UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

Production WebSphere MQ Remotes must utilize Certified Name Filters (CNF).


Overview

Finding ID Version Rule ID IA Controls Severity
V-31561 ZWMQ0014 SV-41848r3_rule Medium
Description
Certificate Name Filtering is a capability within the ACP that allows certificates to be mapped to a individual USERID Rather than adding a certificate into the ACP and associating it to a specific USERID every time a new certificate is obtained for the remote server, Certified Name Filters (CNF) is used. As authorized valid by Vulnerability ITNT0040, utilize Certified Name Filters to identify individual unique USERIDS that will be used to establish SSL connection to certificates over the use of the Started task USERID. Depending on the filter criteria, a large number of client certificates could be mapped to a single USERID. Failure to properly control the use of Certificate Name Filtering could result in the loss of individual identity and accountability.
STIG Date
z/OS ACF2 STIG 2015-03-27

Details

Check Text ( C-40336r8_chk )
Validate that the list of all Production WebSphere MQ Remotes exist, and contains approved Certified Name Filters and associated USERIDS.

If the filter(s) is (are) accurate and has been approved by Vulnerability ITNT0040 and the associated USERID(s) is only granted need to know permissions and authority to resources and commands, this is not a finding.

Note: Improper use of CNF filters for MQ Series will result in the following Message ID.

CSQX632I found in the following example:

CSQX632I csect-name SSL certificate has no
associated user ID, remote channel
channel-name – channel initiator user ID
used
Fix Text (F-35539r5_fix)
The responsible MQ System programmer(s) shall create and maintain a spread sheet that contains a list of all Production WebSphere MQ Remotes, associated individual USERIDs with corresponding valid Certified Name Filters (CNF). This documentation will be reviewed and validated annually by responsible MQ System programmer(s) and forwarded for approval by the IAM.

The IAO will define the associated USERIDs, the CNF, and grant the minimal need to know access, by granting only the Required resources and Commands for each USERID in the ACP.
Generic access shall not be granted such as resource permission at the SSID. MQ resource level.