational guidelines. Restart the ISEC7 SPHERE Web service.
Log in to the ISEC7 SPHERE Console. Navigate to Administration >> Configuration >> Apache Tomcat Settings. Validate the session timeout has been set to the correct value. Alternatively, allow the console to sit idle for 15 minutes and confirm the user is prompted to log in again when attempting to navigate to a new screen. If the SPHERE Console timeout has not been set to 15 minutes or less, this is a finding.
Log in to the ISEC7 SPHERE Console. Navigate to Administration >> Configuration >> Apache Tomcat Settings. Set the session timeout to the correct value of 15 minutes or less.
Log in to the ISEC7 SPHERE Console. Navigate to Administration >> Configuration >> Apache Tomcat Settings. Verify "protocols" is set to +TLSv1.2, +TLSv1.3. The list is additive, so an entry such as +TLSv1 or +TLSv1.1 alongside +TLSv1.2 still enables the older version. If "protocols" is not set to +TLSv1.2 or higher, or it enables any version below TLSv1.2, this is a finding.
Log in to the ISEC7 SPHERE Console. Navigate to Administration >> Configuration >> Apache Tomcat Settings. Using the dropdown menu for protocols, select +TLSv1.2, +TLSv1.3. Click "Update". Restart the ISEC7 SPHERE Web service.
Log in to the ISEC7 SPHERE Console. Note if the appropriate Standard mandatory DOD Notice and Consent Banner is displayed. Alternatively, if already logged in to the ISEC7 SPHERE Console, navigate to Administration >> User Self Service >> Page Customizations. Verify that a Page Customization exists to display the Standard mandatory DOD Notice and Consent Banner. If a Page Customization does not exist, or it does not contain the required DOD banner, this is a finding.
Set the session timeout to the correct value of 15 minutes or less.
Log in to the ISEC7 SPHERE console. Navigate to Administration >> Configuration >> Access Permissions. Verify that at least one user or AD group has been assigned to each Role (Security Administrator, Site Administrator, and Help Desk User). If any of these roles has no user or AD group assigned, this is a finding.
Log in to the ISEC7 SPHERE console. Navigate to Administration >> Configuration >> Access Permissions. Assign at least one user or AD group to each of the following roles: Security Administrator, Site Administrator, and Help Desk User.
Log in to the ISEC7 SPHERE console. Navigate to Administration >> Configuration >> Notifications >> Recipient Lists. Select "Edit" next to System Notifications. Verify a recipient email address or distribution list has been added. If a recipient email address or distribution list has not been added to System Notifications, this is a finding.
Log in to the ISEC7 SPHERE console. Navigate to Administration >> Configuration >> Notifications >> Recipient Lists. Select "Edit" next to System Notifications. Under Add recipient, select "Email" as the Type and enter the email address of the recipient or distribution list. Select "Add".
Open the central log repository and verify the ISEC7 logs have been written to the location of the log server. Log in to the ISEC7 SPHERE Console. Navigate to Administration >> Configuration >> Apache Tomcat Settings. Verify that the log directory path is set to the desired location. Alternatively: On the ISEC7 SPHERE server, browse to the install directory. Default is %Install Drive%/Program Files/ISEC7 SPHERE. Select the conf folder. Open config.properties and verify the logPath is set to the desired location. If ISEC7 SPHERE logs are not written to an audit log management server, this is a finding.
Log in to the ISEC7 SPHERE Console. Navigate to Administration >> Configuration >> Apache Tomcat Settings. Set the log directory path to the desired location. Alternatively: On the ISEC7 SPHERE server, browse to the install directory. Default is %Install Drive%/Program Files/ISEC7 SPHERE. Select the conf folder. Open config.properties and set the logPath to the desired location of the log server.
Log in to the ISEC7 SPHERE console. Navigate to Administration >> Configuration >> Account Management >> Users. Select "Edit" next to the local account Admin. Verify "Log in disabled" has been selected. If "Log in disabled" has not been selected, this is a finding.
Log in to the ISEC7 SPHERE console. Navigate to Administration >> Configuration >> Account Management >> Users. Select "Edit" next to the local account Admin. Check "Log in disabled" for the account. Click "Save".
Log in to the server(s) hosting the ISEC7 SPHERE application. Open the Microsoft Management Console and add the Local Computer Certificates snap-in. Open Trusted Root Certification Authorities >> Certificates. Verify the DOD Root Certificate Authority certificates have been added to the server. If the DOD Root CA certificates have not been added to the server, this is a finding.
Log in to the server(s) hosting the ISEC7 SPHERE application. Open the Microsoft Management Console and add the Local Computer Certificates snap-in. Open Trusted Root Certification Authorities >> Certificates. Install the DOD Root Certificate Authority certificates on the server.
Log in to the ISEC7 SPHERE Console. Navigate to Administration >> Configuration >> Settings. Verify the CAC login box has been checked. On the ISEC7 SPHERE server, browse to the install directory. Default is %Install Drive%/Program Files/ISEC7 SPHERE. Select the conf folder. Open config.properties and confirm the following lines exist: cacUserUIDRegex=^CN=[^0-9]*\\.([0-9]+), cacUserUIDProperty=UserPrincipalName Browse to %Install Drive%/Program Files >> ISEC7 SPHERE >> Tomcat >> conf. Confirm the server.xml file has clientAuth="required" on the HTTPS Connector element. Note: clientAuth is the attribute of the older connector syntax; when the connector's TLS settings live in a nested SSLHostConfig element (as in the HTTPS connector example on this page), the equivalent setting is certificateVerification="required" on that element, and certificateVerification="false" leaves smart-card client authentication unenforced. If the required lines do not exist in config.properties, or if client certificate verification is not set to "required" in server.xml, this is a finding.
Log in to the ISEC7 SPHERE Console. Navigate to Administration >> Configuration >> LDAP. Check "Also enable user certificate logins. e.g. from smart cards (CAC)". Check "Only allow certificates with extended key usage for smartcard logon (1.3.6.1.4.1.311.20.2.2)". Browse to %Install Drive%/Program Files >> ISEC7 SPHERE >> Tomcat >> conf. Open the server.xml file and set clientAuth="required" on the HTTPS Connector element (or certificateVerification="required" on its SSLHostConfig element when that syntax is in use). Restart the ISEC7 SPHERE Web service so the connector change takes effect.
Log in to the ISEC7 SPHERE Console. Confirm that the browser session is secured using a DOD issued certificate. Internet Explorer: Click the Padlock icon at the end of the url field. Select "View Certificates". Confirm that the Issued By is a valid DOD Certificate Authority. Google Chrome: Click the Padlock icon at the front of the url field. Select "Certificate". Confirm that the Issued By is a valid DOD Certificate Authority. Alternately, log in to the ISEC7 SPHERE Console. Navigate to Administration >> Configuration >> Apache Tomcat Settings. Identify which type of Keystore is being used. Windows MY: Open the Microsoft Management Console. Add the Certificates Snap-In for the ISEC7 Service Account. Navigate to the Personal Certificates Store. Verify the certificate is issued by a DOD Trusted Certificate Authority. JavaKeystore PKCS12: Using a Keystore browser such as Portecle, open the ISEC7 SPHERE keystore. Enter the Keystore password when prompted. Open the installed certificate and verify it was issued by a DOD Trusted Certificate Authority. If certificates used by the server are not DOD-issued certificates, this is a finding.
Submit a CSR for a DOD-issued certificate with the private key. Retrieve the approved certificate from the issuing Certificate Authority. Set the friendly name on the certificate to https. Windows-MY: Open the Microsoft Management Console. Add the Certificates Snap-In for the ISEC7 Service Account. Navigate to the Personal Certificates Store. Import the certificate with Private key. Log in to the ISEC7 SPHERE Console. Navigate to Administration >> Configuration >> Apache Tomcat Settings. Set the Keystore Type to Windows-MY. Restart the ISEC7 SPHERE Web service. JavaKeystore: Using a Keystore browser such as Portecle, open the ISEC7 SPHERE Suite keystore. Enter the Keystore password when prompted. Delete the self-signed certificate in the keystore. Import the DOD-issued certificate with the private key. Enter the key password when prompted. Enter the certificate alias as "https" when prompted. Save the keystore with the same keystore password. Log in to the ISEC7 SPHERE Console. Navigate to Administration >> Configuration >> Apache Tomcat Settings. Verify the Keystore type is set to JavaKeystore PKCS12. Restart the ISEC7 SPHERE Web service.
Log in to the ISEC7 SPHERE Server. Navigate to %Install Drive%/Program Files/ISEC7 SPHERE/tomcat/bin. Run tomcat9w.bat and select the JAVA tab in the window that opens. Under "Java options" verify "-Djavax.net.ssl.trustStoreType=Windows-ROOT" is listed. If "-Djavax.net.ssl.trustStoreType=Windows-ROOT" is not listed, this is a finding.
Log in to the ISEC7 SPHERE Server. Navigate to %Install Drive%/Program Files/ISEC7 SPHERE/tomcat/bin. Run tomcat9w.bat and select the JAVA tab in the window that opens. Under "Java options" add "-Djavax.net.ssl.trustStoreType=Windows-ROOT" and select "OK". Restart the ISEC7 SPHERE Web service.
Log in to the ISEC7 SPHERE Console. Navigate to Administration >> Configuration >> LDAP. Verify that an LDAP entry has been configured for the enterprise directory. Select "Edit" and confirm the "Use for Login" check box has been selected. Navigate to Administration >> Configuration >> Settings. Verify that Log in using (Default) has been set to the enterprise connection. If an LDAP entry has not been configured for the enterprise directory, or Log in using (Default) has not been set to the enterprise connection, this is a finding.
Log in to the ISEC7 SPHERE Console. Navigate to Administration >> Configuration >> LDAP. Select "Add new LDAP". Provide the connection information for the enterprise LDAP directory. Check the box "Use for Login". Navigate to Administration >> Configuration >> Settings. Set Log in using (Default) to the enterprise connection.
Log in to the ISEC7 SPHERE Console. Navigate to Administration >> Configuration >> Apache Tomcat Settings. Verify that the type of Keystore being used is Windows-MY. If the type of Keystore being used is not Windows-MY, this is a finding.
Log in to the ISEC7 SPHERE Console. Navigate to Administration >> Configuration >> Apache Tomcat Settings. Select Windows-MY as the type of Keystore to be used. Restart the ISEC7 SPHERE Web service.
Log in to the ISEC7 SPHERE Console. Confirm that the browser session is secured using a DOD issued certificate. Alternately, log in to the ISEC7 SPHERE Console. Navigate to Administration >> Configuration >> Apache Tomcat Settings. Identify which type of Keystore is being used. Windows MY: Open the Microsoft Management Console. Add the Certificates Snap-In for the ISEC7 Service Account. Navigate to the Personal Certificates Store. Verify the certificate is issued by a DOD Trusted Certificate Authority. JavaKeystore PKCS12: Using a Keystore browser such as Portecle, open the ISEC7 SPHERE keystore. Enter the Keystore password when prompted. Open the installed certificate and verify it was issued by a DOD Trusted Certificate Authority. If certificates used by the server are not DOD issued certificates, this is a finding.
Submit a CSR for a DOD Issued Certificate with the private key. Retrieve the approved certificate from the issuing Certificate Authority. Set the friendly name on the certificate to https. Windows-MY: Open the Microsoft Management Console. Add the Certificates Snap-In for the ISEC7 Service Account. Navigate to the Personal Certificates Store. Import the certificate with Private key. Log in to the ISEC7 SPHERE Console. Navigate to Administration >> Configuration >> Apache Tomcat Settings. Set the Keystore Type to Windows-MY. Restart the ISEC7 SPHERE Web service. JavaKeystore: Using a Keystore browser such as Portecle, open the ISEC7 SPHERE keystore. Enter the Keystore password when prompted. Delete the self-signed certificate in the keystore. Import the DOD issued certificate with the private key. Enter the key password when prompted. Enter the certificate alias as https when prompted. Save the keystore with the same keystore password. Log in to the ISEC7 SPHERE Console. Navigate to Administration >> Configuration >> Apache Tomcat Settings. Verify the Keystore type is set to JavaKeystore PKCS12. Restart the ISEC7 SPHERE Web service.
Verify the Apache Tomcat Manager Web app password is hashed using SHA-256 (or SHA-512). Log in to the ISEC7 SPHERE server. Navigate to <Drive>:\Program Files\ISEC7 SPHERE\Tomcat\conf\. Open tomcat-users.xml and verify the password attribute of each user holds a salted hash in the form hex salt$iterations$hex digest rather than a clear-text value. ex: <user password="310c55aa3d5b42217e7f0e80ce30467d$100000$529cceb1fbc80f4f461fc1bd56219d79d9c94d4a8fc46abad0646f27e753ff9e" roles="manager-gui,manager-script" username="admin"/> Open <Drive>:\Program Files\ISEC7 SPHERE\Tomcat\conf\server.xml with Notepad.exe. Select Edit >> Find and search for CredentialHandler. Confirm the text: <CredentialHandler algorithm="PBKDF2WithHmacSHA512" keyLength="256" /> (PBKDF2 keyed with HMAC-SHA-512 is what the integrated installer configures; the manual procedure instead yields a MessageDigestCredentialHandler with algorithm="SHA-256", which is also acceptable). Close the file. If the Apache Tomcat Manager Web app password is not hashed using SHA-256 (or SHA-512), this is a finding.
To hash the Tomcat Manager Web app password, run the ISEC7 integrated installer or use the following manual procedure. Note: The ISEC7 integrated installer configures PBKDF2 with HMAC-SHA-512 as the hash algorithm, which is not available with the manual procedure. The manual procedure configures salted SHA-256. Both are DOD approved. Log in to the ISEC7 SPHERE server. Browse to <Drive>:\Program Files\ISEC7 SPHERE\Tomcat\conf and open tomcat-users.xml. Open the Command Prompt and CD to <Drive>:\Program Files\ISEC7 SPHERE\Tomcat\bin. Execute the following command (the tool is digest.bat on Windows): digest -a SHA-256 -h org.apache.catalina.realm.MessageDigestCredentialHandler password* *Where password is the 15 character password designated for the account. The tool prints the clear-text password, a colon, and then the salted SHA-256 digest in the form hex salt$iterations$hex digest; copy only the part after the colon. In tomcat-users.xml, set the user's password attribute to that value. ex: <user password="310c55aa3d5b42217e7f0e80ce30467d$100000$529cceb1fbc80f4f461fc1bd56219d79d9c94d4a8fc46abad0646f27e753ff9e" roles="manager-gui,manager-script" username="admin"/> Save the file. Open <Drive>:\Program Files\ISEC7 SPHERE\Tomcat\conf\server.xml with Notepad.exe. Select Edit >> Find and search for CredentialHandler. Replace the text with: <CredentialHandler className="org.apache.catalina.realm.MessageDigestCredentialHandler" algorithm="SHA-256" /> Save the file. Restart the ISEC7 SPHERE Web service.
Verify CATALINA_HOME/webapps Tomcat administrative tool has been configured to remove all Web applications that are not required. Log in to the ISEC7 SPHERE server. Browse to <Drive>:\Program Files\ISEC7 SPHERE\Tomcat\webapps\ Confirm all folders in the directory with the exception of Manager and Host-Manager have been removed. If the CATALINA_HOME/webapps Tomcat administrative tool has not been configured to remove all Web applications that are not required, this is a finding.
To configure the CATALINA_HOME/webapps Tomcat administrative tool to remove all Web applications that are not required, run the ISEC7 integrated installer or use the following manual procedure: Log in to the ISEC7 SPHERE server. Browse to <Drive>:\Program Files\ISEC7 SPHERE\Tomcat\webapps\ Remove all folders in the directory with the exception of Manager and Host-Manager.
Log in to the ISEC7 SPHERE server. Navigate to <Drive>:\Program Files\ISEC7 SPHERE\Tomcat\conf. Open the server.xml file with Notepad. Select Edit >> Find and search for LockOutRealm. Confirm the following element is in the server.xml file and that it wraps the realm that actually authenticates users (the LockOutRealm's closing </Realm> comes after the inner Realm): <Realm className="org.apache.catalina.realm.LockOutRealm"> If it is not found or has been commented out, this is a finding. If the LockOutRealm has been removed and cannot be used, this is a finding.
Log in to the ISEC7 SPHERE server. Navigate to <Drive>:\Program Files\ISEC7 SPHERE\Tomcat\conf. Open the server.xml file with Notepad. Select Edit >> Find and search for LockOutRealm. Add the following element to the server.xml file so that it encloses the existing Realm (for example the UserDatabaseRealm), closing it with </Realm> after that inner realm: <Realm className="org.apache.catalina.realm.LockOutRealm"> Restart the ISEC7 SPHERE Web service in services.msc.
Verify the failureCount parameter is set to 3 in the LockOutRealm configuration (failureCount is the number of consecutive failed logins that locks the account; Tomcat's default is 5). Log in to the ISEC7 SPHERE server. Navigate to <Drive>:\Program Files\ISEC7 SPHERE\Tomcat\conf. Open the server.xml file with Notepad. Select Edit >> Find and search for LockOutRealm. Verify the failureCount parameter is set to 3 on the element: <Realm className="org.apache.catalina.realm.LockOutRealm" failureCount="3" lockOutTime="900" > If the failureCount parameter is not set to 3 in the LockOutRealm configuration, this is a finding.
Add the failureCount parameter to the LockOutRealm configuration: Log in to the ISEC7 SPHERE server. Navigate to <Drive>:\Program Files\ISEC7 SPHERE\Tomcat\conf. Open the server.xml file with Notepad. Select Edit >> Find and search for LockOutRealm. Set the LockOutRealm element in server.xml to: <Realm className="org.apache.catalina.realm.LockOutRealm" failureCount="3" lockOutTime="900" > Restart the ISEC7 SPHERE Web service in services.msc.
Verify the lockOutTime parameter is set to 900 in the LockOutRealm configuration (lockOutTime is the number of seconds the account stays locked, so 900 is 15 minutes; Tomcat's default is 300). Log in to the ISEC7 SPHERE server. Navigate to <Drive>:\Program Files\ISEC7 SPHERE\Tomcat\conf. Open the server.xml file with Notepad. Select Edit >> Find and search for LockOutRealm. Verify the lockOutTime parameter is set to 900 on the element: <Realm className="org.apache.catalina.realm.LockOutRealm" failureCount="3" lockOutTime="900" > If the lockOutTime parameter is not set to 900 in the LockOutRealm configuration, this is a finding.
Add the lockOutTime parameter to the LockOutRealm configuration: Log in to the ISEC7 SPHERE server. Navigate to <Drive>:\Program Files\ISEC7 SPHERE\Tomcat\conf. Open the server.xml file with Notepad. Select Edit >> Find and search for LockOutRealm. Set the LockOutRealm element in server.xml to: <Realm className="org.apache.catalina.realm.LockOutRealm" failureCount="3" lockOutTime="900" > Restart the ISEC7 SPHERE Web service in services.msc.
Verify the Manager Web app password has been configured as follows: -15 or more characters. -at least one lower case letter. -at least one upper case letter. -at least one number. -at least one special character. Log in to the ISEC7 SPHERE server. Open a Web browser and go to https://localhost/manager/html. Log in with the custom administrator login and password. Verify password entered meets complexity requirements. If the Manager Web app password has not been configured as required, this is a finding.
To set a strong password on the Manager Web app, run the ISEC7 integrated installer or use the following manual procedure: Log in to the ISEC7 SPHERE server. Browse to <Drive>:\Program Files\ISEC7 SPHERE\Tomcat\conf and open tomcat-users.xml. Open the Command Prompt and CD to <Drive>:\Program Files\ISEC7 SPHERE\Tomcat\bin. Execute the following (digest.bat on Windows): digest -a sha password* *Where password is the 15 character password designated for the account. Note: the algorithm name "sha" resolves to SHA-1 in Java, and the digest attribute on the Realm shown below is the Tomcat 7 syntax that Tomcat 8 and later do not recognise (they configure hashing through a nested CredentialHandler element). On the Tomcat 9 installation this page describes, use the SHA-256 digest command and the CredentialHandler element from the password-hashing fix above instead, so the stored value also satisfies that check. Copy the output after the colon, which is the hashed digest password. In tomcat-users.xml, add in the password for the user with the obfuscated output at <user password="**", where ** is the obfuscated password. example: <user password="310c55aa3d5b42217e7f0e80ce30467d$100000$529cceb1fbc80f4f461fc1bd56219d79d9c94d4a8fc46abad0646f27e753ff9e" roles="manager-gui,manager-script" username="admin"/> Save the file. Open <Drive>:\Program Files\ISEC7 SPHERE\Tomcat\conf\server.xml with Notepad.exe. Enter: <Realm className="org.apache.catalina.realm.UserDatabaseRealm" resourceName="UserDatabase" digest="sha"/> Save the file. Restart the ISEC7 SPHERE Web service using services.msc. Note: the password must meet the following complexity requirements: -15 or more characters. -at least one lower case letter. -at least one upper case letter. -at least one number. -at least one special character.
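The two password procedures above (the SHA-256/PBKDF2 CredentialHandler check and the Manager Web app complexity check) come down to three questions an assessor can script: does each stored value have Tomcat's salted salt$iterations$digest shape rather than clear text, does a candidate password actually verify against a PBKDF2WithHmacSHA512 entry, and does a new password meet the 15-character policy. The Python below is an added example written for this page, not ISEC7 or Tomcat code. The tomcat-users.xml content, the user names and the candidate password are constructed (the hashed entry reuses the example value quoted above), and the 100000-iteration threshold in audit_tomcat_users is this example's own choice.

```python
import hashlib
import re
import secrets
import xml.etree.ElementTree as ET

# Tomcat stores a salted credential as hex(salt)$iterations$hex(digest); both the
# MessageDigestCredentialHandler and the PBKDF2 SecretKeyCredentialHandler use it.
STORED_RE = re.compile(r"^([0-9a-f]+)\$(\d+)\$([0-9a-f]+)$", re.IGNORECASE)

# Constructed tomcat-users.xml (not a real ISEC7 file): the first entry is a
# clear-text password, the second is the PBKDF2 example quoted on this page.
SAMPLE_TOMCAT_USERS = """<tomcat-users>
  <role rolename="manager-gui"/>
  <user username="legacy" password="Sph3re!Manager#2019" roles="manager-gui"/>
  <user username="admin" roles="manager-gui,manager-script"
        password="310c55aa3d5b42217e7f0e80ce30467d$100000$529cceb1fbc80f4f461fc1bd56219d79d9c94d4a8fc46abad0646f27e753ff9e"/>
</tomcat-users>"""

# Password policy from the check text: 15+ chars, lower, upper, digit, special.
COMPLEXITY_RULES = [
    ("15 or more characters", lambda p: len(p) >= 15),
    ("at least one lower case letter", lambda p: re.search(r"[a-z]", p) is not None),
    ("at least one upper case letter", lambda p: re.search(r"[A-Z]", p) is not None),
    ("at least one number", lambda p: re.search(r"[0-9]", p) is not None),
    ("at least one special character", lambda p: re.search(r"[^A-Za-z0-9]", p) is not None),
]


def complexity_failures(password):
    """Names of the policy rules the candidate password does not meet."""
    return [name for name, ok in COMPLEXITY_RULES if not ok(password)]


def pbkdf2_sha512_credential(password, iterations=100000, key_bits=256, salt=None):
    """Build what <CredentialHandler algorithm="PBKDF2WithHmacSHA512" keyLength="256"/>
    stores. Java's PBKDF2 hashes the UTF-8 bytes of the password, so hashlib agrees."""
    salt = secrets.token_bytes(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha512", password.encode("utf-8"), salt, iterations,
                                 dklen=key_bits // 8)
    return f"{salt.hex()}${iterations}${digest.hex()}"


def verify_pbkdf2_credential(password, stored):
    """Check a candidate password against a stored PBKDF2WithHmacSHA512 credential."""
    m = STORED_RE.match(stored)
    if m is None:
        return False
    salt, iterations, digest = bytes.fromhex(m.group(1)), int(m.group(2)), bytes.fromhex(m.group(3))
    candidate = hashlib.pbkdf2_hmac("sha512", password.encode("utf-8"), salt, iterations,
                                    dklen=len(digest))
    return secrets.compare_digest(candidate, digest)


def audit_tomcat_users(xml_text, min_iterations=100000):
    """Per user, the storage problems an assessor would write up. min_iterations is
    this example's threshold (Tomcat's PBKDF2 handler defaults to 100000)."""
    report = {}
    for user in ET.fromstring(xml_text).iter("user"):
        name = user.get("username") or user.get("name")
        stored = user.get("password") or ""
        issues = []
        m = STORED_RE.match(stored)
        if m is None:
            issues.append("password stored in clear text")
        else:
            if int(m.group(2)) < min_iterations:
                issues.append(f"only {m.group(2)} iterations")
            if len(m.group(3)) < 64:  # 64 hex chars = the 256-bit key configured on this page
                issues.append(f"digest is {len(m.group(3)) * 4} bits, expected at least 256")
        report[name] = issues
    return report


if __name__ == "__main__":
    new_password = "Manag3r-App!Pass2024"  # constructed candidate for the demo
    print("policy failures:", complexity_failures(new_password) or "none")
    cred = pbkdf2_sha512_credential(new_password)
    print('<user username="admin" password="%s" roles="manager-gui,manager-script"/>' % cred)
    print("verifies:", verify_pbkdf2_credential(new_password, cred))
    print("audit:", audit_tomcat_users(SAMPLE_TOMCAT_USERS))
```

The verifier uses a constant-time comparison and derives the key length from the stored digest, so the same function checks a keyLength="256" entry and a longer one. For a SHA-256 MessageDigestCredentialHandler entry produced by the manual procedure, only the digest computation differs; the stored format and the clear-text check are the same.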
Verify HTTPS has been enabled so the console uses HTTP over TLS: Open a web browser that is able to reach the ISEC7 SPHERE console. Verify that the address used has a prefix of "https://". Alternately: Log in to the ISEC7 SPHERE server. Open the server.xml file located at <Drive>:\Program Files\ISEC7 SPHERE\Tomcat\conf with Notepad.exe. Select Edit >> Find and search for port="443". Confirm the connector is present and not commented out. If HTTPS has not been enabled, this is a finding.
To enable HTTPS (HTTP over TLS), run the ISEC7 integrated installer or use the following manual procedure: Log in to the ISEC7 SPHERE server. Open the server.xml file located at <Drive>:\Program Files\ISEC7 SPHERE\Tomcat\conf with Notepad.exe. Select Edit >> Find and search for port="443". If the connector is not present, add one such as: <Connector SSLEnabled="true" maxParameterCount="1000" maxThreads="200" port="443" protocol="org.apache.coyote.http11.Http11NioProtocol" scheme="https" secure="true" sslImplementationName="org.apache.tomcat.util.net.jsse.JSSEImplementation"> <SSLHostConfig certificateVerification="false" ciphers="HIGH:!aNULL:!MD5:!3DES:!ARIA:!SHA:!CAMELLIA:!AES128-CCM8:!AES128-CCM:!AES256-CCM8:!AES256-CCM:!DHE" honorCipherOrder="true" protocols="+TLSv1.2,+TLSv1.3"> <Certificate certificateKeyAlias="https" certificateKeystoreFile="" certificateKeystoreType="Windows-MY"/> </SSLHostConfig> </Connector> Modify the certificateKeystoreFile path and certificateKeystorePassword as needed, or keep certificateKeystoreType="Windows-MY" to use the service account's Windows certificate store. Note that certificateVerification="false" in this example does not request a client certificate; where CAC login is required, set certificateVerification="required" on the SSLHostConfig element. If the connector has been commented out, remove the comment characters. Save the file. Restart the ISEC7 SPHERE Web service.
Verify stack tracing has been disabled in Apache Tomcat. Navigate to the ISEC7 SPHERE installation directory: <Drive>:\Program Files\ISEC7 SPHERE\web\WEB-INF. Open web.xml with Notepad.exe. Scroll to the end of the file. Confirm the following exists and is not wrapped in comment tags (<!-- and -->): <error-page> <exception-type>java.lang.Exception</exception-type> <location>/exception.jsp</location> </error-page> If stack tracing has not been disabled in Apache Tomcat, this is a finding.
Replace the default error page, which includes the stack trace, by updating the web application web.xml file. Navigate to the ISEC7 SPHERE installation directory: <Drive>:\Program Files\ISEC7 SPHERE\web\WEB-INF. Open web.xml with Notepad.exe. Scroll to the end of the file. Remove the comment tags (<!-- and -->) around: <!-- <error-page> <exception-type>java.lang.Exception</exception-type> <location>/exception.jsp</location> </error-page> --> Save the changes. This will acknowledge to the user that an exception occurred without showing any trace or source information.
Verify the shutdown port is disabled. Log in to the SPHERE server. Browse to Program Files\ISEC7 SPHERE\Tomcat\conf. Open server.xml with Notepad.exe. Select Edit >> Find, and then search for "shutdown". Verify that the shutdown listener has been disabled on the <Server> element with the entry below: shutdown="-1" Note: in Tomcat it is the port attribute of the <Server> element that opens the listener (port="-1" disables it); the shutdown attribute only sets the command string a client must send. A <Server> element with shutdown="-1" but port="8005" still stops Tomcat for any local process that sends the string -1, so confirm port="-1" on the same element as well. If the shutdown port has not been disabled, this is a finding.
Log in to the SPHERE server. Browse to Program Files\ISEC7 SPHERE\Tomcat\conf. Open server.xml with Notepad.exe. Select Edit >> Find, and then search for "shutdown". Change the shutdown value to "-1" and set port="-1" on the same <Server> element, which is what actually disables the listener. example: shutdown="-1" Save the file and restart the ISEC7 SPHERE Web service with services.msc.
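Added example, not part of the STIG or of ISEC7's tooling: the server.xml checks on this page (the shutdown listener, the HTTPS connector and its TLS protocol list, client certificate verification for CAC login, the LockOutRealm thresholds, and the CredentialHandler algorithm) expressed as one audit script. Both server.xml fragments are constructed for the demo, the finding strings are this example's own, and the hardened fragment uses certificateVerification="required" and the SecretKeyCredentialHandler class, which are assumptions that go slightly beyond the connector example quoted on this page. Point ET.parse at Tomcat\conf\server.xml to run it against a real server.

```python
import xml.etree.ElementTree as ET

# Constructed weak sample (not a real ISEC7 file): every setting below is a finding
# under the checks on this page.
WEAK_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="443" SSLEnabled="true" scheme="https" secure="true"
               protocol="org.apache.coyote.http11.Http11NioProtocol">
      <SSLHostConfig protocols="+TLSv1,+TLSv1.1,+TLSv1.2" certificateVerification="false">
        <Certificate certificateKeyAlias="https" certificateKeystoreType="Windows-MY"/>
      </SSLHostConfig>
    </Connector>
    <Engine name="Catalina" defaultHost="localhost">
      <Realm className="org.apache.catalina.realm.LockOutRealm">
        <Realm className="org.apache.catalina.realm.UserDatabaseRealm" resourceName="UserDatabase">
          <CredentialHandler className="org.apache.catalina.realm.MessageDigestCredentialHandler"
                             algorithm="SHA-1"/>
        </Realm>
      </Realm>
    </Engine>
  </Service>
</Server>"""

# The same file after the fixes on this page are applied.
HARDENED_SERVER_XML = (WEAK_SERVER_XML
    .replace('port="8005"', 'port="-1"')
    .replace('+TLSv1,+TLSv1.1,+TLSv1.2', '+TLSv1.2,+TLSv1.3')
    .replace('certificateVerification="false"', 'certificateVerification="required"')
    .replace('LockOutRealm"', 'LockOutRealm" failureCount="3" lockOutTime="900"')
    .replace('MessageDigestCredentialHandler', 'SecretKeyCredentialHandler')
    .replace('algorithm="SHA-1"', 'algorithm="PBKDF2WithHmacSHA512" keyLength="256"'))

ALLOWED_PROTOCOLS = {"TLSv1.2", "TLSv1.3"}
ALLOWED_HASHES = {"PBKDF2WithHmacSHA512", "PBKDF2WithHmacSHA256", "SHA-512", "SHA-256"}
ALL_PROTOCOLS = {"SSLv2Hello", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"}


def enabled_protocols(value):
    """Expand an SSLHostConfig 'protocols' list ('+name' adds, '-name' removes,
    'all' is Tomcat's default and includes TLS 1.0/1.1)."""
    enabled = set()
    for tok in value.split(","):
        tok = tok.strip()
        if not tok:
            continue
        if tok.lower() == "all":
            enabled |= ALL_PROTOCOLS
        elif tok.startswith("-"):
            enabled.discard(tok[1:])
        else:
            enabled.add(tok.lstrip("+"))
    return enabled


def audit_server_xml(xml_text):
    """Return one finding per failed check; an empty list means all checks passed.
    For a live server use ET.parse(path).getroot() on Tomcat\\conf\\server.xml."""
    root = ET.fromstring(xml_text)
    findings = []

    # Shutdown listener: port="-1" on <Server> disables it; the 'shutdown'
    # attribute is only the command string a client would have to send.
    if root.get("port") != "-1":
        findings.append(f"shutdown-port: Server port={root.get('port')!r}, expected -1")

    https = [c for c in root.iter("Connector")
             if c.get("port") == "443" and c.get("SSLEnabled", "").lower() == "true"]
    if not https:
        findings.append("https-connector: no SSLEnabled connector on port 443")
    for conn in https:
        hostconfigs = list(conn.iter("SSLHostConfig"))
        # Pre-SSLHostConfig connectors carry the list as sslEnabledProtocols instead.
        proto_lists = ([h.get("protocols") for h in hostconfigs] if hostconfigs
                       else [conn.get("sslEnabledProtocols")])
        for value in proto_lists:
            weak = enabled_protocols(value or "all") - ALLOWED_PROTOCOLS
            if weak:
                findings.append(f"tls-protocols: {sorted(weak)} enabled, only TLSv1.2/TLSv1.3 allowed")
        # CAC login needs client certificates: certificateVerification on SSLHostConfig
        # (Tomcat 8.5+/9) or the legacy clientAuth attribute on the Connector itself.
        if (conn.get("clientAuth") != "required"
                and not any(h.get("certificateVerification") == "required" for h in hostconfigs)):
            findings.append("client-cert: neither certificateVerification nor clientAuth is 'required'")

    lockout = [r for r in root.iter("Realm") if r.get("className", "").endswith(".LockOutRealm")]
    if not lockout:
        findings.append("lockout-realm: no LockOutRealm configured")
    for realm in lockout:
        if realm.get("failureCount") != "3" or realm.get("lockOutTime") != "900":
            findings.append(f"lockout-realm: failureCount={realm.get('failureCount')!r} "
                            f"lockOutTime={realm.get('lockOutTime')!r}, expected 3 and 900")
        if realm.find("Realm") is None:
            findings.append("lockout-realm: wraps no inner Realm, so nobody can authenticate")

    handlers = list(root.iter("CredentialHandler"))
    if not handlers:
        findings.append("credential-handler: none configured, so passwords are compared in clear text")
    for handler in handlers:
        if handler.get("algorithm") not in ALLOWED_HASHES:
            findings.append(f"credential-handler: algorithm={handler.get('algorithm')!r} not approved")
    return findings


if __name__ == "__main__":
    for label, text in (("weak", WEAK_SERVER_XML), ("hardened", HARDENED_SERVER_XML)):
        print(label, audit_server_xml(text) or ["no findings"])
```

Two details matter in practice: a missing protocols attribute is treated as Tomcat's default "all", not as "nothing enabled", and a LockOutRealm that does not wrap an inner realm passes a text search for the class name while authenticating nobody, so the script checks nesting rather than just presence.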
Verify unnecessary users or groups that have permissions to the server.xml file in Apache Tomcat have been removed. Browse to <Drive>:\Program Files\ISEC7 SPHERE\Tomcat\conf and select server.xml. Right-click and select "Properties". Select the Security tab and verify no unnecessary accounts or groups have been granted permissions to the file; server.xml can hold the keystore password and the realm configuration, so typically only SYSTEM, the local Administrators group, and the ISEC7 service account need access. If unnecessary users or groups that have permissions to the server.xml file in Apache Tomcat have not been removed, this is a finding.
Log in to the ISEC7 SPHERE server. Browse to <Drive>:\Program Files\ISEC7 SPHERE\Tomcat\conf and select server.xml. Right-click and select "Properties". Select the Security tab and remove unnecessary accounts or groups that have been granted permissions to the server.xml file.
Verify a manager role has been assigned to the Apache Tomcat Web apps (Manager, Host-Manager). Log in to the ISEC7 SPHERE server. Navigate to <Drive>:\Program Files\ISEC7 SPHERE\Tomcat\conf\. Confirm a user with the manager role exists in <Drive>:\Program Files\ISEC7 SPHERE\Tomcat\conf\tomcat-users.xml. example: <user username="admin" roles="manager-gui,manager-script" ..../> If a manager role has not been assigned to the Apache Tomcat Web apps, this is a finding.
To add a manager role to the Apache Tomcat Web apps (Manager, Host-Manager), run the ISEC7 integrated installer or use the following manual procedure: By default there are no users with the manager role assigned. To make use of the manager webapp, add a new role and user into the <Drive>:\Program Files\ISEC7 SPHERE\Tomcat\conf\tomcat-users.xml file. Log in to the ISEC7 SPHERE server. Navigate to <Drive>:\Program Files\ISEC7 SPHERE\Tomcat\conf\. Add a user with the manager role to <Drive>:\Program Files\ISEC7 SPHERE\Tomcat\conf\tomcat-users.xml. example: <user username="admin" roles="manager-gui,manager-script" ..../> Save the file.
To configure SSL support on Tomcat, run the ISEC7 integrated installer or use the following manual procedure: Log in to the ISEC7 SPHERE server. Open the server.xml file located at <Drive>:\Program Files\ISEC7 SPHERE\Tomcat\conf with Notepad.exe. Select Edit >> Find and search for port="443". If the connector is not present, add one such as: <Connector SSLEnabled="true" maxParameterCount="1000" maxThreads="200" port="443" protocol="org.apache.coyote.http11.Http11NioProtocol" scheme="https" secure="true" sslImplementationName="org.apache.tomcat.util.net.jsse.JSSEImplementation"> <SSLHostConfig certificateVerification="false" ciphers="HIGH:!aNULL:!MD5:!3DES:!ARIA:!SHA:!CAMELLIA:!AES128-CCM8:!AES128-CCM:!AES256-CCM8:!AES256-CCM:!DHE" honorCipherOrder="true" protocols="+TLSv1.2,+TLSv1.3"> <Certificate certificateKeyAlias="https" certificateKeystoreFile="" certificateKeystoreType="Windows-MY"/> </SSLHostConfig> </Connector> Modify the certificateKeystoreFile path and certificateKeystorePassword as needed, or keep certificateKeystoreType="Windows-MY" to use the service account's Windows certificate store. If the connector has been commented out, remove the comment characters. Save the file. Restart the ISEC7 SPHERE Web service.
Verify Tomcat SSL is restricted to only ISEC7 SPHERE tasks. Log in to the ISEC7 SPHERE server. Navigate to <Drive>:\Program Files\ISEC7 SPHERE\Tomcat\conf\. Open the web.xml file with Notepad.exe. Verify the following entries are present:
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Unsecure</web-resource-name>
    <!-- Agent -->
    <url-pattern>/BNator/agent/*</url-pattern>
    <url-pattern>/app/agent/*</url-pattern>
    <url-pattern>/app/admin/agentinstaller.jnlp</url-pattern>
    <!-- Client -->
    <url-pattern>/app/clients/*</url-pattern>
    <url-pattern>/app/data/*</url-pattern>
    <!-- Remote Control -->
    <url-pattern>/rc/*</url-pattern>
    <!-- Traffic Push -->
    <url-pattern>/BNator/uss/trafficinfo/*</url-pattern>
    <url-pattern>/BNator/data/mds/trafficpush</url-pattern>
    <url-pattern>/BNator/favorites/*</url-pattern>
    <url-pattern>/app/resource/*</url-pattern>
  </web-resource-collection>
</security-constraint>
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Secure</web-resource-name>
    <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>
The first constraint carries no transport guarantee, so the agent, client, remote control and traffic push paths it lists remain reachable over plain HTTP; the second requires TLS (CONFIDENTIAL) for every other path. Only the best-matching url-pattern applies to a request, so the specific patterns in the first constraint take precedence over "/*". If Tomcat SSL is not restricted to only ISEC7 SPHERE tasks, this is a finding.
To restrict Tomcat SSL to only ISEC7 SPHERE tasks, run the ISEC7 integrated installer or use the following manual procedure: To require TLS for all users except the agent, client, remote control and traffic push tasks, add security-constraint elements to <Drive>:\Program Files\ISEC7 SPHERE\Tomcat\conf\web.xml. Log in to the ISEC7 SPHERE server. Navigate to <Drive>:\Program Files\ISEC7 SPHERE\Tomcat\conf\. Edit the web.xml file with Notepad.exe. Add the following entries inside the <web-app> element:
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Unsecure</web-resource-name>
    <!-- Agent -->
    <url-pattern>/BNator/agent/*</url-pattern>
    <url-pattern>/app/agent/*</url-pattern>
    <url-pattern>/app/admin/agentinstaller.jnlp</url-pattern>
    <!-- Client -->
    <url-pattern>/app/clients/*</url-pattern>
    <url-pattern>/app/data/*</url-pattern>
    <!-- Remote Control -->
    <url-pattern>/rc/*</url-pattern>
    <!-- Traffic Push -->
    <url-pattern>/BNator/uss/trafficinfo/*</url-pattern>
    <url-pattern>/BNator/data/mds/trafficpush</url-pattern>
    <url-pattern>/BNator/favorites/*</url-pattern>
    <url-pattern>/app/resource/*</url-pattern>
  </web-resource-collection>
</security-constraint>
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Secure</web-resource-name>
    <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>
Save the file. Restart the ISEC7 SPHERE Web service.
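The following Python script is an added example for the web.xml check and fix above; it is not part of the STIG, of ISEC7 SPHERE or of Apache Tomcat. It reads every <security-constraint> from a web.xml and then answers, for a given request path, which transport guarantee Tomcat will enforce, using the Servlet specification's best-match rule (exact pattern, then longest path prefix, then extension, then the default "/"). That rule is why the "Unsecure" patterns win over the CONFIDENTIAL catch-all on "/*" and why the exact pattern /BNator/data/mds/trafficpush exempts only that one path. Following Tomcat's RealmBase behaviour, if any applicable constraint has no user-data-constraint (or NONE), plain HTTP is accepted. The web.xml inside the script is constructed from the entries listed on this page, and the function names are the example's own.

```python
"""Which transport guarantee applies to a path under Tomcat's web.xml constraints?

Added example, not ISEC7 or Apache Tomcat code. Matching follows the
Servlet spec: exact > longest path prefix > extension > default "/".
The sample web.xml is constructed from the page's constraint entries.
"""
import xml.etree.ElementTree as ET


def _local(tag):
    return tag.rsplit("}", 1)[-1]        # ignore the javaee/jakartaee namespace


def load_constraints(web_xml):
    """Return [(url_patterns, transport_guarantee)] for each <security-constraint>."""
    out = []
    for sc in ET.fromstring(web_xml).iter():
        if _local(sc.tag) != "security-constraint":
            continue
        patterns = [e.text.strip() for e in sc.iter()
                    if _local(e.tag) == "url-pattern" and e.text]
        guarantee = "NONE"               # no <user-data-constraint> means NONE
        for e in sc.iter():
            if _local(e.tag) == "transport-guarantee" and e.text:
                guarantee = e.text.strip().upper()
        out.append((patterns, guarantee))
    return out


def _match_rank(path, pattern):
    """Rank of a url-pattern match for `path`, or None if it does not match.
    Higher tuples win: (3,) exact, (2, prefix length) path prefix, (1,) extension, (0,) default."""
    if pattern == path:
        return (3, 0)
    if pattern.endswith("/*"):
        prefix = pattern[:-2]            # "/*" has the empty prefix and matches everything
        if path == prefix or path.startswith(prefix + "/"):
            return (2, len(prefix))
    elif pattern.startswith("*.") and path.endswith(pattern[1:]):
        return (1, 0)
    elif pattern == "/":
        return (0, 0)
    return None


def transport_guarantee(path, constraints):
    """Guarantee enforced for `path`: NONE, INTEGRAL or CONFIDENTIAL."""
    best, applicable = None, []
    for patterns, guarantee in constraints:
        for pattern in patterns:
            rank = _match_rank(path, pattern)
            if rank is None:
                continue
            if best is None or rank > best:
                best, applicable = rank, [guarantee]
            elif rank == best:
                applicable.append(guarantee)
    # Tomcat accepts plain HTTP when any applicable constraint is NONE.
    if not applicable or "NONE" in applicable:
        return "NONE"
    return "CONFIDENTIAL" if "CONFIDENTIAL" in applicable else "INTEGRAL"


def http_allowed_patterns(constraints):
    """Patterns that stay reachable over plain HTTP; review this list against the STIG."""
    return sorted(p for patterns, g in constraints if g == "NONE" for p in patterns)


SAMPLE_WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="4.0">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Unsecure</web-resource-name>
      <!-- Agent -->
      <url-pattern>/BNator/agent/*</url-pattern>
      <url-pattern>/app/agent/*</url-pattern>
      <url-pattern>/app/admin/agentinstaller.jnlp</url-pattern>
      <!-- Client -->
      <url-pattern>/app/clients/*</url-pattern>
      <url-pattern>/app/data/*</url-pattern>
      <!-- Remote Control -->
      <url-pattern>/rc/*</url-pattern>
      <!-- Traffic Push -->
      <url-pattern>/BNator/uss/trafficinfo/*</url-pattern>
      <url-pattern>/BNator/data/mds/trafficpush</url-pattern>
      <url-pattern>/BNator/favorites/*</url-pattern>
      <url-pattern>/app/resource/*</url-pattern>
    </web-resource-collection>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Secure</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
</web-app>"""

if __name__ == "__main__":
    constraints = load_constraints(SAMPLE_WEB_XML)
    for path in ("/app/agent/checkin", "/app/admin/agentinstaller.jnlp",
                 "/app/admin/login", "/BNator/data/mds/trafficpush/extra"):
        print(path, "->", transport_guarantee(path, constraints))
    print("HTTP allowed:", http_allowed_patterns(constraints))
```

Point it at the real <Drive>:\Program Files\ISEC7 SPHERE\Tomcat\conf\web.xml to confirm that administrative paths such as /app/admin/login resolve to CONFIDENTIAL while only the listed agent, client, remote control and traffic push paths resolve to NONE.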
Review the ISEC7 SPHERE server version after logging in to the console. Compare the installed version with the latest supported version of ISEC7 SPHERE server. If the installed version of ISEC7 SPHERE server is not a supported version, this is a finding.
The administrator must check https://www.isec7-us.com/emm-suite-mobile-monitoring for the latest supported and unsupported versions of the software. Once confirmed, the administrator must update ISEC7 SPHERE server to the latest supported version.