The MQ Appliance network device must obtain its public key certificates from an appropriate certificate policy through an approved service provider.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| V-75023 | MQMH-ND-001520 | SV-89697r1_rule | Medium |
| Description |
|---|
| For user certificates, each organization obtains certificates from an approved, shared service provider as required by OMB policy. For federal agencies operating a legacy public key infrastructure cross-certified with the Federal Bridge Certification Authority at medium assurance or higher, this Certification Authority will suffice. |
| STIG | Date |
|---|---|
| IBM MQ Appliance v9.0 NDM Security Technical Implementation Guide | 2017-06-06 |
Details
| Check Text ( C-74875r1_chk ) |
|---|
| Log on to the MQ Appliance CLI as a privileged user. To verify certs, enter: co crypto show certificate [lists all defined cert aliases] Verify the following: All certificate aliases point to standard DoD cert files and none are self-generated. If the certificates were not generated by a DoD approved CA, or if they are self-signed certificates, this is a finding. |
| Fix Text (F-81637r1_fix) |
|---|
| Obtain MQ Appliance and client certs from an approved CA or ECA as required by DoD policy. Log on to the MQ Appliance WebGUI as a privileged user. Import approved certs to the cert directory: - Click on the Administration (gear) icon. - Under Main, click on File Management. - Click cert directory. - Click Actions. - Upload files. - Browse to select MQ Appl cert. - Add. - Browse to select client cert. - Add. - [Repeat Browse and Add for all desired client certs.] - Upload. - Continue. Create cert aliases for use in MQ Appliance configurations (CLI). Enter: co crypto certificate certificate [Repeat certificate command for any additional client certs.] exit write mem y |