STIGQter: STIG Summary: zOS WebsphereMQ for RACF STIG Version: 6 Release: 2 Benchmark Date: 24 Jul 2020:

WebSphere MQ channel security is not implemented in accordance with security requirements.

DISA Rule

SV-111903r1_rule

Vulnerability Number

V-6980

Group Title

ZWMQ0012

Rule Version

ZWMQ0012

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Refer to the following report produced by the z/OS Data Collection:

- MQSRPT(ssid)

NOTE: ssid is the queue manager name (a.k.a., subsystem identifier).

1) Find the DISPLAY QMGR SSLKEYR command to locate the start of the Queue Manager definitions.
2) Verify that each WebSphere MQ queue manager is using a digital certificate by reviewing the SSLKEYR parameter to ensure that a keyring is identified, e.g., SSLKEYR(sslkeyring-id). A blank SSLKEYR value means no keyring (and therefore no certificate) is in use.
3) Issue the following RACF commands, where ssidCHIN is the lid (userid) of the WebSphere MQ Channel Initiator and sslkeyring-id is the value obtained from the above action:

RACDCERT ID(ssidCHIN) LISTRING(sslkeyring-id)

NOTE: The sslkeyring-id is case sensitive.

The output will contain columns for Certificate Label Name and Cert Owner. Find the entry (or entries) whose Cert Owner is ID(ssidCHIN); CERTAUTH entries are the issuing CA certificates, not the channel initiator's own certificate. Use the Certificate Label Name of the ID(ssidCHIN) entry in the following command:

RACDCERT ID(ssidCHIN) LIST(LABEL('Certificate Label Name'))

NOTE: The Certificate Label Name is case sensitive.

Review the Issuer's Name field in the resulting output and confirm that it contains one of the following (RACF displays the distinguished name with its components separated by periods):

OU=PKI.OU=DoD.O=U.S. Government.C=US
OU=ECA.O=U.S. Government.C=US

4) Repeat these steps for each queue manager ssid identified.

To implement the requirements stated above, the following two items are provided to assist with (1) technical "how to" information and (2) a DISA point of contact for obtaining SSL certificates for CSD WebSphere MQ channels:

1. Review the information on setting up SSL, keyrings, and digital certificates in the RACF Security Administrator's Guide and in the WebSphere MQ Security manual. Also review the documentation provided as part of the install package from the DISA SSO Resource Management Factory (formerly Software Factory).

2. For information on obtaining an SSL certificate in the DISA CSD environment, send an email inquiry to disaraoperations@disa.mil.

Check Contents

a) Refer to the following report produced by the MQSeries/WebSphere MQ Data Collection:

- MQSERIES.RPT(MQSssid)

NOTE: ssid is the queue manager name (a.k.a., subsystem identifier). To determine which Release of MQSeries/WebSphere MQ, review MQSssid report for message CSQU000I.

Refer to the following item gathered from the MQSeries/WebSphere MQ Worksheet in the Preliminary Information Worksheets:

- DOC(MQWMQNFO)

b) If the site is running MQSeries 5.2 or below, this is NOT APPLICABLE.

c) For each WebSphere MQ 5.3 or later queue manager, review the MQSssid report(s) and perform the following steps:

1) Find the DISPLAY QMGR SSLKEYR command to locate the start of the Queue Manager definitions.
2) Verify that each WebSphere MQ 5.3 (or later) queue manager is using a digital certificate by reviewing the SSLKEYR parameter to ensure that a keyring is identified, e.g., SSLKEYR(sslkeyring-id). A blank SSLKEYR value means no keyring (and therefore no certificate) is in use.
3) Issue the following RACF commands, where ssidCHIN is the lid (userid) of the WebSphere MQ Channel Initiator and sslkeyring-id is the value obtained from the above action:

RACDCERT ID(ssidCHIN) LISTRING(sslkeyring-id)

NOTE: The sslkeyring-id is case sensitive.

The output will contain columns for Certificate Label Name and Cert Owner. Find the entry (or entries) whose Cert Owner is ID(ssidCHIN); CERTAUTH entries are the issuing CA certificates, not the channel initiator's own certificate. Use the Certificate Label Name of the ID(ssidCHIN) entry in the following command:

RACDCERT ID(ssidCHIN) LIST(LABEL('Certificate Label Name'))

NOTE: The Certificate Label Name is case sensitive.

Review the Issuer's Name field in the resulting output and confirm that it contains one of the following (RACF displays the distinguished name with its components separated by periods):

OU=PKI.OU=DoD.O=U.S. Government.C=US
OU=ECA.O=U.S. Government.C=US

4) Repeat these steps for each queue manager ssid identified.

d) If all of the items in (c) above are true, there is NO FINDING.

e) If any of the items in (c) above are untrue, this is a FINDING.
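The Fix Recommendation and Check Contents above describe one manual procedure per queue manager: confirm the release, confirm SSLKEYR names a keyring, confirm the keyring holds a certificate owned by the channel initiator's userid, and confirm that certificate's issuer is the DoD PKI or ECA. The following Python script is an added example, not part of the STIG or of any DISA tooling, that applies that decision logic to saved copies of the MQSssid report and the two RACDCERT outputs. The sample report text, ring name MQRING, userid CSQ1CHIN, label and issuer DN are all constructed for illustration, and the column layout of RACDCERT LISTRING and the "Issuer's Name:" line placement in RACDCERT LIST are assumed from typical RACF output; check them against your release before trusting the parser on real data.

```python
"""Audit helper for ZWMQ0012: does each queue manager's channel initiator
use a keyring holding a DoD/ECA-issued certificate? (Added example.)"""
import re

# Issuer suffixes the check accepts. RACF's RACDCERT LIST prints the DN with
# '.' between components, bracketed by > and <.
APPROVED_ISSUER_SUFFIXES = (
    "OU=PKI.OU=DoD.O=U.S. Government.C=US",
    "OU=ECA.O=U.S. Government.C=US",
)


def mq_version(report):
    """(major, minor) from the CSQU000I line; format 'V7R1M0' or 'V5.3' assumed."""
    for line in report.splitlines():
        if "CSQU000I" in line:
            m = re.search(r"\bV(\d+)[R.](\d+)", line)
            if m:
                return int(m.group(1)), int(m.group(2))
    return None


def sslkeyr(report):
    """SSLKEYR value from the DISPLAY QMGR response; '' if blank or absent."""
    m = re.search(r"SSLKEYR\(([^)]*)\)", report)
    return m.group(1).strip() if m else ""


def listring_entries(listring_out):
    """(label, owner) pairs from the certificate table of RACDCERT LISTRING."""
    entries, in_table = [], False
    for line in listring_out.splitlines():
        if line.lstrip().startswith("Certificate Label Name"):
            in_table = True          # header row: data rows follow
            continue
        if not in_table or not line.strip() or line.strip().startswith("---"):
            continue
        m = re.match(r"\s*(.+?)\s{2,}(ID\([^)]+\)|CERTAUTH|SITE)\s", line)
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries


def issuer_name(list_out):
    """Issuer DN from RACDCERT LIST output (value assumed on the next line)."""
    lines = list_out.splitlines()
    for i, line in enumerate(lines):
        if line.strip().startswith("Issuer's Name:"):
            rest = line.split(":", 1)[1].strip()
            value = rest or (lines[i + 1].strip() if i + 1 < len(lines) else "")
            return value.strip("><").strip()
    return ""


def issuer_approved(issuer):
    return any(issuer.endswith(s) for s in APPROVED_ISSUER_SUFFIXES)


def assess(ssid, report, chin_id, listring_out, list_out_by_label):
    """Apply steps b) through e) to one queue manager; returns (status, reason)."""
    ver = mq_version(report)
    if ver is not None and ver < (5, 3):
        return "NOT APPLICABLE", f"{ssid} runs MQSeries {ver[0]}.{ver[1]}"
    ring = sslkeyr(report)
    if not ring:
        return "FINDING", f"{ssid}: SSLKEYR is blank, no keyring in use"
    owner = f"ID({chin_id})"
    # Only certificates owned by the channel initiator count; CERTAUTH rows are CAs.
    personal = [lbl for lbl, own in listring_entries(listring_out) if own == owner]
    if not personal:
        return "FINDING", f"{ssid}: ring {ring} holds no certificate owned by {owner}"
    for label in personal:
        issuer = issuer_name(list_out_by_label.get(label, ""))
        if issuer_approved(issuer):
            return "NO FINDING", f"{ssid}: '{label}' issued by {issuer}"
    return "FINDING", f"{ssid}: no {owner} certificate in {ring} has a DoD or ECA issuer"


# Constructed sample data shaped like the MQSssid report and RACF output.
SAMPLE_REPORT = """\
CSQU000I CSQUTIL IBM WebSphere MQ for z/OS V7R1M0
CSQM201I  DISPLAY QMGR DETAILS
   QMNAME(CSQ1) SSLKEYR(MQRING) SSLTASKS(5) SSLCRLNL( )
"""
SAMPLE_LISTRING = """\
Digital ring information for user CSQ1CHIN:

  Ring:
       >MQRING<
  Certificate Label Name             Cert Owner     USAGE      DEFAULT
  --------------------------------   ------------   --------   -------
  CSQ1CHIN MQ CERT                   ID(CSQ1CHIN)   PERSONAL   YES
  DOD ROOT CA 3                      CERTAUTH       CERTAUTH   NO
"""
SAMPLE_LIST = {"CSQ1CHIN MQ CERT": """\
Digital certificate information for user CSQ1CHIN:

  Label: CSQ1CHIN MQ CERT
  Status: TRUST
  Issuer's Name:
       >CN=DOD ID CA-59.OU=PKI.OU=DoD.O=U.S. Government.C=US<
  Subject's Name:
       >CN=mq1.example.mil.OU=PKI.OU=DoD.O=U.S. Government.C=US<
"""}

if __name__ == "__main__":
    print(assess("CSQ1", SAMPLE_REPORT, "CSQ1CHIN", SAMPLE_LISTRING, SAMPLE_LIST))
```

The script returns FINDING in each of the three ways the manual check can fail (blank SSLKEYR, no certificate owned by the channel initiator in the ring, wrong issuer) and NOT APPLICABLE for a pre-5.3 release, so it can be run once per ssid over the collected reports rather than re-reading the RACF output by hand.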

Vulnerability Number

V-6980

Documentable

False

Rule Version

ZWMQ0012

Severity Override Guidance


Check Content Reference

M

Responsibility

Information Assurance Officer

Target Key

3597

Comments