How are the Apache Hardened Tomcat AMIs configured?

Our Apache Hardened Tomcat AMIs are built on our DISA STIG Hardened RedHat images, to provide a secure baseline for the application server stack. Because the DISA Application Server SRG is somewhat generic in scope, and many of the controls listed within it are specific to your application code, the final bit of hardening will depend on how you configure your application. We've covered the basics, though:

  • Tomcat is configured to listen with a self-signed SSL certificate on port 8443.

  • The Server banner is disabled, both in the HTTP response header and in the Tomcat error pages.

  • The SSL listener is restricted to DOD-approved encryption algorithms.
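For reference, here is how those three controls are typically expressed in Tomcat's `conf/server.xml`. This is an added example, not the file shipped on the AMI: the keystore path, the keystore password, the `server` header value and the cipher list are placeholders or assumptions, and the actual DOD-approved cipher set should be taken from the STIG and the AMI's own configuration.

```xml
<!-- Added example server.xml fragment (not the AMI's own file).
     Keystore path/password, the server attribute value and the cipher
     list are placeholders; take the real values from the STIG and the
     configuration shipped on the image. -->
<Server port="-1" shutdown="SHUTDOWN">
  <Service name="Catalina">

    <!-- 1. HTTPS listener on 8443 backed by the self-signed certificate in
            the keystore. Only TLSv1.2 and the ciphers named below are
            offered (illustrative list, not the authoritative DOD set). -->
    <Connector port="8443"
               protocol="org.apache.coyote.http11.Http11NioProtocol"
               SSLEnabled="true" scheme="https" secure="true"
               maxThreads="150"
               keystoreFile="${catalina.base}/conf/keystore.jks"
               keystorePass="CHANGEME_PLACEHOLDER"
               sslProtocol="TLS"
               sslEnabledProtocols="TLSv1.2"
               ciphers="TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"
               server=" " />
    <!-- 2a. The server attribute above overrides the default
             "Apache-Coyote/1.1" Server header on Tomcat 7; on Tomcat 8.5
             and later no Server header is sent at all unless this
             attribute (or the application) sets one, so it can be omitted.
             The blank value is an assumption, not a STIG-mandated string. -->

    <Engine name="Catalina" defaultHost="localhost">
      <Host name="localhost" appBase="webapps"
            unpackWARs="true" autoDeploy="false">
        <!-- 2b. Strip the Tomcat version string and stack traces from the
                 built-in error pages. -->
        <Valve className="org.apache.catalina.valves.ErrorReportValve"
               showReport="false" showServerInfo="false" />
      </Host>
    </Engine>
  </Service>
</Server>
```

After changing any of these values, restart Tomcat and confirm the result from a client: an HTTPS request to port 8443 should succeed only with TLSv1.2 and one of the listed ciphers, the response should carry no identifying `Server` header, and a request for a missing path should return a 404 page without the Tomcat version string.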

This should be more than enough to get you well down the road to running a fully compliant web application! But if you think you need more, please don't hesitate to let us know.
