The WebSphere Liberty Server must use DoD-issued/signed certificates.

Severity	Group ID	Group Title	Version	Rule ID	Date	STIG Version
medium	V-250338	SRG-APP-000177-AS-000126	IBMW-LS-000500	SV-250338r961044_rule	2025-02-11	2

Description
The cornerstone of PKI is the private key used to encrypt or digitally sign information. The key by itself is a cryptographic value that does not contain specific user information, but the key can be mapped to a user. Without mapping the certificate used to authenticate to the user account, the ability to determine the identity of the individual user or group will not be available for forensic analysis. Satisfies: SRG-APP-000177-AS-000126, SRG-APP-000427-AS-000264, SRG-APP-000514-AS-000137

Description

The cornerstone of PKI is the private key used to encrypt or digitally sign information. The key by itself is a cryptographic value that does not contain specific user information, but the key can be mapped to a user. Without mapping the certificate used to authenticate to the user account, the ability to determine the identity of the individual user or group will not be available for forensic analysis. Satisfies: SRG-APP-000177-AS-000126, SRG-APP-000427-AS-000264, SRG-APP-000514-AS-000137

ℹ️ Check
As a privileged user with access to the ${server.config.dir}/server.xml file; search for SSLDefault in order to identify the default SSL configuration. grep -i ssldefault server.xml Identify the default ssl configuration by examining the sslRef flag. SAMPLE: <sslDefault sslRef="DefaultTLSSettings" /> Review the default ssl configuration to identify the default truststore. SAMPLE: <ssl id="DefaultTLSSettings" keyStoreRef="defaultKeyStore" /> <keyStore id="LDAPTrustStore" location="${server.config.dir}/liberty.ks" type="JKS" password="xxxxxxx" /> Use the java keytool or ikeyman utilities to open and examine the certificates stored in the truststore. If the certificates are self signed or not signed by a DoD approved CA, this is a finding.

ℹ️ Check

As a privileged user with access to the ${server.config.dir}/server.xml file; search for SSLDefault in order to identify the default SSL configuration. grep -i ssldefault server.xml Identify the default ssl configuration by examining the sslRef flag. SAMPLE: <sslDefault sslRef="DefaultTLSSettings" /> Review the default ssl configuration to identify the default truststore. SAMPLE: <ssl id="DefaultTLSSettings" keyStoreRef="defaultKeyStore" /> <keyStore id="LDAPTrustStore" location="${server.config.dir}/liberty.ks" type="JKS" password="xxxxxxx" /> Use the java keytool or ikeyman utilities to open and examine the certificates stored in the truststore. If the certificates are self signed or not signed by a DoD approved CA, this is a finding.

✔️ Fix
Do not use self-signed certificates in a production environment. Only import certificates signed by an authorized DoD CA or authorized for DoD use. Obtain the signer certificate either as a Base 64-encoded ASCII file or as binary DER data. Using the JDK’s ikeyman or keytool utility, open the default trusted keystore specified in the ${server.config.dir}/server.xml. Click on signer certificates and import the file that contains the DoD signed certificate.

✔️ Fix

Do not use self-signed certificates in a production environment. Only import certificates signed by an authorized DoD CA or authorized for DoD use. Obtain the signer certificate either as a Base 64-encoded ASCII file or as binary DER data. Using the JDK’s ikeyman or keytool utility, open the default trusted keystore specified in the ${server.config.dir}/server.xml. Click on signer certificates and import the file that contains the DoD signed certificate.