From z/OS TSS STIG
Part of ZWMQ0011
Associated with IA controls: DCCS-1, DCCS-2, ECNK-1, ECNK-2
WebSphere MQ Channel security can be configured to provide authentication, message privacy, and message integrity between queue managers. Secure Sockets Layer (SSL) uses encryption techniques, digital signatures and digital certificates to provide message privacy, message integrity and mutual authentication between clients and servers.
a) Refer to the following report produced by the z/OS Data Collection: - MQSRPT(ssid) NOTE: ssid is the queue manager name (a.k.a., subsystem identifier). Collect the following Information for Websphere MQ and MQSeries queeue manager - If a WebSphere MQ queue manager communicates with a MQSeries queue manager, provide the WebSphere MQ queue manager and channel names used to connect with MQSeries. - If any WebSphere MQ channels are used to communicate within the enclave, provide a list of channels and provide documentation regarding the sensitivity of the information on the channel. Automated Analysis Refer to the following report produced by the z/OS Data Collection: - PDI(ZWMQ0011) b) For each WebSphere MQ channel configured to communicate with servers using WebSphere MQ, review the MQSssid report(s) and perform the following steps: 1) Find the DISPLAY CHANNEL command to locate the start of the channel definitions. 2) Verify that each WebSphere MQ channel is using SSL by checking for the SSLCIPH parameter, which must specify a FIPS 140-2 compliant value of the following: (Note both ends of the channel must specify the same cipher specification.) TLS_RSA_WITH_AES_128_CBC_SHA TLS_RSA_WITH_AES_256_CBC_SHA TRIPLE_DES_SHA_US 3) Repeat these steps for each queue manager ssid identified. c) If the all of the items in (b) above are true, there is NO FINDING. d) If the communication lines are controlled by a VPN and are not available in the clear at any point outside the enclave, than this is acceptable and can override the requirement to use SSL. If this is true, there is NO FINDING. e) If any of the items in (b) or (d) above are untrue, this is a FINDING
Use the WebSphere MQ Screen interface envoked by the REXX CSQOREXX. Display the channel properties and look for the "SSL Cipher Specification" value. Ensure that a FIPS 140-2 compliant value of either TLS_RSA_WITH_AES_128_CBC_SHA or TLS_RSA_WITH_AES_256_CBC_SHA is shown. Note that both ends of the channel must specify the same cipher specification. Repeat these steps for each queue manager ssid identified.
Lavender hyperlinks in small type off to the right (of CSS
class id, if you view the page source) point to
globally unique URIs for each document and item. Copy the
link location and paste anywhere you need to talk
unambiguously about these things.
You can obtain data about documents and items in other
formats. Simply provide an HTTP header Accept:
text/turtle or
Accept: application/rdf+xml.
Powered by sagemincer