Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-74905 | MQMH-AS-001090 | SV-89579r1_rule | Medium |
Description |
---|
To assure accountability and prevent unauthorized access, application server users must be uniquely identified and authenticated. This is typically accomplished via the use of a user store which is either local (OS-based) or centralized (LDAP) in nature. To ensure support to the enterprise, the authentication must utilize an enterprise solution. Review IBM product documentation for the LDAP fields required when setting up a communication link with the LDAP server. See https://ibm.biz/BdsRRk for a detailed description of these options. |
STIG | Date |
---|---|
IBM MQ Appliance V9.0 AS Security Technical Implementation Guide | 2017-06-09 |
Check Text ( C-74763r1_chk ) |
---|
To access the MQ Appliance CLI, enter: mqcli To identify the queue managers, enter: dspmq For each queue manager identified, run the command: runmqsc [queue name] DIS AUTHINFO(USE.LDAP) Verify that "AUTHINFO(USE.LDAP)" is displayed under authentication information details. If "IBM MQ Appliance object USE.LDAP not found" is displayed, this is a finding. |
Fix Text (F-81521r1_fix) |
---|
Specify LDAP as the authentication method for each queue manager. To access the MQ Appliance CLI, enter: mqcli runmqsc [queue manager name] DEFINE AUTHINFO(USE.LDAP) AUTHTYPE(CRLLDAP) CONNAME('[host name1(port)],[host name1(port)]') ALTER QMGR CONNAUTH('USE.LDAP') REFRESH SECURITY TYPE(CONNAUTH) Enter "end" to exit runmqsc mode. |