Details

Connectors are how Tomcat receives requests over a network port, passes them to hosted web applications via HTTP or AJP, and then sends the results back to the requestor. Cryptographic ciphers are associated with the connector to create a secured connector. To ensure encryption strength is adequately maintained, the ciphers used must be FIPS 140-2-validated.

The FIPS-validated crypto libraries are not provided by Tomcat; they are included as part of the Java instance and the underlying Operating System. The STIG checks to ensure the FIPSMode setting is enabled for the connector and also checks the logs for FIPS errors, which indicates FIPS non-compliance at the OS or Java layers. The administrator is responsible for ensuring the OS and Java instance selected for the Tomcat installation provide and enable these FIPS modules so Tomcat can be configured to use them.

Satisfies: SRG-APP-000224-AS-000152, SRG-APP-000428-AS-000265, SRG-APP-000429-AS-000157, SRG-APP-000439-AS-000274, SRG-APP-000440-AS-000167

Solution

In addition to configuring Tomcat, the admin must also configure the underlying OS and Java engine to use FIPS validated encryption modules. This fix instructs how to enable FIPSMode within Tomcat, the OS and Java engine must be configured to use the FIPS validated modules according to the chosen OS and Java engine.

From the Tomcat server as a privileged user:

sudo nano $CATALINA_BASE/conf/server.xml.

In the element, locate the AprLifecycleListener. Either add or modify the FIPSMode setting and set it to FIPSMode=’on’.

EXAMPLE:
className=’org.apache.catalina.core.AprLifecycleListener’
SSLEngine=’on’
FIPSMode=’on’
/>

Restart the Tomcat server:
sudo systemctl restart tomcat
sudo systemctl daemon-reload

Supportive Information

The following resource is also helpful.

• https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_Apache_Tomcat_Application_Server_9_V2R3_STIG.zip

This security hardening control applies to the following category of controls within NIST 800-53: Identification and Authentication, System and Communications Protection.This control applies to the following type of system Unix.

References

• 800-53|IA-7
• 800-53|SC-8
• 800-53|SC-8(1)
• 800-53|SC-23(3)
• 800-53|SC-28(1)
• CAT|I
• CCI|CCI-000803
• CCI|CCI-001188
• CCI|CCI-002418
• CCI|CCI-002421
• CCI|CCI-002475
• CCI|CCI-002476
• Rule-ID|SV-222968r615938_rule
• STIG-ID|TCAT-AS-000750
• STIG-Legacy|SV-111567
• STIG-Legacy|V-102609
• Vuln-ID|V-222968

Source

• Tenable.com/audits