Details
The unencrypted HTTP protocol does not protect data from interception or alteration which can subject users to eavesdropping, tracking, and the modification of received data. To secure an HTTP connector, both the secure and scheme flags must be set.
Solution
From the Tomcat server as a privileged user, edit the server.xml file.
sudo nano $CATALINA_BASE/conf/server.xml
Locate each
EXAMPLE Connector:
redirectPort="443" />
Set or add scheme="https" and secure="true" for each HTTP connector element.
EXAMPLE:
Save the server.xml file and restart Tomcat:
sudo systemctl restart tomcat
sudo systemctl daemon-reload
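The check and fix described above can be scripted for audit purposes. The following is an added example, not part of the STIG or of Tomcat itself; it uses a constructed server.xml with one unhardened HTTP connector, one compliant TLS connector and one AJP connector, and assumes that a Connector whose protocol attribute names an HTTP/1.1 implementation (or is omitted, which Tomcat defaults to HTTP/1.1) is in scope.

```python
"""Audit and fix HTTP Connector elements in a Tomcat server.xml (added example)."""
import xml.etree.ElementTree as ET

# Constructed sample server.xml (not from any real deployment): one plain HTTP
# connector missing both attributes, one compliant TLS connector, one AJP connector.
SAMPLE_SERVER_XML = """<?xml version="1.0" encoding="UTF-8"?>
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000"
               redirectPort="443" />
    <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
               SSLEnabled="true" scheme="https" secure="true" />
    <Connector port="8009" protocol="AJP/1.3" redirectPort="443" />
    <Engine name="Catalina" defaultHost="localhost">
      <Host name="localhost" appBase="webapps" />
    </Engine>
  </Service>
</Server>
"""

REQUIRED = {"scheme": "https", "secure": "true"}  # values the control mandates


def is_http_connector(conn):
    # Tomcat defaults a Connector with no protocol attribute to HTTP/1.1; the
    # NIO/APR HTTP implementations carry "http11" in their class names.
    proto = conn.get("protocol", "HTTP/1.1")
    return proto == "HTTP/1.1" or "http11" in proto.lower()


def find_noncompliant_connectors(xml_text):
    """Return [(port, [attributes missing or wrong])] for each HTTP connector."""
    findings = []
    for conn in ET.fromstring(xml_text).iter("Connector"):
        if not is_http_connector(conn):
            continue
        bad = [k for k, v in REQUIRED.items() if conn.get(k, "").lower() != v]
        if bad:
            findings.append((conn.get("port"), bad))
    return findings


def harden(xml_text):
    """Set scheme="https" and secure="true" on every HTTP connector and return the
    document as a string. ElementTree drops comments and the XML declaration, so
    diff the result against the original before writing it back."""
    root = ET.fromstring(xml_text)
    for conn in root.iter("Connector"):
        if is_http_connector(conn):
            for k, v in REQUIRED.items():
                conn.set(k, v)
    return ET.tostring(root, encoding="unicode")
```

Running `find_noncompliant_connectors` against the live `$CATALINA_BASE/conf/server.xml` after the edit above confirms the change took effect; an empty result means every HTTP connector carries both attributes.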
Supportive Information
The following resource is also helpful.
This security hardening control applies to the following category of controls within NIST 800-53: Access Control. This control applies to the following type of system: Unix.
References
- 800-53|AC-3
- CAT|II
- CCI|CCI-000213
- Rule-ID|SV-222935r615938_rule
- STIG-ID|TCAT-AS-000100
- STIG-Legacy|SV-111401
- STIG-Legacy|V-102453
- Vuln-ID|V-222935