STIGQter: STIG Summary: IBM MQ Appliance v9.0 NDM Security Technical Implementation Guide Version: 1 Release: 1 Benchmark Date: 05 Jun 2017: STIGQter: STIG Summary: IBM MQ Appliance v9.0 NDM Security Technical Implementation Guide Version: 1 Release: 1 Benchmark Date: 05 Jun 2017:SV-89677r1_rule
V-75003
SRG-APP-000392-NDM-000309
MQMH-ND-001180
CAT II
10
Log on to the MQ Appliance CLI as a privileged user. Configure MQ Appliance PKI-based user authentication.
Assign the WebGUI to one management port (CLI). Enter:
co
web-mgmt <mgmt port IP addr> 9090 <timeout in seconds>
write mem
y
Import to cert directory MQ Appliance private key and cert and client cert(s) (WebGUI):
- Log on to the WebGUI as a privileged user.
- Click on the Administration (gear) icon.
- Under Main, click on File Management.
- Click cert directory.
- Click Actions.
- Upload files.
- Browse to select MQ Appl privkey.
- Add.
- Browse to select MQ Appl cert.
- Add.
- Browse to select client cert.
- Add.
- [Repeat Browse and Add for all desired client certs.]
- Upload.
- Continue
Create cert aliases (CLI). Enter:
co
crypto
certificate <MQAppl CryptoCert alias: appliance name> cert:///<MQAppl cert file name>
certificate <client CryptoCert alias: subject field fm client cert> cert:///<client cert file name>
[Repeat certificate command for any additional client certs.]
exit
write mem
y
Create MQAppl private key alias (CLI). Enter:
co
crypto
key <MQAppl CryptoKey alias> cert:///<MQAppl privkey file name>
exit
write mem
y
Create MQAppl ID Credential (CLI). Enter:
co
crypto
idcred <MQAppl IDCred name> <MQAppl CryptoKey alias> <MQAppl CryptoCert alias>
exit
write mem
y
Create a client Validation Credential (CLI). Enter:
co
crypto
valcred <Client ValCred name>
certificate <Client CryptoCert alias>
[Add additional client certificates as required]
exit
exit
write mem
y
Create SSL Server Profile (CLI). Enter:
co
crypto
ssl-server <SSL Svr Profile name>
admin-state enabled
idcred <MQAppl IDCred name>
protocols TLSv1d2
valcred <Client ValCred name>
request-client-auth on
require-client-auth on
send-client-auth-ca-list on
exit
exit
write mem
y
Associate SSL Server Profile with WebGUI (CLI). Enter:
co
web-mgmt
ssl-config-type server
ssl-server <SSL Svr Profile name>
exit
write mem
y
Log on to the MQ Appliance CLI as a privileged user. Verify MQ Appliance PKI-based user authentication is configured.
Verify an SSL Server Profile is associated with the WebGUI (CLI). Enter:
co
show web-mgmt
[Note the name of the ssl-server]
Display the parameters of the ssl-server (CLI). Enter:
co
crypto
ssl-server <ssl-server name>
show
[Note the name of the valcred]
Display the certificates in the ValCred (CLI). Enter:
co
crypto
valcred <name of valcred>
show
Verify all listed client certificates are authorized to access the MQ Appliance.
Spot-check access to the appliance:
Attempt to access the appliance from a browser enabled with an authorized certificate.
Attempt to access the appliance from a browser not enabled with an authorized client certificate.
If unauthorized access succeeds, this is a finding.
V-75003
False
MQMH-ND-001180
Log on to the MQ Appliance CLI as a privileged user. Verify MQ Appliance PKI-based user authentication is configured.
Verify an SSL Server Profile is associated with the WebGUI (CLI). Enter:
co
show web-mgmt
[Note the name of the ssl-server]
Display the parameters of the ssl-server (CLI). Enter:
co
crypto
ssl-server <ssl-server name>
show
[Note the name of the valcred]
Display the certificates in the ValCred (CLI). Enter:
co
crypto
valcred <name of valcred>
show
Verify all listed client certificates are authorized to access the MQ Appliance.
Spot-check access to the appliance:
Attempt to access the appliance from a browser enabled with an authorized certificate.
Attempt to access the appliance from a browser not enabled with an authorized client certificate.
If unauthorized access succeeds, this is a finding.
M
3243