Details

Client-cert authentication requires each client connecting to the server to have a certificate to authenticate. This is generally regarded as stronger authentication than a password as it requires the client to have the certificate and not just a password.

Rationale:

Certificate based authentication is more secure than password based authentication.

Solution

In the Connector element, set the clientAuth to true and, in Tomcat 8.5.x, set the certificateVerification to required

port=’8443′ minProcessors=’5′ maxProcessors=’75’
enableLookups=’true’ disableUploadTimeout=’true’
acceptCount=’100′ debug=’0′ scheme=’https’ secure=’true’;
clientAuth=’true’ sslProtocol=’TLS’/>
…

certificateVerification=’required’
/>

References:

https://tomcat.apache.org/tomcat-8.0-doc/config/http.html

https://tomcat.apache.org/tomcat-8.0-doc/ssl-howto.html

https://tomcat.apache.org/tomcat-8.5-doc/ssl-howto.html

https://tomcat.apache.org/tomcat-8.5-doc/config/http.html#SSL_Support_-_SSLHostConfig

Supportive Information

The following resource is also helpful.

• https://workbench.cisecurity.org/files/2506https://workbench.cisecurity.org/files/2506

This security hardening control applies to the following category of controls within NIST 800-53: Identification and Authentication.This control applies to the following type of system Unix.

References

• 800-53|IA-5
• 800-53|IA-5(1)
• CSCv7|16.4

Source

• Tenable.com/audits