Access to the MQ Appliance messaging server must utilize encryption when using LDAP for authentication.

From IBM MQ Appliance V9.0 AS Security Technical Implementation Guide

Part of SRG-APP-000172-AS-000121

Associated with: CCI-000197

SV-89573r1_rule Access to the MQ Appliance messaging server must utilize encryption when using LDAP for authentication.

Vulnerability discussion

Passwords need to be protected at all times, and encryption is the standard method for protecting passwords during transmission. Messaging servers have the capability to utilize LDAP directories for authentication. If LDAP connections are not protected during transmission, sensitive authentication credentials can be stolen. When the messaging server utilizes LDAP, the LDAP traffic must be encrypted.Note: Multiple alternative LDAP hosts may be listed in the CONNAME parameter, separated by commas.Review IBM product documentation for the LDAP fields required when setting up a communication link with the LDAP server.See https://ibm.biz/BdiBGu and https://ibm.biz/BdixXz for a detailed description of these options.

Check content

To access the MQ Appliance CLI, for each queue manager, enter: mqcli To identify the queue managers, enter: dspmq For each queue manager identified, run the command: runmqsc [queue name] To display the active authentication object, enter: DIS QMGR CONNAUTH Result: QMNAME([queue mgr name]) CONNAUTH([auth object name]) DIS AUTHINFO(auth object name) Verify that "AUTHTYPE(IDPWLDAP)", and "SECCOMM(YES)" are displayed, and that all parameters are correctly specified to use the organizationally approved LDAP server(s). If these parameter values cannot be verified, this is a finding.

Fix text

Specify LDAP as the authentication method for each queue manager. To access the MQ Appliance CLI, enter: mqcli runmqsc [queue manager name] DEFINE AUTHINFO('[Object name e.g., USE.LDAP]') AUTHTYPE(IDPWLDAP) CONNAME('[ldap1(port),ldap2(port),ldap3(port)]') SECCOMM(YES) [Ensures encryption is used] SHORTUSR('[short user name]') CHCKCLNT(REQUIRED) BASEDNU('base user DN') REPLACE ALTER QMGR CONNAUTH('[AUTHINFO object name]') REFRESH SECURITY TYPE(CONNAUTH) Type "end" to exit runmqsc mode.

Pro Tips

Lavender hyperlinks in small type off to the right (of CSS class id, if you view the page source) point to globally unique URIs for each document and item. Copy the link location and paste anywhere you need to talk unambiguously about these things.

You can obtain data about documents and items in other formats. Simply provide an HTTP header Accept: text/turtle or Accept: application/rdf+xml.

Powered by sagemincer