Basic Authentication must be disabled.

Severity	Group ID	Group Title	Version	Rule ID	Date	STIG Version
medium	V-250334	SRG-APP-000148-AS-000101	IBMW-LS-000381	SV-250334r1051118_rule	2025-02-11	2

Description
Basic authentication does not use a centralized user store like LDAP. Not using a centralized user store complicates user management tasks and increases the risk that user accounts could remain on the system long after users have moved to their next deployment. Basic Auth also stores user credentials and passwords on the system and creates the potential for an attacker to circumvent strong authentication requirements like multi-factor or certificate based authentication. Allowing failover to Basic Auth allows the Liberty Server to fall back to basic authentication in the event certificate based authentication methods fail. Configuring the Liberty Server to fall back to basic authentication creates the potential for an attacker to circumvent strong authentication requirements and must be avoided.

Description

Basic authentication does not use a centralized user store like LDAP. Not using a centralized user store complicates user management tasks and increases the risk that user accounts could remain on the system long after users have moved to their next deployment. Basic Auth also stores user credentials and passwords on the system and creates the potential for an attacker to circumvent strong authentication requirements like multi-factor or certificate based authentication. Allowing failover to Basic Auth allows the Liberty Server to fall back to basic authentication in the event certificate based authentication methods fail. Configuring the Liberty Server to fall back to basic authentication creates the potential for an attacker to circumvent strong authentication requirements and must be avoided.

ℹ️ Check
As a privileged user with local file access to the ${server.config.dir}/server.xml file, search the server.xml for the basicRegistry setting. grep -i basicregistry server.xml SAMPLE: <basicRegistry id="basic" realm="BasicRealm"> <user name="employee0" password="emp0pwd" /> <user name="employee1" password="emp1pwd" /> <user name="manager0" password="mgr0pwd" /> <group name="employeeGroup"> <member name="employee0" /> <member name="employee1" /> </group> </basicRegistry> If <basicRegistry> settings are defined in server.xml, this is a finding.

ℹ️ Check

As a privileged user with local file access to the ${server.config.dir}/server.xml file, search the server.xml for the basicRegistry setting. grep -i basicregistry server.xml SAMPLE: <basicRegistry id="basic" realm="BasicRealm"> <user name="employee0" password="emp0pwd" /> <user name="employee1" password="emp1pwd" /> <user name="manager0" password="mgr0pwd" /> <group name="employeeGroup"> <member name="employee0" /> <member name="employee1" /> </group> </basicRegistry> If <basicRegistry> settings are defined in server.xml, this is a finding.

✔️ Fix
Delete basicRegistry settings and re-configure the server.xml file to use a centralized LDAP user store. SAMPLE: <featureManager> <feature>appSecurity-2.0</feature> <feature>ldapRegistry-3.0</feature> </featureManager> <ldapRegistry id="ldap" realm="SampleLdapRealm" host="${ldap.server.name}" port="${ldap.server.port}" ignoreCase="true" baseDN="${ldap.server.base.dn}" ldapType="${ldap.vendor.type}" searchTimeout="8m"> </ldapRegistry>

✔️ Fix

Delete basicRegistry settings and re-configure the server.xml file to use a centralized LDAP user store. SAMPLE: <featureManager> <feature>appSecurity-2.0</feature> <feature>ldapRegistry-3.0</feature> </featureManager> <ldapRegistry id="ldap" realm="SampleLdapRealm" host="${ldap.server.name}" port="${ldap.server.port}" ignoreCase="true" baseDN="${ldap.server.base.dn}" ldapType="${ldap.vendor.type}" searchTimeout="8m"> </ldapRegistry>