The MQ Appliance network device must prohibit the use of cached authenticators after an organization-defined time period.

From IBM MQ Appliance v9.0 NDM Security Technical Implementation Guide

Associated with: CCI-002007

SV-89679r1_rule The MQ Appliance network device must prohibit the use of cached authenticators after an organization-defined time period.

Vulnerability discussion

Some authentication implementations can be configured to use cached authenticators. If cached authentication information is out of date, the validity of the authentication information may be questionable. The organization-defined time period should be established for each device depending on the nature of the device; for example, a device with just a few administrators in a facility with spotty network connectivity may merit a longer caching time period than a device with many administrators.

Check content

Log on to the MQ Appliance WebGUI as a privileged user. Go to Administration (gear icon) >> Access >> RBM Settings. Verify the Authentication Method is set to LDAP and the cache setting is defined and specifies the organization-defined time period. If the Authentication Method is not set to LDAP and the cache setting does not specify the organization-defined time period, this is a finding.

Fix text

Log on to the MQ Appliance WebGUI as a privileged user. Go to Administration (gear icon) >> Access >> RBM Settings. Set Authentication Method to LDAP. Limit cache settings to an organization-defined time period. Configure other LDAP connection settings as required.

Pro Tips

Lavender hyperlinks in small type off to the right (of CSS class id, if you view the page source) point to globally unique URIs for each document and item. Copy the link location and paste anywhere you need to talk unambiguously about these things.

You can obtain data about documents and items in other formats. Simply provide an HTTP header Accept: text/turtle or Accept: application/rdf+xml.