Details

The SSLEnabled setting determines if SSL is enabled for a specific Connector. It is recommended that SSL be utilized for any Connector that sends or receives sensitive information, such as authentication credentials or personal information.

Rationale:

The SSLEnabled setting ensures SSL is active, which will in-turn ensure the confidentiality and integrity of sensitive information while in transit.

Solution

In server.xml, set the SSLEnabled attribute to true for each Connector that sends or receives sensitive information:

…
SSLEnabled=’true’
…
/>

Default Value:

SSLEnabled is set to false.

References:

https://tomcat.apache.org/tomcat-8.0-doc/ssl-howto.html

https://tomcat.apache.org/tomcat-8.0-doc/config/http.html

https://tomcat.apache.org/tomcat-8.5-doc/security-howto.html

Supportive Information

The following resource is also helpful.

• https://workbench.cisecurity.org/files/2506

This security hardening control applies to the following category of controls within NIST 800-53: System and Communications Protection.This control applies to the following type of system Unix.

References

• 800-53|SC-13
• CSCv6|6.2

Source

• Tenable.com/audits