The WebSphere Liberty Server must be configured to use HTTPS only.

Severity: medium
Group ID: V-250348
Group Title: SRG-APP-000440-AS-000167
Version: IBMW-LS-001120
Rule ID: SV-250348r961635_rule
Date: 2025-02-11
STIG Version: 2
Description
Transmission of data can take place between the application server and a large number of devices/applications external to the application server. Examples are a web client used by a user, a backend database, a log server, or other application servers in an application server cluster.
ℹ️ Check
Review the ${server.config.dir}/server.xml file and check the ssl-1.0 feature and httpEndpoint settings. If the ssl-1.0 feature is not defined, this is a finding. If the httpEndpoint settings do not include sslOptions, this is a finding.

    <featureManager>
      <feature>servlet-3.0</feature>
      <feature>ssl-1.0</feature>
      <feature>appSecurity-2.0</feature>
    </featureManager>
    <httpEndpoint id="defaultHttpEndpoint" host="localhost"
                  httpPort="${bvt.prop.HTTP_default}"
                  httpsPort="${bvt.prop.HTTP_default.secure}">
      <tcpOptions soReuseAddr="true" />
      <sslOptions sslRef="testSSLConfig" />
    </httpEndpoint>
✔️ Fix
Modify the server.xml file. Enable the ssl-1.0 feature and configure the httpEndpoint settings. The keystores and truststores must also be configured.

    <featureManager>
      <feature>servlet-3.0</feature>
      <feature>ssl-1.0</feature>
      <feature>appSecurity-2.0</feature>
    </featureManager>
    <httpEndpoint id="defaultHttpEndpoint" host="localhost"
                  httpPort="${bvt.prop.HTTP_default}"
                  httpsPort="${bvt.prop.HTTP_default.secure}">
      <tcpOptions soReuseAddr="true" />
      <sslOptions sslRef="testSSLConfig" />
    </httpEndpoint>
    <ssl id="defaultSSLConfig" keyStoreRef="defaultKeyStore"
         trustStoreRef="defaultKeyStore" serverKeyAlias="default" />
    <ssl id="testSSLConfig" keyStoreRef="defaultKeyStore"
         trustStoreRef="alternateTrustStore" serverKeyAlias="alternateCert"
         enabledCiphers="AES256-SHA AES128-SHA" />
    <!-- inbound (HTTPS) keystore -->
    <keyStore id="defaultKeyStore" password="Liberty"
              location="${server.config.dir}/resources/security/sslOptions.jks" />
    <keyStore id="defaultTrustStore" password="Liberty"
              location="${server.config.dir}/resources/security/trust.jks" />
    <keyStore id="alternateTrustStore" password="Liberty"
              location="${server.config.dir}/resources/security/optionsTrust.jks" />
    <application type="war" id="basicauth" name="basicauth"
                 location="${server.config.dir}/apps/basicauth.war" />
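The check above can be automated. The following script is an added example, not part of the STIG or of IBM's tooling: it parses a server.xml, reports the two findings the rule defines (missing ssl-1.0 feature, httpEndpoint without sslOptions), and additionally flags an sslOptions whose sslRef points at no defined ssl element. The two server.xml fragments are constructed for the example.

```python
import xml.etree.ElementTree as ET

# Constructed sample server.xml fragments (not taken from a real server):
# one that satisfies the rule and one that fails both checks.
COMPLIANT = """<server>
  <featureManager>
    <feature>servlet-3.0</feature>
    <feature>ssl-1.0</feature>
  </featureManager>
  <httpEndpoint id="defaultHttpEndpoint" host="localhost" httpsPort="9443">
    <sslOptions sslRef="testSSLConfig" />
  </httpEndpoint>
  <ssl id="testSSLConfig" keyStoreRef="defaultKeyStore" trustStoreRef="alternateTrustStore" />
</server>"""

NONCOMPLIANT = """<server>
  <featureManager>
    <feature>servlet-3.0</feature>
  </featureManager>
  <httpEndpoint id="defaultHttpEndpoint" host="localhost" httpPort="9080" />
</server>"""

def check_server_xml(xml_text):
    """Apply the rule's check to server.xml content; return a list of findings."""
    root = ET.fromstring(xml_text)
    findings = []
    # Finding 1: the ssl-1.0 feature must be enabled in featureManager.
    features = {f.text.strip() for f in root.iter("feature") if f.text}
    if "ssl-1.0" not in features:
        findings.append("ssl-1.0 feature is not defined in featureManager")
    # Finding 2: every httpEndpoint must carry an sslOptions element.
    ssl_ids = {s.get("id") for s in root.findall("ssl")}
    for ep in root.findall("httpEndpoint"):
        ep_id = ep.get("id", "<no id>")
        opts = ep.find("sslOptions")
        if opts is None:
            findings.append(f"httpEndpoint '{ep_id}' has no sslOptions element")
            continue
        # Extra check beyond the STIG text: an sslRef must name a defined <ssl> id.
        ref = opts.get("sslRef")
        if ref is not None and ref not in ssl_ids:
            findings.append(f"httpEndpoint '{ep_id}' references undefined ssl id '{ref}'")
    return findings

def check_server_xml_file(path):
    """Same check for a server.xml on disk, e.g. ${server.config.dir}/server.xml."""
    with open(path, encoding="utf-8") as fh:
        return check_server_xml(fh.read())
```

The script reads only the file it is given; features or endpoints pulled in through Liberty include files or dropins are not followed, so review those separately.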