STIGQter: STIG Summary: IBM MQ Appliance V9.0 AS Security Technical Implementation Guide Version: 1 Release: 1 Benchmark Date: 05 Jun 2017

The MQ Appliance messaging server must map the authenticated identity to the individual messaging user or group account for PKI-based authentication.

DISA Rule

SV-89575r1_rule

Vulnerability Number

V-74901

Group Title

SRG-APP-000177-AS-000126

Rule Version

MQMH-AS-001020

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Specify LDAP as the authentication method for each queue manager.

To access the MQ Appliance CLI, enter:
mqcli

runmqsc [queue manager name]

DEFINE AUTHINFO('[Object name e.g., USE.CRLLDAP]') +
AUTHTYPE(CRLLDAP) +
CONNAME('[LDAPhost1(port)]') REPLACE

Type "end" to exit runmqsc mode.

Check Contents

To access the MQ Appliance CLI, for each queue manager, enter:
mqcli

To identify the queue managers, enter:
dspmq

For each queue manager identified, run the command:
runmqsc [queue manager name]

DIS AUTHINFO(*) AUTHTYPE(CRLLDAP) CONNAME

Verify that an "AUTHINFO" definition of "AUTHTYPE(CRLLDAP)" is displayed and that the CONNAME in parentheses is the host name or IPv4 dotted decimal address of an organizationally approved LDAP server.

If the "AUTHINFO" definition is not equal to "AUTHTYPE(CRLLDAP)", this is a finding.
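
One way to automate this check over runmqsc output saved from each queue manager, as an added example (not part of the STIG or of IBM tooling). The sample output, the object names and the approved-server list are constructed placeholders.

```python
import re

# Constructed sample of saved `DIS AUTHINFO(*) AUTHTYPE(CRLLDAP) CONNAME`
# output for one queue manager (illustrative layout, not a real capture).
SAMPLE_OUTPUT = """\
     1 : DIS AUTHINFO(*) AUTHTYPE(CRLLDAP) CONNAME
   AUTHINFO(USE.CRLLDAP)                   AUTHTYPE(CRLLDAP)
   CONNAME(ldap1.example.mil(636))
   AUTHINFO(OLD.CRLLDAP)                   AUTHTYPE(CRLLDAP)
   CONNAME(198.51.100.7(389))
"""

# Assumption: the organizationally approved LDAP servers (placeholders).
APPROVED_LDAP = {"ldap1.example.mil", "192.0.2.10"}

ATTR = re.compile(r"\b(AUTHINFO|AUTHTYPE|CONNAME)\(")

def parse_attrs(text):
    """Yield (name, value) pairs. Values may nest parentheses,
    as in CONNAME(host(port)), so the closing one is found by depth."""
    pos = 0
    while (m := ATTR.search(text, pos)):
        depth, i = 1, m.end()
        while i < len(text) and depth:
            depth += {"(": 1, ")": -1}.get(text[i], 0)
            i += 1
        yield m.group(1), text[m.end():i - 1].strip()
        pos = i

def evaluate(output, approved):
    """Return (findings, crlldap_definitions) for one queue manager."""
    defs, current = {}, None
    for name, value in parse_attrs(output):
        if name == "AUTHINFO":
            # The echoed command carries the generic name '*'; skip it.
            current = None if "*" in value else defs.setdefault(value, {})
        elif current is not None:
            current[name] = value
    crl = {n: d for n, d in defs.items() if d.get("AUTHTYPE") == "CRLLDAP"}
    findings = []
    if not crl:
        findings.append("no AUTHINFO definition with AUTHTYPE(CRLLDAP)")
    for n, d in crl.items():
        # CONNAME may list several servers separated by commas; drop the port.
        for entry in d.get("CONNAME", "").split(","):
            host = re.sub(r"\(\d+\)$", "", entry.strip()).lower()
            if host not in approved:
                findings.append(f"{n}: CONNAME host {host or '<blank>'} "
                                "is not an approved LDAP server")
    return findings, crl
```

An empty findings list corresponds to "not a finding" for that queue manager; run it once per queue manager listed by dspmq.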

Documentable

False

Severity Override Guidance

Check Content Reference

M

Target Key

3239
