STIG Summary: IBM MQ Appliance V9.0 AS Security Technical Implementation Guide, Version: 1, Release: 1, Benchmark Date: 05 Jun 2017

The MQ Appliance WebGUI interface to the messaging server must prohibit the use of cached authenticators after one hour.

DISA Rule

SV-89423r1_rule

Vulnerability Number

V-74749

Group Title

SRG-APP-000400-AS-000246

Rule Version

MQMH-AS-000190

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Display the SSL Server Profile associated with the WebGUI using the CLI.
Enter:
co
show web-mgmt

[Note the name of the ssl-server]

Define the cache parameters of the SSL Server using the CLI.
Enter:
co
crypto
ssl-server <ssl-server name>
caching on
cache-timeout 3600
exit
exit
write mem
y

Check Contents

Display the SSL Server Profile associated with the WebGUI using the CLI.

Log on as an admin to the MQ appliance using SSH terminal access.

Enter:
co
show web-mgmt

Note the name of the ssl-server, then enter:
crypto
ssl-server <ssl-server name>
show

Verify the following are displayed:
caching on
cache-timeout 3600

If the ssl-server configuration does not exist, or if caching is "off", or if the cache-timeout setting does not equal "3600" seconds (60 minutes), this is a finding.
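The finding logic above can be applied to a saved copy of the ssl-server "show" output. The following is an added example, not part of the STIG or of IBM's tooling; it assumes the output carries "caching" and "cache-timeout" as "keyword value" lines exactly as the check text displays them, and the function name and sample strings are constructed for illustration.

```python
import re

REQUIRED_TIMEOUT = 3600  # seconds (60 minutes), per the check text

# Assumption: each setting appears on its own line as "<keyword> <value>".
SETTING_RE = re.compile(r"^\s*(caching|cache-timeout)\s+(\S+)\s*$", re.IGNORECASE)


def evaluate_ssl_server(show_output):
    """Return a list of finding reasons; an empty list means not a finding."""
    settings = {}
    for line in show_output.splitlines():
        match = SETTING_RE.match(line)
        if match:
            settings[match.group(1).lower()] = match.group(2).lower()

    # Assumption: output with neither setting is treated as a missing
    # ssl-server configuration.
    if not settings:
        return ["ssl-server configuration does not exist"]

    findings = []
    if settings.get("caching") != "on":
        findings.append("caching is not on")

    timeout = settings.get("cache-timeout")
    if timeout is None:
        findings.append("cache-timeout is not set")
    elif not timeout.isdigit() or int(timeout) != REQUIRED_TIMEOUT:
        findings.append("cache-timeout is %s, expected %d" % (timeout, REQUIRED_TIMEOUT))
    return findings


# Constructed sample outputs (not captured from a real appliance).
COMPLIANT = "caching on\ncache-timeout 3600\n"
CACHING_OFF = "caching off\ncache-timeout 3600\n"
SHORT_TIMEOUT = "caching on\ncache-timeout 300\n"
NO_PROFILE = ""

if __name__ == "__main__":
    for name, sample in [("compliant", COMPLIANT), ("caching off", CACHING_OFF),
                         ("short timeout", SHORT_TIMEOUT), ("no profile", NO_PROFILE)]:
        reasons = evaluate_ssl_server(sample)
        print(name, "->", "FINDING: " + "; ".join(reasons) if reasons else "not a finding")
```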

Documentable

False

Severity Override Guidance

Check Content Reference

M

Target Key

3239

Comments