When connecting to the MQ Appliance network device using the WebGUI, it must implement replay-resistant authentication mechanisms for network access to privileged accounts.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-74947	MQMH-ND-000530	SV-89621r1_rule		Medium

Description
A replay attack may enable an unauthorized user to gain access to the MQ Appliance. Authentication sessions between the authenticator and the application validating the user credentials must not be vulnerable to a replay attack. An authentication process resists replay attacks if it is impractical to achieve a successful authentication by recording and replaying a previous authentication message. Techniques used to address this include protocols using nonces (e.g., numbers generated for a specific one-time use) or challenges (e.g., TLS, WS_Security). Additional techniques include time-synchronous or challenge-response one-time authenticators.

Description

A replay attack may enable an unauthorized user to gain access to the MQ Appliance. Authentication sessions between the authenticator and the application validating the user credentials must not be vulnerable to a replay attack. An authentication process resists replay attacks if it is impractical to achieve a successful authentication by recording and replaying a previous authentication message. Techniques used to address this include protocols using nonces (e.g., numbers generated for a specific one-time use) or challenges (e.g., TLS, WS_Security). Additional techniques include time-synchronous or challenge-response one-time authenticators.

STIG	Date
IBM MQ Appliance v9.0 NDM Security Technical Implementation Guide	2017-06-06

Details

Check Text ( C-74805r1_chk )
Log on to the MQ Appliance CLI as a privileged user. Verify the MQ Appliance PKI-based user authentication is configured to support multifactor authentication to provide replay-resistant authentication. Verify an SSL Server Profile is associated with the WebGUI (CLI). Enter: co show web-mgmt [Note the name of the ssl-server] Display the parameters of the ssl-server (CLI). Enter: co crypto ssl-server show [Note the name of the valcred] Display the certificates in the ValCred (CLI). Enter: co crypto valcred show Verify all listed client certificates are authorized to access the MQ Appliance. If any are not authorized, this is a finding.

Check Text ( C-74805r1_chk )

Log on to the MQ Appliance CLI as a privileged user. Verify the MQ Appliance PKI-based user authentication is configured to support multifactor authentication to provide replay-resistant authentication.

Verify an SSL Server Profile is associated with the WebGUI (CLI). Enter:
co
show web-mgmt

[Note the name of the ssl-server]

Display the parameters of the ssl-server (CLI). Enter:
co
crypto
ssl-server
show

[Note the name of the valcred]

Display the certificates in the ValCred (CLI). Enter:
co
crypto
valcred
show

Verify all listed client certificates are authorized to access the MQ Appliance.

If any are not authorized, this is a finding.

Fix Text (F-81563r1_fix)
Log on to the MQ Appliance CLI as a privileged user. Configure MQ Appliance PKI-based user multifactor authentication to provide replay-resistant authentication. Assign the WebGUI to one management port (CLI). Enter: co web-mgmt 9090 write mem y Import to cert directory MQ Appliance private key and cert and client cert(s) (WebGUI): - Log on to the WebGUI as a privileged user. - Click on the Administration (gear) icon. - Under Main, click on File Management. - Click cert directory. - Click Actions. - Upload files. - Browse to select MQ Appl privkey. - Add. - Browse to select MQ Appl cert. - Add. - Browse to select client cert. - Add. - [Repeat Browse and Add for all desired client certs.] - Upload. - Continue. Create cert aliases (CLI). Enter: co crypto certificate cert:/// certificate cert:/// [Repeat certificate command for any additional client certs.] exit write mem y Create MQAppl private key alias (CLI). Enter: co crypto key cert:/// exit write mem y Create MQAppl ID Credential (CLI). Enter: co crypto idcred exit write mem y Create a client Validation Credential (CLI). Enter: co crypto valcred certificate [Add additional client certificates as required] exit exit write mem y Create SSL Server Profile (CLI). Enter: co crypto ssl-server admin-state enabled idcred protocols TLSv1d2 valcred request-client-auth on require-client-auth on send-client-auth-ca-list on exit exit write mem y Associate SSL Server Profile with WebGUI (CLI). Enter: co web-mgmt ssl-config-type server ssl-server exit write mem y

Fix Text (F-81563r1_fix)

Log on to the MQ Appliance CLI as a privileged user.

Configure MQ Appliance PKI-based user multifactor authentication to provide replay-resistant authentication.

Assign the WebGUI to one management port (CLI). Enter:
co
web-mgmt 9090
write mem
y

Import to cert directory MQ Appliance private key and cert and client cert(s) (WebGUI):
- Log on to the WebGUI as a privileged user.
- Click on the Administration (gear) icon.
- Under Main, click on File Management.
- Click cert directory.
- Click Actions.
- Upload files.
- Browse to select MQ Appl privkey.
- Add.
- Browse to select MQ Appl cert.
- Add.
- Browse to select client cert.
- Add.
- [Repeat Browse and Add for all desired client certs.]
- Upload.
- Continue.

Create cert aliases (CLI). Enter:
co
crypto
certificate cert:///
certificate cert:///
[Repeat certificate command for any additional client certs.]
exit
write mem
y

Create MQAppl private key alias (CLI). Enter:
co
crypto
key cert:///
exit
write mem
y

Create MQAppl ID Credential (CLI). Enter:
co
crypto
idcred
exit
write mem
y

Create a client Validation Credential (CLI). Enter:
co
crypto
valcred
certificate
[Add additional client certificates as required]
exit
exit
write mem
y

Create SSL Server Profile (CLI). Enter:
co
crypto
ssl-server
admin-state enabled
idcred
protocols TLSv1d2
valcred
request-client-auth on
require-client-auth on
send-client-auth-ca-list on
exit
exit
write mem
y

Associate SSL Server Profile with WebGUI (CLI). Enter:
co
web-mgmt
ssl-config-type server
ssl-server
exit
write mem
y