From z/OS TSS STIG
Part of ZWMQ0014
Certificate Name Filtering is a capability within the ACP that allows certificates to be mapped to a individual USERID Rather than adding a certificate into the ACP and associating it to a specific USERID every time a new certificate is obtained for the remote server, Certified Name Filters (CNF) is used. As authorized valid by Vulnerability ITNT0040, utilize Certified Name Filters to identify individual unique USERIDS that will be used to establish SSL connection to certificates over the use of the Started task USERID. Depending on the filter criteria, a large number of client certificates could be mapped to a single USERID. Failure to properly control the use of Certificate Name Filtering could result in the loss of individual identity and accountability.
Validate that the list of all Production WebSphere MQ Remotes exist, and contains approved Certified Name Filters and associated USERIDS. If the filter(s) is (are) accurate and has been approved by Vulnerability ITNT0040 and the associated USERID(s) is only granted need to know permissions and authority to resources and commands, this is not a finding. Note: Improper use of CNF filters for MQ Series will result in the following Message ID. CSQX632I found in the following example: CSQX632I csect-name SSL certificate has no associated user ID, remote channel channel-name – channel initiator user ID used
The responsible MQ System programmer(s) shall create and maintain a spread sheet that contains a list of all Production WebSphere MQ Remotes, associated individual USERIDs with corresponding valid Certified Name Filters (CNF). This documentation will be reviewed and validated annually by responsible MQ System programmer(s) and forwarded for approval by the IAM. The IAO will define the associated USERIDs, the CNF, and grant the minimal need to know access, by granting only the Required resources and Commands for each USERID in the ACP. Generic access shall not be granted such as resource permission at the SSID. MQ resource level.
Lavender hyperlinks in small type off to the right (of CSS
class id, if you view the page source) point to
globally unique URIs for each document and item. Copy the
link location and paste anywhere you need to talk
unambiguously about these things.
You can obtain data about documents and items in other
formats. Simply provide an HTTP header Accept:
text/turtle or
Accept: application/rdf+xml.
Powered by sagemincer