Details
Tomcat currently operates only on JKS, PKCS11, or PKCS12 format keystores. The JKS format is Java’s standard ‘Java KeyStore’ format, and is the format created by the keytool command-line utility which is included in the JDK. The PKCS12 format is an internet standard, and is managed using OpenSSL or Microsoft’s Key-Manager. This requirement only applies to JKS keystores. When a new JKS keystore is created, if a password is not specified during creation the default password used by Tomcat is ‘changeit’ (all lower case). If the default password is not changed, the keystore is at risk of compromise.
Satisfies: SRG-APP-000033-AS-000023, SRG-APP-000176-AS-000125
NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.
Solution
From the Tomcat server as a privileged user, run the following command:
sudo keytool -storepasswd
When prompted for the keystore password, select a strong password, minimum 10 characters, mixed case alpha-numeric.
Document the password and store in a secured location that is only accessible to authorized personnel.
Supportive Information
The following resource is also helpful.
This security hardening control applies to the following category of controls within NIST 800-53: Access Control, Identification and Authentication.This control applies to the following type of system Unix.
References
- 800-53|AC-3
- 800-53|IA-5(2)(b)
- CAT|I
- CCI|CCI-000186
- CCI|CCI-000213
- Rule-ID|SV-222931r615938_rule
- STIG-ID|TCAT-AS-000060
- STIG-Legacy|SV-111393
- STIG-Legacy|V-102445
- Vuln-ID|V-222931