Application security must be enabled on the WebSphere Liberty Server.
Severity | Group ID | Group Title | Version | Rule ID | Date | STIG Version |
|---|---|---|---|---|---|---|
| high | V-250341 | SRG-APP-000315-AS-000094 | IBMW-LS-000770 | SV-250341r1015252_rule | 2025-02-11 | 2 |
| Description |
|---|
| Application security enables security for the applications in the environment. This type of security provides application isolation and requirements for authenticating application users. When a user enables security, both administrative and application security is enabled. Application security is in effect only when administrative security is enabled via the security feature. If the application server is to be used for only web applications, only the servlet-3.1 feature needs to be defined. If the application server is to be used for only ejb applications, only the ejbLite-3.1 feature needs to be defined. If both web and ejb applications are to be deployed on the application server, then both the servlet-3.1 and ejbLite-3.1 features need to be defined. The check and fix assumes that the application server will have both web and ejb applications deployed. Satisfies: SRG-APP-000315-AS-000094, SRG-APP-000014-AS-000009 |
| ℹ️ Check |
|---|
| As a user with local file access to ${server.config.dir}/server.xml file, verify application security is enabled. If the appSecurity-2.0 feature is not defined within server.xml, this is a finding. <featureManager> <feature>appSecurity-2.0</feature> </featureManager> |
| ✔️ Fix |
|---|
| Configure the ${server.config.dir}/server.xml file and add the appSecurity-2.0 feature. <featureManager> <feature>appSecurity-2.0</feature> </featureManager> Review ${server.config.dir}/logs/messages.log Validate log entry that indicates "Security service is ready". |