Access to the MQ Appliance messaging server must utilize encryption when using LDAP for authentication.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-74899	MQMH-AS-001010	SV-89573r1_rule		Medium

Description
Passwords need to be protected at all times, and encryption is the standard method for protecting passwords during transmission. Messaging servers have the capability to utilize LDAP directories for authentication. If LDAP connections are not protected during transmission, sensitive authentication credentials can be stolen. When the messaging server utilizes LDAP, the LDAP traffic must be encrypted. Note: Multiple alternative LDAP hosts may be listed in the CONNAME parameter, separated by commas. Review IBM product documentation for the LDAP fields required when setting up a communication link with the LDAP server. See https://ibm.biz/BdiBGu and https://ibm.biz/BdixXz for a detailed description of these options.

Description

Passwords need to be protected at all times, and encryption is the standard method for protecting passwords during transmission. Messaging servers have the capability to utilize LDAP directories for authentication. If LDAP connections are not protected during transmission, sensitive authentication credentials can be stolen. When the messaging server utilizes LDAP, the LDAP traffic must be encrypted. Note: Multiple alternative LDAP hosts may be listed in the CONNAME parameter, separated by commas. Review IBM product documentation for the LDAP fields required when setting up a communication link with the LDAP server. See https://ibm.biz/BdiBGu and https://ibm.biz/BdixXz for a detailed description of these options.

STIG	Date
IBM MQ Appliance V9.0 AS Security Technical Implementation Guide	2017-06-09

Details

Check Text ( C-74757r1_chk )
To access the MQ Appliance CLI, for each queue manager, enter: mqcli To identify the queue managers, enter: dspmq For each queue manager identified, run the command: runmqsc [queue name] To display the active authentication object, enter: DIS QMGR CONNAUTH Result: QMNAME([queue mgr name]) CONNAUTH([auth object name]) DIS AUTHINFO(auth object name) Verify that "AUTHTYPE(IDPWLDAP)", and "SECCOMM(YES)" are displayed, and that all parameters are correctly specified to use the organizationally approved LDAP server(s). If these parameter values cannot be verified, this is a finding.

Check Text ( C-74757r1_chk )

To access the MQ Appliance CLI, for each queue manager, enter:
mqcli

To identify the queue managers, enter:
dspmq

For each queue manager identified, run the command:
runmqsc [queue name]

To display the active authentication object, enter:
DIS QMGR CONNAUTH

Result: QMNAME([queue mgr name]) CONNAUTH([auth object name])

DIS AUTHINFO(auth object name)

Verify that "AUTHTYPE(IDPWLDAP)", and "SECCOMM(YES)" are displayed, and that all parameters are correctly specified to use the organizationally approved LDAP server(s).

If these parameter values cannot be verified, this is a finding.

Fix Text (F-81515r1_fix)
Specify LDAP as the authentication method for each queue manager. To access the MQ Appliance CLI, enter: mqcli runmqsc [queue manager name] DEFINE AUTHINFO('[Object name e.g., USE.LDAP]') AUTHTYPE(IDPWLDAP) CONNAME('[ldap1(port),ldap2(port),ldap3(port)]') SECCOMM(YES) [Ensures encryption is used] SHORTUSR('[short user name]') CHCKCLNT(REQUIRED) BASEDNU('base user DN') REPLACE ALTER QMGR CONNAUTH('[AUTHINFO object name]') REFRESH SECURITY TYPE(CONNAUTH) Type "end" to exit runmqsc mode.

Fix Text (F-81515r1_fix)

Specify LDAP as the authentication method for each queue manager.

To access the MQ Appliance CLI, enter:
mqcli

runmqsc [queue manager name]

DEFINE AUTHINFO('[Object name e.g., USE.LDAP]')
AUTHTYPE(IDPWLDAP)
CONNAME('[ldap1(port),ldap2(port),ldap3(port)]')
SECCOMM(YES) [Ensures encryption is used]
SHORTUSR('[short user name]')
CHCKCLNT(REQUIRED)
BASEDNU('base user DN')
REPLACE

ALTER QMGR CONNAUTH('[AUTHINFO object name]')
REFRESH SECURITY TYPE(CONNAUTH)

Type "end" to exit runmqsc mode.