Select any two versions of this STIG to compare the individual requirements
Select any old version/release of this STIG to view the previous requirements
Establish an SSH command line session as an admin user. To access the MQ Appliance CLI, enter: mqcli To identify the queue managers, enter: dspmq To run the "runmqsc [queue mgr name]" command for each running queue manager enter: DIS QMGR EVENT A list of all events will be displayed along with an indication if event logging is enabled. The events are as follows: Authority: AUTHOREV, Inhibit: INHIBITEV, Local: LOCALEV, Remote: REMOTEEV, Start and stop: STRSTPEV, Performance: PERFMEV, Command: CMDEV, Channel: CHLEV, Channel auto definition: CHADEV, SSL: SSLEV, Configuration: CONFIGEV If AUTHOREV event logging is not enabled, this is a finding.
To access the MQ Appliance CLI, enter: mqcli runmqsc [queue mgr name] ALTER QMGR [AUTHOREV](ENABLED) To exit the MQ Appliance CLI, enter: end
Obtain queue security policy requirements from system admin. To verify the Advanced Message Security (AMS) policy for a specific queue manager's queues, enter: mqcli To list the policies for each queue, enter: runmqsc [QMgrName] To display all policies, enter: DIS POLICY(*) If no security policies are found or the specifics of the security policy does not meet documented queue security requirements, this is a finding.
Advanced Message Security can sign and encrypt messages at the point of production, and then decrypt and authenticate them at the point of consumption. At all points in between, the message is protected, either for integrity (using hashing) or for privacy (using encryption). Steps for setting up AMS are not included here. Reference vendor documentation for guidance on setting up AMS. To access the MQ Appliance CLI, enter: mqcli runmqsc [QMgrName] SET POLICY([queue name]) SIGNALG([SHA256, SHA384, or SHA512]) + ENCALG([3DES, AES128, or AES256]) + RECIP(['distinguished name (DN) of the message recipient']) + SIGNER(['Signature DN validated during message retrieval']) end
Review system categorization to determine if redundancy is a requirement. If system categorization does not specify redundancy, interview system administrator to determine how they have configured the MQ appliance to off-load log files onto a different system. Perform on each member of the HA pair. To access the MQ Appliance CLI, enter: mqcli dspmq -s -o ha One of the appliances should be running as primary, the other as secondary. If HA is not configured with the primary and secondary running, or if there is no mechanism implemented to off-load log records, this is a finding.
To configure HA: 1. Use three Ethernet cables to directly connect two appliances together using ports eth1, eth2, and eth3. 2. Configure the three connected MQ Appliance ports (on both appliances) as follows: Interface Purpose IP address/CIDR eth1 HA group primary interface x.x.x.x/24 eth2 HA group alternative interface x.x.x.x/24 eth3 HA Replication interface x.x.x.x/24 On the second appliance, enter the following command from the MQ Appliance CLI: prepareha -s [SecretText] -a [eth 1 IPAddress of first appliance] [-t timeout] On the first appliance, enter the following command from the MQ Appliance CLI: crthagrp -s [SecretText] -a [eth 1 IPAddress of second appliance] crtmqm [HA QM name] –p [port] –sx Note: The queue manager’s data (queues, queue messages, etc.) is replicated from the appliance in the primary HA role (first appliance) to the appliance in the secondary HA role (second appliance).
Log on as a privileged user to the WebGUI. Select Network icon. Interface NTP Service. Verify that refresh interval is set to "600" seconds. If refresh interval is not set to "600" seconds, this is a finding.
Log on as a privileged user to the WebGUI. Select the Network icon. Interface NTP Service. Set refresh interval to "600" seconds. Click "Save configuration".
Log on as a privileged user to the WebGUI. Select Network icon. Interface NTP Service. Verify: - NTP server destinations are configured. - "Enable Administrative state" box is checked. If "Enable Administrative state" is not checked or if no NTP servers are defined, this is a finding.
Log on as a privileged user to the WebGUI. Select the Network icon. Interface NTP Service. Ensure the box next to "Enable Administrative state" has a check mark. Press the "Add" button to add multiple NTP servers. Click the "Apply" button. Add one or more additional NTP servers at least one of which is from a different geographic region. Click "Save configuration".
Check that TLS mutual authentication has been completed successfully by using DISPLAY commands. If the task was successful, the resulting output is like that shown in the following examples. For queue manager to queue manager connections: From queue manager [QM1], enter the following command: DISPLAY CHS(TO.[QM2]) SSLPEER SSLCERTI The resulting output should be like the following example: DISPLAY CHSTATUS(TO.[QM2]) SSLPEER SSLCERTI 4 : DISPLAY CHSTATUS(TO.[QM2]) SSLPEER SSLCERTI AMQ8417: Display Channel Status details. CHANNEL(TO.[QM2]) CHLTYPE(SDR) CONNAME([IP addr QM2]) CURRENT RQMNAME([QM2]) SSLCERTI("[distinguished name]") SSLPEER("[distinguished name]") STATUS(RUNNING) SUBSTATE(MQGET) XMITQ([QM2]) From the queue manager [QM2], enter the following command: DISPLAY CHS(TO.QM2) SSLPEER SSLCERTI The resulting output is like the following example: DISPLAY CHSTATUS(TO.[QM2]) SSLPEER SSLCERTI 5 : DISPLAY CHSTATUS(TO.[QM2]) SSLPEER SSLCERTI AMQ8417: Display Channel Status details. CHANNEL(TO.[QM2]) CHLTYPE(SDR) CONNAME([IP addr QM1]) CURRENT RQMNAME([QM1]) SSLCERTI("[distinguished name]") SSLPEER("[distinguished name]") STATUS(RUNNING) SUBSTATE(MQGET) XMITQ( ) In each case, the value of "SSLPEER" must match that of the Distinguished Name (DN) in the partner certificate. The issuer name must match the subject DN of the CA certificate that signed the personal certificate. For client to queue manager connections: C1=client1, QM1=queue manager 1 From the queue manager [QM1], enter the following command: DISPLAY CHSTATUS([C1].TO.[QM1]) SSLPEER SSLCERTI The resulting output is like the following example: DISPLAY CHSTATUS([C1].TO.[QM1]) SSLPEER SSLCERTI 5 : DISPLAY CHSTATUS([C1].TO.[QM1]) SSLPEER SSLCERTI AMQ8417: Display Channel Status details. CHANNEL([C1].TO.[QM1]) CHLTYPE(SVRCONN) CONNAME([IP addr QM1]) CURRENT SSLCERTI("[distinguished name]") SSLPEER("[distinguished name]") STATUS(RUNNING) SUBSTATE(RECEIVE) The "SSLPEER" field in the "DISPLAY CHSTATUS" output shows the subject DN of the remote client certificate. The issuer name matches the subject DN of the CA certificate that signed the personal certificate. If the connections on each end of the channel are not configured as described above, this is a finding.
Devices (endpoints) may connect an MQ Appliance MQ queue manager as either remote MQ queue manager or MQ client. In order to ensure unique identification of network-connected devices, mutual authentication using CA-signed TLS certificates should be configured. 1. Prepare the key repository on each endpoint (client and/or queue manager). 2. Request a CA-signed certificate for each client and/or queue manager. You might use different CAs for the two endpoints. 3. Add the Certificate Authority certificate to the key repository for each client and/or queue manager. If the endpoints are using different Certificate Authorities then the CA certificate for each Certificate Authority must be added to both key repositories. 4. Add the CA-signed certificate to the key repository for each endpoint. CHOOSE EITHER STEP 5 or 6 BELOW 5. For a queue manager to queue manager connection: a. On [QM1], define a sender channel and associated transmission queue by issuing commands like the following example: DEFINE QLOCAL([QM2]) USAGE(XMITQ) DEFINE CHANNEL(TO.[QM2]) CHLTYPE(SDR) TRPTYPE(TCP) + CONNAME([QM2 address]) XMITQ([QM2]) SSLCIPH([TLS cipher spec]) + DESCR('Sender channel using TLS from [QM1] to [QM2]') The CipherSpecs at each end of the channel must be the same. b. On [QM2], define a receiver channel by issuing a command like the following example: DEFINE CHANNEL(TO.[QM2]) CHLTYPE(RCVR) TRPTYPE(TCP) + SSLCIPH([TLS cipher spec]) SSLCAUTH(REQUIRED) + DESCR('Receiver channel using TLS to [QM2]') The channel must have the same name as the sender channel you defined in step 5.a., and use the same CipherSpec. c. Start the channel. Ref. Connecting two queue managers using SSL or TLS https://goo.gl/1GyPRV 6. For a client to queue manager connection: a. Define a client-connection channel in either of the following ways: - Using the MQCONNX call with the MQSCO structure on [client] - Using a client channel definition table b. On queue manager, define a server-connection channel by issuing a command like the following example: C1=client 1, MQ1=queue manager 1 DEFINE CHANNEL([C1].TO.[QM1]) CHLTYPE(SVRCONN) TRPTYPE(TCP) + SSLCIPH(TLS_RSA_WITH_AES_128_CBC_SHA) SSLCAUTH(REQUIRED) + DESCR('Receiver channel using TLS from [client name] to [QM name]') The channel must have the same name as the client-connection channel you defined in step 6, and use the same CipherSpec. Note: Following are the cipher specs available for MQ: https://ibm.biz/BdrJGp
Display the SSL Server Profile associated with the WebGUI using the (CLI). Log on as an admin to the MQ appliance using SSH terminal access. Enter: co show web-mgmt To note the name of the ssl-server, enter: crypto ssl-server <ssl-server name> show Verify the following are displayed: caching on cache-timeout 3600 If the ssl-server configuration does not exist, or if caching is "off", or if the cache-timeout setting does not equal “3600” seconds (60 minutes), this is a finding.
Display the SSL Server Profile associated with the WebGUI (CLI). Enter: co show web-mgmt [Note the name of the ssl-server] Define the cache parameters of the SSL Server using the CLI. Enter: co crypto ssl-server <ssl-server name> caching on cache-timeout <3600> exit exit write mem y
For each queue manager on the MQ Appliance for which performance events logging should be enabled, establish an SSH command line session as an admin user. To access the MQ Appliance CLI, enter: mqcli To identify the queue managers, enter: dspmq To run the "runmqsc [queue mgr name]" command for each running queue manager identified, enter: runmqsc [queue mgr name] DIS QMGR PERFMEV DIS QLOCAL(SYSTEM.ADMIN.PERFM.EVENT) QDPHIEV end If "QDEPTHHI" is not "75", this is a finding. Ask the system administrator to demonstrate how they monitor an alert on MQ failure events. Verify alarming is set for the following log events: MQRC_Q_FULL, MQRC_Q_MGR_NOT_ACTIVE, MQRC_Q_DEPTH_HIGH If the system admin does not monitor an alarm for the following error codes: MQRC_Q_FULL, MQRC_Q_MGR_NOT_ACTIVE, or MQRC_Q_DEPTH_HIGH, this is a finding.
For each queue manager on the MQ Appliance, enable performance (PERFMEV) event logging. From the MQ Appliance CLI, enter the following: runmqsc [queue mgr name] ALTER QMGR PERFMEV(ENABLED) ALTER QLOCAL(SYSTEM.ADMIN.PERFM.EVENT) QDPHIEV(ENABLED) ALTER QLOCAL(SYSTEM.ADMIN.PERFM.EVENT) QDEPTHHI(75) Monitor the logs and send alerts based on the following failure codes: MQRC_Q_FULL, MQRC_Q_MGR_NOT_ACTIVE, MQRC_Q_DEPTH_HIGH.
To access the MQ Appliance CLI, enter: mqcli show rbm Verify that the cli-timeout displays the approved timeout value of 600 seconds (10 minutes) or less. If it does not, this is a finding.
For the CLI used by the administrator, log on to the MQ Appliance CLI as a privileged user. Enter: co rbm cli-timeout 600 exit write mem y
Log on to the MQ Appliance CLI as a privileged user. To access the MQ Appliance CLI, enter: mqcli To enter configuration mode, enter: co web-mgmt show If the idle-timeout value is not "600" seconds or less, this is a finding.
Log on to the MQ Appliance CLI as a privileged user. To access the MQ Appliance CLI, enter: mqcli To enter configuration mode, enter: co web-mgmt idle-timeout <600 seconds or less> exit write mem y
In the MQ Appliance WebGUI, Go to Administration (gear icon) >> Access >> RBM Settings. Verify that cache setting is defined and specifies "600" seconds. If the time period is not set to "600" seconds, this is a finding.
In the MQ Appliance WebGUI, Go to Administration (gear icon) >> Access >> RBM Settings. Limit cache settings to "600" seconds.
From the MQ Appliance CLI, enter the following command: show version If the displayed version does not correspond to the most recent organizationally approved available firmware update, this is a finding.
Install the most recent organizationally proved firmware update available from the vendor.
From the MQ Appliance WebGUI, click on the Administration (gear) icon. Click on Main >> File Management. Click on the cert directory. Click on the "Details" action to the right of each cert to display its attributes. Verify that each certificate attribute meets organizationally approved requirements. If any certificates have not been issued by a DoD- or CNSS-approved PKI CA, this is a finding.
Install approved certificates that have been issued by a DoD CA.
Request and review system documentation identifying the system categorization level. If the system categorization is not high, this requirement is NA. Ask for and review the HA configuration. On the either member of the HA pair: Establish an SSH command line session as an admin user. To access the MQ Appliance CLI, enter: mqcli To run the dspmq command, enter: dspmq -s -o ha Each queue manager that is properly configured for HA should show HA(Replicated). If it does not, this is a finding.
To configure HA: 1. Use three Ethernet cables to directly connect two appliances together using ports eth1, eth2, and eth3. 2. Configure the three connected MQ Appliance ports (on both appliances) as follows: Interface Purpose IP address/CIDR eth1 HA group primary interface x.x.x.x/24 eth2 HA group alternative interface x.x.x.x/24 eth3 HA Replication interface x.x.x.x/24 On the second appliance, enter the following command from the MQ Appliance CLI: prepareha -s [SecretText] -a [eth 1 IPAddress of first appliance] [-t timeout] On the first appliance, enter the following command: crthagrp -s [SecretText] -a [eth 1 IPAddress of second appliance] On the first appliance, stop the first queue manager to be HA enabled: endmqm [name of queue manager] Set an HA group: sethagrp -i [name of queue manager]
To access the MQ Appliance CLI, enter: mqcli config crypto show crypto-mode If the current setting is set to "permissive", this is a finding.
To set management access to the highest encryption strength, enable FIPS 140-2 Level 1 mode at the next reload of the firmware. Enter the following commands: config crypto crypto-mode-set fips-140-2-l1 Press "Enter" The following message will appear: "Crypto Mode Successfully set to fips-140-2-l1 for next boot."
Review system categorization to determine if redundancy is a requirement. If system categorization does not specify redundancy, interview system administrator to determine how they have configured the weekly transfer of logs for the MQ appliance. For redundant systems: On each member of the HA pair: Establish an SSH command line session as an admin user. To access the MQ Appliance CLI, enter: mqcli To run the dspmq command, enter: dspmq -s -o ha One of the appliances should be running as primary, the other as secondary. If HA is not configured with the primary and secondary running, or if there is no MQ log transfer taking place on a standalone system on a weekly basis, this is a finding.
To configure HA: 1. Use three Ethernet cables to directly connect two appliances together using ports eth1, eth2, and eth3. 2. Configure the three connected MQ Appliance ports (on both appliances) as follows: Interface Purpose IP address/CIDR eth1 HA group primary interface x.x.x.x/24 eth2 HA group alternative interface x.x.x.x/24 eth3 HA Replication interface x.x.x.x/24 On the second appliance, enter the following command from the MQ Appliance CLI: prepareha -s [SecretText] -a [eth 1 IPAddress of first appliance] [-t timeout] On the first appliance, enter the following command: crthagrp -s [SecretText] -a [eth 1 IPAddress of second appliance] crtmqm [HA QM name] –p [port] –sx Note: The queue manager’s data (queues, queue messages, etc.) is replicated from the appliance in the primary HA role (first appliance) to the appliance in the secondary HA role (second appliance).
Review system categorization to determine if redundancy is a requirement. If system categorization does not specify redundancy, interview system administrator to determine how they have configured the centralized log management solution for the MQ appliance. On each member of the HA pair: Establish an SSH command line session as an admin user. To access the MQ Appliance CLI, enter: mqcli To run the dspmq command, enter: dspmq -s -o ha One of the appliances should be running as primary, the other as secondary. If HA is not configured and the primary and secondary running, or if there is no centralized management solution in place to manage MQ logs, this is a finding.
To configure HA: 1. Use three Ethernet cables to directly connect two appliances together using ports eth1, eth2, and eth3. 2. Configure the three connected MQ Appliance ports (on both appliances) as follows: Interface Purpose IP address/CIDR eth1 HA group primary interface x.x.x.x/24 eth2 HA group alternative interface x.x.x.x/24 eth3 HA Replication interface x.x.x.x/24 On the second appliance, enter the following command from the MQ Appliance CLI: prepareha -s [SecretText] -a [eth 1 IPAddress of first appliance] [-t timeout] On the first appliance, enter the following command: crthagrp -s [SecretText] -a [eth 1 IPAddress of second appliance] On the first appliance, stop the queue manager to be HA-enabled: endmqm [name of queue manager] sethagrp -i [name of queue manager] Note: The queue manager’s data (queues, queue messages, etc.) are replicated from the appliance in the primary HA role (first appliance) to the appliance in the secondary HA role (second appliance).
To access the MQ Appliance CLI, enter: mqcli To identify the queue managers, enter: dspmq For each queue manager identified, run the command: runmqsc [queue name] DIS QMGR SSLFIPS If the value of "SSLFIPS" is set to "NO", this is a finding.
To access the MQ Appliance CLI, for each queue manager, enter: mqcli runmqsc [queue manager name] ALTER QMGR SSLFIPS(YES) end
To access the MQ Appliance CLI, enter: mqcli To identify the queue managers, enter: dspmq For each queue manager identified, run the command: runmqsc [queue name] DIS QMGR SSLFIPS If the value of "SSLFIPS" is set to "NO", this is a finding.
To access the MQ Appliance CLI, for each queue manager, enter: mqcli runmqsc [queue manager name] ALTER QMGR SSLFIPS(YES) end
To access the MQ Appliance CLI, enter: mqcli To identify the queue managers, enter: dspmq For each queue manager identified, run the command: runmqsc [queue name] DIS QMGR SSLFIPS If the value of "SSLFIPS" is set to "NO", this is a finding.
To access the MQ Appliance CLI, for each queue manager, enter: mqcli runmqsc [queue manager name] ALTER QMGR SSLFIPS(YES) end
Apply the following check to each queue manager on the MQ Appliance. Establish an SSH command line session as an admin user. To access the MQ Appliance CLI, enter: mqcli To identify the queue managers, enter: dspmq To check config for each queue, enter: runmqsc [queue mgr name] At the runmqsc prompt, enter: DIS QMGR EVENT Verify the following events are enabled as required. AUTHOREV, INHIBITEV, STRSTPEV, CMDEV, SSLEV, CONFIGEV, PERFMEV If any of the required events are not enabled, this is a finding.
Ensure each queue is configured to log the following event names: AUTHOREV INHIBITEV STRSTPEV CMDEV SSLEV CONFIGEV PERFMEV Use the "runmqsc" command for each queue manager. runmqsc [queue mgr name] ALTER QMGR [event name](ENABLED) Enter "end" to exit the MQ Appliance CLI.
Establish an SSH command line session as an admin user. To access the MQ Appliance CLI, enter: mqcli To identify the queue managers, enter: dspmq Run the "runmqsc [queue mgr name]" command for each running queue manager. Once at the runmqsc prompt, enter: DIS QMGR AUTHOREV AUTHOREV(ENABLED) - should be the result. If "AUTHOREV" logging is not "ENABLED", this is a finding.
For each queue manager on the MQ Appliance, enable authority (AUTHOREV) event logging. From the MQ Appliance CLI, enter the following: runmqsc [queue mgr name] ALTER QMGR AUTHOREV(ENABLED) end
For each queue manager on the MQ Appliance for which performance events logging should be enabled, establish an SSH command line session as an admin user. To access the MQ Appliance CLI, enter: mqcli To identify the queue managers, enter: dspmq To run the "runmqsc [queue mgr name]" command for each running queue manager identified, enter: runmqsc [queue mgr name] DIS QMGR PERFMEV DIS QLOCAL(SYSTEM.ADMIN.PERFM.EVENT) QDPHIEV end If "QDPHIEV" or "PERFMEV" is not "ENABLED", this is a finding. Ask the system administrator to demonstrate how they monitor an alert on MQ failure events. Verify alarming is set for the following log events: MQRC_Q_FULL, MQRC_Q_MGR_NOT_ACTIVE, MQRC_Q_DEPTH_HIGH If the system admin does not monitor an alarm for the following error codes: MQRC_Q_FULL, MQRC_Q_MGR_NOT_ACTIVE, or MQRC_Q_DEPTH_HIGH, this is a finding.
For each queue manager on the MQ Appliance, enable performance (PERFMEV) event logging. From the MQ Appliance CLI, enter the following: runmqsc [queue mgr name] ALTER QMGR PERFMEV(ENABLED) ALTER QLOCAL(SYSTEM.ADMIN.PERFM.EVENT) QDPHIEV(ENABLED) Monitor the logs that send alerts based on the following failure codes: MQRC_Q_FULL, MQRC_Q_MGR_NOT_ACTIVE, MQRC_Q_DEPTH_HIGH.
Obtain documentation that specifies operational limits from system admin. Check the "SVRCONN" channels of each queue manager to confirm that "MAXINST" and "MAXINSTC" values are set to a value that reflects operational requirements. To access the MQ Appliance CLI, enter: mqcli To identify the queue managers, enter: dspmq To run the "runmqsc [queue mgr name]" command for each running queue manager identified, enter: runmqsc [queue mgr name] To display available SVRCONN channels details, enter: DIS CHANNEL(*) CHLTYPE(SVRCONN) Display values for each channel: DIS CHANNEL(Channel Name) If the value of either "MAXINST" or "MAXINSTC" is greater than the organization-defined limit, this is a finding.
For each queue manager's server connection (SVRCONN) channel(s): To access the MQ Appliance CLI, enter: mqcli runmqsc <queue manager name> >> To display available SVRCONN channels, enter: DIS CHANNEL(*) CHLTYPE(SVRCONN) ALTER CHANNEL(<svrconn channel name>) CHLTYPE(SVRCONN) MAXINST(max allowed channel instances) MAXINSTC(max allowed channels for same client: less than MAXINST) end
Log on to the WebGUI as a privileged user. Click on the "MQ Console" icon. Click "Add" widget at the top right of the screen. Select queue manager intended for OCSP from the drop-down list. Select "Authentication Information". Verify that the authentication type is "OCSP". Click on the "Properties" button. Click "OCSP" on the side bar to verify that the OCSP responder URL is correct. If either the authentication type is not "OCSP" or the OCSP responder URL in not correct, this is a finding.
Log on to the WebGUI as a privileged user. Click on the "MQ Console" icon. Click "Add" widget at the top right of the screen. Select a queue manager from the drop-down list. Select "Authentication Information". Click the "+" (plus sign) to define the authentication method authentication for this queue manager. Specify an "Authinfo" name (e.g., USE.OCSP). Select "OCSP" as the "Authinfo" type. Specify an OCSP responder URL. Click "Create". In the "Local Queue Managers" widget, select the OCSP queue manager you just configured. Click "More..." then select "Refresh Security... "
Confirm that the following command is available and functioning on an authorized MQ client device: amqsevt -m [queue mgr name] {-q SYSTEM.ADMIN.QMGR.EVENT | -q SYSTEM.ADMIN.CONFIG.EVENT | -q SYSTEM.ADMIN.PERFM.EVENT | -q SYSTEM.ADMIN.CHANNEL.EVENT | -q SYSTEM.ADMIN.COMMAND.EVENT} -c -u [user name] If an MQ client application is not enabled to monitor one or more of the above event queues, this is a finding.
Log record aggregation and reporting for each event-logging-enabled queue manager on the MQ Appliance may be accomplished by running the following command from an authorized MQ client device: amqsevt -m [queue mgr name] {-q SYSTEM.ADMIN.QMGR.EVENT | -q SYSTEM.ADMIN.CONFIG.EVENT | -q SYSTEM.ADMIN.PERFM.EVENT | -q SYSTEM.ADMIN.CHANNEL.EVENT | -q SYSTEM.ADMIN.COMMAND.EVENT} -c -u [user name] Note: Any MQ monitoring solution that can connect to MQ as a client may be used to monitor event queues.
In the event of a MQ queue manager failure, an HA configuration must be used. Obtain system documentation identifying the HA configuration. Establish an SSH command line session to either of the pair as an admin user. To access the MQ Appliance CLI, enter: mqcli To run the dspmq command, enter: dspmq -s -o ha Each queue manager that is properly configured for HA should show HA(Replicated). If it does not, this is a finding.
Rudimentary instructions for setting up HA are included here. 1. Use three Ethernet cables to directly connect two appliances together using ports eth1, eth2, and eth3. 2. Configure the three connected MQ Appliance ports (on both appliances) as follows: Interface Purpose IP address/CIDR eth1 HA group primary interface x.x.x.x/24 eth2 HA group alternative interface x.x.x.x/24 eth3 HA Replication interface x.x.x.x/24 On the second appliance, enter the following command from the MQ Appliance CLI: prepareha -s [SecretText] -a [eth 1 IPAddress of first appliance] [-t timeout] On the first appliance, enter the following command: crthagrp -s [SecretText] -a [eth 1 IPAddress of second appliance] On the first appliance, stop the first queue manager to be HA enabled: endmqm [name of queue manager] Set an HA group: sethagrp -i [name of queue manager] Note: The queue manager’s data (queues, queue messages, etc.) are replicated from the appliance in the primary HA role (first appliance) to the appliance in the secondary HA role (second appliance).
Review system categorization to determine if redundancy is a requirement. If the system categorization does not specify redundancy requirements, this requirement is NA. On each member of the HA pair: Establish an SSH command line session as an admin user. To access the MQ Appliance CLI, enter: mqcli To run the dspmq command, enter: dspmq -s -o ha One of the appliances should be running as primary, the other as secondary. If HA is not configured and the primary and secondary running, this is a finding.
To configure HA: 1. Use three Ethernet cables to directly connect two appliances together using ports eth1, eth2, and eth3. 2. Configure the three connected MQ Appliance ports (on both appliances) as follows: Interface Purpose IP address/CIDR eth1 HA group primary interface x.x.x.x/24 eth2 HA group alternative interface x.x.x.x/24 eth3 HA Replication interface x.x.x.x/24 On the second appliance, enter the following command from the MQ Appliance CLI: prepareha -s [SecretText] -a [eth 1 IPAddress of first appliance] [-t timeout] On the first appliance, enter the following command: crthagrp -s [SecretText] -a [eth 1 IPAddress of second appliance] crtmqm [HA QM name] –p [port] –sx Note: The queue manager’s data (queues, queue messages, etc.) is replicated from the appliance in the primary HA role (first appliance) to the appliance in the secondary HA role (second appliance).
Check that TLS mutual authentication configuration is correct by using DISPLAY commands. To access the MQ Appliance CLI, enter: mqcli To identify the queue managers, enter: dspmq For each queue manager identified, run the command: runmqsc [queue name] DIS CHANNEL(*) CHLTYPE(SVRCONN) Note the name of SVRCONN channel (client channel) you wish to check. DIS CHANNEL([name of SVRCONN channel]) Confirm that the parameter "SSLCIPH" specifies the desired cipher spec and that the value of "SSLAUTH" is "REQUIRED". If either the "SSLCIPH" or "SSLAUTH" value is not correct, this is a finding.
The most common way devices (endpoints) may connect an MQ Appliance MQ queue manager is as an MQ client. In order to ensure unique identification of network-connected devices, mutual authentication using CA-signed TLS certificates should be configured. 1. Prepare the key repository on each endpoint client. 2. Request a CA-signed certificate for each client. You might use different CAs for the two endpoints. 3. Add the Certificate Authority certificate to the key repository for each client. If the endpoints are using different Certificate Authorities then the CA certificate for each Certificate Authority must be added to both key repositories. 4. Add the CA-signed certificate to the key repository for each endpoint. On the MQ Appliance queue manager, define a server-connection channel by issuing a command as in the following example: [C1]=Client, [QM1]=MQ Appliance queue manager. Replace [QM1] with the actual queue manager name (e.g., FINANCEQM) To access the MQ Appliance CLI, enter: mqcli runmqsc [QM1] DEFINE CHANNEL([C1].TO.[QM1]) CHLTYPE(SVRCONN) TRPTYPE(TCP) + SSLCIPH([TLS_RSA_WITH_AES_128_CBC_SHA or other cipher spec]) SSLCAUTH(REQUIRED) + DESCR('Receiver channel using TLS from [client name] to [QM name]') end Note: Following are the cipher specs available for MQ: https://ibm.biz/BdrJGp
Check that TLS mutual authentication configuration is correct by using "DISPLAY" commands. To access the MQ Appliance CLI, enter: mqcli To identify the queue managers, enter: dspmq For each queue manager identified, run the command: runmqsc [queue name] To display available SVRCONN channels details, enter: DIS CHANNEL(*) CHLTYPE(SVRCONN) Note the names of SVRCONN channels (client channels). Display values for each channel: DIS CHANNEL([name of SVRCONN channel]) Confirm that the parameter "SSLCIPH" specifies a FIPS approved cipher spec and that the value of "SSLAUTH" is set to "REQUIRED". MQ cipher specs are available here: https://ibm.biz/BdrJGp Utilize a FIPS approved cipher when specifying SSLCIPH. If either the "SSLCIPH" or "SSLAUTH" value for each channel is not correct, this is a finding.
Run the fix for each affected queue manager and each affected channel. To access the MQ Appliance enter: mqcli runmqsc [queue name] ALTER CHANNEL([channel name] CHLTYPE(SVRCONN) TRPTYPE(TCP) SSLCIPH([Use FIPS Approved cipher specs only]) SSLCAUTH(REQUIRED) Enter "end" to exit runmqsc mode.
To access the MQ Appliance CLI, for each queue manager, enter: mqcli To identify the queue managers, enter: dspmq For each queue manager identified, run the command: runmqsc [queue name] To display the active authentication object, enter: DIS QMGR CONNAUTH Result: QMNAME([queue mgr name]) CONNAUTH([auth object name]) DIS AUTHINFO(auth object name) Verify that "AUTHTYPE(IDPWLDAP)", and "SECCOMM(YES)" are displayed, and that all parameters are correctly specified to use the organizationally approved LDAP server(s). If these parameter values cannot be verified, this is a finding.
Specify LDAP as the authentication method for each queue manager. To access the MQ Appliance CLI, enter: mqcli runmqsc [queue manager name] DEFINE AUTHINFO('[Object name e.g., USE.LDAP]') AUTHTYPE(IDPWLDAP) CONNAME('[ldap1(port),ldap2(port),ldap3(port)]') SECCOMM(YES) [Ensures encryption is used] SHORTUSR('[short user name]') CHCKCLNT(REQUIRED) BASEDNU('base user DN') REPLACE ALTER QMGR CONNAUTH('[AUTHINFO object name]') REFRESH SECURITY TYPE(CONNAUTH) Type "end" to exit runmqsc mode.
To access the MQ Appliance CLI, for each queue manager, enter: mqcli To identify the queue managers, enter: dspmq For each queue manager identified, run the command: runmqsc [queue name] DIS AUTHINFO(*) AUTHTYPE(CRLLDAP) CONNAME Verify that an "AUTHINFO" definition of "AUTHTYPE(CRLLDAP)" is displayed and that the CONNAME in parenthesis is the host name or IPv4 dotted decimal address of an organizationally approved LDAP server. If the "AUTHINFO" definition is not equal to "AUTHTYPE(CRLLDAP)", this is a finding.
Specify LDAP as the authentication method for each queue manager. To access the MQ Appliance CLI, enter: mqcli runmqsc [queue manager name] DEFINE AUTHINFO('[Object name e.g., USE.CRLLDAP]') AUTHTYPE(CRLLDAP) CONNAME('[LDAPhost1(port)]') REPLACE Type "end" to exit runmqsc mode.
To access the MQ Appliance CLI, for each queue manager, enter: mqcli To identify the queue managers, enter: dspmq For each queue manager identified, run the command: runmqsc [queue name] To display the active authentication object, enter: DIS QMGR CONNAUTH Result: QMNAME([queue mgr name]) CONNAUTH([auth object name]) DIS AUTHINFO(auth object name) Verify that "AUTHTYPE(IDPWLDAP)" is displayed. Verify LDAP server user settings are configured to disable accounts after "35" days of inactivity. If "AUTHTYPE(IDPWLDAP)" is not displayed or if the LDAP server user settings are not configured to disable accounts after "35" days of inactivity, this is a finding.
Specify LDAP as the authentication method for each queue manager. To access the MQ Appliance CLI, enter: mqcli runmqsc [queue manager name] DEFINE AUTHINFO('[Object name e.g., USE.LDAP]') AUTHTYPE(IDPWLDAP) CONNAME('[ldap1(port),ldap2(port),ldap3(port)]') SECCOMM(YES) [Ensures encryption is used] SHORTUSR('[short user name]') CHCKCLNT(REQUIRED) BASEDNU('base user DN') REPLACE ALTER QMGR CONNAUTH('[AUTHINFO object name]') REFRESH SECURITY TYPE(CONNAUTH) Enter "end" to exit runmqsc mode. Configure LDAP server to disable accounts after 35 days of inactivity.
To access the MQ Appliance CLI, enter: mqcli To identify the queue managers, enter: dspmq For each queue manager identified, run the command: runmqsc [queue name] DIS AUTHINFO(USE.LDAP) Verify that "AUTHINFO(USE.LDAP)" is displayed under authentication information details. If "IBM MQ Appliance object USE.LDAP not found" is displayed, this is a finding.
Specify LDAP as the authentication method for each queue manager. To access the MQ Appliance CLI, enter: mqcli runmqsc [queue manager name] DEFINE AUTHINFO(USE.LDAP) AUTHTYPE(CRLLDAP) CONNAME('[host name1(port)],[host name1(port)]') ALTER QMGR CONNAUTH('USE.LDAP') REFRESH SECURITY TYPE(CONNAUTH) Enter "end" to exit runmqsc mode.
Using a browser, navigate to the MQ Appliance logon page as a privileged user. Verify the logon page displays the Standard Mandatory DoD Notice and Consent Banner: For the WebGUI, the banner must read: "You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions: -The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. -At any time, the USG may inspect and seize data stored on this IS. -Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. -This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. -Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details. Logging in signifies acceptance of this agreement." For the SSH CLI, the banner must read: "I've read & consent to terms in IS user agreem't. Logging in signifies acceptance of this agreement." If the standard banner is not displayed in both the WebGUI and CLI interfaces, this is a finding.
The custom banner must be set up as follows: 1. Log on to the WebGUI as a privileged user. 2. Click on the Administration (gear) icon. 3. Under Main, click on File Management. 4. Open the "Store" directory. 5. Scroll down to the file, "dp-user-interface-demo.xml". 6. Click in the box to the left of the file name. 7. At the top of the page, click on the Copy button. 8. Select "local:" as the New Directory Name. 9. Enter a New File Name e.g., "ui-customization.xml". 10. Click Confirm copy. 11. Click Continue. 12. Edit the "ui-customization.xml" file. 13. Refresh the browser page. 14. Click "local:". 15. Click the "Edit" link to the right of "ui-customization.xml". 16. Click the "Edit" button. 17. Locate the XML Stanza named "MarkupBanner". 18. 'type="pre-login"'. 19. Replace the existing text with the text of the Standard Mandatory DoD Notice and Consent Banner: "You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions: -The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. -At any time, the USG may inspect and seize data stored on this IS. -Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. -This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. -Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details. Logging in signifies acceptance of this agreement." 20. Locate the XML Stanza named "TextBanner". 21. 'type="pre-login"' 22. Replace the existing text with the text of the Standard Mandatory DoD Notice and Consent Banner: "I've read and consent to terms in IS user agreement. Logging in signifies acceptance of this agreement." 23. Click the "Submit" button. 24. Configure the MQ Appliance to use the customized User Interface Customization file: In the WebGUI, click on Gear icon (Administration) then select Device >> System Settings. 25. Scroll to "Custom user interface file" section at the bottom of the page and select the local:/// directory then the "ui-customization.xml" from the drop-down list. 26. Scroll to top of the page. 27. Click "Apply". 28. Click "Save Configuration". Log off of the appliance.
Establish an SSH command line session as an admin user. To access the MQ Appliance CLI, enter: mqcli To identify the queue managers, enter: dspmq For each queue manager identified, run the command: runmqsc [queue name] DIS QMGR EVENT A list of all events will be displayed along with an indication of if event logging is enabled. The events are as follows: Authority: AUTHOREV, Inhibit: INHIBITEV, Local: LOCALEV, Remote: REMOTEEV, Start and stop: STRSTPEV, Performance: PERFMEV, Command: CMDEV, Channel: CHLEV, Channel auto definition: CHADEV, SSL: SSLEV, Configuration: CONFIGEV If and required event logging is not enabled for running queue managers, this is a finding.
The following events may be logged for each queue manager on the MQ Appliance: Authority (AUTHOREV), Inhibit (INHIBITEV), Local (LOCALEV), Remote (REMOTEEV), Start and stop (STRSTPEV), Performance (PERFMEV), Command (CMDEV), Channel (CHLEV), Channel auto definition (CHADEV), SSL (SSLEV), Configuration (CONFIGEV) To enable logging for a queue manager, enter the following from the MQ Appliance CLI for each event for which you wish to enable logging: To access the MQ Appliance CLI, enter the following: mqcli runmqsc [queue mgr name] ALTER QMGR [event name](ENABLED) end Note: Any MQ monitoring solution that connects to MQ as a client may be used to monitor event queues.
Check that TLS mutual authentication configuration is correct by using DISPLAY commands. To access the MQ Appliance CLI, enter: mqcli To identify the queue managers, enter: dspmq For each queue manager identified, run the command: runmqsc [queue name] DIS CHANNEL(*) CHLTYPE(SVRCONN) Note the name of SVRCONN channel (client channel) you wish to check. DIS CHANNEL([name of SVRCONN channel]) Confirm that the parameter "SSLCIPH" specifies the desired cipher spec and that the value of "SSLAUTH" is "REQUIRED". If either the "SSLCIPH" or "SSLAUTH" value is not correct, this is a finding.
The most common way devices (endpoints) may connect an MQ Appliance MQ queue manager is as an MQ client. In order to ensure unique identification of network-connected devices, mutual authentication using CA-signed TLS certificates should be configured. 1. Prepare the key repository on each endpoint client. 2. Request a CA-signed certificate for each client. You might use different CAs for the two endpoints. 3. Add the Certificate Authority certificate to the key repository for each client. If the endpoints are using different Certificate Authorities then the CA certificate for each Certificate Authority must be added to both key repositories. 4. Add the CA-signed certificate to the key repository for each endpoint. On the MQ Appliance queue manager, define a server-connection channel by issuing a command as in the following example: [C1]=Client, [QM1]=MQ Appliance queue manager. Replace [QM1] with the actual queue manager name (e.g., FINANCEQM) To access the MQ Appliance CLI, enter: mqcli runmqsc [QM1] DEFINE CHANNEL([C1].TO.[QM1]) CHLTYPE(SVRCONN) TRPTYPE(TCP) + SSLCIPH([TLS_RSA_WITH_AES_128_CBC_SHA or other cipher spec]) SSLCAUTH(REQUIRED) + DESCR('Receiver channel using TLS from [client name] to [QM name]') end Note: Following are the cipher specs available for MQ: https://ibm.biz/BdrJGp
Check that TLS mutual authentication configuration is correct by using DISPLAY commands. To access the MQ Appliance CLI, enter: mqcli To identify the queue managers, enter: dspmq For each queue manager identified, run the command: runmqsc [queue name] DIS CHANNEL(*) CHLTYPE(SVRCONN) Note the name of SVRCONN channel (client channel) you wish to check. DIS CHANNEL([name of SVRCONN channel]) Confirm that the parameter "SSLCIPH" specifies the desired cipher spec and that the value of "SSLAUTH" is "REQUIRED". If either the "SSLCIPH" or "SSLAUTH" value is not correct, this is a finding.
The most common way devices (endpoints) may connect an MQ Appliance MQ queue manager is as an MQ client. In order to ensure unique identification of network-connected devices, mutual authentication using CA-signed TLS certificates should be configured. 1. Prepare the key repository on each endpoint client. 2. Request a CA-signed certificate for each client. You might use different CAs for the two endpoints. 3. Add the Certificate Authority certificate to the key repository for each client. If the endpoints are using different Certificate Authorities then the CA certificate for each Certificate Authority must be added to both key repositories. 4. Add the CA-signed certificate to the key repository for each endpoint. On the MQ Appliance queue manager, define a server-connection channel by issuing a command as in the following example: [C1]=Client, [QM1]=MQ Appliance queue manager. Replace [QM1] with the actual queue manager name (e.g., FINANCEQM) To access the MQ Appliance CLI, enter: mqcli runmqsc [QM1] Replace the brackets "[ ]" with a selected parameter: DEFINE CHANNEL([C1].TO.[QM1]) CHLTYPE(SVRCONN) TRPTYPE(TCP) + SSLCIPH([TLS_RSA_WITH_AES_128_CBC_SHA or other cipher spec]) SSLCAUTH(REQUIRED) + DESCR('Receiver channel using TLS from [client name] to [QM name]') For example: ALTER CHANNEL(C1.TO.QM1) CHLTYPE(SVRCONN) TRPTYPE(TCP) + SSLCIPH(TLS_RSA_WITH_AES_128_CBC_SHA) SSLCAUTH(REQUIRED) + DESCR('Receiver channel using TLS from C1 to QM1')
Review system documentation. Identify all message services hosted on the device(s) and determine if any services are hosting publicly available, non-sensitive data. This requirement is NA for publicly available services that host non-sensitive data if a documented ISSO risk acceptance is presented. Check that TLS mutual authentication configuration is correct by using DISPLAY commands. To access the MQ Appliance CLI, enter: mqcli To identify the queue managers, enter: dspmq For each queue manager identified, run the command: runmqsc [queue name] DIS CHANNEL(*) CHLTYPE(SVRCONN) Note the name of SVRCONN channel (client channel) you wish to check. DIS CHANNEL([name of SVRCONN channel]) Confirm that the parameter "SSLCIPH" specifies the desired cipher spec and that the value of "SSLAUTH" is "REQUIRED". If either the "SSLCIPH" or "SSLAUTH" value is not correct, this is a finding.
1. Prepare the key repository on each endpoint client. 2. Request a CA-signed certificate for each client. You might use different CAs for the two endpoints. 3. Add the Certificate Authority certificate to the key repository for each client. If the endpoints are using different Certificate Authorities then the CA certificate for each Certificate Authority must be added to both key repositories. 4. Add the CA-signed certificate to the key repository for each endpoint. On the MQ Appliance queue manager, define a server-connection channel by issuing a command as in the following example: [C1]=Client, [QM1]=MQ Appliance queue manager. Replace [QM1] with the actual queue manager name (e.g., FINANCEQM) To access the MQ Appliance CLI, enter: mqcli runmqsc [QM1] Replace the brackets "[ ]" with a selected parameter: DEFINE CHANNEL([C1].TO.[QM1]) CHLTYPE(SVRCONN) TRPTYPE(TCP) + SSLCIPH([TLS_RSA_WITH_AES_128_CBC_SHA or other cipher spec]) SSLCAUTH(REQUIRED) + DESCR('Receiver channel using TLS from [client name] to [QM name]') For example: ALTER CHANNEL(C1.TO.QM1) CHLTYPE(SVRCONN) TRPTYPE(TCP) + SSLCIPH(TLS_RSA_WITH_AES_128_CBC_SHA) SSLCAUTH(REQUIRED) + DESCR('Receiver channel using TLS from C1 to QM1')
Check that TLS mutual authentication configuration is correct by using DISPLAY commands. To access the MQ Appliance CLI, enter: mqcli To identify the queue managers, enter: dspmq For each queue manager identified, run the command: runmqsc [queue name] DIS CHANNEL(*) CHLTYPE(SVRCONN) Note the name of SVRCONN channel (client channel) you wish to check. DIS CHANNEL([name of SVRCONN channel]) Confirm that the parameter "SSLCIPH" specifies the desired cipher spec and that the value of "SSLAUTH" is "REQUIRED". If either the "SSLCIPH" or "SSLAUTH" value is not correct, this is a finding.
1. Prepare the key repository on each endpoint client. 2. Request a CA-signed certificate for each client. You might use different CAs for the two endpoints. 3. Add the Certificate Authority certificate to the key repository for each client. If the endpoints are using different Certificate Authorities then the CA certificate for each Certificate Authority must be added to both key repositories. 4. Add the CA-signed certificate to the key repository for each endpoint. On the MQ Appliance queue manager, define a server-connection channel by issuing a command as in the following example: [C1]=Client, [QM1]=MQ Appliance queue manager. Replace [QM1] with the actual queue manager name (e.g., FINANCEQM) To access the MQ Appliance CLI, enter: mqcli runmqsc [QM1] DEFINE CHANNEL([C1].TO.[QM1]) CHLTYPE(SVRCONN) TRPTYPE(TCP) SSLCIPH([TLS_RSA_WITH_AES_128_CBC_SHA or other cipher spec]) SSLCAUTH(REQUIRED) DESCR('Receiver channel using TLS from [client name] to [QM name]') end
To access the MQ Appliance CLI, enter: mqcli To identify the queue managers, enter: dspmq For each queue manager identified, run the command: runmqsc [queue name] DIS QMGR SSLFIPS If the value of "SSLFIPS" is set to "NO", this is a finding.
To access the MQ Appliance CLI, for each queue manager, enter: mqcli runmqsc [queue manager name] ALTER QMGR SSLFIPS(YES) end
For each queue manager on the MQ Appliance for which configuration events logging should be enabled, establish an SSH command line session as an admin user. To access the MQ Appliance CLI, enter: mqcli To identify the queue managers, enter: dspmq To run the "runmqsc [queue mgr name]" command for each running queue manager, enter: runmqsc [queue mgr name] DIS QMGR CONFIGEV CONFIGEV(ENABLED) - should be the result. end If "CONFIGEV" is not "ENABLED", this is a finding.
For each queue manager on the MQ Appliance, enable configuration event logging (CONFIGEV). From the MQ Appliance CLI, enter the following: runmqsc [queue mgr name] ALTER QMGR CONFIGEV(ENABLED) end
From the MQ Appliance WebGUI, click on the Administration (gear) icon. Click on Main >> File Management. Click on the cert directory. Click on the "Details" action to the right of each cert to display its attributes. Verify that each certificate attribute meets organizationally approved requirements. If any certificates have not been issued by a DoD- or CNSS-approved PKI CA, this is a finding.
Install certificates that have been issued by a DoD CA.