STIGQter: STIG Summary: IBM MQ Appliance v9.0 NDM Security Technical Implementation Guide Version: 1 Release: 1 Benchmark Date: 05 Jun 2017:

WebGUI access to the MQ Appliance network device must accept Personal Identity Verification (PIV) credentials.

DISA Rule

SV-89675r1_rule

Vulnerability Number

V-75001

Group Title

SRG-APP-000391-NDM-000308

Rule Version

MQMH-ND-001160

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Log on to the MQ Appliance CLI as a privileged user. Configure MQ Appliance PKI-based user authentication.

Assign the WebGUI to one management port (CLI). Enter:
co
web-mgmt <mgmt port IP addr> 9090 <timeout in seconds>
write mem
y

Import the MQ Appliance private key, the MQ Appliance certificate, and the client certificate(s) into the cert directory (WebGUI):
- Log on to the WebGUI as a privileged user.
- Click on the Administration (gear) icon.
- Under Main, click on File Management.
- Click cert directory.
- Click Actions.
- Upload files.
- Browse to select MQ Appl privkey.
- Add.
- Browse to select MQ Appl cert.
- Add.
- Browse to select client cert.
- Add.
- [Repeat Browse and Add for all desired client certs.]
- Upload.
- Continue.

Create cert aliases (CLI). Enter:
co
crypto
certificate <MQAppl CryptoCert alias: appliance name> cert:///<MQAppl cert file name>
certificate <client CryptoCert alias: subject field from client cert> cert:///<client cert file name>
[Repeat certificate command for any additional client certs.]
exit
write mem
y

Create MQAppl private key alias (CLI). Enter:
co
crypto
key <MQAppl CryptoKey alias> cert:///<MQAppl privkey file name>
exit
write mem
y

Create MQAppl ID Credential (CLI). Enter:
co
crypto
idcred <MQAppl IDCred name> <MQAppl CryptoKey alias> <MQAppl CryptoCert alias>
exit
write mem
y

Create a client Validation Credential (CLI). Enter:
co
crypto
valcred <Client ValCred name>
certificate <Client CryptoCert alias>
[Add additional client certificates as required]
exit
exit
write mem
y

Create SSL Server Profile (CLI). Enter:
co
crypto
ssl-server <SSL Svr Profile name>
admin-state enabled
idcred <MQAppl IDCred name>
protocols TLSv1d2
valcred <Client ValCred name>
request-client-auth on
require-client-auth on
send-client-auth-ca-list on
exit
exit
write mem
y

Associate SSL Server Profile with WebGUI (CLI). Enter:
co
web-mgmt
ssl-config-type server
ssl-server <SSL Svr Profile name>
exit
write mem
y

Check Contents

Log on to the MQ Appliance CLI as a privileged user. Verify MQ Appliance PKI-based user authentication is configured.

Verify an SSL Server Profile is associated with the WebGUI (CLI). Enter:
co
show web-mgmt

[Note the name of the ssl-server]

Display the parameters of the ssl-server (CLI). Enter:
co
crypto
ssl-server <ssl-server name>
show

[Note the name of the valcred]

Display the certificates in the ValCred (CLI). Enter:
co
crypto
valcred <name of valcred>
show

Verify all listed client certificates are authorized to access the MQ Appliance.

If any are not authorized, this is a finding.

Spot-check access to the appliance:

Attempt to access the appliance from a browser enabled with an authorized certificate.

If authorized access does not succeed, this is a finding.

Attempt to access the appliance from a browser not enabled with an authorized client certificate.

If unauthorized access succeeds, this is a finding.
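An added offline check (not from the STIG and not IBM's code) that applies the SSL Server Profile settings from the Fix Recommendation and the conditions this Check Contents section calls a finding to a captured profile and valcred. It assumes the `show` output has been reduced to the same `key value` lines the fix commands use (the appliance's real `show` format is not on this page); the profile, valcred aliases and authorized list are constructed samples with hypothetical names.

```python
# Settings the Fix Recommendation sets on the SSL Server Profile.
REQUIRED = {
    "admin-state": "enabled",
    "protocols": "TLSv1d2",
    "request-client-auth": "on",
    "require-client-auth": "on",
    "send-client-auth-ca-list": "on",
}

def parse_kv(text):
    """Parse `key value` lines into {key: [values]}; repeated keys accumulate."""
    out = {}
    for line in text.splitlines():
        line = line.strip()
        if line:
            key, _, value = line.partition(" ")
            out.setdefault(key, []).append(value.strip())
    return out

def check_ssl_server(profile_text, valcred_text, authorized_aliases):
    """Return finding strings for the profile and valcred; [] means compliant."""
    findings = []
    prof = parse_kv(profile_text)
    for key, want in REQUIRED.items():
        got = prof.get(key)
        if got != [want]:
            findings.append(f"ssl-server {key} is {got or 'unset'}, expected {want}")
    if "valcred" not in prof:
        findings.append("ssl-server has no valcred, so client certs are not validated")
    certs = parse_kv(valcred_text).get("certificate", [])
    if not certs:
        findings.append("valcred lists no client certificates")
    for alias in certs:
        if alias not in authorized_aliases:
            findings.append(f"valcred certificate {alias} is not an authorized client")
    return findings
# Constructed sample input (assumed key/value form, hypothetical names).
SAMPLE_PROFILE = """admin-state enabled
idcred mqappl-idcred
protocols TLSv1d2
valcred piv-clients
request-client-auth on
require-client-auth on
send-client-auth-ca-list on
"""
SAMPLE_VALCRED = "certificate CN=ALICE.SMITH.1234567890\ncertificate CN=BOB.JONES.0987654321\n"
AUTHORIZED = {"CN=ALICE.SMITH.1234567890", "CN=BOB.JONES.0987654321"}
if __name__ == "__main__":
    print(check_ssl_server(SAMPLE_PROFILE, SAMPLE_VALCRED, AUTHORIZED) or "no findings")
```

Feed it the two `show` outputs from the steps above after reducing them to `key value` lines; any non-empty result corresponds to a finding under this check.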

Documentable

False

Severity Override Guidance

Check Content Reference

M

Target Key

3243

Comments