Details

Client-cert authentication requires that each client connecting to the server have a certificate to authenticate. This is generally regarded as stronger authentication than a password as it requires the client to have the certificate and not just know a password.

Rationale:

Certificate based authentication is more secure than password based authentication.

Solution

In the Connector element, set the clientAuth parameter to true and the certificateVerification to required

<-- Define a SSL Coyote HTTP/1.1 Connector on port 8443 -->

port=’8443′ minProcessors=’5′ maxProcessors=’75’
enableLookups=’true’ disableUploadTimeout=’true’
acceptCount=’100′ debug=’0′ scheme=’https’ secure=’true’;
clientAuth=’true’ sslProtocol=’TLS’/>
…

certificateVerification=’required’
/>

Default Value:

Not configured

Supportive Information

The following resource is also helpful.

• https://workbench.cisecurity.org/files/3090

This security hardening control applies to the following category of controls within NIST 800-53: Identification and Authentication.This control applies to the following type of system Unix.

References

• 800-53|IA-5
• 800-53|IA-5(1)
• CSCv7|16.4

Source

• Tenable.com/audits