STIGhubSTIGhub
STIGsRMF ControlsCompare

STIGhub

A free tool to search and browse the entire DISA STIG library. Saves up to 75% in security compliance research time.

Navigation

  • Browse STIGs
  • Search
  • RMF Controls
  • Compare Versions

Resources

  • About
  • Release Notes
  • VPAT
  • DISA STIG Library
STIGs updated 2 hours ago
Powered by Pylon
© 2026 Beacon Cloud Solutions, Inc. All rights reserved.
← Back to IBM WebSphere Traditional V9.x Security Technical Implementation Guide

V-255866

CAT II (Medium)

The WebSphere Application Server must provide security extensions to extend the SOAP protocol and provide secure authentication when accessing sensitive data.

Rule ID

SV-255866r960993_rule

STIG

IBM WebSphere Traditional V9.x Security Technical Implementation Guide

Version

V2R1

CCIs

CCI-001941

Discussion

Application servers may provide a web services capability that could be leveraged to allow remote access to sensitive application data. A web service which is a repeatable process used to make data available to remote clients, should not be confused with a web server. Many web services utilize SOAP, which in turn utilizes XML and HTTP as a transport. Natively, SOAP does not provide security protections. As such, the application server must provide security extensions to enhance SOAP capabilities to ensure that secure authentication mechanisms are employed to protect sensitive data. The WS_Security suite is a widely used and acceptable SOAP security extension.

Check Content

Review System Security Plan documentation.

Interview the system administrator.

Identify any application web service providers and the secure authentication requirements for each service provider. 

From admin console, navigate to Applications >> All applications.

Click on each application that is a web service provider where the security plan specifies security extensions are to be applied. 

Navigate to "Service provider policy sets and bindings".

Verify that any web service providers that are required to have security extensions applied as per the security plan have a policy attached.

If "Attached policy set" column displays none, but the System Security Plan specifies security extensions as required, this is a finding.

Fix Text

To attach policy sets for your service providers: 
From admin console, navigate to Applications >> All applications >> [application]. 

For each application that is a web service provider and requires secure authentication, click on "Service provider policy sets and bindings."

Click button on the "Select" column to select a resource. 

Click on "Attach Policy Set" drop down.

Select policy set that best matches the provider environment.

Click button on the "Select" column to select the same resource.

Click on the "Assign binding" drop down.

Select a binding that best matches the environment.

Click "Save".

Restart DMGR and resync the JVMs.