Documentation - V-222974

V-222974

Apache Tomcat Application Server 9 Security Technical Implementation Guide

CAT II

Title

Clusters must operate on a trusted network.

Description

<VulnDiscussion>Operating a Tomcat cluster on an untrusted network creates potential for unauthorized persons to view or manipulate cluster session traffic. When operating a Tomcat cluster, care must be taken to isolate the cluster traffic from untrusted sources. Options include using a private VLAN, VPN, or IPSEC tunnel or by encrypting cluster traffic by using the EncryptInterceptor. The EncryptInterceptor adds encryption to the channel messages carrying session data between Tomcat cluster nod...

Fix Text (Documentation Requirement)

Update the System Security Plan (SSP) and document the network interface, their related IP addresses, and which interfaces transport Tomcat cluster traffic. Also document which interface is multi-cast enabled if using the McastService membership class versus Static. To obtain the information needed for the SSP: sudo grep -i -A3 "<Membership className" $CATALINA_BASE/conf.server.xml Document the address="<ipAddress>" value. Review the OS routing tables. Identify and document which interface is configured to route the Tomcat class D IP multicast traffic. sudo netstat -r END of Documentation instructions. From the Tomcat server as a privileged user, edit the $CATALINA_BASE/conf/server.xml file. sudo nano $CATALINA_BASE/conf/server.xml Locate the <Interceptor/> element nested within...

View Full STIG Details →

Documentation Status

Status

Documented Verified - link to a ship document Awaiting Review Evidence submitted, needs verification Pending Needs documentation Not Required Documentation not needed Not Applicable STIG doesn't apply

Notes (Optional)

Cancel