The MQ Appliance messaging server must accept FICAM-approved third-party credentials.


Overview

Finding ID | Version | Rule ID | IA Controls | Severity
V-74887 | MQMH-AS-000840 | SV-89561r1_rule | | Low
Description
Access may be denied to legitimate users if FICAM-approved third-party credentials are not accepted. This requirement typically applies to organizational information systems that are accessible to non-federal government agencies and other partners. This allows federal government relying parties to trust such credentials at their approved assurance levels. Third-party credentials are those credentials issued by non-federal government entities approved by the Federal Identity, Credential, and Access Management (FICAM) Trust Framework Solutions initiative. Satisfies: SRG-APP-000404-AS-000249, SRG-APP-000405-AS-000250
STIG | Date
IBM MQ Appliance V9.0 AS Security Technical Implementation Guide | 2017-06-09

Details

Check Text ( C-74745r1_chk )
Log on to the WebGUI as a privileged user.

Click on the "MQ Console" icon.

Click "Add" widget at the top right of the screen.

Select queue manager intended for OCSP from the drop-down list.

Select "Authentication Information".

Verify that the authentication type is "OCSP".

Click on the "Properties" button.

Click "OCSP" on the side bar to verify that the OCSP responder URL is correct.

If either the authentication type is not "OCSP" or the OCSP responder URL is not correct, this is a finding.
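
The same two conditions can be evaluated from saved MQSC output instead of the WebGUI. This is an added example, not part of the STIG or of IBM's tooling: it assumes the output of "DISPLAY AUTHINFO(*) AUTHTYPE OCSPURL" was saved as text in MQSC's KEY(VALUE) layout, and the sample output, the responder URL http://ocsp.example.mil and the function names are constructed for illustration.

```python
import re

# Constructed sample in the KEY(VALUE) layout MQSC uses for
# "DISPLAY AUTHINFO(*) AUTHTYPE OCSPURL". Not captured from a real appliance.
SAMPLE_MQSC_OUTPUT = """\
   AUTHINFO(USE.OCSP)                      AUTHTYPE(OCSP)
   OCSPURL(http://ocsp.example.mil)
   AUTHINFO(SYSTEM.DEFAULT.AUTHINFO.CRLLDAP)
   AUTHTYPE(CRLLDAP)
"""

# One attribute: upper-case keyword immediately followed by (value).
ATTR = re.compile(r"([A-Z]+)\(([^)]*)\)")


def parse_authinfo(text):
    """Return {authinfo_name: {attribute: value}} from MQSC display output."""
    objects, current = {}, None
    for key, value in ATTR.findall(text):
        if key == "AUTHINFO":          # each AUTHINFO(...) starts a new object
            current = objects.setdefault(value.strip(), {})
        elif current is not None:      # attributes belong to the last object seen
            current[key] = value.strip()
    return objects


def check_ocsp(text, name, expected_url):
    """Apply the check text: AUTHTYPE must be OCSP and OCSPURL must match.

    Returns a list of findings; an empty list means "not a finding".
    """
    attrs = parse_authinfo(text).get(name)
    if attrs is None:
        return ["authentication information object %s is not defined" % name]
    findings = []
    if attrs.get("AUTHTYPE", "").upper() != "OCSP":
        findings.append("authentication type is %r, not OCSP" % attrs.get("AUTHTYPE"))
    # Exact comparison: a responder URL that differs in any way is a finding.
    if attrs.get("OCSPURL") != expected_url:
        findings.append("OCSP responder URL is %r, expected %r"
                        % (attrs.get("OCSPURL"), expected_url))
    return findings


if __name__ == "__main__":
    result = check_ocsp(SAMPLE_MQSC_OUTPUT, "USE.OCSP", "http://ocsp.example.mil")
    print("\n".join(result) if result else "not a finding")
```
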
Fix Text (F-81503r2_fix)
Log on to the WebGUI as a privileged user.

Click on the "MQ Console" icon.

Click "Add" widget at the top right of the screen.

Select a queue manager from the drop-down list.

Select "Authentication Information".

Click the "+" (plus sign) to define the authentication method for this queue manager.

Specify an "Authinfo" name (e.g., USE.OCSP).

Select "OCSP" as the "Authinfo" type.

Specify an OCSP responder URL.

Click "Create".

In the "Local Queue Managers" widget, select the OCSP queue manager you just configured.

Click "More..." then select "Refresh Security...".