WebSphere MQ channel security must be implemented in accordance with security requirements.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-224354	ZWMQ0011	SV-224354r811064_rule		High

Description
WebSphere MQ Channel security can be configured to provide authentication, message privacy, and message integrity between queue managers. Secure Sockets Layer (SSL) uses encryption techniques, digital signatures and digital certificates to provide message privacy, message integrity and mutual authentication between clients and servers. Failure to properly secure a WebSphere MQ channel may lead to unauthorized access. This exposure could compromise the availability, integrity, and confidentiality of some system services, applications, and customer data. Satisfies: SRG-OS-000505, SRG-OS-000555

Description

WebSphere MQ Channel security can be configured to provide authentication, message privacy, and message integrity between queue managers. Secure Sockets Layer (SSL) uses encryption techniques, digital signatures and digital certificates to provide message privacy, message integrity and mutual authentication between clients and servers. Failure to properly secure a WebSphere MQ channel may lead to unauthorized access. This exposure could compromise the availability, integrity, and confidentiality of some system services, applications, and customer data. Satisfies: SRG-OS-000505, SRG-OS-000555

STIG	Date
zOS WebsphereMQ for ACF2 Security Technical Implementation Guide	2021-12-14

Details

Check Text ( C-26031r811062_chk )
Refer to the following report produced by the z/OS Data Collection: - MQSRPT(ssid) NOTE: ssid is the queue manager name (a.k.a., subsystem identifier). Collect the following Information for Websphere MQ and MQSeries queue manager. - If a WebSphere MQ queue manager communicates with a MQSeries queue manager, provide the WebSphere MQ queue manager and channel names used to connect with MQSeries. Automated Analysis requires Additional Analysis. Automated Analysis Refer to the following report produced by the z/OS Data Collection: - PDI(ZWMQ0011) If the following guidelines are true for each channel definition displayed from the DISPLAY CHANNEL command, this is not a finding. ___ Verify that each WebSphere MQ channel is using SSL by checking for the SSLCIPH parameter, which must specify a FIPS 140-2 compliant value of the following: (Note: Both ends of the channel must specify the same cipher specification.) ECDHE_ECDSA_AES_128_CBC_SHA256 ECDHE_ECDSA_AES_256_CBC_SHA384 ECDHE_RSA_AES_128_CBC_SHA256 ECDHE_RSA_AES_256_CBC_SHA384 TLS_RSA_WITH_3DES_EDE_CBC_SHA TLS_RSA_WITH_AES_128_CBC_SHA TLS_RSA_WITH_AES_128_CBC_SHA256 TLS_RSA_WITH_AES_256_CBC_SHA TLS_RSA_WITH_AES_256_CBC_SHA256 ___ Repeat the above step for each queue manager ssid identified.

Check Text ( C-26031r811062_chk )

Refer to the following report produced by the z/OS Data Collection:

- MQSRPT(ssid)

NOTE: ssid is the queue manager name (a.k.a., subsystem identifier).

Collect the following Information for Websphere MQ and MQSeries queue manager.

- If a WebSphere MQ queue manager communicates with a MQSeries queue manager, provide the WebSphere MQ queue manager and channel names used to connect with MQSeries.

Automated Analysis requires Additional Analysis.
Automated Analysis
Refer to the following report produced by the z/OS Data Collection:

- PDI(ZWMQ0011)

If the following guidelines are true for each channel definition displayed from the DISPLAY CHANNEL command, this is not a finding.

___ Verify that each WebSphere MQ channel is using SSL by checking for the SSLCIPH parameter, which must specify a FIPS 140-2 compliant value of the following: (Note: Both ends of the channel must specify the same cipher specification.)

ECDHE_ECDSA_AES_128_CBC_SHA256
ECDHE_ECDSA_AES_256_CBC_SHA384
ECDHE_RSA_AES_128_CBC_SHA256
ECDHE_RSA_AES_256_CBC_SHA384
TLS_RSA_WITH_3DES_EDE_CBC_SHA
TLS_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_AES_128_CBC_SHA256
TLS_RSA_WITH_AES_256_CBC_SHA
TLS_RSA_WITH_AES_256_CBC_SHA256

___ Repeat the above step for each queue manager ssid identified.

Fix Text (F-26019r811063_fix)
Review the WebSphere MQ Screen interface invoked by the REXX CSQOREXX. Review the channel’s SSLCIPH setting. Display the channel properties and look for the "SSL Cipher Specification" value. Ensure that a FIPS 140-2 compliant value is shown. ECDHE_ECDSA_AES_128_CBC_SHA256 ECDHE_ECDSA_AES_256_CBC_SHA384 ECDHE_RSA_AES_128_CBC_SHA256 ECDHE_RSA_AES_256_CBC_SHA384 TLS_RSA_WITH_3DES_EDE_CBC_SHA TLS_RSA_WITH_AES_128_CBC_SHA TLS_RSA_WITH_AES_128_CBC_SHA256 TLS_RSA_WITH_AES_256_CBC_SHA TLS_RSA_WITH_AES_256_CBC_SHA256 Note that both ends of the channel must specify the same cipher specification. Repeat these steps for each queue manager ssid identified.

Fix Text (F-26019r811063_fix)

Review the WebSphere MQ Screen interface invoked by the REXX CSQOREXX. Review the channel’s SSLCIPH setting.

Display the channel properties and look for the "SSL Cipher Specification" value.

Ensure that a FIPS 140-2 compliant value is shown.

ECDHE_ECDSA_AES_128_CBC_SHA256
ECDHE_ECDSA_AES_256_CBC_SHA384
ECDHE_RSA_AES_128_CBC_SHA256
ECDHE_RSA_AES_256_CBC_SHA384
TLS_RSA_WITH_3DES_EDE_CBC_SHA
TLS_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_AES_128_CBC_SHA256
TLS_RSA_WITH_AES_256_CBC_SHA
TLS_RSA_WITH_AES_256_CBC_SHA256

Note that both ends of the channel must specify the same cipher specification.

Repeat these steps for each queue manager ssid identified.