The MQ Appliance WebGUI interface to the messaging server must prohibit the use of cached authenticators after one hour.

From IBM MQ Appliance V9.0 AS Security Technical Implementation Guide

Associated with: CCI-002007

SV-89423r1_rule The MQ Appliance WebGUI interface to the messaging server must prohibit the use of cached authenticators after one hour.

Vulnerability discussion

When the messaging server is using PKI authentication, a local revocation cache must be stored for instances when the revocation cannot be authenticated through the network, but if cached authentication information is out of date, the validity of the authentication information may be questionable.

Check content

Display the SSL Server Profile associated with the WebGUI using the (CLI). Log on as an admin to the MQ appliance using SSH terminal access. Enter: co show web-mgmt To note the name of the ssl-server, enter: crypto ssl-server show Verify the following are displayed: caching on cache-timeout 3600 If the ssl-server configuration does not exist, or if caching is "off", or if the cache-timeout setting does not equal “3600” seconds (60 minutes), this is a finding.

Fix text

Display the SSL Server Profile associated with the WebGUI (CLI). Enter: co show web-mgmt [Note the name of the ssl-server] Define the cache parameters of the SSL Server using the CLI. Enter: co crypto ssl-server caching on cache-timeout <3600> exit exit write mem y

Pro Tips

Lavender hyperlinks in small type off to the right (of CSS class id, if you view the page source) point to globally unique URIs for each document and item. Copy the link location and paste anywhere you need to talk unambiguously about these things.

You can obtain data about documents and items in other formats. Simply provide an HTTP header Accept: text/turtle or Accept: application/rdf+xml.