V-222971
Apache Tomcat Application Server 9 Security Technical Implementation Guide
Title
Tomcat servers must mutually authenticate proxy or load balancer connections.
Description
<VulnDiscussion>Tomcat servers are often placed behind a proxy when exposed to both trusted and untrusted networks. This is done for security and performance reasons. Tomcat does provide an HTTP server that can be configured to make hosted applications available to clients directly. However, this HTTP server has performance limitations and is not intended to be used on an enterprise scale. Exposing this service to untrusted networks also violates the layered security model and creates elevated r...
Fix Text (Documentation Requirement)
From the Tomcat server as a privileged user, edit the $CATALINA_BASE/conf/server.xml file. Modify each <SSLHostConfig> element where the IP address is behind a proxy or load balancer. Set certificateVerification="true", identify the applications that are associated with the connector, and edit the associated web.xml files. Ensure the <auth-method> is set to CLIENT-CERT.
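As an added compliance check that is not part of the STIG text, the following Python script parses constructed server.xml and web.xml samples (the host names and keystore paths are made up) and reports every <SSLHostConfig> that does not require a client certificate, plus the <auth-method> values found in web.xml:

```python
import xml.etree.ElementTree as ET

# Constructed sample server.xml fragment (not from the STIG): one SSLHostConfig
# enforces client-certificate verification, the other relies on Tomcat's default.
SAMPLE_SERVER_XML = """<Server>
  <Service name="Catalina">
    <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
               SSLEnabled="true">
      <SSLHostConfig hostName="app.example.internal"
                     certificateVerification="required"
                     truststoreFile="conf/proxy-truststore.p12">
        <Certificate certificateKeystoreFile="conf/tomcat.p12"/>
      </SSLHostConfig>
      <SSLHostConfig hostName="legacy.example.internal">
        <Certificate certificateKeystoreFile="conf/legacy.p12"/>
      </SSLHostConfig>
    </Connector>
  </Service>
</Server>"""

# Constructed sample web.xml fragment using CLIENT-CERT, as the fix text requires.
SAMPLE_WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee">
  <login-config><auth-method>CLIENT-CERT</auth-method></login-config>
</web-app>"""

# Spellings Tomcat accepts for certificateVerification that require a client cert.
MUTUAL_AUTH_VALUES = {"required", "require", "true", "yes"}


def noncompliant_ssl_hosts(server_xml: str) -> list:
    """Return hostName values of SSLHostConfig elements that do not require
    client certificates (a missing attribute means Tomcat's default, 'none')."""
    root = ET.fromstring(server_xml)
    findings = []
    for cfg in root.iter("SSLHostConfig"):
        value = cfg.get("certificateVerification", "none").lower()
        if value not in MUTUAL_AUTH_VALUES:
            findings.append(cfg.get("hostName", "_default_"))
    return findings


def auth_methods(web_xml: str) -> list:
    """Return every <auth-method> value in a web.xml, ignoring the XML namespace."""
    root = ET.fromstring(web_xml)
    return [el.text.strip() for el in root.iter() if el.tag.endswith("auth-method")]


if __name__ == "__main__":
    print("SSLHostConfig without client-cert verification:", noncompliant_ssl_hosts(SAMPLE_SERVER_XML))
    print("web.xml auth-method values:", auth_methods(SAMPLE_WEB_XML))
```

Point the two functions at the real $CATALINA_BASE/conf/server.xml and each application's web.xml to list the hosts still needing the fix.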