WebSphere MQ channel security is not implemented in accordance with security requirements.

From z/OS TSS STIG

Part of ZWMQ0011

Associated with IA controls: DCCS-1, DCCS-2, ECNK-1, ECNK-2

SV-7259r2_rule WebSphere MQ channel security is not implemented in accordance with security requirements.

Vulnerability discussion

WebSphere MQ Channel security can be configured to provide authentication, message privacy, and message integrity between queue managers. Secure Sockets Layer (SSL) uses encryption techniques, digital signatures and digital certificates to provide message privacy, message integrity and mutual authentication between clients and servers.Failure to properly secure a WebSphere MQ channel may lead to unauthorized access. This exposure could compromise the availability, integrity, and confidentiality of some system services, applications, and customer data.

Check content

a) Refer to the following report produced by the z/OS Data Collection: - MQSRPT(ssid) NOTE: ssid is the queue manager name (a.k.a., subsystem identifier). Collect the following Information for Websphere MQ and MQSeries queeue manager - If a WebSphere MQ queue manager communicates with a MQSeries queue manager, provide the WebSphere MQ queue manager and channel names used to connect with MQSeries. - If any WebSphere MQ channels are used to communicate within the enclave, provide a list of channels and provide documentation regarding the sensitivity of the information on the channel. Automated Analysis Refer to the following report produced by the z/OS Data Collection: - PDI(ZWMQ0011) b) For each WebSphere MQ channel configured to communicate with servers using WebSphere MQ, review the MQSssid report(s) and perform the following steps: 1) Find the DISPLAY CHANNEL command to locate the start of the channel definitions. 2) Verify that each WebSphere MQ channel is using SSL by checking for the SSLCIPH parameter, which must specify a FIPS 140-2 compliant value of the following: (Note both ends of the channel must specify the same cipher specification.) TLS_RSA_WITH_AES_128_CBC_SHA TLS_RSA_WITH_AES_256_CBC_SHA TRIPLE_DES_SHA_US 3) Repeat these steps for each queue manager ssid identified. c) If the all of the items in (b) above are true, there is NO FINDING. d) If the communication lines are controlled by a VPN and are not available in the clear at any point outside the enclave, than this is acceptable and can override the requirement to use SSL. If this is true, there is NO FINDING. e) If any of the items in (b) or (d) above are untrue, this is a FINDING

Fix text

Use the WebSphere MQ Screen interface envoked by the REXX CSQOREXX. Display the channel properties and look for the "SSL Cipher Specification" value. Ensure that a FIPS 140-2 compliant value of either TLS_RSA_WITH_AES_128_CBC_SHA or TLS_RSA_WITH_AES_256_CBC_SHA is shown. Note that both ends of the channel must specify the same cipher specification. Repeat these steps for each queue manager ssid identified.

Pro Tips

Lavender hyperlinks in small type off to the right (of CSS class id, if you view the page source) point to globally unique URIs for each document and item. Copy the link location and paste anywhere you need to talk unambiguously about these things.

You can obtain data about documents and items in other formats. Simply provide an HTTP header Accept: text/turtle or Accept: application/rdf+xml.

Powered by sagemincer