STIGhub

A free tool to search and browse the entire DISA STIG library. Saves up to 75% in security compliance research time.


IBM WebSphere Liberty Server Security Technical Implementation Guide

  • Version: V2R4
  • Release Date: Feb 26, 2026
  • SCAP Benchmark ID: IBM_WebSphere_Liberty_Server_STIG
  • Total Checks: 30
  • Tags: other
  • CAT I: 7, CAT II: 23, CAT III: 0

This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DOD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.


Checks (30)

  • V-250322 (MEDIUM): Maximum in-memory session count must be set according to application requirements.
  • V-250323 (MEDIUM): The WebSphere Liberty Server Quality of Protection (QoP) must be set to use TLSv1.2 or higher.
  • V-250324 (MEDIUM): Security cookies must be set to HTTPOnly.
  • V-250325 (MEDIUM): The WebSphere Liberty Server must log remote session and security activity.
  • V-250326 (HIGH): Users in the REST API admin role must be authorized.
  • V-250327 (MEDIUM): The WebSphere Liberty Server must be configured to offload logs to a centralized system.
  • V-250328 (MEDIUM): The WebSphere Liberty Server must protect log information from unauthorized access or changes.
  • V-250329 (MEDIUM): The WebSphere Liberty Server must protect log tools from unauthorized access.
  • V-250330 (MEDIUM): The WebSphere Liberty Server must be configured to encrypt log information.
  • V-250331 (MEDIUM): The WebSphere Liberty Server must protect software libraries from unauthorized access.
  • V-250332 (MEDIUM): The WebSphere Liberty Server must prohibit or restrict the use of nonsecure ports, protocols, modules, and/or services as defined in the PPSM CAL and vulnerability assessments.
  • V-250333 (MEDIUM): The WebSphere Liberty Server must use an LDAP user registry.
  • V-250334 (MEDIUM): Basic Authentication must be disabled.
  • V-250335 (HIGH): Multifactor authentication for network access to privileged accounts must be used.
  • V-250336 (HIGH): The WebSphere Liberty Server must store only encrypted representations of user passwords.
  • V-250337 (HIGH): The WebSphere Liberty Server must use TLS-enabled LDAP.
  • V-250338 (MEDIUM): The WebSphere Liberty Server must use DoD-issued/signed certificates.
  • V-250339 (HIGH): The WebSphere Liberty Server must use FIPS 140-2 approved encryption modules when authenticating users and processes.
  • V-250340 (MEDIUM): HTTP session timeout must be configured.
  • V-250341 (HIGH): Application security must be enabled on the WebSphere Liberty Server.
  • V-250342 (MEDIUM): Users in a reader-role must be authorized.
  • V-250343 (MEDIUM): The WebSphere Liberty Server must allocate JVM log record storage capacity in accordance with organization-defined log record storage requirements.
  • V-250344 (MEDIUM): The server.xml file must be protected from unauthorized modification.
  • V-250345 (MEDIUM): The WebSphere Liberty Server must prohibit the use of cached authenticators after an organization-defined time period.
  • V-250346 (MEDIUM): The WebSphere Liberty Server LTPA keys password must be changed.
  • V-250347 (MEDIUM): The WebSphere Liberty Server must remove all export ciphers to protect the confidentiality and integrity of transmitted information.
  • V-250348 (MEDIUM): The WebSphere Liberty Server must be configured to use HTTPS only.
  • V-250349 (MEDIUM): The WebSphere Liberty Server must install security-relevant software updates within the time period directed by an authoritative source.
  • V-250350 (MEDIUM): The WebSphere Liberty Server must generate log records for authentication and authorization events.
  • V-283668 (HIGH): The WebSphere Liberty Server must use FIPS 140-3-approved encryption modules when authenticating users and processes.