If the system is on the SIPRNET, this requirement is NA. Examine the system 'deployment.properties' file for Java, which is located by default at /usr/java/jre/lib/deployment.properties. If the 'deployment.security.askgrantdialog.notinca=false' key is not present, this is a finding. If the key 'deployment.security.askgrantdialog.notinca' exists and is set to true, this is a finding.
Disable the 'Allow user to grant permissions to content from an un-trusted authority' feature. Navigate to the 'deployment.properties' file for Java; the default location is /usr/java/jre/lib/deployment.properties. If the key does not exist, create the 'deployment.security.askgrantdialog.notinca' key and set the value to 'false'. If the key does exist, update the 'deployment.security.askgrantdialog.notinca' key to be a value of 'false'.
If the system is on the SIPRNET, this requirement is NA. Navigate to the 'deployment.properties' file for Java; the default location is /usr/java/jre/lib/deployment.properties. Review the file. If the 'deployment.security.askgrantdialog.notinca.locked' key is not present, this is a finding.
Lock the 'Allow user to grant permissions to content from an un-trusted authority' feature. Navigate to the 'deployment.properties' file for Java; the default location is /usr/java/jre/lib/deployment.properties. Edit the file and add the 'deployment.security.askgrantdialog.notinca.locked' key.
If the system is on the SIPRNET, this requirement is NA. Navigate to the 'deployment.properties' file for Java; the default location is /usr/java/jre/lib/deployment.properties. If the 'deployment.security.validation.crl' key is not present, this is a finding. If the 'deployment.security.validation.crl' key is present and set to 'false', this is a finding.
Enable the 'Check certificates for revocation using Certificate Revocation Lists (CRL)' option. Navigate to the 'deployment.properties' file for Java; the default location is /usr/java/jre/lib/deployment.properties. Add or update the 'deployment.security.validation.crl' key. Set the value to 'true'.
If the system is on the SIPRNET, this requirement is NA. Navigate to the system 'deployment.properties' file for Java; the default location is /usr/java/jre/lib/deployment.properties. If the 'deployment.security.validation.crl.locked' key is not present within the deployment.properties file, this is a finding. If the 'deployment.security.validation.ocsp.locked' key is not present within the deployment.properties file, this is a finding.
Navigate to the system 'deployment.properties' file for Java; the default location is /usr/java/jre/lib/deployment.properties. Add the 'deployment.security.validation.crl.locked' key to the deployment.properties file. Add the 'deployment.security.validation.ocsp.locked' key to the deployment.properties file.
If the system is on the SIPRNET, this requirement is NA. Navigate to the 'deployment.properties' file for Java: /usr/java/jre/lib/deployment.properties. Examine the deployment.properties file for the 'deployment.security.validation.ocsp' key. If the 'deployment.security.validation.ocsp' key is not present, this is a finding. If the key 'deployment.security.validation.ocsp' is set to 'false', this is a finding.
If the system is on the SIPRNET, this requirement is NA. Enable the 'Enable online certificate validation' option. Navigate to the 'deployment.properties' file for Java: /usr/java/jre/lib/deployment.properties. Add or update the key 'deployment.security.validation.ocsp' to be 'true'.
If the system is on the SIPRNET, this requirement is NA. Navigate to the 'deployment.properties' file for Java: /usr/java/jre/lib/deployment.properties. If the key 'deployment.security.validation.ocsp.locked' is not present, this is a finding.
If the system is on the SIPRNET, this requirement is NA. Lock the 'Enable online certificate validation' option. Navigate to the 'deployment.properties' file for Java: /usr/java/jre/lib/deployment.properties. Add the key 'deployment.security.validation.ocsp.locked'.
Navigate to the deployment.config file: /usr/java/jre/lib/deployment.config. If the configuration file does not contain 'deployment.system.config=file:/usr/java/jre/lib/deployment.properties', this is a finding. If the configuration file does not contain 'deployment.system.config.mandatory=false', this is a finding.
Specify the path to the deployment.properties file and set the mandatory configuration values. Navigate to the deployment.config file. /usr/java/jre/lib/deployment.properties. Include the following keys in the configuration file: 'deployment.system.config=file:/usr/java/jre/lib/deployment.properties' and 'deployment.system.config.mandatory=false'.
Navigate to the lib directory, /usr/java/jre/lib/. If there is no configuration file entitled 'deployment.config', this is a finding.
Create a JRE deployment configuration file. Navigate to the lib directory, /usr/java/jre/lib/. Create a configuration file entitled 'deployment.config'.
Navigate to the lib directory, /usr/java/jre/lib/. If there is no properties file entitled 'deployment.properties', this is a finding.
Create the Java deployment properties file. Navigate to the lib directory, /usr/java/jre/lib/. Create a properties file entitled 'deployment.properties'.
Open a terminal window and type the command "java -version" (without the quotes). The return value should contain Java build information: "Java (TM) SE Runtime Environment (build x.x.x.x)". Cross-reference the build information on the system with the Oracle Java site to identify the most recent build available: http://www.oracle.com/technetwork/java/javase/downloads/index.html
Test applications to ensure operational compatibility with the new version of Java. Install the latest version of the Java JRE.
Oracle support for Java Runtime Environment (JRE) 7 for Unix ended in April 2015. If JRE 7 for Unix is installed on a system, this is a finding. If an extended support agreement providing security patches for the unsupported product is procured from the vendor, this finding may be downgraded to a CAT III.
Upgrade Java Runtime Environment (JRE) 7 for Unix software to a supported version.
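The deployment.properties and deployment.config checks above can be run as one audit pass. The following is an added example, not part of the STIG text: the function names `parse_properties` and `audit` and the sample file contents are constructed for illustration, and values are compared for an exact match with the value each fix sets, which is stricter than the check wording.

```python
import re

PROPS_PATH = "/usr/java/jre/lib/deployment.properties"
REQUIRED_PROPS = {  # None: the key only has to be present (the '.locked' keys)
    "deployment.security.askgrantdialog.notinca": "false",
    "deployment.security.askgrantdialog.notinca.locked": None,
    "deployment.security.validation.crl": "true",
    "deployment.security.validation.crl.locked": None,
    "deployment.security.validation.ocsp": "true",
    "deployment.security.validation.ocsp.locked": None,
}
REQUIRED_CONFIG = {"deployment.system.config": "file:" + PROPS_PATH,
                   "deployment.system.config.mandatory": "false"}

def parse_properties(text):
    """Parse simple .properties text; escapes and line continuations are not handled."""
    props = {}
    for line in map(str.strip, text.splitlines()):
        if line and line[0] not in "#!":  # skip blank lines and comments
            parts = re.split(r"\s*[=:]\s*|\s+", line, maxsplit=1)
            props[parts[0]] = parts[1] if len(parts) > 1 else ""  # bare key -> ""
    return props

def audit(props_text, config_text, siprnet=False):
    """Findings for both files (None = file missing); properties keys are NA on SIPRNET."""
    findings = []
    targets = [("deployment.config", config_text, REQUIRED_CONFIG),
               ("deployment.properties", props_text, {} if siprnet else REQUIRED_PROPS)]
    for name, text, required in targets:
        if text is None:
            findings.append(f"{name}: file not present")
            continue
        found = parse_properties(text)
        for key, want in required.items():
            if key not in found:
                findings.append(f"{name}: {key} not present")
            elif want is not None and found[key] != want:
                findings.append(f"{name}: {key}={found[key]}, expected {want}")
    return findings

# Constructed sample: notinca left at true, OCSP lock and 'mandatory' key missing.
SAMPLE_CONFIG = "deployment.system.config=file:" + PROPS_PATH + "\n"
SAMPLE_PROPS = """deployment.security.askgrantdialog.notinca=true
deployment.security.askgrantdialog.notinca.locked
deployment.security.validation.crl=true
deployment.security.validation.crl.locked
deployment.security.validation.ocsp = true
"""
if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_PROPS, SAMPLE_CONFIG)))
```

On a real system, read the two files from /usr/java/jre/lib/ and pass `None` for any file that does not exist.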