STIGQter: STIG Summary: zOS WebsphereMQ for ACF2 STIG Version: 6 Release: 2 Benchmark Date: 24 Jul 2020: STIGQter: STIG Summary: zOS WebsphereMQ for ACF2 STIG Version: 6 Release: 2 Benchmark Date: 24 Jul 2020:SV-7283r4_rule
V-6980
ZWMQ0012
ZWMQ0012
CAT II
10
Refer to the following report produced by the z/OS Data Collection:
- MQSRPT(ssid)
NOTE: ssid is the queue manager name (a.k.a., subsystem identifier).
1) Find the DISPLAY QMGR SSLKEYR command to locate the start of the Queue Manager definitions.
2) Verify that each WebSphere MQ queue manager is using a digital certificate by reviewing the SSLKEYR parameter to ensure that a keyring is identified. i.e. SSLKEYR(sslkeyring-id)
3) Issue the following ACF2 command, where ssidCHIN is the lid for the WebSphere MQ Channel Initiator’s userid and sslkeyring-id is obtain from the above action:
LIST ssidCHIN PROFILE(CERTDATA, KEYRING)
The output will contain information on the CERTDATA and KEYRING records for the user. Find the CERTDATA entry that has a Key ring name field with sslkeyring-id. Review the ISSUERDN field for this CERTDATA record for the following:
OU=PKI.OU=DoD.O=U.S. Governmemt.C=US
OU=ECA.O=U.S. Government.C=US
NOTE: The Certificate Label Name is case sensitive.
Review the Issuer’s Name field in the resulting output for information of any of the following:
OU=PKI.OU=DoD.O=U.S. Government.C=US
OU=ECA.O=U.S. Government.C=US
4) Repeat these steps for each queue manager ssid identified.
To implement the requirements stated above, the following two items are provided which attempt to assist with (1) Technical "how to" information and (2) A DISA Point of contact for obtaining SSL certificates for CSD WebSphere MQ channels:
1. Review the information available on setting up SSL, Keyrings, and Digital Certificates in the CA-ACF2 Security for z/OS Administrators Guide as well as the WebSphere MQ Security manual. Also review the information contained in the documentation provided as part of the install package from the DISA SSO Resource Management Factory (formerly Software Factory).
2. For information on obtaining an SSL certificate in the DISA CSD environment, send email inquiry to disaraoperations@disa.mil for more info.
a) Refer to the following report produced by the z/OS Data Collection:
- MQSRPT(ssid)
NOTE: ssid is the queue manager name (a.k.a., subsystem identifier). To determine which Release of WebSphere MQ, review ssid reports for message CSQU000I.
Collect the following Information for Websphere MQ queue manager
- If a WebSphere MQ queue manager communicates with a MQSeries queue manager, provide the WebSphere MQ queue manager and channel names used to connect with MQSeries.
- If any WebSphere MQ channels are used to communicate within the enclave, provide a list of channels and provide documentation regarding the sensitivity of the information on the channel.
b) Review the ssid report(s) and perform the following steps:
1) Find the DISPLAY QMGR SSLKEYR command to locate the start of the Queue Manager definitions.
2) Verify that each WebSphere MQ 5.3 queue manager is using a digital certificate by reviewing the SSLKEYR parameter to ensure that a keyring is identified. i.e. SSLKEYR(sslkeyring-id)
3) Issue the following ACF2 command, where ssidCHIN is the lid for the WebSphere MQ Channel Initiator’s userid and sslkeyring-id is obtained from the above action:
LIST ssidCHIN PROFILE(CERTDATA, KEYRING)
The output will contain information on the CERTDATA and KEYRING records for the user. Find the CERTDATA entry that has a Key ring name field with sslkeyring-id. Review the ISSUERDN field for this CERTDATA record for the following:
OU=PKI.OU=DoD.O=U.S. Governmemt.C=US
OU=ECA.O=U.S. Government.C=US
4) Repeat these steps for each queue manager ssid identified.
c) If the all of the items in (b) above are true, there is NO FINDING.
d) If any of the items in (b) above are untrue, this is a FINDING.
V-6980
False
ZWMQ0012
a) Refer to the following report produced by the z/OS Data Collection:
- MQSRPT(ssid)
NOTE: ssid is the queue manager name (a.k.a., subsystem identifier). To determine which Release of WebSphere MQ, review ssid reports for message CSQU000I.
Collect the following Information for Websphere MQ queue manager
- If a WebSphere MQ queue manager communicates with a MQSeries queue manager, provide the WebSphere MQ queue manager and channel names used to connect with MQSeries.
- If any WebSphere MQ channels are used to communicate within the enclave, provide a list of channels and provide documentation regarding the sensitivity of the information on the channel.
b) Review the ssid report(s) and perform the following steps:
1) Find the DISPLAY QMGR SSLKEYR command to locate the start of the Queue Manager definitions.
2) Verify that each WebSphere MQ 5.3 queue manager is using a digital certificate by reviewing the SSLKEYR parameter to ensure that a keyring is identified. i.e. SSLKEYR(sslkeyring-id)
3) Issue the following ACF2 command, where ssidCHIN is the lid for the WebSphere MQ Channel Initiator’s userid and sslkeyring-id is obtained from the above action:
LIST ssidCHIN PROFILE(CERTDATA, KEYRING)
The output will contain information on the CERTDATA and KEYRING records for the user. Find the CERTDATA entry that has a Key ring name field with sslkeyring-id. Review the ISSUERDN field for this CERTDATA record for the following:
OU=PKI.OU=DoD.O=U.S. Governmemt.C=US
OU=ECA.O=U.S. Government.C=US
4) Repeat these steps for each queue manager ssid identified.
c) If the all of the items in (b) above are true, there is NO FINDING.
d) If any of the items in (b) above are untrue, this is a FINDING.
M
Information Assurance Officer
3595