WebGUI access to the MQ Appliance network device must electronically verify Personal Identity Verification (PIV) credentials.

From IBM MQ Appliance v9.0 NDM Security Technical Implementation Guide

Part of SRG-APP-000392-NDM-000309

Associated with: CCI-001954

SV-89677r1_rule WebGUI access to the MQ Appliance network device must electronically verify Personal Identity Verification (PIV) credentials.

Vulnerability discussion

The use of PIV credentials facilitates standardization and reduces the risk of unauthorized access. DoD has mandated the use of the CAC to support identity management and personal authentication for systems covered under HSPD 12, as well as a primary component of layered protection for national security systems.

Check content

Log on to the MQ Appliance CLI as a privileged user. Verify MQ Appliance PKI-based user authentication is configured. Verify an SSL Server Profile is associated with the WebGUI (CLI). Enter: co show web-mgmt [Note the name of the ssl-server] Display the parameters of the ssl-server (CLI). Enter: co crypto ssl-server show [Note the name of the valcred] Display the certificates in the ValCred (CLI). Enter: co crypto valcred show Verify all listed client certificates are authorized to access the MQ Appliance. Spot-check access to the appliance: Attempt to access the appliance from a browser enabled with an authorized certificate. Attempt to access the appliance from a browser not enabled with an authorized client certificate. If unauthorized access succeeds, this is a finding.

Fix text

Log on to the MQ Appliance CLI as a privileged user. Configure MQ Appliance PKI-based user authentication. Assign the WebGUI to one management port (CLI). Enter: co web-mgmt 9090 write mem y Import to cert directory MQ Appliance private key and cert and client cert(s) (WebGUI): - Log on to the WebGUI as a privileged user. - Click on the Administration (gear) icon. - Under Main, click on File Management. - Click cert directory. - Click Actions. - Upload files. - Browse to select MQ Appl privkey. - Add. - Browse to select MQ Appl cert. - Add. - Browse to select client cert. - Add. - [Repeat Browse and Add for all desired client certs.] - Upload. - Continue Create cert aliases (CLI). Enter: co crypto certificate cert:/// certificate cert:/// [Repeat certificate command for any additional client certs.] exit write mem y Create MQAppl private key alias (CLI). Enter: co crypto key cert:/// exit write mem y Create MQAppl ID Credential (CLI). Enter: co crypto idcred exit write mem y Create a client Validation Credential (CLI). Enter: co crypto valcred certificate [Add additional client certificates as required] exit exit write mem y Create SSL Server Profile (CLI). Enter: co crypto ssl-server admin-state enabled idcred protocols TLSv1d2 valcred request-client-auth on require-client-auth on send-client-auth-ca-list on exit exit write mem y Associate SSL Server Profile with WebGUI (CLI). Enter: co web-mgmt ssl-config-type server ssl-server exit write mem y

Pro Tips

Lavender hyperlinks in small type off to the right (of CSS class id, if you view the page source) point to globally unique URIs for each document and item. Copy the link location and paste anywhere you need to talk unambiguously about these things.

You can obtain data about documents and items in other formats. Simply provide an HTTP header Accept: text/turtle or Accept: application/rdf+xml.

Powered by sagemincer