STIGQter STIGQter: STIG Summary: IBM MQ Appliance v9.0 NDM Security Technical Implementation Guide Version: 1 Release: 1 Benchmark Date: 05 Jun 2017:

When connecting to the MQ Appliance network device using the WebGUI, it must implement replay-resistant authentication mechanisms for network access to privileged accounts.

DISA Rule

SV-89621r1_rule

Vulnerability Number

V-74947

Group Title

SRG-APP-000156-NDM-000250

Rule Version

MQMH-ND-000530

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Log on to the MQ Appliance CLI as a privileged user.

Configure MQ Appliance PKI-based user multifactor authentication to provide replay-resistant authentication.

Assign the WebGUI to one management port (CLI). Enter:
co
web-mgmt <mgmt port IP addr> 9090 <timeout in seconds>
write mem
y

Import to cert directory MQ Appliance private key and cert and client cert(s) (WebGUI):
- Log on to the WebGUI as a privileged user.
- Click on the Administration (gear) icon.
- Under Main, click on File Management.
- Click cert directory.
- Click Actions.
- Upload files.
- Browse to select MQ Appl privkey.
- Add.
- Browse to select MQ Appl cert.
- Add.
- Browse to select client cert.
- Add.
- [Repeat Browse and Add for all desired client certs.]
- Upload.
- Continue.

Create cert aliases (CLI). Enter:
co
crypto
certificate <MQAppl CryptoCert alias: appliance name> cert:///<MQAppl cert file name>
certificate <client CryptoCert alias: subject field fm client cert> cert:///<client cert file name>
[Repeat certificate command for any additional client certs.]
exit
write mem
y

Create MQAppl private key alias (CLI). Enter:
co
crypto
key <MQAppl CryptoKey alias> cert:///<MQAppl privkey file name>
exit
write mem
y

Create MQAppl ID Credential (CLI). Enter:
co
crypto
idcred <MQAppl IDCred name> <MQAppl CryptoKey alias> <MQAppl CryptoCert alias>
exit
write mem
y

Create a client Validation Credential (CLI). Enter:
co
crypto
valcred <Client ValCred name>
certificate <Client CryptoCert alias>
[Add additional client certificates as required]
exit
exit
write mem
y

Create SSL Server Profile (CLI). Enter:
co
crypto
ssl-server <SSL Svr Profile name>
admin-state enabled
idcred <MQAppl IDCred name>
protocols TLSv1d2
valcred <Client ValCred name>
request-client-auth on
require-client-auth on
send-client-auth-ca-list on
exit
exit
write mem
y

Associate SSL Server Profile with WebGUI (CLI). Enter:
co
web-mgmt
ssl-config-type server
ssl-server <SSL Svr Profile name>
exit
write mem
y

Check Contents

Log on to the MQ Appliance CLI as a privileged user. Verify the MQ Appliance PKI-based user authentication is configured to support multifactor authentication to provide replay-resistant authentication.

Verify an SSL Server Profile is associated with the WebGUI (CLI). Enter:
co
show web-mgmt

[Note the name of the ssl-server]

Display the parameters of the ssl-server (CLI). Enter:
co
crypto
ssl-server <ssl-server name>
show

[Note the name of the valcred]

Display the certificates in the ValCred (CLI). Enter:
co
crypto
valcred <name of valcred>
show

Verify all listed client certificates are authorized to access the MQ Appliance.

If any are not authorized, this is a finding.

Vulnerability Number

V-74947

Documentable

False

Rule Version

MQMH-ND-000530

Severity Override Guidance

Log on to the MQ Appliance CLI as a privileged user. Verify the MQ Appliance PKI-based user authentication is configured to support multifactor authentication to provide replay-resistant authentication.

Verify an SSL Server Profile is associated with the WebGUI (CLI). Enter:
co
show web-mgmt

[Note the name of the ssl-server]

Display the parameters of the ssl-server (CLI). Enter:
co
crypto
ssl-server <ssl-server name>
show

[Note the name of the valcred]

Display the certificates in the ValCred (CLI). Enter:
co
crypto
valcred <name of valcred>
show

Verify all listed client certificates are authorized to access the MQ Appliance.

If any are not authorized, this is a finding.

Check Content Reference

M

Target Key

3243

Comments