The MQ Appliance messaging server must provide a clustering capability.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-74893	MQMH-AS-001260	SV-89567r1_rule		Medium

Description
This requirement is dependent upon system criticality and confidentiality requirements. If the system categorization and confidentiality levels do not specify redundancy requirements, this requirement is NA. Failure to a known secure state helps prevent a loss of confidentiality, integrity, or availability in the event of a failure of the information system or a component of the system. When application failure is encountered, preserving application state facilitates application restart and return to the operational mode of the organization with less disruption of mission/business processes. Clustering of multiple messaging servers is a common approach to providing fail-safe application availability when system MAC and confidentiality levels require redundancy. Satisfies: SRG-APP-000225-AS-000154, SRG-APP-000225-AS-000166

Description

This requirement is dependent upon system criticality and confidentiality requirements. If the system categorization and confidentiality levels do not specify redundancy requirements, this requirement is NA. Failure to a known secure state helps prevent a loss of confidentiality, integrity, or availability in the event of a failure of the information system or a component of the system. When application failure is encountered, preserving application state facilitates application restart and return to the operational mode of the organization with less disruption of mission/business processes. Clustering of multiple messaging servers is a common approach to providing fail-safe application availability when system MAC and confidentiality levels require redundancy. Satisfies: SRG-APP-000225-AS-000154, SRG-APP-000225-AS-000166

STIG	Date
IBM MQ Appliance V9.0 AS Security Technical Implementation Guide	2017-06-09

Details

Check Text ( C-74751r1_chk )
Review system categorization to determine if redundancy is a requirement. If the system categorization does not specify redundancy requirements, this requirement is NA. On each member of the HA pair: Establish an SSH command line session as an admin user. To access the MQ Appliance CLI, enter: mqcli To run the dspmq command, enter: dspmq -s -o ha One of the appliances should be running as primary, the other as secondary. If HA is not configured and the primary and secondary running, this is a finding.

Check Text ( C-74751r1_chk )

Review system categorization to determine if redundancy is a requirement. If the system categorization does not specify redundancy requirements, this requirement is NA.

On each member of the HA pair:
Establish an SSH command line session as an admin user.

To access the MQ Appliance CLI, enter:
mqcli

To run the dspmq command, enter:
dspmq -s -o ha

One of the appliances should be running as primary, the other as secondary.

If HA is not configured and the primary and secondary running, this is a finding.

Fix Text (F-81509r1_fix)
To configure HA: 1. Use three Ethernet cables to directly connect two appliances together using ports eth1, eth2, and eth3. 2. Configure the three connected MQ Appliance ports (on both appliances) as follows: Interface Purpose IP address/CIDR eth1 HA group primary interface x.x.x.x/24 eth2 HA group alternative interface x.x.x.x/24 eth3 HA Replication interface x.x.x.x/24 On the second appliance, enter the following command from the MQ Appliance CLI: prepareha -s [SecretText] -a [eth 1 IPAddress of first appliance] [-t timeout] On the first appliance, enter the following command: crthagrp -s [SecretText] -a [eth 1 IPAddress of second appliance] crtmqm [HA QM name] –p [port] –sx Note: The queue manager’s data (queues, queue messages, etc.) is replicated from the appliance in the primary HA role (first appliance) to the appliance in the secondary HA role (second appliance).

Fix Text (F-81509r1_fix)

To configure HA:
1. Use three Ethernet cables to directly connect two appliances together using ports eth1, eth2, and eth3.
2. Configure the three connected MQ Appliance ports (on both appliances) as follows:

Interface Purpose IP address/CIDR
eth1 HA group primary interface x.x.x.x/24
eth2 HA group alternative interface x.x.x.x/24
eth3 HA Replication interface x.x.x.x/24

On the second appliance, enter the following command from the MQ Appliance CLI:
prepareha -s [SecretText] -a [eth 1 IPAddress of first appliance] [-t timeout]

On the first appliance, enter the following command:
crthagrp -s [SecretText] -a [eth 1 IPAddress of second appliance]
crtmqm [HA QM name] –p [port] –sx

Note: The queue manager’s data (queues, queue messages, etc.) is replicated from the appliance in the primary HA role (first appliance) to the appliance in the secondary HA role (second appliance).