
V-222963

CAT II (Medium)

JMX authentication must be secured.

Rule ID

SV-222963r960972_rule

STIG

Apache Tomcat Application Server 9 Security Technical Implementation Guide

Version

V3R4

CCIs

CCI-000765

Discussion

Java Management Extensions (JMX) provides the means to remotely manage the Java VM. When enabling the JMX agent for remote monitoring, the user must enable authentication.

Check Content

From the Tomcat server run the following command:

sudo grep -i jmxremote.authenticate /etc/systemd/system/tomcat.service
sudo ps -ef | grep -i jmxremote

If the results are blank, this is not a finding.

If the results include:

-Dcom.sun.management.jmxremote.authenticate=false, this is a finding.
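
The check above expressed as a script, as an added example that is not part of the STIG; the function name `jmx_auth_status`, its status strings and the sample lines are constructed for illustration. It ignores commented-out unit-file lines and the `grep -i jmxremote` process that `ps -ef` lists for the check itself, so neither is mistaken for a result.

```shell
#!/bin/sh
# Added example, not part of the STIG. Evaluates the V-222963 check against
# text on stdin (unit-file contents and/or `ps -ef` output).
# Prints NOT_A_FINDING or FINDING, following the Check Content wording.

jmx_auth_status() {
    # Drop commented-out unit-file lines, then extract only real JVM flags.
    # Matching the full -Dcom.sun.management.jmxremote prefix also discards
    # the "grep -i jmxremote" process that ps lists for the check itself.
    flags=$(sed -e '/^[[:space:]]*[#;]/d' |
        grep -oiE -e "-Dcom\.sun\.management\.jmxremote[a-z.]*(=[^[:space:]\"']*)?" || true)

    # No JMX remote flags at all: results are "blank", not a finding.
    if [ -z "$flags" ]; then
        echo NOT_A_FINDING
        return 0
    fi
    # An explicit authenticate=false is the finding condition.
    if printf '%s\n' "$flags" | grep -qiE -e 'jmxremote\.authenticate=false$'; then
        echo FINDING
        return 0
    fi
    echo NOT_A_FINDING
}

# Constructed sample inputs (not taken from a real host).
SAMPLE_BAD="Environment='CATALINA_OPTS=-Dcom.sun.management.jmxremote -Dcom.sun.management.jmxremote.authenticate=false'"
SAMPLE_GOOD="Environment='CATALINA_OPTS=-Dcom.sun.management.jmxremote -Dcom.sun.management.jmxremote.authenticate=true -Dcom.sun.management.jmxremote.ssl=true'"
SAMPLE_COMMENTED="# Environment='CATALINA_OPTS=-Dcom.sun.management.jmxremote.authenticate=false'"
SAMPLE_PS_SELF="root  4242  4100  0 10:00 pts/0  00:00:00 grep -i jmxremote"

for s in "$SAMPLE_BAD" "$SAMPLE_GOOD" "$SAMPLE_COMMENTED" "$SAMPLE_PS_SELF"; do
    printf '%s\n' "$s" | jmx_auth_status
done
```

On a live host the same function can be fed the two sources the check names, for example `{ cat /etc/systemd/system/tomcat.service; ps -ef; } | jmx_auth_status`.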

Fix Text

If using JMX for management of the Tomcat server, start the Tomcat server by adding the following command line flags to the systemd startup scripts in /etc/systemd/system/tomcat.service.

Environment='CATALINA_OPTS=-Dcom.sun.management.jmxremote -Dcom.sun.management.jmxremote.authenticate=true -Dcom.sun.management.jmxremote.ssl=true'

# Reload unit files first so systemd picks up the edited tomcat.service
sudo systemctl daemon-reload
sudo systemctl restart tomcat