Production WebSphere MQ Remotes must utilize Certified Name Filters (CNF).

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-31561	ZWMQ0014	SV-41848r3_rule		Medium

Description
Certificate Name Filtering is a capability within the ACP that allows certificates to be mapped to a individual USERID Rather than adding a certificate into the ACP and associating it to a specific USERID every time a new certificate is obtained for the remote server, Certified Name Filters (CNF) is used. As authorized valid by Vulnerability ITNT0040, utilize Certified Name Filters to identify individual unique USERIDS that will be used to establish SSL connection to certificates over the use of the Started task USERID. Depending on the filter criteria, a large number of client certificates could be mapped to a single USERID. Failure to properly control the use of Certificate Name Filtering could result in the loss of individual identity and accountability.

Description

Certificate Name Filtering is a capability within the ACP that allows certificates to be mapped to a individual USERID Rather than adding a certificate into the ACP and associating it to a specific USERID every time a new certificate is obtained for the remote server, Certified Name Filters (CNF) is used. As authorized valid by Vulnerability ITNT0040, utilize Certified Name Filters to identify individual unique USERIDS that will be used to establish SSL connection to certificates over the use of the Started task USERID. Depending on the filter criteria, a large number of client certificates could be mapped to a single USERID. Failure to properly control the use of Certificate Name Filtering could result in the loss of individual identity and accountability.

STIG	Date
z/OS ACF2 STIG	2015-03-27

Details

Check Text ( C-40336r8_chk )
Validate that the list of all Production WebSphere MQ Remotes exist, and contains approved Certified Name Filters and associated USERIDS. If the filter(s) is (are) accurate and has been approved by Vulnerability ITNT0040 and the associated USERID(s) is only granted need to know permissions and authority to resources and commands, this is not a finding. Note: Improper use of CNF filters for MQ Series will result in the following Message ID. CSQX632I found in the following example: CSQX632I csect-name SSL certificate has no associated user ID, remote channel channel-name – channel initiator user ID used

Check Text ( C-40336r8_chk )

Validate that the list of all Production WebSphere MQ Remotes exist, and contains approved Certified Name Filters and associated USERIDS.

If the filter(s) is (are) accurate and has been approved by Vulnerability ITNT0040 and the associated USERID(s) is only granted need to know permissions and authority to resources and commands, this is not a finding.

Note: Improper use of CNF filters for MQ Series will result in the following Message ID.

CSQX632I found in the following example:

CSQX632I csect-name SSL certificate has no
associated user ID, remote channel
channel-name – channel initiator user ID
used

Fix Text (F-35539r5_fix)
The responsible MQ System programmer(s) shall create and maintain a spread sheet that contains a list of all Production WebSphere MQ Remotes, associated individual USERIDs with corresponding valid Certified Name Filters (CNF). This documentation will be reviewed and validated annually by responsible MQ System programmer(s) and forwarded for approval by the IAM. The IAO will define the associated USERIDs, the CNF, and grant the minimal need to know access, by granting only the Required resources and Commands for each USERID in the ACP. Generic access shall not be granted such as resource permission at the SSID. MQ resource level.

Fix Text (F-35539r5_fix)

The responsible MQ System programmer(s) shall create and maintain a spread sheet that contains a list of all Production WebSphere MQ Remotes, associated individual USERIDs with corresponding valid Certified Name Filters (CNF). This documentation will be reviewed and validated annually by responsible MQ System programmer(s) and forwarded for approval by the IAM.

The IAO will define the associated USERIDs, the CNF, and grant the minimal need to know access, by granting only the Required resources and Commands for each USERID in the ACP.
Generic access shall not be granted such as resource permission at the SSID. MQ resource level.