
V-250348

CAT II (Medium)

The WebSphere Liberty Server must be configured to use HTTPS only.

Rule ID: SV-250348r1137581_rule

STIG: IBM WebSphere Liberty Server Security Technical Implementation Guide

Version: V2R4

CCIs: CCI-002421

Discussion

Transmission of data can take place between the application server and a large number of devices/applications external to the application server. Examples are a web client used by a user, a backend database, a log server, or other application servers in an application server cluster.

Check Content

Review the ${server.config.dir}/server.xml file and check the ssl-1.0 feature and httpEndpoint settings. 

If the ssl-1.0 feature is not defined, this is a finding. 

If the httpEndpoint settings do not include sslOptions, this is a finding.

<featureManager>
    <feature>servlet-3.0</feature>
    <feature>ssl-1.0</feature>
    <feature>appSecurity-2.0</feature>
</featureManager>

<httpEndpoint id="defaultHttpEndpoint"
              host="localhost"
              httpPort="${bvt.prop.HTTP_default}"
              httpsPort="${bvt.prop.HTTP_default.secure}" >
    <tcpOptions soReuseAddr="true" />
    <sslOptions sslRef="testSSLConfig" />
</httpEndpoint>
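
The two conditions in the Check Content can be evaluated mechanically against a server.xml file. The Python script below is an added example, not part of the STIG or of any IBM tooling. The function names, the sample server.xml and the treatment of a file with no httpEndpoint element as a finding are assumptions, and the unresolved sslRef report goes beyond what the check text requires.

```python
import xml.etree.ElementTree as ET

# Constructed sample (not from a real server): ssl-1.0 is enabled, but the
# second endpoint has no sslOptions and the first names an undefined <ssl>.
SAMPLE = """<server>
  <featureManager>
    <feature>servlet-3.0</feature>
    <feature>ssl-1.0</feature>
  </featureManager>
  <httpEndpoint id="defaultHttpEndpoint" host="localhost" httpsPort="9443">
    <sslOptions sslRef="testSSLConfig" />
  </httpEndpoint>
  <httpEndpoint id="adminEndpoint" host="localhost" httpPort="9081" />
  <ssl id="defaultSSLConfig" keyStoreRef="defaultKeyStore" />
</server>"""


def check_v250348(server_xml):
    """Return the V-250348 findings for one server.xml document (empty = pass)."""
    root = ET.fromstring(server_xml)
    findings = []
    # Check 1: ssl-1.0 must appear among the <feature> entries
    # (compared case-insensitively after trimming whitespace).
    features = {(f.text or "").strip().lower() for f in root.iter("feature")}
    if "ssl-1.0" not in features:
        findings.append("ssl-1.0 feature is not defined")
    # Check 2: every httpEndpoint must include an sslOptions child.
    endpoints = list(root.iter("httpEndpoint"))
    if not endpoints:
        # Assumption: nothing to inspect is reported rather than passed.
        findings.append("no httpEndpoint element to evaluate")
    for ep in endpoints:
        if ep.find("sslOptions") is None:
            findings.append(f"httpEndpoint {ep.get('id')!r} has no sslOptions")
    return findings


def unresolved_ssl_refs(server_xml):
    """Beyond the check text: sslRef values with no <ssl id=...> in this file."""
    root = ET.fromstring(server_xml)
    defined = {s.get("id") for s in root.iter("ssl")}
    refs = {o.get("sslRef") for o in root.iter("sslOptions") if o.get("sslRef")}
    return sorted(refs - defined)


if __name__ == "__main__":
    for finding in check_v250348(SAMPLE):
        print("FINDING:", finding)
    for ref in unresolved_ssl_refs(SAMPLE):
        print("REVIEW: sslRef", ref, "is not defined in this file")
```

The script reads a single file as written: it does not follow include elements or expand ${...} variables, so an sslRef it reports as unresolved may be defined elsewhere and needs manual review.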

Fix Text

Modify the server.xml file. Enable the ssl-1.0 feature and configure the httpEndpoint settings. The keystores and truststores must also be configured.

<featureManager>
    <feature>servlet-3.0</feature>
    <feature>ssl-1.0</feature>
    <feature>appSecurity-2.0</feature>
</featureManager>

<httpEndpoint id="defaultHttpEndpoint"
              host="localhost"
              httpPort="${bvt.prop.HTTP_default}"
              httpsPort="${bvt.prop.HTTP_default.secure}" >
    <tcpOptions soReuseAddr="true" />
    <sslOptions sslRef="testSSLConfig" />
</httpEndpoint>

<ssl id="defaultSSLConfig"
     keyStoreRef="defaultKeyStore"
     trustStoreRef="defaultKeyStore"
     serverKeyAlias="default" />

<ssl id="testSSLConfig"
     keyStoreRef="defaultKeyStore"
     trustStoreRef="alternateTrustStore"
     serverKeyAlias="alternateCert"
     enabledCiphers="AES256-SHA AES128-SHA" />

<!-- inbound (HTTPS) keystore -->
<keyStore id="defaultKeyStore" password="Liberty"
          location="${server.config.dir}/resources/security/sslOptions.jks" />

<keyStore id="defaultTrustStore" password="Liberty"
          location="${server.config.dir}/resources/security/trust.jks" />

<keyStore id="alternateTrustStore" password="Liberty"
          location="${server.config.dir}/resources/security/optionsTrust.jks" />

<application type="war" id="basicauth" name="basicauth"
             location="${server.config.dir}/apps/basicauth.war" />