V-224356
zOS WebSphere MQ for ACF2 Security Technical Implementation Guide
Title
Production WebSphere MQ Remotes must utilize Certified Name Filters (CNF).
Description
IBM WebSphere MQ can use a user ID associated with an ACP certificate as a channel user ID. When an entity at one end of an SSL channel receives a certificate from a remote connection, the entity asks the ACP if there is a user ID associated with that certificate. The entity uses that user ID as the channel user ID. If there is no user ID associated with the certificate, the entity uses the user ID under which the channel initiator is running. Without a validly defined Certificat...
Fix Text (Documentation Requirement)
The responsible MQ systems programmer(s) shall create and maintain a spreadsheet that lists all Production WebSphere MQ Remotes and their associated individual USERIDs with corresponding valid Certified Name Filters (CNF). This documentation will be reviewed and validated annually by the responsible MQ systems programmer(s) and forwarded for approval by the ISSM. The ISSO will define the associated USERIDs and the CNF, and will grant the minimal need-to-know access by granting only the required resources and Commands for each USERID in the ACP. Refer to the IBM WebSphere MQ Security manual for details on defining CNF for WebSphere MQ. Generic access, such as resource permission at the SSID. MQ resource level, shall not be granted.