CUI

Documentation - V-225625

V-225625

zOS WebSphere MQ for TSS Security Technical Implementation Guide

CAT II

Title

Production WebSphere MQ Remotes must utilize Certified Name Filters (CNF).

Description

IBM WebSphere MQ can use a user ID associated with an ACP certificate as a channel user ID. When an entity at one end of an SSL channel receives a certificate from a remote connection, the entity asks the ACP if there is a user ID associated with that certificate. The entity uses that user ID as the channel user ID. If there is no user ID associated with the certificate, the entity uses the user ID under which the channel initiator is running. Without a validly defined Certificat...

Fix Text (Documentation Requirement)

The responsible MQ systems programmer(s) will create and maintain a spreadsheet that contains a list of all Production WebSphere MQ Remotes and associated individual USERIDs with corresponding valid Certified Name Filters (CNF). This documentation will be reviewed and validated annually by responsible MQ systems programmer(s) and forwarded for approval by the ISSM. The ISSO will define the associated USERIDs, the CNF, and grant the minimal need-to-know access, by granting only the required resources and commands for each USERID in the ACP. Refer to the IBM WebSphere MQ Security manual for details on defining CNF for WebSphere MQ. Generic access will not be granted, such as resource permission at the SSID MQ resource level.
