STIGQter: STIG Summary: IBM MQ Appliance V9.0 AS Security Technical Implementation Guide Version: 1 Release: 1 Benchmark Date: 05 Jun 2017: STIGQter: STIG Summary: IBM MQ Appliance V9.0 AS Security Technical Implementation Guide Version: 1 Release: 1 Benchmark Date: 05 Jun 2017:SV-89589r1_rule
V-74915
SRG-APP-000395-AS-000109
MQMH-AS-001170
CAT I
10
1. Prepare the key repository on each endpoint client.
2. Request a CA-signed certificate for each client. You might use different CAs for the two endpoints.
3. Add the Certificate Authority certificate to the key repository for each client. If the endpoints are using different Certificate Authorities then the CA certificate for each Certificate Authority must be added to both key repositories.
4. Add the CA-signed certificate to the key repository for each endpoint.
On the MQ Appliance queue manager, define a server-connection channel by issuing a command as in the following example:
[C1]=Client, [QM1]=MQ Appliance queue manager. Replace [QM1] with the actual queue manager name (e.g., FINANCEQM)
To access the MQ Appliance CLI, enter:
mqcli
runmqsc [QM1]
Replace the brackets "[ ]" with a selected parameter:
DEFINE CHANNEL([C1].TO.[QM1]) CHLTYPE(SVRCONN) TRPTYPE(TCP) +
SSLCIPH([TLS_RSA_WITH_AES_128_CBC_SHA or other cipher spec]) SSLCAUTH(REQUIRED) +
DESCR('Receiver channel using TLS from [client name] to [QM name]')
For example:
ALTER CHANNEL(C1.TO.QM1) CHLTYPE(SVRCONN) TRPTYPE(TCP) +
SSLCIPH(TLS_RSA_WITH_AES_128_CBC_SHA) SSLCAUTH(REQUIRED) +
DESCR('Receiver channel using TLS from C1 to QM1')
Review system documentation. Identify all message services hosted on the device(s) and determine if any services are hosting publicly available, non-sensitive data. This requirement is NA for publicly available services that host non-sensitive data if a documented ISSO risk acceptance is presented.
Check that TLS mutual authentication configuration is correct by using DISPLAY commands.
To access the MQ Appliance CLI, enter:
mqcli
To identify the queue managers, enter:
dspmq
For each queue manager identified, run the command:
runmqsc [queue name]
DIS CHANNEL(*) CHLTYPE(SVRCONN)
Note the name of SVRCONN channel (client channel) you wish to check.
DIS CHANNEL([name of SVRCONN channel])
Confirm that the parameter "SSLCIPH" specifies the desired cipher spec and that the value of "SSLAUTH" is "REQUIRED".
If either the "SSLCIPH" or "SSLAUTH" value is not correct, this is a finding.
V-74915
False
MQMH-AS-001170
Review system documentation. Identify all message services hosted on the device(s) and determine if any services are hosting publicly available, non-sensitive data. This requirement is NA for publicly available services that host non-sensitive data if a documented ISSO risk acceptance is presented.
Check that TLS mutual authentication configuration is correct by using DISPLAY commands.
To access the MQ Appliance CLI, enter:
mqcli
To identify the queue managers, enter:
dspmq
For each queue manager identified, run the command:
runmqsc [queue name]
DIS CHANNEL(*) CHLTYPE(SVRCONN)
Note the name of SVRCONN channel (client channel) you wish to check.
DIS CHANNEL([name of SVRCONN channel])
Confirm that the parameter "SSLCIPH" specifies the desired cipher spec and that the value of "SSLAUTH" is "REQUIRED".
If either the "SSLCIPH" or "SSLAUTH" value is not correct, this is a finding.
M
3239