Details

Types of management interfaces utilized by the JBoss EAP application server include web-based HTTP interfaces as well as command line-based management interfaces. In the event remote HTTP management is required, the access must be via HTTPS.

This requirement is in conjunction with the requirement to isolate all management access to a restricted network.

Solution

Follow the specific instructions in the Red Hat Security Guide for EAP version 6.3 to configure the management console for HTTPS.

This involves the following steps.
1. Create a keystore in JKS format.
2. Ensure the management console binds to HTTPS.
3. Create a new Security Realm.
4. Configure Management Interface to use new security realm.
5. Configure the management console to use the keystore.
6. Restart the EAP server.

Supportive Information

The following resource is also helpful.

• https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_JBoss_EAP_6-3_V2R2_STIG.ziphttps://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_JBoss_EAP_6-3_V2R2_STIG.zip

This security hardening control applies to the following category of controls within NIST 800-53: Access Control.This control applies to the following type of system Unix.

References

• 800-53|AC-17(2)
• CAT|II
• CCI|CCI-000068
• Rule-ID|SV-213494r615939_rule
• STIG-ID|JBOS-AS-000010
• STIG-Legacy|SV-76563
• STIG-Legacy|V-62073
• Vuln-ID|V-213494

Source

• Tenable.com/audits