Enable Encryption

Details

The ENCRYPT protocol uses a keystore in order to encrypt the communication layer of all the other protocols below it.

Before configuring the AS, you must create another keystore to use specifically in JGroups.

Unfortunately, JGroups does not support keystores generated with the standard JDK keytool. You must create your custom keystore with the KeyStoreGenerator Java class, which is included in the JGroups demo package (org.jgroups.demos).

java -cp /your/path/to/jboss/modules/system/layers/base/org/jgroups/main/JGroups-version.jar org.jgroups.demos.KeyStoreGenerator --alg AES --size 128 --storeName FILENAME --storePass PASSWORD --alias MyKey

NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.

Solution

Include the ENCRYPT protocol in the standalone-full-ha of your JBoss AS instance:


….
true 128 AES/ECB/PKCS5Padding 512 RSA YOURKEYSTOREPASSWORD path/to/keystore MyKey YOURTRUSTSTOREPASSWORD ….

You can move the ENCRYPT element up and down through the protocol stack. Its position configures the subsystem to encrypt only the protocols below the ENCRYPT element.
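
A compliance check for the setting above, as an added example that is not part of the original benchmark or of the JBoss/JGroups code: it parses the JGroups subsystem of the server configuration, flags every stack that has no ENCRYPT protocol, and reports where ENCRYPT sits in each stack. The sample XML, its namespace version and its stack contents are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample: a trimmed JGroups subsystem as it might appear in the
# standalone-full-ha configuration. Namespace and stack contents are assumed.
SAMPLE_CONFIG = """<subsystem xmlns="urn:jboss:domain:jgroups:1.1" default-stack="udp">
  <stack name="udp">
    <transport type="UDP" socket-binding="jgroups-udp"/>
    <protocol type="PING"/>
    <protocol type="ENCRYPT"/>
    <protocol type="pbcast.NAKACK"/>
  </stack>
  <stack name="tcp">
    <transport type="TCP" socket-binding="jgroups-tcp"/>
    <protocol type="MPING" socket-binding="jgroups-mping"/>
    <protocol type="pbcast.NAKACK"/>
  </stack>
</subsystem>"""


def local(tag):
    """Strip the XML namespace so the check works across schema versions."""
    return tag.rsplit("}", 1)[-1]


def audit_jgroups_stacks(xml_text):
    """Return {stack name: report} for every JGroups stack in the config."""
    report = {}
    for elem in ET.fromstring(xml_text).iter():
        # Only <stack> elements that live in a jgroups subsystem namespace.
        if "jgroups" not in elem.tag or local(elem.tag) != "stack":
            continue
        # Document order of the stack's transport and protocol entries.
        layers = [c.get("type") for c in elem
                  if local(c.tag) in ("transport", "protocol")]
        entry = {"encrypt": "ENCRYPT" in layers}
        if entry["encrypt"]:
            pos = layers.index("ENCRYPT")
            entry["listed_before"] = layers[:pos]
            entry["listed_after"] = layers[pos + 1:]
        report[elem.get("name")] = entry
    return report


def noncompliant_stacks(xml_text):
    """Names of stacks that do not include the ENCRYPT protocol."""
    return sorted(name for name, entry in audit_jgroups_stacks(xml_text).items()
                  if not entry["encrypt"])
```

Running noncompliant_stacks() over the real configuration file's text gives the stacks that still need the ENCRYPT element; the listed_before and listed_after fields show its current position for review.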

Supportive Information

The following resource is also helpful.

This security hardening control applies to the following category of controls within NIST 800-53: System and Communications Protection. This control applies to the following type of system: Unix.

Updated on July 16, 2022