SV-89571r1_rule
V-74897
SRG-APP-000158-AS-000108
MQMH-AS-001000
CAT II
10
Run the fix for each affected queue manager and each affected channel.
To access the MQ Appliance CLI, enter:
mqcli
runmqsc [queue manager name]
ALTER CHANNEL([channel name]) CHLTYPE(SVRCONN) TRPTYPE(TCP) SSLCIPH([Use FIPS Approved cipher specs only]) SSLCAUTH(REQUIRED)
Enter "end" to exit runmqsc mode.
Check that TLS mutual authentication configuration is correct by using "DISPLAY" commands.
To access the MQ Appliance CLI, enter:
mqcli
To identify the queue managers, enter:
dspmq
For each queue manager identified, run the command:
runmqsc [queue manager name]
To display available SVRCONN channels details, enter:
DIS CHANNEL(*) CHLTYPE(SVRCONN)
Note the names of SVRCONN channels (client channels).
Display values for each channel:
DIS CHANNEL([name of SVRCONN channel])
Confirm that the parameter "SSLCIPH" specifies a FIPS approved cipher spec and that the value of "SSLCAUTH" is set to "REQUIRED".
MQ cipher specs are available here: https://ibm.biz/BdrJGp
Use a FIPS approved cipher when specifying SSLCIPH.
If either the "SSLCIPH" or "SSLCAUTH" value for any channel is not correct, this is a finding.